8fc4900a2474ca93bec0a99a4ad614f861caa2a2
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, # of scratch buffers is always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since this entry point code is identical.
        We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as a default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole process level. This removes 446 NativeJITCode
        allocations, which take 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

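A constructed illustration of the bits-versus-bytes defect the CachedBitVector entry above fixes, written for this page and not taken from JSC: a simplified bit vector whose serialized size is recorded in bits, the copy length the pre-fix decode would have used beside the corrected one, and a decode that bounds-checks the copy length instead of trusting it. The types and function names are assumptions; the real CachedBitVector and BitVector differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed, simplified stand-in for a bit vector: numBits logical bits backed
// by ceil(numBits / 8) bytes. Not JSC's BitVector; the names are illustrative.
struct BitVector {
    size_t numBits;
    std::vector<uint8_t> bytes;

    explicit BitVector(size_t bits) : numBits(bits), bytes((bits + 7) / 8, 0) {}
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
    size_t byteLength() const { return bytes.size(); }
};

// Serialized form. The size is recorded in bits, as the entry says CachedBitVector
// stores it, so every copy has to convert that count to bytes first.
struct Encoded {
    size_t numBits;
    std::vector<uint8_t> payload;
};

// Length the pre-fix decode handed to memcpy: the bit count used as a byte count.
size_t copyLengthBeforeFix(size_t numBits) { return numBits; }

// Length the fixed decode copies: the number of bytes actually backing the vector.
size_t copyLengthAfterFix(size_t numBits) { return (numBits + 7) / 8; }

// Encode with a payload sized in bytes.
Encoded encode(const BitVector& bv) {
    Encoded e;
    e.numBits = bv.numBits;
    e.payload.assign(bv.bytes.begin(), bv.bytes.end());
    return e;
}

// Decode that checks the copy length against both buffers instead of trusting it.
// With the pre-fix length the destination check fails for any vector longer than
// 8 bits; the actual bug performed that memcpy anyway and wrote past the buffer.
bool decodeInto(BitVector& out, const Encoded& e, size_t copyLength) {
    if (out.numBits != e.numBits)
        return false;
    if (copyLength > out.byteLength() || copyLength > e.payload.size())
        return false;
    std::memcpy(out.bytes.data(), e.payload.data(), copyLength);
    return true;
}

// Round-trips a 100-bit vector with a few bits set using the given copy length.
// Returns whether decoding was accepted; contentsMatch reports whether the decoded
// bits equal the input.
bool roundTrip(size_t copyLength, bool& contentsMatch) {
    BitVector in(100);
    in.set(0);
    in.set(9);
    in.set(99);
    Encoded e = encode(in);
    BitVector out(100);
    contentsMatch = false;
    if (!decodeInto(out, e, copyLength))
        return false;
    contentsMatch = out.get(0) && out.get(9) && out.get(99) && !out.get(50);
    return true;
}
```
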
2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, comparison of memory consumption becomes the following,
        because JSRopeString does not have StringImpl until it is resolved.

            sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases memory footprint. The point is that we need to
        account for newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString function.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of the operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

2019-02-13  Saam Barati  <sbarati@apple.com>

        AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=194610

        Reviewed by Michael Saboff.

        BinarySwitch might use the scratch register. We must model the
        effects of that properly. This is already caught by our br-table
        tests on arm64.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-13  Mark Lam  <mark.lam@apple.com>

        Create a randomized free list for new StructureIDs on StructureIDTable resize.
        https://bugs.webkit.org/show_bug.cgi?id=194566
        <rdar://problem/47975502>

        Reviewed by Michael Saboff.

        Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
        implementation is a little easier to read.

        This patch appears to be perf neutral on JetStream2 (as run from the command line).

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::makeFreeListFromRange):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):
        (JSC::StructureIDTable::deallocateID):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::flushOldTables):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        VariableLengthObject::allocate<T> should initialize objects
        https://bugs.webkit.org/show_bug.cgi?id=194534

        Reviewed by Michael Saboff.

        `buffer()` should not be called for empty VariableLengthObjects, but
        these cases were not being caught due to the objects not being properly
        initialized. Fix it so that allocate calls the constructor and fix the
        assertion failures.

        * runtime/CachedTypes.cpp:
        (JSC::CachedObject::operator new):
        (JSC::VariableLengthObject::allocate):
        (JSC::CachedVector::encode):
        (JSC::CachedVector::decode const):
        (JSC::CachedUniquedStringImpl::decode const):
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):
        (JSC::CachedArray::encode):
        (JSC::CachedArray::decode const):
        (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
        (JSC::CachedBigInt::decode const):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlocks read from disk should not be re-written
        https://bugs.webkit.org/show_bug.cgi?id=194535

        Reviewed by Michael Saboff.

        Keep track of which CodeBlocks have been read from disk or have already
        been serialized in CodeCache.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::write):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        SourceCode should be copied when generating bytecode for functions
        https://bugs.webkit.org/show_bug.cgi?id=194536

        Reviewed by Saam Barati.

        The FunctionExecutable might be collected while generating the bytecode
        for nested functions, in which case the SourceCode reference would no
        longer be valid.

        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-12  Saam barati  <sbarati@apple.com>

        JSScript needs to retain its cache path NSURL*
        https://bugs.webkit.org/show_bug.cgi?id=194577

        Reviewed by Tim Horton.

        * API/JSScript.mm:
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):

2019-02-12  Robin Morisset  <rmorisset@apple.com>

        Make B3Value::returnsBool() more precise
        https://bugs.webkit.org/show_bug.cgi?id=194457

        Reviewed by Saam Barati.

        It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
        It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
        No new tests added as this should be indirectly tested by the already existing tests.

        * b3/B3Value.cpp:
        (JSC::B3::Value::returnsBool const):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix -Wimplicit-fallthrough warning after r241140
        https://bugs.webkit.org/show_bug.cgi?id=194399
        <rdar://problem/47889777>

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
        https://bugs.webkit.org/show_bug.cgi?id=194370

        Reviewed by Darin Adler.

        Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
        necessary, but it will make errors more visible.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::start):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):

2019-02-12  Andy Estes  <aestes@apple.com>

        [iOSMac] Enable Parental Controls Content Filtering
        https://bugs.webkit.org/show_bug.cgi?id=194521
        <rdar://39732376>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2019-02-11  Mark Lam  <mark.lam@apple.com>

        Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
        https://bugs.webkit.org/show_bug.cgi?id=194512
        <rdar://problem/47975465>

        Reviewed by Yusuke Suzuki.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:

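The two StructureIDTable entries on this page (a randomized free list built when the table grows, and randomized reinsertion of deallocated IDs) are illustrated by this constructed model, which is added here and is not JSC's StructureIDTable. The slot layout, the constants and the exact insertion policy are assumptions; what it demonstrates is that the order in which IDs are handed out no longer follows the allocation and deallocation history, while a double free or an out-of-range ID is rejected rather than corrupting the list.

```cpp
#include <algorithm>
#include <cstdint>
#include <numeric>
#include <random>
#include <vector>

// Constructed model of a table of IDs with a randomized free list. Not JSC's
// StructureIDTable: the slot layout, constants and insertion policy are
// assumptions. ID 0 is reserved as "no ID" and never handed out.
class IDTable {
public:
    enum : uint32_t {
        kInvalidID = 0,
        kInUse = UINT32_MAX - 1,   // slot holds a live ID
        kNone = UINT32_MAX         // end of the free list
    };

    IDTable(uint32_t initialCapacity, uint64_t seed)
        : m_rng(seed), m_next(1, kInUse)   // slot 0 reserved
    {
        growTo(initialCapacity);
    }

    // Pop the head of the free list, growing the table when it is empty.
    uint32_t allocateID() {
        if (m_freeHead == kNone)
            growTo(capacity() * 2);
        uint32_t id = m_freeHead;
        m_freeHead = m_next[id];
        m_next[id] = kInUse;
        --m_freeCount;
        return id;
    }

    // Splice a freed ID into the list at a random depth instead of at the head,
    // so the next allocation is not simply the most recently freed ID.
    // Rejects IDs that are out of range or not currently allocated (double free).
    bool deallocateID(uint32_t id) {
        if (id == kInvalidID || id >= capacity() || m_next[id] != kInUse)
            return false;
        std::uniform_int_distribution<uint32_t> depth(0, m_freeCount);
        uint32_t* link = &m_freeHead;
        for (uint32_t k = depth(m_rng); k > 0 && *link != kNone; --k)
            link = &m_next[*link];
        m_next[id] = *link;
        *link = id;
        ++m_freeCount;
        return true;
    }

    uint32_t capacity() const { return static_cast<uint32_t>(m_next.size()); }
    uint32_t freeCount() const { return m_freeCount; }

private:
    // Extend the table and thread the new slots onto the free list in shuffled
    // order, so a freshly grown table does not hand out IDs sequentially.
    void growTo(uint32_t newCapacity) {
        uint32_t first = capacity();
        m_next.resize(newCapacity, kNone);
        std::vector<uint32_t> fresh(newCapacity - first);
        std::iota(fresh.begin(), fresh.end(), first);
        std::shuffle(fresh.begin(), fresh.end(), m_rng);
        for (uint32_t id : fresh) {
            m_next[id] = m_freeHead;
            m_freeHead = id;
        }
        m_freeCount += static_cast<uint32_t>(fresh.size());
    }

    std::mt19937_64 m_rng;
    std::vector<uint32_t> m_next;   // per slot: next free ID, kInUse, or kNone
    uint32_t m_freeHead = kNone;
    uint32_t m_freeCount = 0;
};

// Drains `count` IDs from a table seeded with `seed`, to compare allocation orders.
std::vector<uint32_t> allocationOrder(uint32_t capacity, uint64_t seed, uint32_t count) {
    IDTable table(capacity, seed);
    std::vector<uint32_t> ids;
    for (uint32_t i = 0; i < count; ++i)
        ids.push_back(table.allocateID());
    return ids;
}
```
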
2019-02-10  Mark Lam  <mark.lam@apple.com>

        Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
        https://bugs.webkit.org/show_bug.cgi?id=194493
        <rdar://problem/36380852>

        Reviewed by Yusuke Suzuki.

        Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
        however not good for performance and memory usage.  As such, a debug ASSERT will
        do.  We'll also do an audit of the clients of BinarySwitch to see if it's
        possible to be instantiated with duplicate cases in
        https://bugs.webkit.org/show_bug.cgi?id=194492 later.

        Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
        see duplicate cases.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):

2019-02-10  Darin Adler  <darin@apple.com>

        Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
        https://bugs.webkit.org/show_bug.cgi?id=194485

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
        reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Removed some unneeded casts in StringBuilder code,
        including one in a call to appendByteAsHex.
        (JSC::globalFuncEscape): Ditto.

2019-02-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241230.
        https://bugs.webkit.org/show_bug.cgi?id=194488

        "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "We should only make rope strings when concatenating strings
        long enough."
        https://bugs.webkit.org/show_bug.cgi?id=194465
        https://trac.webkit.org/changeset/241230

2019-02-10  Saam barati  <sbarati@apple.com>

        BBQ-Air: Emit better code for switch
        https://bugs.webkit.org/show_bug.cgi?id=194053

        Reviewed by Yusuke Suzuki.

        Instead of emitting a linear set of jumps for Switch, this patch
        makes the BBQ-Air backend emit a binary switch.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, Lexer should use isLatin1 implementation in WTF
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Follow-up after r241233 pointed by Darin.

        * parser/Lexer.cpp:
        (JSC::isLatin1): Deleted.

2019-02-09  Darin Adler  <darin@apple.com>

        Eliminate unnecessary String temporaries by using StringConcatenateNumbers
        https://bugs.webkit.org/show_bug.cgi?id=194021

        Reviewed by Geoffrey Garen.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count): Remove String::number and let
        makeString do the conversion without allocating/destroying a String.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction): Ditto.
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
        (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
        of calling numberToFixedWidthString to do the same thing.
        (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
        numberToFixedPrecisionString to do the same thing.
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopFunctions): Ditto.

2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rolling in r241237 again
        https://bugs.webkit.org/show_bug.cgi?id=194469

        * runtime/JSString.h:
        (JSC::jsSubstring):

2019-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241237.
        https://bugs.webkit.org/show_bug.cgi?id=194474

        Shows significant memory increase in WSL (Requested by
        yusukesuzuki on #webkit).

        Reverted changeset:

        "[WTF] Use BufferInternal StringImpl if substring StringImpl
        takes more memory"
        https://bugs.webkit.org/show_bug.cgi?id=194469
        https://trac.webkit.org/changeset/241237

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
        https://bugs.webkit.org/show_bug.cgi?id=194469

        Reviewed by Geoffrey Garen.

        * runtime/JSString.h:
        (JSC::jsSubstring):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CachedTypes should use jsString instead of JSString::create
        https://bugs.webkit.org/show_bug.cgi?id=194471

        Reviewed by Mark Lam.

        Use jsString() here because JSString::create is a bit low-level API and it requires some invariant like "length is not zero".

        * runtime/CachedTypes.cpp:
        (JSC::CachedJSValue::decode const):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increase StructureIDTable initial capacity
        https://bugs.webkit.org/show_bug.cgi?id=194468

        Reviewed by Mark Lam.

        Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
        JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
        unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
        more memory dirty. We also remove some structures that are no longer used.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::callbackObjectStructure const):
        (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
        * runtime/StructureIDTable.h:
        * runtime/VM.h:

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
        goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
        and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
        creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
        a 16bit string. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
        as much as possible.

        It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2019-02-08  Keith Miller  <keith_miller@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Saam Barati.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAdd):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):

730 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
731
732         [JSC] Shrink sizeof(CodeBlock) more
733         https://bugs.webkit.org/show_bug.cgi?id=194419
734
735         Reviewed by Mark Lam.
736
737         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
738
739         1. CodeBlock copies a lot of data from ScriptExecutable even though ScriptExecutable
740         has the same information. This data is not touched in CodeBlock::~CodeBlock,
741         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
742
743         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
744         And we do not touch it in CodeBlock::~CodeBlock.
745
746         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For the Baseline and LLInt
747         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns
748         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
749
750         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
751
752         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
753
754         * bytecode/CodeBlock.cpp:
755         (JSC::CodeBlock::hash const):
756         (JSC::CodeBlock::sourceCodeForTools const):
757         (JSC::CodeBlock::dumpAssumingJITType const):
758         (JSC::CodeBlock::dumpSource):
759         (JSC::CodeBlock::CodeBlock):
760         (JSC::CodeBlock::finishCreation):
761         (JSC::CodeBlock::propagateTransitions):
762         (JSC::CodeBlock::finalizeLLIntInlineCaches):
763         (JSC::CodeBlock::setCalleeSaveRegisters):
764         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
765         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
766         (JSC::CodeBlock::lineNumberForBytecodeOffset):
767         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
768         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
769         (JSC::CodeBlock::newReplacement):
770         (JSC::CodeBlock::replacement):
771         (JSC::CodeBlock::computeCapabilityLevel):
772         (JSC::CodeBlock::jettison):
773         (JSC::CodeBlock::calleeSaveRegisters const):
774         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
775         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
776         (JSC::CodeBlock::getArrayProfile):
777         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
778         (JSC::CodeBlock::notifyLexicalBindingUpdate):
779         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
780         (JSC::CodeBlock::validate):
781         (JSC::CodeBlock::outOfLineJumpTarget):
782         (JSC::CodeBlock::arithProfileForBytecodeOffset):
783         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
784         * bytecode/CodeBlock.h:
785         (JSC::CodeBlock::specializationKind const):
786         (JSC::CodeBlock::isStrictMode const):
787         (JSC::CodeBlock::isConstructor const):
788         (JSC::CodeBlock::codeType const):
789         (JSC::CodeBlock::isKnownNotImmediate):
790         (JSC::CodeBlock::instructions const):
791         (JSC::CodeBlock::ownerExecutable const):
792         (JSC::CodeBlock::thisRegister const):
793         (JSC::CodeBlock::source const):
794         (JSC::CodeBlock::sourceOffset const):
795         (JSC::CodeBlock::firstLineColumnOffset const):
796         (JSC::CodeBlock::createRareDataIfNecessary):
797         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
798         (JSC::CodeBlock::setThisRegister): Deleted.
799         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
800         * bytecode/EvalCodeBlock.h:
801         * bytecode/FunctionCodeBlock.h:
802         * bytecode/GlobalCodeBlock.h:
803         (JSC::GlobalCodeBlock::GlobalCodeBlock):
804         * bytecode/ModuleProgramCodeBlock.h:
805         * bytecode/ProgramCodeBlock.h:
806         * debugger/Debugger.cpp:
807         (JSC::Debugger::toggleBreakpoint):
808         * debugger/DebuggerCallFrame.cpp:
809         (JSC::DebuggerCallFrame::sourceID const):
810         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
811         * debugger/DebuggerScope.cpp:
812         (JSC::DebuggerScope::location const):
813         * dfg/DFGByteCodeParser.cpp:
814         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
815         (JSC::DFG::ByteCodeParser::inliningCost):
816         (JSC::DFG::ByteCodeParser::parseCodeBlock):
817         * dfg/DFGCapabilities.cpp:
818         (JSC::DFG::isSupportedForInlining):
819         (JSC::DFG::mightCompileEval):
820         (JSC::DFG::mightCompileProgram):
821         (JSC::DFG::mightCompileFunctionForCall):
822         (JSC::DFG::mightCompileFunctionForConstruct):
823         (JSC::DFG::canUseOSRExitFuzzing):
824         * dfg/DFGGraph.h:
825         (JSC::DFG::Graph::executableFor):
826         * dfg/DFGJITCompiler.cpp:
827         (JSC::DFG::JITCompiler::compileFunction):
828         * dfg/DFGOSREntry.cpp:
829         (JSC::DFG::prepareOSREntry):
830         * dfg/DFGOSRExit.cpp:
831         (JSC::DFG::restoreCalleeSavesFor):
832         (JSC::DFG::saveCalleeSavesFor):
833         (JSC::DFG::saveOrCopyCalleeSavesFor):
834         * dfg/DFGOSRExitCompilerCommon.cpp:
835         (JSC::DFG::handleExitCounts):
836         * dfg/DFGOperations.cpp:
837         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
838         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
839         * ftl/FTLCapabilities.cpp:
840         (JSC::FTL::canCompile):
841         * ftl/FTLLink.cpp:
842         (JSC::FTL::link):
843         * ftl/FTLOSRExitCompiler.cpp:
844         (JSC::FTL::compileStub):
845         * interpreter/CallFrame.cpp:
846         (JSC::CallFrame::callerSourceOrigin):
847         * interpreter/Interpreter.cpp:
848         (JSC::eval):
849         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
850         * interpreter/StackVisitor.cpp:
851         (JSC::StackVisitor::Frame::calleeSaveRegisters):
852         (JSC::StackVisitor::Frame::sourceURL const):
853         (JSC::StackVisitor::Frame::sourceID):
854         (JSC::StackVisitor::Frame::computeLineAndColumn const):
855         * interpreter/StackVisitor.h:
856         * jit/AssemblyHelpers.h:
857         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
858         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
859         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
860         * jit/CallFrameShuffleData.cpp:
861         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
862         * jit/JIT.cpp:
863         (JSC::JIT::compileWithoutLinking):
864         * jit/JITToDFGDeferredCompilationCallback.cpp:
865         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
866         * jit/JITWorklist.cpp:
867         (JSC::JITWorklist::Plan::finalize):
868         (JSC::JITWorklist::compileNow):
869         * jit/RegisterAtOffsetList.cpp:
870         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
871         * jit/RegisterAtOffsetList.h:
872         (JSC::RegisterAtOffsetList::at const):
873         * runtime/ErrorInstance.cpp:
874         (JSC::appendSourceToError):
875         * runtime/ScriptExecutable.cpp:
876         (JSC::ScriptExecutable::newCodeBlockFor):
877         * runtime/StackFrame.cpp:
878         (JSC::StackFrame::sourceID const):
879         (JSC::StackFrame::sourceURL const):
880         (JSC::StackFrame::computeLineAndColumn const):
881
882 2019-02-08  Robin Morisset  <rmorisset@apple.com>
883
884         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
885         https://bugs.webkit.org/show_bug.cgi?id=194460
886
887         Reviewed by Mark Lam.
888
889         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
890
891         * b3/B3LowerMacros.cpp:
892
893 2019-02-08  Mark Lam  <mark.lam@apple.com>
894
895         Use maxSingleCharacterString in comparisons instead of literal constants.
896         https://bugs.webkit.org/show_bug.cgi?id=194452
897
898         Reviewed by Yusuke Suzuki.
899
900         This way, if we ever change maxSingleCharacterString, it won't break all this code
901         that relies on it being 0xff implicitly.
902
903         * dfg/DFGSpeculativeJIT.cpp:
904         (JSC::DFG::SpeculativeJIT::compileStringSlice):
905         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
906         * ftl/FTLLowerDFGToB3.cpp:
907         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
908         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
909         * jit/ThunkGenerators.cpp:
910         (JSC::stringGetByValGenerator):
911         (JSC::charToString):
912
913 2019-02-08  Mark Lam  <mark.lam@apple.com>
914
915         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
916         https://bugs.webkit.org/show_bug.cgi?id=194446
917         <rdar://problem/47926792>
918
919         Reviewed by Saam Barati.
920
921         Fix doesGC() for the following nodes:
922
923             CheckTierUpAtReturn:
924                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
925                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
926
927             CheckTierUpInLoop:
928                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
929                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
930
931             CheckTierUpAndOSREnter:
932                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
933                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
934
935             GetByVal:
936                 case Array::String calls operationSingleCharacterString(), which calls
937                 jsSingleCharacterString(), which can allocate a string.
938
939             PutByValDirect:
940             PutByVal:
941             PutByValAlias:
942                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
943                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
944                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
945                 slow paths call putByValInternal(), which may create exception objects, or
946                 call the generic JSValue::put() which may execute arbitrary code.
947
948             StringCharAt:
949                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
950                 which can allocate a string.
951
952         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
953         to use the maxSingleCharacterString constant instead of a literal constant.
954
955         * dfg/DFGDoesGC.cpp:
956         (JSC::DFG::doesGC):
957         * dfg/DFGSpeculativeJIT.cpp:
958         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
959         * dfg/DFGSpeculativeJIT64.cpp:
960         (JSC::DFG::SpeculativeJIT::compile):
961         * ftl/FTLLowerDFGToB3.cpp:
962         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
963         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
964         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
965
966 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
967
968         [JSC] SourceProviderCacheItem should be small
969         https://bugs.webkit.org/show_bug.cgi?id=194432
970
971         Reviewed by Saam Barati.
972
973         Some JetStream2 tests stress the JS parser. When that happens, a great many SourceProviderCacheItems are created.
974         While they are removed when a full GC happens, they significantly increase the peak memory usage.
975         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
976
977         * parser/Parser.cpp:
978         (JSC::Parser<LexerType>::parseFunctionInfo):
979         * parser/ParserModes.h:
980         * parser/ParserTokens.h:
981         * parser/SourceProviderCacheItem.h:
982         (JSC::SourceProviderCacheItem::endFunctionToken const):
983         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
984
985 2019-02-07  Robin Morisset  <rmorisset@apple.com>
986
987         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
988         https://bugs.webkit.org/show_bug.cgi?id=194420
989
990         Reviewed by Saam Barati.
991
992         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
993         But I introduced two bugs: one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
994         This trivial patch fixes both.
995
996         * b3/B3ReduceStrength.cpp:
997         * b3/testb3.cpp:
998         (JSC::B3::testAbsNegArg):
999
1000 2019-02-07  Keith Miller  <keith_miller@apple.com>
1001
1002         Better error messages for module loader SPI
1003         https://bugs.webkit.org/show_bug.cgi?id=194421
1004
1005         Reviewed by Saam Barati.
1006
1007         * API/JSAPIGlobalObject.mm:
1008         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1009
1010 2019-02-07  Mark Lam  <mark.lam@apple.com>
1011
1012         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1013         https://bugs.webkit.org/show_bug.cgi?id=194399
1014         <rdar://problem/47889777>
1015
1016         Reviewed by Yusuke Suzuki.
1017
1018         Fix doesGC() for the following nodes:
1019
1020             CheckTraps:
1021                 We normally will not emit this node because Options::usePollingTraps() is
1022                 false by default.  However, as it is implemented now, CheckTraps can GC
1023                 because it can allocate a TerminatedExecutionException.  If we make the
1024                 TerminatedExecutionException a singleton allocated at initialization time,
1025                 doesGC() can return false for CheckTraps.
1026                 https://bugs.webkit.org/show_bug.cgi?id=194323
1027
1028             GetMapBucket:
1029                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1030                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1031                 can resolve a rope.
1032
1033             Switch:
1034                 If switchData kind is SwitchChar, can call operationResolveRope().
1035                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1036                     can call operationSwitchString() which resolves ropes.
1037
1038             DirectTailCall:
1039             ForceOSRExit:
1040             Return:
1041             TailCallForwardVarargs:
1042             TailCallVarargs:
1043             Throw:
1044                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1045                 for them, but following our conservative practice, unless we have a good
1046                 reason for doesGC() to return false, we should just return true.
1047
1048         * dfg/DFGDoesGC.cpp:
1049         (JSC::DFG::doesGC):
1050
1051 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1052
1053         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1054         https://bugs.webkit.org/show_bug.cgi?id=194250
1055
1056         Reviewed by Saam Barati.
1057
1058         Adds the following optimizations for integers:
1059         - Sub(x, x) => 0
1060             Already covered by the test testSubArg
1061         - Sub(x1, Neg(x2)) => Add (x1, x2)
1062             Added test: testSubNeg
1063         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1064             Added test: testNegSub
1065         - Add(Neg(x1), x2) => Sub(x2, x1)
1066             Added test: testAddNeg1
1067         - Add(x1, Neg(x2)) => Sub(x1, x2)
1068             Added test: testAddNeg2
1069         Adds the following optimization for floating point values:
1070         - Abs(Neg(x)) => Abs(x)
1071             Added test: testAbsNegArg
1073
1074         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1075
1076         * b3/B3ReduceStrength.cpp:
1077         * b3/testb3.cpp:
1078         (JSC::B3::testAddNeg1):
1079         (JSC::B3::testAddNeg2):
1080         (JSC::B3::testSubNeg):
1081         (JSC::B3::testNegSub):
1082         (JSC::B3::testAbsAbsArg):
1083         (JSC::B3::testAbsNegArg):
1084         (JSC::B3::run):
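
        The peepholes listed in this entry, together with the Abs(Neg(x)) => Abs(x) correction from the "Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength" entry above, as an added illustrative C++ model. It is not JSC's B3ReduceStrength: the Value and Proc types, the eval() reference semantics and the self-check are assumptions made for the demonstration.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <memory>
#include <vector>

enum class Op { Const, Arg, Add, Sub, Neg, Abs };

struct Value {
    Op op = Op::Const;
    bool isInteger = true;   // B3 applies Sub(x, x) => 0 only to integers
    int64_t constant = 0;    // Const
    int argIndex = 0;        // Arg
    Value* child0 = nullptr; Value* child1 = nullptr;
};

// Arena owning every node, so a rewrite may drop a child without freeing it.
struct Proc {
    std::vector<std::unique_ptr<Value>> nodes;
    Value* add(Op op, bool isInteger, Value* a = nullptr, Value* b = nullptr) {
        nodes.push_back(std::make_unique<Value>());
        Value* v = nodes.back().get();
        v->op = op; v->isInteger = isInteger; v->child0 = a; v->child1 = b;
        return v;
    }
    Value* arg(int index, bool isInteger = true) { Value* v = add(Op::Arg, isInteger); v->argIndex = index; return v; }
};

// Reference semantics: every rewrite below must leave eval() unchanged.
double eval(const Value* v, const std::vector<double>& args) {
    switch (v->op) {
    case Op::Const: return static_cast<double>(v->constant);
    case Op::Arg:   return args.at(static_cast<std::size_t>(v->argIndex));
    case Op::Add:   return eval(v->child0, args) + eval(v->child1, args);
    case Op::Sub:   return eval(v->child0, args) - eval(v->child1, args);
    case Op::Neg:   return -eval(v->child0, args);
    case Op::Abs:   return std::fabs(eval(v->child0, args));
    }
    return 0;
}

// One peephole on v, rewritten in place; true if anything changed.
bool reduceOnce(Value* v) {
    switch (v->op) {
    case Op::Sub:
        if (v->isInteger && v->child0 == v->child1) {  // Sub(x, x) => 0 (integers only: NaN - NaN is NaN)
            v->op = Op::Const; v->constant = 0; v->child0 = v->child1 = nullptr; return true;
        }
        if (v->child1->op == Op::Neg) {                 // Sub(x1, Neg(x2)) => Add(x1, x2)
            v->op = Op::Add; v->child1 = v->child1->child0; return true;
        }
        return false;
    case Op::Neg:
        if (v->child0->op == Op::Sub) {                 // Neg(Sub(x1, x2)) => Sub(x2, x1)
            Value* sub = v->child0; v->op = Op::Sub; v->child0 = sub->child1; v->child1 = sub->child0; return true;
        }
        return false;
    case Op::Add:
        if (v->child0->op == Op::Neg) {                 // Add(Neg(x1), x2) => Sub(x2, x1)
            Value* x1 = v->child0->child0; v->op = Op::Sub; v->child0 = v->child1; v->child1 = x1; return true;
        }
        if (v->child1->op == Op::Neg) {                 // Add(x1, Neg(x2)) => Sub(x1, x2)
            v->op = Op::Sub; v->child1 = v->child1->child0; return true;
        }
        return false;
    case Op::Abs:
        if (v->child0->op == Op::Neg) {                 // Abs(Neg(x)) => Abs(x): the node stays an Abs, it must not become x
            v->child0 = v->child0->child0; return true;
        }
        return false;
    default: return false;
    }
}

// Children first, then this node until no peephole applies.
Value* reduce(Value* v) {
    if (v->child0) reduce(v->child0);
    if (v->child1) reduce(v->child1);
    while (reduceOnce(v)) { }
    return v;
}

// One instance of each pattern: check the resulting shape and that eval() is
// unchanged; the Abs check is what the mistaken Abs(Neg(x)) -> x would fail.
bool peepholesPreserveSemantics() {
    Proc p;
    const std::vector<double> args = {5, 3, -4};
    Value* a = p.arg(0); Value* b = p.arg(1); Value* c = p.arg(2, false);
    Value* subNeg = p.add(Op::Sub, true, a, p.add(Op::Neg, true, b));
    Value* negSub = p.add(Op::Neg, true, p.add(Op::Sub, true, a, b));
    Value* addNeg = p.add(Op::Add, true, p.add(Op::Neg, true, a), b);
    Value* subXX  = p.add(Op::Sub, true, a, a);
    Value* absNeg = p.add(Op::Abs, false, p.add(Op::Neg, false, c));
    for (Value* v : {subNeg, negSub, addNeg, subXX, absNeg}) {
        double before = eval(v, args);
        if (eval(reduce(v), args) != before) return false;
    }
    return subNeg->op == Op::Add
        && negSub->op == Op::Sub && negSub->child0 == b && negSub->child1 == a
        && addNeg->op == Op::Sub && addNeg->child0 == b && addNeg->child1 == a
        && subXX->op == Op::Const && subXX->constant == 0
        && absNeg->op == Op::Abs && absNeg->child0 == c;
}

int main() { return peepholesPreserveSemantics() ? 0 : 1; }
```

        The Sub(x, x) => 0 rule is gated on isInteger for the same reason B3 restricts it to integers: for floating point, NaN - NaN is NaN and inf - inf is NaN, so the rewrite would change the result. The self-check compares eval() before and after each rewrite, which is the kind of test that catches an Abs(Neg(x)) -> x slip.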
1085
1086 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1087
1088         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1089         https://bugs.webkit.org/show_bug.cgi?id=194374
1090
1091         Reviewed by Geoffrey Garen.
1092
1093         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1094         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1095         is more memory efficient.
1096
1097         * runtime/SmallStrings.cpp:
1098         (JSC::SmallStringsStorage::SmallStringsStorage):
1099         (JSC::SmallStrings::SmallStrings):
1100         * runtime/SmallStrings.h:
1101
1102 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1103
1104         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1105         https://bugs.webkit.org/show_bug.cgi?id=194369
1106         <rdar://problem/47813087>
1107
1108         Reviewed by Saam Barati.
1109
1110         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But the value can actually be
1111         JSEmpty if it is in TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1112         constant folding phase.
1113
1114         * dfg/DFGAbstractInterpreterInlines.h:
1115         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1116
1117 2019-02-06  Devin Rousso  <drousso@apple.com>
1118
1119         Web Inspector: DOM: don't send the entire function string with each event listener
1120         https://bugs.webkit.org/show_bug.cgi?id=194293
1121         <rdar://problem/47822809>
1122
1123         Reviewed by Joseph Pecoraro.
1124
1125         * inspector/protocol/DOM.json:
1126
1127         * runtime/JSFunction.h:
1128         Export `calculatedDisplayName`.
1129
1130 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1131
1132         [JSC] PrivateName to PublicName hash table is wasteful
1133         https://bugs.webkit.org/show_bug.cgi?id=194277
1134
1135         Reviewed by Michael Saboff.
1136
1137         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1138         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1139         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1140         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1141
1142         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1143
1144         1. A PrivateName's content should be the same as its PublicName.
1145         2. If a PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1146            the public name should be easily crafted from the given PrivateName.
1147
1148         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1149         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1150
1151         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1152         WebCore.
1153
1154         * builtins/BuiltinNames.cpp:
1155         (JSC::BuiltinNames::BuiltinNames):
1156         * builtins/BuiltinNames.h:
1157         (JSC::BuiltinNames::lookUpPrivateName const):
1158         (JSC::BuiltinNames::getPublicName const):
1159         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1160         (JSC::BuiltinNames::appendExternalName):
1161         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1162         * builtins/BuiltinUtils.h:
1163         * bytecode/BytecodeDumper.cpp:
1164         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1165         * bytecompiler/NodesCodegen.cpp:
1166         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1167         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1168         * parser/Lexer.cpp:
1169         (JSC::Lexer<LChar>::parseIdentifier):
1170         (JSC::Lexer<UChar>::parseIdentifier):
1171         * parser/Parser.cpp:
1172         (JSC::Parser<LexerType>::createGeneratorParameters):
1173         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1174         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1175         (JSC::Parser<LexerType>::parseClassDeclaration):
1176         (JSC::Parser<LexerType>::parseExportDeclaration):
1177         (JSC::Parser<LexerType>::parseMemberExpression):
1178         * parser/ParserArena.h:
1179         (JSC::IdentifierArena::makeIdentifier):
1180         * runtime/CachedTypes.cpp:
1181         (JSC::CachedUniquedStringImpl::encode):
1182         (JSC::CachedUniquedStringImpl::decode const):
1183         * runtime/CommonIdentifiers.cpp:
1184         (JSC::CommonIdentifiers::CommonIdentifiers):
1185         (JSC::CommonIdentifiers::lookUpPrivateName const):
1186         (JSC::CommonIdentifiers::getPublicName const):
1187         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1188         * runtime/CommonIdentifiers.h:
1189         * runtime/ExceptionHelpers.cpp:
1190         (JSC::createUndefinedVariableError):
1191         * runtime/Identifier.cpp:
1192         (JSC::Identifier::dump const):
1193         * runtime/Identifier.h:
1194         * runtime/IdentifierInlines.h:
1195         (JSC::Identifier::fromUid):
1196         * runtime/JSTypedArrayViewPrototype.cpp:
1197         (JSC::JSTypedArrayViewPrototype::finishCreation):
1198         * tools/JSDollarVM.cpp:
1199         (JSC::functionGetPrivateProperty):
1200
1201 2019-02-06  Keith Rollin  <krollin@apple.com>
1202
1203         Really enable the automatic checking and regenerations of .xcfilelists during builds
1204         https://bugs.webkit.org/show_bug.cgi?id=194357
1205         <rdar://problem/47861231>
1206
1207         Reviewed by Chris Dumez.
1208
1209         Bug 194124 was supposed to enable the automatic checking and
1210         regenerating of .xcfilelist files during the build. While related
1211         changes were included in that patch, the change to actually enable the
1212         operation somehow was omitted. This patch actually enables the
1213         operation. The check-xcfilelist.sh scripts now check
1214         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1215         of the checking.
1216
1217         * Scripts/check-xcfilelists.sh:
1218
1219 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1222         https://bugs.webkit.org/show_bug.cgi?id=194339
1223
1224         Reviewed by Michael Saboff.
1225
1226         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1227         They even have the same structure. This patch unifies the subspaces for them.
1228
1229         * runtime/DirectEvalExecutable.h:
1230         * runtime/EvalExecutable.h:
1231         (JSC::EvalExecutable::subspaceFor):
1232         * runtime/IndirectEvalExecutable.h:
1233         * runtime/VM.cpp:
1234         * runtime/VM.h:
1235         (JSC::VM::forEachScriptExecutableSpace):
1236
1237 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1238
1239         [JSC] NativeExecutable should be smaller
1240         https://bugs.webkit.org/show_bug.cgi?id=194331
1241
1242         Reviewed by Michael Saboff.
1243
1244         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1245         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1246         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1247         only takes one MarkedBlock for NativeExecutable.
1248
1249         To make NativeExecutable smaller,
1250
1251         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1252            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1253
1254         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1255            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1256            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1257
1258         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1259            Intrinsic for NativeExecutable.
1260
1261         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1262
1263         * CMakeLists.txt:
1264         * JavaScriptCore.xcodeproj/project.pbxproj:
1265         * bytecode/CallVariant.h:
1266         * interpreter/Interpreter.cpp:
1267         * jit/JITCode.cpp:
1268         (JSC::DirectJITCode::DirectJITCode):
1269         (JSC::NativeJITCode::NativeJITCode):
1270         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1271         * jit/JITCode.h:
1272         (JSC::JITCode::signature const):
1273         (JSC::JITCode::intrinsic):
1274         * jit/JITOperations.cpp:
1275         * jit/JITThunks.cpp:
1276         (JSC::JITThunks::hostFunctionStub):
1277         * jit/Repatch.cpp:
1278         * llint/LLIntSlowPaths.cpp:
1279         * runtime/ExecutableBase.cpp:
1280         (JSC::ExecutableBase::dump const):
1281         (JSC::ExecutableBase::hashFor const):
1282         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1283         (JSC::ExecutableBase::clearCode): Deleted.
1284         * runtime/ExecutableBase.h:
1285         (JSC::ExecutableBase::ExecutableBase):
1286         (JSC::ExecutableBase::isModuleProgramExecutable):
1287         (JSC::ExecutableBase::isHostFunction const):
1288         (JSC::ExecutableBase::generatedJITCodeForCall const):
1289         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1290         (JSC::ExecutableBase::generatedJITCodeFor const):
1291         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1292         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1293         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1294         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1295         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1296         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1297         (JSC::ExecutableBase::intrinsic const): Deleted.
1298         * runtime/ExecutableBaseInlines.h: Added.
1299         (JSC::ExecutableBase::intrinsic const):
1300         (JSC::ExecutableBase::hasJITCodeForCall const):
1301         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1302         * runtime/JSBoundFunction.cpp:
1303         * runtime/JSType.cpp:
1304         (WTF::printInternal):
1305         * runtime/JSType.h:
1306         * runtime/NativeExecutable.cpp:
1307         (JSC::NativeExecutable::create):
1308         (JSC::NativeExecutable::createStructure):
1309         (JSC::NativeExecutable::NativeExecutable):
1310         (JSC::NativeExecutable::signatureFor const):
1311         (JSC::NativeExecutable::intrinsic const):
1312         * runtime/NativeExecutable.h:
1313         * runtime/ScriptExecutable.cpp:
1314         (JSC::ScriptExecutable::ScriptExecutable):
1315         (JSC::ScriptExecutable::clearCode):
1316         (JSC::ScriptExecutable::installCode):
1317         (JSC::ScriptExecutable::hasClearableCode const):
1318         * runtime/ScriptExecutable.h:
1319         (JSC::ScriptExecutable::intrinsic const):
1320         (JSC::ScriptExecutable::hasJITCodeForCall const):
1321         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1322         * runtime/VM.cpp:
1323         (JSC::VM::getHostFunction):
1324
1325 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1326
1327         Build failure after r240431
1328         https://bugs.webkit.org/show_bug.cgi?id=194330
1329
1330         Reviewed by Žan Doberšek.
1331
1332         * API/glib/JSCOptions.cpp:
1333
1334 2019-02-05  Mark Lam  <mark.lam@apple.com>
1335
1336         Fix DFG's doesGC() for a few more nodes.
1337         https://bugs.webkit.org/show_bug.cgi?id=194307
1338         <rdar://problem/47832956>
1339
1340         Reviewed by Yusuke Suzuki.
1341
1342         Fix doesGC() for the following nodes:
1343
1344             NumberToStringWithValidRadixConstant:
1345                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1346                 which can allocate a string.
1347                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1348                 which can allocate a string.
1349                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1350                 which can allocate a string.
1351
1352             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1353                 memory for all kinds of objects.
1354             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1355                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1356                 these allocate memory for the match result.
1357             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1358                 calls RegExpObject's collectMatches(), which allocates an array amongst
1359                 other objects.
1360
1361             StringFromCharCode:
1362                 If the uint32 code to convert is greater than maxSingleCharacterString,
1363                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1364                 which allocates a new string if the code is greater than maxSingleCharacterString.
1365
1366         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1367         to use maxSingleCharacterString instead of a literal constant.
1368
1369         * dfg/DFGDoesGC.cpp:
1370         (JSC::DFG::doesGC):
1371         * dfg/DFGSpeculativeJIT.cpp:
1372         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1373         * ftl/FTLLowerDFGToB3.cpp:
1374         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1375
1376 2019-02-05  Keith Rollin  <krollin@apple.com>
1377
1378         Enable the automatic checking and regenerations of .xcfilelists during builds
1379         https://bugs.webkit.org/show_bug.cgi?id=194124
1380         <rdar://problem/47721277>
1381
1382         Reviewed by Tim Horton.
1383
        Bug 193790 added a facility for checking -- during build time -- that
1385         any needed .xcfilelist files are up-to-date and for updating them if
1386         they are not. This facility was initially opt-in by setting
1387         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
        the process seemed robust. It's now time to enable this facility and
1389         make it opt-out. If there is a need to disable this facility, set and
1390         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1391         running `make` or `build-webkit`, or before running Xcode from the
1392         command line.
1393
1394         Additionally, remove the step that generates a list of source files
        going into the UnifiedSources build step. It's only necessary to
1396         specify Sources.txt and SourcesCocoa.txt as inputs.
1397
1398         * JavaScriptCore.xcodeproj/project.pbxproj:
1399         * UnifiedSources-input.xcfilelist: Removed.
1400
1401 2019-02-05  Keith Rollin  <krollin@apple.com>
1402
1403         Update .xcfilelist files
1404         https://bugs.webkit.org/show_bug.cgi?id=194121
1405         <rdar://problem/47720863>
1406
1407         Reviewed by Tim Horton.
1408
1409         Preparatory to enabling the facility for automatically updating the
1410         .xcfilelist files, check in a freshly-updated set so that not everyone
1411         runs up against having to regenerate them themselves.
1412
1413         * DerivedSources-input.xcfilelist:
1414         * DerivedSources-output.xcfilelist:
1415
1416 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1417
1418         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1419         https://bugs.webkit.org/show_bug.cgi?id=185557
1420
1421         Reviewed by Mark Lam.
1422
1423         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1424         where n is the number of characters in the formatted string.
1425         It may be less memory efficient than the previous impl, since the intermediate Vector
1426         is the length of the string, instead of the count of the fields.
1427
1428         * runtime/IntlNumberFormat.cpp:
1429         (JSC::IntlNumberFormat::formatToParts):
1430         * runtime/IntlNumberFormat.h:
1431
1432 2019-02-05  Mark Lam  <mark.lam@apple.com>
1433
1434         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1435         https://bugs.webkit.org/show_bug.cgi?id=194298
1436         <rdar://problem/47827555>
1437
1438         Reviewed by Saam Barati.
1439
1440         We do this for 3 reasons:
1441         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1442         2. If things change in the future where clobberize() no longer reports these nodes
1443            as write(Heap), each node should be vetted first to make sure that it can never
1444            GC before being moved back to the doesGC() list that returns false.
1445         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1446            correct in its claims about the nodes' GCing possibility.
1447
1448         The list of nodes moved are:
1449
1450             ArrayPush
1451             ArrayPop
1452             Call
1453             CallEval
1454             CallForwardVarargs
1455             CallVarargs
1456             Construct
1457             ConstructForwardVarargs
1458             ConstructVarargs
1459             DefineDataProperty
1460             DefineAccessorProperty
1461             DeleteById
1462             DeleteByVal
1463             DirectCall
1464             DirectConstruct
1465             DirectTailCallInlinedCaller
1466             GetById
1467             GetByIdDirect
1468             GetByIdDirectFlush
1469             GetByIdFlush
1470             GetByIdWithThis
1471             GetByValWithThis
1472             GetDirectPname
1473             GetDynamicVar
1474             HasGenericProperty
1475             HasOwnProperty
1476             HasStructureProperty
1477             InById
1478             InByVal
1479             InstanceOf
1480             InstanceOfCustom
1481             LoadVarargs
1482             NumberToStringWithRadix
1483             PutById
1484             PutByIdDirect
1485             PutByIdFlush
1486             PutByIdWithThis
1487             PutByOffset
1488             PutByValWithThis
1489             PutDynamicVar
1490             PutGetterById
1491             PutGetterByVal
1492             PutGetterSetterById
1493             PutSetterById
1494             PutSetterByVal
1495             PutStack
1496             PutToArguments
1497             RegExpExec
1498             RegExpTest
1499             ResolveScope
1500             ResolveScopeForHoistingFuncDeclInEval
1501             TailCall
1502             TailCallForwardVarargsInlinedCaller
1503             TailCallInlinedCaller
1504             TailCallVarargsInlinedCaller
1505             ToNumber
1506             ToPrimitive
1507             ValueNegate
1508
1509         * dfg/DFGDoesGC.cpp:
1510         (JSC::DFG::doesGC):
1511
1512 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1513
1514         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1515         https://bugs.webkit.org/show_bug.cgi?id=194281
1516
1517         Reviewed by Michael Saboff.
1518
        This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
        moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1521
        Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Converting more Vectors to RefCountedArrays can be done with some restructuring
        of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
        they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1525
1526         * bytecode/CodeBlock.cpp:
1527         (JSC::CodeBlock::finishCreation):
1528         * bytecode/CodeBlock.h:
1529         (JSC::CodeBlock::bitVectors const): Deleted.
1530         * bytecode/CodeType.h:
1531         * bytecode/UnlinkedCodeBlock.cpp:
1532         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1533         (JSC::UnlinkedCodeBlock::shrinkToFit):
1534         * bytecode/UnlinkedCodeBlock.h:
1535         (JSC::UnlinkedCodeBlock::bitVector):
1536         (JSC::UnlinkedCodeBlock::addBitVector):
1537         (JSC::UnlinkedCodeBlock::addSetConstant):
1538         (JSC::UnlinkedCodeBlock::constantRegisters):
1539         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1540         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1541         (JSC::UnlinkedCodeBlock::codeType const):
1542         (JSC::UnlinkedCodeBlock::didOptimize const):
1543         (JSC::UnlinkedCodeBlock::setDidOptimize):
1544         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1545         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1546         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1547         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1548         * bytecompiler/BytecodeGenerator.cpp:
1549         (JSC::BytecodeGenerator::emitLoad):
1550         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1551         * bytecompiler/BytecodeGenerator.h:
1552         * runtime/CachedTypes.cpp:
1553         (JSC::CachedCodeBlockRareData::encode):
1554         (JSC::CachedCodeBlockRareData::decode const):
1555         (JSC::CachedCodeBlock::scopeRegister const):
1556         (JSC::CachedCodeBlock::codeType const):
1557         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1558         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1559         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1560         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1561
1562 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1563
1564         Unreviewed, add missing exception checks after r240637
1565         https://bugs.webkit.org/show_bug.cgi?id=193546
1566
1567         * tools/JSDollarVM.cpp:
1568         (JSC::functionShadowChickenFunctionsOnStack):
1569
1570 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1571
1572         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1573         https://bugs.webkit.org/show_bug.cgi?id=193993
1574
1575         Reviewed by Keith Miller.
1576
        JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
        And some of them are rarely used. We should allocate them lazily.
1579
1580         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1581         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1582         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1583         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes second template
1584         parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
1585         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1586         by using WTF::storeStoreFence when lazily allocating it.
1587
1588         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
        existence of the space before touching it. This is not racy because the main thread is stopped when
1590         the constraint solving is working.
1591
1592         This changes sizeof(VM) from 64736 to 56472.
1593
1594         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
        `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
        collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
        dynamically created ones since the requirement of pre-allocation poses a scalability problem
        for IsoSubspace adoption because IsoSubspace is large. Registered Subspaces are only touched in the
        EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
        can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1601
1602         * API/JSCallbackFunction.h:
1603         * API/ObjCCallbackFunction.h:
1604         (JSC::ObjCCallbackFunction::subspaceFor):
1605         * API/glib/JSCCallbackFunction.h:
1606         * CMakeLists.txt:
1607         * JavaScriptCore.xcodeproj/project.pbxproj:
1608         * bytecode/CodeBlock.cpp:
1609         (JSC::CodeBlock::visitChildren):
1610         (JSC::CodeBlock::finalizeUnconditionally):
1611         * bytecode/CodeBlock.h:
1612         * bytecode/EvalCodeBlock.h:
1613         * bytecode/ExecutableToCodeBlockEdge.h:
1614         * bytecode/FunctionCodeBlock.h:
1615         * bytecode/ModuleProgramCodeBlock.h:
1616         * bytecode/ProgramCodeBlock.h:
1617         * bytecode/UnlinkedFunctionExecutable.cpp:
1618         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1619         * bytecode/UnlinkedFunctionExecutable.h:
1620         * dfg/DFGSpeculativeJIT.cpp:
1621         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1622         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1623         (JSC::DFG::SpeculativeJIT::compileNewObject):
1624         * ftl/FTLLowerDFGToB3.cpp:
1625         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1626         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1627         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1628         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1629         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1630         * heap/Heap.cpp:
1631         (JSC::Heap::finalizeUnconditionalFinalizers):
1632         (JSC::Heap::deleteAllCodeBlocks):
1633         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1634         (JSC::Heap::addCoreConstraints):
1635         * heap/Subspace.cpp:
1636         (JSC::Subspace::initialize):
1637         * jit/AssemblyHelpers.h:
1638         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1639         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1640         * jit/JITOpcodes.cpp:
1641         (JSC::JIT::emit_op_new_object):
1642         * jit/JITOpcodes32_64.cpp:
1643         (JSC::JIT::emit_op_new_object):
1644         * runtime/DirectArguments.h:
1645         * runtime/DirectEvalExecutable.h:
1646         * runtime/ErrorInstance.h:
1647         (JSC::ErrorInstance::subspaceFor):
1648         * runtime/ExecutableBase.h:
1649         * runtime/FunctionExecutable.h:
1650         * runtime/IndirectEvalExecutable.h:
1651         * runtime/InferredValue.cpp:
1652         (JSC::InferredValue::visitChildren):
1653         * runtime/InferredValue.h:
1654         * runtime/InferredValueInlines.h:
1655         (JSC::InferredValue::finalizeUnconditionally):
1656         * runtime/InternalFunction.h:
1657         * runtime/JSAsyncFunction.h:
1658         * runtime/JSAsyncGeneratorFunction.h:
1659         * runtime/JSBoundFunction.h:
1660         * runtime/JSCell.h:
1661         (JSC::subspaceFor):
1662         (JSC::subspaceForConcurrently):
1663         * runtime/JSCellInlines.h:
1664         (JSC::allocatorForNonVirtualConcurrently):
1665         * runtime/JSCustomGetterSetterFunction.h:
1666         * runtime/JSDestructibleObject.h:
1667         * runtime/JSFunction.h:
1668         * runtime/JSGeneratorFunction.h:
1669         * runtime/JSImmutableButterfly.h:
1670         * runtime/JSLexicalEnvironment.h:
1671         (JSC::JSLexicalEnvironment::subspaceFor):
1672         * runtime/JSNativeStdFunction.h:
1673         * runtime/JSSegmentedVariableObject.h:
1674         * runtime/JSString.h:
1675         * runtime/ModuleProgramExecutable.h:
1676         * runtime/NativeExecutable.h:
1677         * runtime/ProgramExecutable.h:
1678         * runtime/PropertyMapHashTable.h:
1679         * runtime/ProxyRevoke.h:
1680         * runtime/ScopedArguments.h:
1681         * runtime/ScriptExecutable.cpp:
1682         (JSC::ScriptExecutable::clearCode):
1683         (JSC::ScriptExecutable::installCode):
1684         * runtime/Structure.h:
1685         * runtime/StructureRareData.h:
1686         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1687         * runtime/VM.cpp:
1688         (JSC::VM::VM):
1689         * runtime/VM.h:
1690         (JSC::VM::SpaceAndSet::SpaceAndSet):
1691         (JSC::VM::SpaceAndSet::setFor):
1692         (JSC::VM::forEachScriptExecutableSpace):
1693         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1694         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1695         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1696         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1697         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1698         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1699         * runtime/WeakMapImpl.h:
1700         (JSC::WeakMapImpl::subspaceFor):
1701         * wasm/js/JSWebAssemblyCodeBlock.h:
1702         * wasm/js/JSWebAssemblyMemory.h:
1703         * wasm/js/WebAssemblyFunction.h:
1704         * wasm/js/WebAssemblyWrapperFunction.h:
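
        The ensure/concurrent split described in this entry, as an added example that is not JSC's code: Space,
        LazySpaces, ensure(), concurrently() and bookkeepingBytes() are illustrative stand-ins, the 504-byte block
        models the per-IsoSubspace cost quoted above, and a C++ release store / acquire load pair stands in for
        WTF::storeStoreFence.

```cpp
#include <array>
#include <atomic>
#include <cstddef>
#include <memory>

// Toy stand-in for IsoSubspace (added example, not JSC code): the bookkeeping is modeled as a
// fixed 504-byte block, the per-IsoSubspace cost quoted in the entry.
struct Space {
    std::size_t cellSize;
    std::array<char, 504> bookkeeping{};
    explicit Space(std::size_t size) : cellSize(size) {}
};

// A few rarely used subspaces; the names are illustrative.
enum class SpaceKind : std::size_t { WeakMap, ProxyRevoke, BoundFunction, Count };

struct LazySpaces {
    static constexpr std::size_t count = static_cast<std::size_t>(SpaceKind::Count);
    // Published pointers: the main thread is the only writer, concurrent tiers only read.
    std::array<std::atomic<Space*>, count> published{};
    // Ownership, touched by the main thread only.
    std::array<std::unique_ptr<Space>, count> owned;

    // Main thread only (the ensureXXXSpace role): allocate on first use. The release store plays
    // the part of WTF::storeStoreFence: a reader that sees the pointer also sees the constructed Space.
    Space& ensure(SpaceKind kind, std::size_t cellSize) {
        auto i = static_cast<std::size_t>(kind);
        if (Space* existing = published[i].load(std::memory_order_relaxed))
            return *existing;
        owned[i] = std::make_unique<Space>(cellSize);
        published[i].store(owned[i].get(), std::memory_order_release);
        return *owned[i];
    }

    // Concurrent JIT tiers (the subspaceForConcurrently role): never allocate. nullptr means
    // "not created yet", and the caller must take its slow path instead of inlining an allocation.
    Space* concurrently(SpaceKind kind) const {
        return published[static_cast<std::size_t>(kind)].load(std::memory_order_acquire);
    }

    // GC constraint solving: visit only the spaces that exist. No further synchronization is needed
    // because, as the entry says, the main thread is stopped while constraints are solved.
    std::size_t bookkeepingBytes() const {
        std::size_t total = 0;
        for (const auto& slot : published)
            if (const Space* space = slot.load(std::memory_order_acquire))
                total += space->bookkeeping.size();
        return total;
    }
};
```

        Before ensure() runs for a kind, concurrently() returns nullptr and the GC visitor skips that slot; after it
        runs, both see the same Space, and a second ensure() for the same kind returns it without allocating again.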
1705
1706 2019-02-04  Keith Miller  <keith_miller@apple.com>
1707
1708         Change llint operand macros to inline functions
1709         https://bugs.webkit.org/show_bug.cgi?id=194248
1710
1711         Reviewed by Mark Lam.
1712
1713         * llint/LLIntSlowPaths.cpp:
1714         (JSC::LLInt::getNonConstantOperand):
1715         (JSC::LLInt::getOperand):
1716         (JSC::LLInt::llint_trace_value):
1717         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1718         (JSC::LLInt::getByVal):
1719         (JSC::LLInt::genericCall):
1720         (JSC::LLInt::varargsSetup):
1721         (JSC::LLInt::commonCallEval):
1722
1723 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1724
1725         when lowering AssertNotEmpty, create the value before creating the patchpoint
1726         https://bugs.webkit.org/show_bug.cgi?id=194231
1727
1728         Reviewed by Saam Barati.
1729
1730         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1731         AssertNotEmpty was generating some such IR, it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1732
1733         * ftl/FTLLowerDFGToB3.cpp:
1734         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1735
1736 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1737
1738         [JSC] ExecutableToCodeBlockEdge should be smaller
1739         https://bugs.webkit.org/show_bug.cgi?id=194244
1740
1741         Reviewed by Michael Saboff.
1742
        ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
        sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
        Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
        it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.

        In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
        since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
        ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
1751
1752         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
1753         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
1754         does not touch it if it is called in non-main threads).
1755
1756         * bytecode/ExecutableToCodeBlockEdge.cpp:
1757         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1758         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1759         (JSC::ExecutableToCodeBlockEdge::activate):
1760         (JSC::ExecutableToCodeBlockEdge::deactivate):
1761         (JSC::ExecutableToCodeBlockEdge::isActive const):
1762         * bytecode/ExecutableToCodeBlockEdge.h:
1763         * runtime/JSCell.h:
1764         * runtime/JSCellInlines.h:
1765         (JSC::JSCell::perCellBit const):
1766         (JSC::JSCell::setPerCellBit):
1767         (JSC::JSCell::mayBePrototype const): Deleted.
1768         (JSC::JSCell::didBecomePrototype): Deleted.
1769         * runtime/JSObject.cpp:
1770         (JSC::JSObject::setPrototypeDirect):
1771         * runtime/JSObject.h:
1772         * runtime/JSObjectInlines.h:
1773         (JSC::JSObject::mayBePrototype const):
1774         (JSC::JSObject::didBecomePrototype):
1775         * runtime/JSTypeInfo.h:
1776         (JSC::TypeInfo::perCellBit):
1777         (JSC::TypeInfo::mergeInlineTypeFlags):
1778         (JSC::TypeInfo::mayBePrototype): Deleted.
1779
1780 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1781
1782         [JSC] Shrink size of FunctionExecutable
1783         https://bugs.webkit.org/show_bug.cgi?id=194191
1784
1785         Reviewed by Michael Saboff.
1786
1787         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
1788         improves the allocation efficiency.
1789
1790         1. ScriptExecutable (base class of FunctionExecutable) has several members, but it is meaningful only in FunctionExecutable.
1791            We remove this from ScriptExecutable, and move it to FunctionExecutable.
1792
        2. FunctionExecutable has several pieces of data that are rarely used. One is for the FunctionOverrides functionality, which is typically
           used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
           the size of FunctionExecutable in the common case.
1796
1797         This patch changes the size of FunctionExecutable from 176 to 144.
1798
1799         * bytecode/CodeBlock.cpp:
1800         (JSC::CodeBlock::dumpSource):
1801         (JSC::CodeBlock::finishCreation):
1802         * dfg/DFGNode.h:
1803         (JSC::DFG::Node::OpInfoWrapper::as const):
1804         * interpreter/StackVisitor.cpp:
1805         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1806         * runtime/ExecutableBase.h:
1807         * runtime/FunctionExecutable.cpp:
1808         (JSC::FunctionExecutable::FunctionExecutable):
1809         (JSC::FunctionExecutable::ensureRareDataSlow):
1810         * runtime/FunctionExecutable.h:
1811         * runtime/Intrinsic.h:
1812         * runtime/ModuleProgramExecutable.cpp:
1813         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1814         * runtime/ProgramExecutable.cpp:
1815         (JSC::ProgramExecutable::ProgramExecutable):
1816         * runtime/ScriptExecutable.cpp:
1817         (JSC::ScriptExecutable::ScriptExecutable):
1818         (JSC::ScriptExecutable::overrideLineNumber const):
1819         (JSC::ScriptExecutable::typeProfilingStartOffset const):
1820         (JSC::ScriptExecutable::typeProfilingEndOffset const):
1821         * runtime/ScriptExecutable.h:
1822         (JSC::ScriptExecutable::firstLine const):
1823         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
1824         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
1825         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
1826         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
1827         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
1828         * runtime/StackFrame.cpp:
1829         (JSC::StackFrame::computeLineAndColumn const):
1830         * tools/JSDollarVM.cpp:
1831         (JSC::functionReturnTypeFor):
1832
1833 2019-02-04  Mark Lam  <mark.lam@apple.com>
1834
1835         DFG's doesGC() is incorrect about the SameValue node's behavior.
1836         https://bugs.webkit.org/show_bug.cgi?id=194211
1837         <rdar://problem/47608913>
1838
1839         Reviewed by Saam Barati.
1840
1841         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
1842         it calls operationSameValue() which may allocate memory for resolving ropes.
1843
1844         * dfg/DFGDoesGC.cpp:
1845         (JSC::DFG::doesGC):
1846
1847 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
1848
1849         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
1850         https://bugs.webkit.org/show_bug.cgi?id=194031
1851
1852         Reviewed by Saam Barati.
1853
        UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
        This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
        sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
        destroyed if UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
1858
        To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
1860         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
1861
1862         * bytecode/MetadataTable.cpp:
1863         (JSC::MetadataTable::MetadataTable):
1864         (JSC::MetadataTable::~MetadataTable):
1865         * bytecode/UnlinkedCodeBlock.cpp:
1866         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1867         (JSC::UnlinkedCodeBlock::visitChildren):
1868         (JSC::UnlinkedCodeBlock::estimatedSize):
1869         (JSC::UnlinkedCodeBlock::setInstructions):
1870         * bytecode/UnlinkedCodeBlock.h:
1871         (JSC::UnlinkedCodeBlock::metadata):
1872         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
1873         * bytecode/UnlinkedMetadataTable.h:
1874         (JSC::UnlinkedMetadataTable::create):
1875         * bytecode/UnlinkedMetadataTableInlines.h:
1876         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
1877         * runtime/CachedTypes.cpp:
1878         (JSC::CachedMetadataTable::decode const):
1879         (JSC::CachedCodeBlock::metadata const):
1880         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1881         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1882         (JSC::CachedCodeBlock<CodeBlockType>::encode):
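
        The destruction-order hazard and the strong-ref fix described in this entry, as an added example that is not
        JSC's code: UnlinkedTable, LinkedTable, the cell structs, sweep() and the destruction log are illustrative
        stand-ins, and std::shared_ptr stands in for WTF::RefCounted.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy stand-ins for UnlinkedMetadataTable / MetadataTable (added example, not JSC code).
// A shared destruction log lets a test observe the order in which the tables die.
std::vector<std::string>& destructionLog() {
    static std::vector<std::string> log;
    return log;
}

// The "unlinked" table owns the layout (offsets) that every linked table is interpreted with.
struct UnlinkedTable {
    std::vector<std::uint32_t> offsets;
    explicit UnlinkedTable(std::vector<std::uint32_t> o) : offsets(std::move(o)) {}
    ~UnlinkedTable() { destructionLog().push_back("unlinked"); }
};

// The "linked" table holds a strong ref to its unlinked table, as the fix does with RefCounted.
// Its destructor may therefore still read the unlinked table, whatever order the sweep uses.
// With a raw back-pointer instead, the same read would be a use-after-free when the
// UnlinkedCodeBlock cell happens to be swept first.
struct LinkedTable {
    std::shared_ptr<UnlinkedTable> unlinked;
    std::vector<std::uint8_t> payload;
    explicit LinkedTable(std::shared_ptr<UnlinkedTable> u)
        : unlinked(std::move(u)), payload(unlinked->offsets.back()) {}
    ~LinkedTable() {
        assert(payload.size() == unlinked->offsets.back()); // safe: the strong ref keeps it alive
        destructionLog().push_back("linked");
    }
};

// Stand-ins for the GC cells: an UnlinkedCodeBlock refs the unlinked table, each CodeBlock owns a linked table.
struct UnlinkedCodeBlockCell { std::shared_ptr<UnlinkedTable> metadata; };
struct CodeBlockCell { std::unique_ptr<LinkedTable> metadata; };

// Simulates a sweep that destroys the three cells in either order and returns the destruction log.
std::vector<std::string> sweep(bool unlinkedCellFirst) {
    destructionLog().clear();
    auto unlinkedCell = std::make_unique<UnlinkedCodeBlockCell>();
    unlinkedCell->metadata = std::make_shared<UnlinkedTable>(std::vector<std::uint32_t>{0, 8, 24});
    auto codeBlockA = std::make_unique<CodeBlockCell>();
    auto codeBlockB = std::make_unique<CodeBlockCell>();
    codeBlockA->metadata = std::make_unique<LinkedTable>(unlinkedCell->metadata);
    codeBlockB->metadata = std::make_unique<LinkedTable>(unlinkedCell->metadata);
    if (unlinkedCellFirst) {
        unlinkedCell.reset(); // the unlinked table survives: two linked tables still ref it
        codeBlockA.reset();
        codeBlockB.reset();   // last ref dropped here, so the unlinked table is destroyed last
    } else {
        codeBlockA.reset();
        codeBlockB.reset();
        unlinkedCell.reset();
    }
    return destructionLog();
}
```

        Whichever cell the simulated sweep destroys first, the log always ends with "unlinked", which is exactly the
        ordering the original raw-pointer design assumed but the GC never guaranteed.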
1883
1884 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
1885
1886         [JSC] Decouple JIT related data from CodeBlock
1887         https://bugs.webkit.org/show_bug.cgi?id=194187
1888
1889         Reviewed by Saam Barati.
1890
        CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
        We have three types of data in CodeBlock.

        1. The data which is always used. CodeBlock needs to hold it.
        2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. The example is profiling.
        3. The data which is used after the JIT compiler starts running for the given CodeBlock.

        This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
        number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
        memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
        in both non-JIT and *JIT* modes.

        JITData is created only when the JIT compiler wants to use it. It can be concurrently created and used, so it is guarded
        by the lock of CodeBlock.
1905
1906         The size of CodeBlock is reduced from 512 to 352.
1907
1908         This patch improves memory footprint and gets 1.1% improvement in RAMification.
1909
1910             Footprint geomean: 36696503 (34.997 MB)
1911             Peak Footprint geomean: 38595988 (36.808 MB)
1912             Score: 37634263 (35.891 MB)
1913
1914             Footprint geomean: 37172768 (35.451 MB)
1915             Peak Footprint geomean: 38978288 (37.173 MB)
1916             Score: 38064824 (36.301 MB)
1917
1918         * bytecode/CodeBlock.cpp:
1919         (JSC::CodeBlock::~CodeBlock):
1920         (JSC::CodeBlock::propagateTransitions):
1921         (JSC::CodeBlock::ensureJITDataSlow):
1922         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1923         (JSC::CodeBlock::getICStatusMap):
1924         (JSC::CodeBlock::addStubInfo):
1925         (JSC::CodeBlock::addJITAddIC):
1926         (JSC::CodeBlock::addJITMulIC):
1927         (JSC::CodeBlock::addJITSubIC):
1928         (JSC::CodeBlock::addJITNegIC):
1929         (JSC::CodeBlock::findStubInfo):
1930         (JSC::CodeBlock::addByValInfo):
1931         (JSC::CodeBlock::addCallLinkInfo):
1932         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
1933         (JSC::CodeBlock::addRareCaseProfile):
1934         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
1935         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1936         (JSC::CodeBlock::resetJITData):
1937         (JSC::CodeBlock::stronglyVisitStrongReferences):
1938         (JSC::CodeBlock::shrinkToFit):
1939         (JSC::CodeBlock::linkIncomingCall):
1940         (JSC::CodeBlock::linkIncomingPolymorphicCall):
1941         (JSC::CodeBlock::unlinkIncomingCalls):
1942         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1943         (JSC::CodeBlock::dumpValueProfiles):
1944         (JSC::CodeBlock::setPCToCodeOriginMap):
1945         (JSC::CodeBlock::findPC):
1946         (JSC::CodeBlock::dumpMathICStats):
1947         * bytecode/CodeBlock.h:
1948         (JSC::CodeBlock::ensureJITData):
1949         (JSC::CodeBlock::setJITCodeMap):
1950         (JSC::CodeBlock::jitCodeMap):
1951         (JSC::CodeBlock::likelyToTakeSlowCase):
1952         (JSC::CodeBlock::couldTakeSlowCase):
1953         (JSC::CodeBlock::lazyOperandValueProfiles):
1954         (JSC::CodeBlock::stubInfoBegin): Deleted.
1955         (JSC::CodeBlock::stubInfoEnd): Deleted.
1956         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
1957         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
1958         (JSC::CodeBlock::jitCodeMap const): Deleted.
1959         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
1960         * bytecode/MethodOfGettingAValueProfile.cpp:
1961         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
1962         (JSC::MethodOfGettingAValueProfile::reportValue):
1963         * dfg/DFGByteCodeParser.cpp:
1964         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1965         * jit/JIT.h:
1966         * jit/JITOperations.cpp:
1967         (JSC::tryGetByValOptimize):
1968         * jit/JITPropertyAccess.cpp:
1969         (JSC::JIT::privateCompileGetByVal):
1970         (JSC::JIT::privateCompilePutByVal):
1971
1972 2018-12-16  Darin Adler  <darin@apple.com>
1973
1974         Convert additional String::format clients to alternative approaches
1975         https://bugs.webkit.org/show_bug.cgi?id=192746
1976
1977         Reviewed by Alexey Proskuryakov.
1978
1979         * inspector/agents/InspectorConsoleAgent.cpp:
1980         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
1981         and FormattedNumber::fixedWidth.
1982
1983 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
1984
1985         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
1986         https://bugs.webkit.org/show_bug.cgi?id=194177
1987
1988         Reviewed by Saam Barati.
1989
1990         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
1991         We can share the IsoSubspace for JSFunction.
1992
1993         * runtime/JSAsyncFunction.h:
1994         * runtime/JSAsyncGeneratorFunction.h:
1995         * runtime/JSGeneratorFunction.h:
1996         * runtime/VM.cpp:
1997         (JSC::VM::VM):
1998         * runtime/VM.h:
1999
2000 2019-02-01  Mark Lam  <mark.lam@apple.com>
2001
2002         Remove invalid assertion in DFG's compileDoubleRep().
2003         https://bugs.webkit.org/show_bug.cgi?id=194130
2004         <rdar://problem/47699474>
2005
2006         Reviewed by Saam Barati.
2007
2008         * dfg/DFGSpeculativeJIT.cpp:
2009         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2010
2011 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2012
2013         [JSC] Unify CodeBlock IsoSubspaces
2014         https://bugs.webkit.org/show_bug.cgi?id=194167
2015
2016         Reviewed by Saam Barati.
2017
2018         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2019         But this is not necessary since:
2020
2021         1. They do not override the classInfo methods.
2022         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock), since the subclasses add no additional fields.
2023
2024         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2025         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2026         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2027
2028         This patch unifies these IsoSubspaces into one.
2029
2030         * bytecode/CodeBlock.cpp:
2031         (JSC::CodeBlock::destroy):
2032         * bytecode/CodeBlock.h:
2033         * bytecode/EvalCodeBlock.cpp:
2034         (JSC::EvalCodeBlock::destroy): Deleted.
2035         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2036         * bytecode/FunctionCodeBlock.cpp:
2037         (JSC::FunctionCodeBlock::destroy): Deleted.
2038         * bytecode/FunctionCodeBlock.h:
2039         * bytecode/GlobalCodeBlock.h:
2040         * bytecode/ModuleProgramCodeBlock.cpp:
2041         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2042         * bytecode/ModuleProgramCodeBlock.h:
2043         * bytecode/ProgramCodeBlock.cpp:
2044         (JSC::ProgramCodeBlock::destroy): Deleted.
2045         * bytecode/ProgramCodeBlock.h:
2046         * interpreter/Interpreter.cpp:
2047         (JSC::Interpreter::execute):
2048         * runtime/VM.cpp:
2049         (JSC::VM::VM):
2050         * runtime/VM.h:
2051         (JSC::VM::forEachCodeBlockSpace):
2052
2053 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2054
2055         Unreviewed, follow-up after r240859
2056         https://bugs.webkit.org/show_bug.cgi?id=194145
2057
2058         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2059         And rename cellDangerousBitsSpace back to cellSpace.
2060
2061         * runtime/JSCellInlines.h:
2062         (JSC::JSCell::subspaceFor):
2063         * runtime/VM.cpp:
2064         (JSC::VM::VM):
2065         * runtime/VM.h:
2066
2067 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2068
2069         [JSC] Remove cellJSValueOOBSpace
2070         https://bugs.webkit.org/show_bug.cgi?id=194145
2071
2072         Reviewed by Mark Lam.
2073
2074         * runtime/JSObject.h:
2075         (JSC::JSObject::subspaceFor): Deleted.
2076         * runtime/VM.cpp:
2077         (JSC::VM::VM):
2078         * runtime/VM.h:
2079
2080 2019-01-31  Mark Lam  <mark.lam@apple.com>
2081
2082         Remove poisoning from CodeBlock and LLInt code.
2083         https://bugs.webkit.org/show_bug.cgi?id=194113
2084
2085         Reviewed by Yusuke Suzuki.
2086
2087         * bytecode/CodeBlock.cpp:
2088         (JSC::CodeBlock::CodeBlock):
2089         (JSC::CodeBlock::~CodeBlock):
2090         (JSC::CodeBlock::setConstantRegisters):
2091         (JSC::CodeBlock::propagateTransitions):
2092         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2093         (JSC::CodeBlock::jettison):
2094         (JSC::CodeBlock::predictedMachineCodeSize):
2095         * bytecode/CodeBlock.h:
2096         (JSC::CodeBlock::vm const):
2097         (JSC::CodeBlock::addConstant):
2098         (JSC::CodeBlock::heap const):
2099         (JSC::CodeBlock::replaceConstant):
2100         * llint/LLIntOfflineAsmConfig.h:
2101         * llint/LLIntSlowPaths.cpp:
2102         (JSC::LLInt::handleHostCall):
2103         (JSC::LLInt::setUpCall):
2104         * llint/LowLevelInterpreter.asm:
2105         * llint/LowLevelInterpreter32_64.asm:
2106         * llint/LowLevelInterpreter64.asm:
2107
2108 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2109
2110         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2111         https://bugs.webkit.org/show_bug.cgi?id=194107
2112
2113         Reviewed by Saam Barati.
2114
2115         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2116         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2117
2118         * CMakeLists.txt:
2119         * DerivedSources.make:
2120         * JavaScriptCore.xcodeproj/project.pbxproj:
2121         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2122         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2123         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2124         (JSC::AsyncFromSyncIteratorPrototype::create):
2125         * runtime/AsyncFromSyncIteratorPrototype.h:
2126
2127 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2128
2129         Fix `runJITThreadLimitTests` in testapi
2130         https://bugs.webkit.org/show_bug.cgi?id=194064
2131         <rdar://problem/46139147>
2132
2133         Reviewed by Mark Lam.
2134
2135         Fix typo where `targetNumberOfThreads` was not being used.
2136
2137         * API/tests/testapi.mm:
2138         (runJITThreadLimitTests):
2139
2140 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2141
2142         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2143         https://bugs.webkit.org/show_bug.cgi?id=194112
2144
2145         Reviewed by Mark Lam.
2146
2147         `testBytecodeCache` does not populate the bytecode cache for the global
2148         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2149
2150         * API/tests/testapi.mm:
2151         (testBytecodeCache):
2152
2153 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2154
2155         Unreviewed, follow-up after r240796
2156
2157         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, the GC can see the broken one
2158         when allocating the InferredValue in FunctionExecutable::finishCreation.
2159
2160         * runtime/FunctionExecutable.cpp:
2161         (JSC::FunctionExecutable::FunctionExecutable):
2162         (JSC::FunctionExecutable::finishCreation):
2163
2164 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2165
2166         [JSC] Do not use InferredValue in non-JIT configuration
2167         https://bugs.webkit.org/show_bug.cgi?id=194084
2168
2169         Reviewed by Saam Barati.
2170
2171         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2172         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2173         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2174         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2175         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2176         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2177         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2178         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2179
2180         * bytecode/ObjectAllocationProfileInlines.h:
2181         (JSC::ObjectAllocationProfile::initializeProfile):
2182         * runtime/FunctionExecutable.cpp:
2183         (JSC::FunctionExecutable::finishCreation):
2184         (JSC::FunctionExecutable::visitChildren):
2185         * runtime/FunctionExecutable.h:
2186         * runtime/InferredValue.cpp:
2187         (JSC::InferredValue::create):
2188         * runtime/JSAsyncFunction.cpp:
2189         (JSC::JSAsyncFunction::create):
2190         * runtime/JSAsyncGeneratorFunction.cpp:
2191         (JSC::JSAsyncGeneratorFunction::create):
2192         * runtime/JSFunction.cpp:
2193         (JSC::JSFunction::create):
2194         * runtime/JSFunctionInlines.h:
2195         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2196         * runtime/JSGeneratorFunction.cpp:
2197         (JSC::JSGeneratorFunction::create):
2198         * runtime/JSSymbolTableObject.h:
2199         (JSC::JSSymbolTableObject::setSymbolTable):
2200         * runtime/SymbolTable.cpp:
2201         (JSC::SymbolTable::finishCreation):
2202         * runtime/VM.cpp:
2203         (JSC::VM::VM):
2204
2205 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2206
2207         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2208         https://bugs.webkit.org/show_bug.cgi?id=194085
2209
2210         Reviewed by Yusuke Suzuki.
2211
2212         r240730 changed ud_itab.py and caused incremental build failures
2213         for Ninja builds.
2214
2215         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2216
2217 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2218
2219         [JSC] Symbol should be in destructibleCellSpace
2220         https://bugs.webkit.org/show_bug.cgi?id=194082
2221
2222         Reviewed by Saam Barati.
2223
2224         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2225         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2226         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2227         Symbol's space destructibleCellSpace so that the destructor is appropriately called.
2228
2229         * runtime/Symbol.h:
2230
2231 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2232
2233         Unreviewed, rolling out r240755.
2234
2235         This was not correct.
2236
2237         Reverted changeset:
2238
2239         "Unreviewed, fix GCC build after r240730"
2240         https://bugs.webkit.org/show_bug.cgi?id=194041
2241         https://trac.webkit.org/changeset/240755
2242
2243 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2244
2245         Unreviewed, fix GCC build after r240730
2246         https://bugs.webkit.org/show_bug.cgi?id=194041
2247         <rdar://problem/47680981>
2248
2249         * disassembler/udis86/ud_itab.py:
2250         (UdItabGenerator.genOpcodeTablesLookupIndex):
2251
2252 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2253
2254         testapi's `testBytecodeCache` does not need to run the code twice
2255         https://bugs.webkit.org/show_bug.cgi?id=194046
2256
2257         Reviewed by Mark Lam.
2258
2259         Since we populate the cache eagerly (unlike the stress tests) we don't
2260         need to run the code twice.
2261
2262         * API/tests/testapi.mm:
2263         (testBytecodeCache):
2264
2265 2019-01-30  Saam barati  <sbarati@apple.com>
2266
2267         [WebAssembly] Change BBQ to generate Air IR
2268         https://bugs.webkit.org/show_bug.cgi?id=191802
2269         <rdar://problem/47651718>
2270
2271         Reviewed by Keith Miller.
2272
2273         This patch adds a new Wasm compiler for the BBQ tier. Instead
2274         of compiling using B3-01, we now generate Air code directly.
2275         The goal of doing this was to speed up compile times for Wasm
2276         programs.
2277         
2278         This patch provides us with a 20-30% compile time speedup. However, I
2279         have ideas on how to improve compile times even further. For example,
2280         we should probably implement a faster-running register allocator:
2281         https://bugs.webkit.org/show_bug.cgi?id=194036
2282         
2283         We can also improve on the code we generate.
2284         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2285         And we should do better instruction selection in various
2286         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2287
2288         * JavaScriptCore.xcodeproj/project.pbxproj:
2289         * Sources.txt:
2290         * b3/B3LowerToAir.cpp:
2291         * b3/B3StackmapSpecial.h:
2292         * b3/air/AirCode.cpp:
2293         (JSC::B3::Air::Code::emitDefaultPrologue):
2294         * b3/air/AirCode.h:
2295         * b3/air/AirTmp.h:
2296         (JSC::B3::Air::Tmp::Tmp):
2297         * runtime/Options.h:
2298         * wasm/WasmAirIRGenerator.cpp: Added.
2299         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2300         (JSC::Wasm::TypedTmp::TypedTmp):
2301         (JSC::Wasm::TypedTmp::operator== const):
2302         (JSC::Wasm::TypedTmp::operator!= const):
2303         (JSC::Wasm::TypedTmp::operator bool const):
2304         (JSC::Wasm::TypedTmp::operator Tmp const):
2305         (JSC::Wasm::TypedTmp::operator Arg const):
2306         (JSC::Wasm::TypedTmp::tmp const):
2307         (JSC::Wasm::TypedTmp::type const):
2308         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2309         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2310         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2311         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2312         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2313         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2314         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2315         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2316         (JSC::Wasm::AirIRGenerator::emptyExpression):
2317         (JSC::Wasm::AirIRGenerator::fail const):
2318         (JSC::Wasm::AirIRGenerator::setParser):
2319         (JSC::Wasm::AirIRGenerator::toTmpVector):
2320         (JSC::Wasm::AirIRGenerator::validateInst):
2321         (JSC::Wasm::AirIRGenerator::extractArg):
2322         (JSC::Wasm::AirIRGenerator::append):
2323         (JSC::Wasm::AirIRGenerator::appendEffectful):
2324         (JSC::Wasm::AirIRGenerator::newTmp):
2325         (JSC::Wasm::AirIRGenerator::g32):
2326         (JSC::Wasm::AirIRGenerator::g64):
2327         (JSC::Wasm::AirIRGenerator::f32):
2328         (JSC::Wasm::AirIRGenerator::f64):
2329         (JSC::Wasm::AirIRGenerator::tmpForType):
2330         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2331         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2332         (JSC::Wasm::AirIRGenerator::emitCheck):
2333         (JSC::Wasm::AirIRGenerator::emitCCall):
2334         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2335         (JSC::Wasm::AirIRGenerator::instanceValue):
2336         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2337         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2338         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2339         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2340         (JSC::Wasm::AirIRGenerator::emitThrowException):
2341         (JSC::Wasm::AirIRGenerator::addLocal):
2342         (JSC::Wasm::AirIRGenerator::addConstant):
2343         (JSC::Wasm::AirIRGenerator::addArguments):
2344         (JSC::Wasm::AirIRGenerator::getLocal):
2345         (JSC::Wasm::AirIRGenerator::addUnreachable):
2346         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2347         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2348         (JSC::Wasm::AirIRGenerator::setLocal):
2349         (JSC::Wasm::AirIRGenerator::getGlobal):
2350         (JSC::Wasm::AirIRGenerator::setGlobal):
2351         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2352         (JSC::Wasm::sizeOfLoadOp):
2353         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2354         (JSC::Wasm::AirIRGenerator::load):
2355         (JSC::Wasm::sizeOfStoreOp):
2356         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2357         (JSC::Wasm::AirIRGenerator::store):
2358         (JSC::Wasm::AirIRGenerator::addSelect):
2359         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2360         (JSC::Wasm::AirIRGenerator::addLoop):
2361         (JSC::Wasm::AirIRGenerator::addTopLevel):
2362         (JSC::Wasm::AirIRGenerator::addBlock):
2363         (JSC::Wasm::AirIRGenerator::addIf):
2364         (JSC::Wasm::AirIRGenerator::addElse):
2365         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2366         (JSC::Wasm::AirIRGenerator::addReturn):
2367         (JSC::Wasm::AirIRGenerator::addBranch):
2368         (JSC::Wasm::AirIRGenerator::addSwitch):
2369         (JSC::Wasm::AirIRGenerator::endBlock):
2370         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2371         (JSC::Wasm::AirIRGenerator::addCall):
2372         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2373         (JSC::Wasm::AirIRGenerator::unify):
2374         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2375         (JSC::Wasm::AirIRGenerator::dump):
2376         (JSC::Wasm::AirIRGenerator::origin):
2377         (JSC::Wasm::parseAndCompileAir):
2378         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2379         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2380         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2381         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2382         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2383         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2384         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2385         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2386         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2387         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2388         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2389         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2390         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2391         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2392         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2393         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2394         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2395         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2396         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2397         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2398         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2399         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2400         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2401         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2402         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2403         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2404         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2405         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2406         (JSC::Wasm::AirIRGenerator::addShift):
2407         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2408         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2409         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2410         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2411         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2412         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2413         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2414         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2415         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2416         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2417         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2418         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2419         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2420         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2421         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2422         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2423         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2424         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2425         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2426         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2427         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2428         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2429         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2430         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2431         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2432         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2433         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2434         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2435         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2436         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2437         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2438         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2439         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2440         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2441         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2442         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2443         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2444         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2445         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2446         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2447         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2448         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2449         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2450         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2451         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2452         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2453         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2454         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2455         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2456         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2457         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2458         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2459         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2460         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2461         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2462         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2463         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2464         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2465         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2466         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2467         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2468         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2469         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2470         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2471         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2472         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2473         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2474         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2475         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2476         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2477         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2478         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2479         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2480         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2481         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2482         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2483         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2484         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2485         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2486         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2487         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2488         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2489         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2490         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2491         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2492         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2493         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2494         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2495         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2496         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2497         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2498         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2499         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2500         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2501         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2502         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2503         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2504         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2505         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2506         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2507         * wasm/WasmAirIRGenerator.h: Added.
2508         * wasm/WasmB3IRGenerator.cpp:
2509         (JSC::Wasm::B3IRGenerator::emptyExpression):
2510         * wasm/WasmBBQPlan.cpp:
2511         (JSC::Wasm::BBQPlan::compileFunctions):
2512         * wasm/WasmCallingConvention.cpp:
2513         (JSC::Wasm::jscCallingConventionAir):
2514         (JSC::Wasm::wasmCallingConventionAir):
2515         * wasm/WasmCallingConvention.h:
2516         (JSC::Wasm::CallingConvention::CallingConvention):
2517         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2518         (JSC::Wasm::CallingConvention::marshallArgument const):
2519         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2520         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2521         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2522         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2523         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2524         (JSC::Wasm::CallingConventionAir::loadArguments const):
2525         (JSC::Wasm::CallingConventionAir::setupCall const):
2526         (JSC::Wasm::nextJSCOffset):
2527         * wasm/WasmFunctionParser.h:
2528         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2529         * wasm/WasmValidate.cpp:
2530         (JSC::Wasm::Validate::emptyExpression):
2531
2532 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2533
2534         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2535         https://bugs.webkit.org/show_bug.cgi?id=194050
2536         <rdar://problem/47595592>
2537
2538         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2539         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2540
2541         Reviewed by Yusuke Suzuki.
2542
2543         * ftl/FTLOperations.cpp:
2544         (JSC::FTL::operationMaterializeObjectInOSR):
2545
2546 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2547
2548         Remove assertion that CachedSymbolTables should have no RareData
2549         https://bugs.webkit.org/show_bug.cgi?id=194037
2550
2551         Reviewed by Mark Lam.
2552
2553         It turns out that we don't need to cache the SymbolTableRareData and
2554         we should not assert that it's empty.
2555
2556         * runtime/CachedTypes.cpp:
2557         (JSC::CachedSymbolTable::encode):
2558
2559 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2560
2561         CachedBytecode's move constructor should not call `freeDataIfOwned`
2562         https://bugs.webkit.org/show_bug.cgi?id=194045
2563
2564         Reviewed by Mark Lam.
2565
2566         That might result in freeing a garbage value.
2567
2568         * parser/SourceProvider.h:
2569         (JSC::CachedBytecode::CachedBytecode):
2570
2571 2019-01-30  Keith Miller  <keith_miller@apple.com>
2572
2573         mul32 should convert powers of 2 to an lshift
2574         https://bugs.webkit.org/show_bug.cgi?id=193957
2575
2576         Reviewed by Yusuke Suzuki.
2577
2578         * assembler/MacroAssembler.h:
2579         (JSC::MacroAssembler::mul32):
2580         * assembler/testmasm.cpp:
2581         (JSC::int32Operands):
2582         (JSC::testMul32WithImmediates):
2583         (JSC::run):
2584
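The power-of-two strength reduction this entry describes, as an added example in standalone C++ that is not JavaScriptCore's MacroAssembler::mul32 or testmasm code: powerOfTwoShift, mul32Wrapping, mul32Reduced and reductionMatchesForAll are hypothetical names, and the operand and immediate tables are constructed here.

```cpp
// Added example, not JavaScriptCore's MacroAssembler code: the power-of-two
// strength reduction the entry describes, emulated in plain C++ so the
// equivalence with a wrapping multiply can be checked. All names hypothetical.
#include <cstdint>
#include <optional>

// If imm is a power of two, return k with imm == 1u << k; otherwise nullopt.
// 0 is not a power of two (x * 0 is not a shift); 1 is 2^0 (shift by 0).
// 0x80000000 is 2^31: under 32-bit wraparound, x * 0x80000000 == x << 31
// whether the immediate is read as +2^31 or as INT32_MIN.
std::optional<unsigned> powerOfTwoShift(uint32_t imm)
{
    if (imm == 0 || (imm & (imm - 1)) != 0)
        return std::nullopt;
    unsigned k = 0;
    while ((uint32_t{1} << k) != imm)
        ++k;
    return k;
}

// What a plain (non-overflow-checking) mul32 computes: the low 32 bits of the product.
uint32_t mul32Wrapping(uint32_t x, uint32_t imm)
{
    return x * imm; // unsigned multiply wraps modulo 2^32 by definition
}

// The reduced form: a left shift when imm is a power of two, else a multiply.
// Only valid for a plain multiply: a multiply that must report signed overflow
// (e.g. a branch on overflow) cannot be replaced by a shift, since the shift
// does not establish the same overflow condition.
uint32_t mul32Reduced(uint32_t x, uint32_t imm)
{
    if (auto k = powerOfTwoShift(imm))
        return x << *k;
    return x * imm;
}

// Check the reduction against the wrapping multiply over operands and
// immediates chosen to cover the edge cases (0, 1, 2^31, all-ones, non-powers).
// The tables are constructed for this example, in the spirit of the
// int32Operands helper the entry lists in testmasm.cpp.
bool reductionMatchesForAll()
{
    static const uint32_t operands[] = {
        0u, 1u, 2u, 3u, 42u, 0x12345678u, 0x7fffffffu, 0x80000000u, 0xffffffffu
    };
    static const uint32_t immediates[] = {
        0u, 1u, 2u, 4u, 8u, 1024u, 0x40000000u, 0x80000000u, 3u, 6u, 0xffffffffu
    };
    for (uint32_t x : operands) {
        for (uint32_t imm : immediates) {
            if (mul32Reduced(x, imm) != mul32Wrapping(x, imm))
                return false;
        }
    }
    return true;
}
```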
2585 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2586
2587         [JSC] Make disassembler data structures constant read-only data
2588         https://bugs.webkit.org/show_bug.cgi?id=194041
2589
2590         Reviewed by Mark Lam.
2591
2592         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2593         This patch makes them "const".
2594
2595         * disassembler/ARM64/A64DOpcode.cpp:
2596         * disassembler/udis86/ud_itab.py:
2597         (UdItabGenerator.genOpcodeTablesLookupIndex):
2598         (UdItabGenerator.genInsnTable):
2599         (UdItabGenerator.genMnemonicsList):
2600         (genItabH):
2601         * disassembler/udis86/udis86_decode.h:
2602         * disassembler/udis86/udis86_syn.c:
2603         * disassembler/udis86/udis86_syn.h:
2604         * disassembler/udis86/udis86_types.h:
2605
2606 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2607
2608         Unreviewed, update the builtin test results
2609         https://bugs.webkit.org/show_bug.cgi?id=194015
2610
2611         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2612         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2613         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2614         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2615         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2616         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2617         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2618         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2619         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2620         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2621         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2622         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2623         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2624
2625 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2626
2627         [JSC] Make global static variables "const" as much as possible
2628         https://bugs.webkit.org/show_bug.cgi?id=194015
2629
2630         Reviewed by Mark Lam.
2631
2632         Some of global static variables are not "const". For example, `static const char* name = ...`
2633         is not constant variable. We should make it `static const char* const name = ...`.
2634
2635         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2636         (generate_externs_for_object):
2637         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2638         (generate_externs_for_object):
2639         * Scripts/wkbuiltins/builtins_generator.py:
2640         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2641         * assembler/MacroAssembler.h:
2642         (JSC::MacroAssembler::additionBlindedConstant):
2643         * b3/air/AirFormTable.h:
2644         * b3/air/opcode_generator.rb:
2645         * runtime/JSObject.cpp:
2646         (JSC::JSObject::visitButterfly):
2647         * tools/CodeProfile.cpp:
2648         * tools/CodeProfile.h:
2649
2650 2019-01-29  Keith Miller  <keith_miller@apple.com>
2651
2652         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2653         https://bugs.webkit.org/show_bug.cgi?id=194000
2654         <rdar://problem/47642894>
2655
2656         Reviewed by Mark Lam.
2657
2658         default constructor is unused and
2659         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2660         data member which causes sadness.
2661
2662         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2663
2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>

        Remove FIXME for Annex B.3.5's "for-of var" subcase.

        Rubber-stamped by Yusuke Suzuki.

        This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.

        * parser/Parser.h:
        (JSC::Parser::declareHoistedVariable):

2019-01-29  Mark Lam  <mark.lam@apple.com>

        Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
        https://bugs.webkit.org/show_bug.cgi?id=132333

        Reviewed by Yusuke Suzuki.

        * bytecode/InstructionStream.h:
        (JSC::InstructionStreamWriter::write):
        - The 32-bit write() function need not invert the order of the bytes written to
          the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
          be written is already in big endian order for CPU(BIG_ENDIAN) platforms.

        * llint/LLIntOfflineAsmConfig.h:
        - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.

2019-01-29  Mark Lam  <mark.lam@apple.com>

        ValueRecovery::recover() should purify NaN values it recovers.
        https://bugs.webkit.org/show_bug.cgi?id=193978
        <rdar://problem/47625488>

        Reviewed by Saam Barati.

        According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
        recovered DoubleDisplacedInJSStack values need to be purified.
        ValueRecovery::recover() should do the same.

        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::recover const):

2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FTL should handle LocalAllocator*
        https://bugs.webkit.org/show_bug.cgi?id=193980

        Reviewed by Saam Barati.

        At some point, Allocator holds LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
        because the FTL still uses the incoming value as a 32-bit integer there.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):

2019-01-29  Keith Rollin  <krollin@apple.com>

        Add .xcfilelists to Run Script build phases
        https://bugs.webkit.org/show_bug.cgi?id=193792
        <rdar://problem/47201785>

        Reviewed by Alex Christensen.

        As part of supporting XCBuild, update the necessary Run Script build
        phases in their Xcode projects to refer to their associated
        .xcfilelist files.

        Note that the addition of these files bumps the Xcode project version
        number to something that's Xcode 10 compatible. This change means that
        older versions of the Xcode IDE can't read these projects. Nor can they
        fully load workspaces that refer to these projects (the updated
        projects are shown as non-expandable placeholders). `xcodebuild` can
        still build these projects; it's just that the IDE can't open them.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Check for negative zero instead of just zero
        https://bugs.webkit.org/show_bug.cgi?id=193689

        Reviewed by Mark Lam.

        ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
        of just bailing out for zero.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):

2019-01-28  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit page WebRTC settings on a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193863
        <rdar://problem/47572764>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add more values to the `Setting` enum type:
         - `ICECandidateFilteringEnabled`
         - `MediaCaptureRequiresSecureConnection`
         - `MockCaptureDevicesEnabled`

2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>

        Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
        https://bugs.webkit.org/show_bug.cgi?id=193941

        Reviewed by Alex Christensen.

        * API/JSWeakObjectMapRefPrivate.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * heap/MachineStackMarker.cpp:
        * jit/ExecutableAllocator.cpp:
        * jsc.cpp:
        * parser/Nodes.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateConversion.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/InitializeThreading.cpp:
        * runtime/IteratorOperations.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/VM.cpp:
        * testRegExp.cpp:
        * tools/JSDollarVM.cpp:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrJIT.cpp:
        * yarr/YarrPattern.cpp:
        * yarr/YarrUnicodeProperties.cpp:

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reduce size of memory used for ShadowChicken
        https://bugs.webkit.org/show_bug.cgi?id=193546

        Reviewed by Mark Lam.

        This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
        The removal of ShadowChicken saves 55KB memory.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        * heap/Heap.cpp:
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::addCoreConstraints):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setDebugger):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setDebugger): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureShadowChicken):
        * runtime/VM.h:
        (JSC::VM::shadowChicken):
        * tools/JSDollarVM.cpp:
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::changeDebuggerModeWhenIdle):

2019-01-28  Andy Estes  <aestes@apple.com>

        [watchOS] Enable Parental Controls content filtering
        https://bugs.webkit.org/show_bug.cgi?id=193939
        <rdar://problem/46641912>

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        Other than for StringObjectUse and StringOrStringObjectUse, ToString and
        CallStringConstructor can allocate new JSStrings, and hence, can GC.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] RegExpConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193801

        Reviewed by Mark Lam.

        This patch finally removes RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
        sizeof(RegExpConstructor) != sizeof(InternalFunction), so that we have 16KB memory just for RegExpConstructor. But cached
        regexp matching data (e.g. `RegExp.$1`) is a per-JSGlobalObject one, and we can move this data to JSGlobalObject and remove
        it from RegExpConstructor members.

        We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
        JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
        node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.

        We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpGlobalData):
        (JSC::JSGlobalObject::regExpGlobalDataOffset):
        (JSC::JSGlobalObject::regExpConstructor const): Deleted.
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::initialize):
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::emptyRegExp const):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::visitAggregate):
        (JSC::RegExpCachedResult::visitChildren): Deleted.
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::RegExpConstructor::destroy): Deleted.
        (JSC::RegExpConstructor::visitChildren): Deleted.
        (JSC::RegExpConstructor::getBackref): Deleted.
        (JSC::RegExpConstructor::getLastParen): Deleted.
        (JSC::RegExpConstructor::getLeftContext): Deleted.
        (JSC::RegExpConstructor::getRightContext): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::performMatch): Deleted.
        (JSC::RegExpConstructor::recordMatch): Deleted.
        * runtime/RegExpGlobalData.cpp: Added.
        (JSC::RegExpGlobalData::visitAggregate):
        (JSC::RegExpGlobalData::getBackref):
        (JSC::RegExpGlobalData::getLastParen):
        (JSC::RegExpGlobalData::getLeftContext):
        (JSC::RegExpGlobalData::getRightContext):
        * runtime/RegExpGlobalData.h: Added.
        (JSC::RegExpGlobalData::cachedResult):
        (JSC::RegExpGlobalData::setMultiline):
        (JSC::RegExpGlobalData::multiline const):
        (JSC::RegExpGlobalData::input):
        (JSC::RegExpGlobalData::offsetOfCachedResult):
        * runtime/RegExpGlobalDataInlines.h: Added.
        (JSC::RegExpGlobalData::setInput):
        (JSC::RegExpGlobalData::performMatch):
        (JSC::RegExpGlobalData::recordMatch):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::matchGlobal):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        (JSC::collectMatches):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::RegExpPrototype::visitChildren): Deleted.
        * runtime/RegExpPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-12-15  Darin Adler  <darin@apple.com>

        Replace many uses of String::format with more type-safe alternatives
        https://bugs.webkit.org/show_bug.cgi?id=192742

        Reviewed by Mark Lam.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall): Use makeString.
        (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getPropertyValue): Ditto.
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable): Ditto.
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const): Ditto.

        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
        using String::number.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList): Ditto.

2019-01-27  Chris Fleizach  <cfleizach@apple.com>

        AX: Introduce a static accessibility tree
        https://bugs.webkit.org/show_bug.cgi?id=193348
        <rdar://problem/47203295>

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-01-26  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit the user agent of a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193862
        <rdar://problem/47359292>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideUserAgent` command.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
        We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
        threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
        offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
        the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
        referenced.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (WTF::printInternal): Deleted.
        * runtime/Error.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::create):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create): Deleted.
        * runtime/ErrorType.cpp: Added.
        (JSC::errorTypeName):
        (WTF::printInternal):
        * runtime/ErrorType.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::initializeErrorConstructor):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::internalPromiseConstructor const):
        (JSC::JSGlobalObject::errorStructure const):
        (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
        (JSC::NativeErrorConstructorBase::finishCreation):
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
        (JSC::NativeErrorConstructor::finishCreation): Deleted.
        (JSC::NativeErrorConstructor::visitChildren): Deleted.
        (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
        (JSC::Interpreter::callNativeErrorConstructor): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructorBase::createStructure):
        (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation): Deleted.
        * runtime/NativeErrorPrototype.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):

2019-01-25  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit page settings on a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193813
        <rdar://problem/47359510>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideSetting` command with supporting `Setting` enum type.

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Check .xcfilelists" build phase
        https://bugs.webkit.org/show_bug.cgi?id=193790
        <rdar://problem/47201374>

        Reviewed by Alex Christensen.

        Support for XCBuild includes specifying inputs and outputs to various
        Run Script build phases. These inputs and outputs are specified as
        .xcfilelist files. Once created, these .xcfilelist files need to be
        kept up-to-date. In order to check whether they are up-to-date,
        add an Xcode build step that invokes an external script that performs
        the checking. If the .xcfilelists are found to be out-of-date, update
        them, halt the build, and instruct the developer to restart the build
        with up-to-date files.

        At this time, the checking and regenerating is performed only if the
        WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
        who want to use this facility can set this variable and test out the
        checking/regenerating. Once it seems like there are no egregious
        issues that upset a developer's workflow, we'll unconditionally enable
        this facility.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/check-xcfilelists.sh: Added.

2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=193796
        <rdar://problem/47532910>

        Reviewed by Devin Rousso.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::machThread):
        * runtime/SamplingProfiler.h:
        Expose the mach_port_t of the SamplingProfiler thread
        so it can be tested against later.

2019-01-25  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r240511

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Apply Configuration to XCFileLists" build target
        https://bugs.webkit.org/show_bug.cgi?id=193781
        <rdar://problem/47201153>

        Reviewed by Alex Christensen.

        Part of generating the .xcfilelists used as part of adopting XCBuild
        includes running `make DerivedSources.make` from a standalone script.
        It’s important for this invocation to have the same environment as
        when the actual build invokes `make DerivedSources.make`. If the
        environments are different, then the two invocations will provide
        different results. In order to get the same environment in the
        standalone script, have the script launch xcodebuild targeting the
        "Apply Configuration to XCFileLists" build target, which will then
        re-invoke our standalone script. The script is now running again, this
        time in an environment with all workspace, project, target, xcconfig
        and other environment variables established.

        The "Apply Configuration to XCFileLists" build target accomplishes
        this task via a small embedded shell script that consists only of:

            eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"

        The process that invokes "Apply Configuration to XCFileLists" first
        sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
        evaluated and exports it into the shell environment. When xcodebuild
        is invoked, it inherits the value of this variable and can `eval` the
        contents of that variable. Our external standalone script can then set
        WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
        of command-line parameters needed to restart itself in the appropriate
        state.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API to generate and consume cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=193401
        <rdar://problem/47514099>

        Reviewed by Keith Miller.

        Add the `generateBytecode` and `generateModuleBytecode` functions to
        generate serialized bytecode for a given `SourceCode`. These functions
        will eagerly generate code for all the nested functions.

        Additionally, update the API methods in JSScript to generate and use the
        bytecode when the bytecodeCache path is provided.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSScript.mm:
        (+[JSScript scriptWithSource:inVirtualMachine:]):
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):
        (-[JSScript readCache]):
        (-[JSScript writeCache]):
        (-[JSScript hash]):
        (-[JSScript source]):
        (-[JSScript cachedBytecode]):
        (-[JSScript jsSourceCode:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::create):
        (JSScriptSourceProvider::JSScriptSourceProvider):
        * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::hash const):
        (JSScriptSourceProvider::source const):
        (JSScriptSourceProvider::cachedBytecode const):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine vm]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        (testBytecodeCache):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::source const):
        * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):
        (JSC::CachedBytecode::operator=):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::owned const):
        (JSC::CachedBytecode::~CachedBytecode):
        (JSC::CachedBytecode::freeDataIfOwned):
        (JSC::SourceProvider::cachedBytecode const):
        * parser/UnlinkedSourceCode.h:
        (JSC::UnlinkedSourceCode::provider const):
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::generateUnlinkedCodeBlockImpl):
        (JSC::generateUnlinkedCodeBlock):
        * runtime/Completion.cpp:
        (JSC::generateBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

3257 2019-01-25  Keith Rollin  <krollin@apple.com>
3258
3259         Update WebKitAdditions.xcconfig with correct order of variable definitions
3260         https://bugs.webkit.org/show_bug.cgi?id=193793
3261         <rdar://problem/47532439>
3262
3263         Reviewed by Alex Christensen.
3264
3265         XCBuild changes the way xcconfig variables are evaluated. In short,
3266         all config file assignments are now considered in part of the
3267         evaluation. When using the new build system and an .xcconfig file
3268         contains multiple assignments of the same build setting:
3269
3270         - Later assignments using $(inherited) will inherit from earlier
3271           assignments in the xcconfig file.
3272         - Later assignments not using $(inherited) will take precedence over
3273           earlier assignments. An assignment to a more general setting will
3274           mask an earlier assignment to a less general setting. For example,
3275           an assignment without a condition ('FOO = bar') will completely mask
3276           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3277
3278         This affects some of our .xcconfig files, in that sometimes platform-
3279         or sdk-specific definitions appear before the general definitions.
3280         Under the new evaluations rules, the general definitions alway take
3281         effect because they always overwrite the more-specific definitions. The
3282         solution is to swap the order, so that the general definitions are
3283         established first, and then conditionally overwritten by the
3284         more-specific definitions.
3285
3286         * Configurations/Version.xcconfig:
3287
3288 2019-01-25  Keith Rollin  <krollin@apple.com>
3289
3290         Update existing .xcfilelists
3291         https://bugs.webkit.org/show_bug.cgi?id=193791
3292         <rdar://problem/47201706>
3293
3294         Reviewed by Alex Christensen.
3295
3296         Many .xcfilelist files were added in r238824 in order to support
3297         XCBuild. Update these with recent changes to the set of build files
3298         and with the current generate-xcfilelist script.
3299
3300         * DerivedSources-input.xcfilelist:
3301         * DerivedSources-output.xcfilelist:
3302         * UnifiedSources-input.xcfilelist:
3303         * UnifiedSources-output.xcfilelist:
3304
3305 2019-01-25  Jon Davis  <jond@apple.com>
3306
3307         Update JavaScriptCore feature status entries.
3308         https://bugs.webkit.org/show_bug.cgi?id=193797
3309
3310         Reviewed by Mark Lam.
3311         
3312         Updated feature status for Async Iteration, and Object rest/spread.
3313
3314         * features.json:
3315
3316 2019-01-24  Keith Miller  <keith_miller@apple.com>
3317
3318         Remove usage of internal macro from private header
3319         https://bugs.webkit.org/show_bug.cgi?id=193809
3320
3321         Reviewed by Saam Barati.
3322
3323         Also, add a new file to include all of our API headers to make sure
3324         they don't accidentally include C++ or internal values.
3325
3326         * API/JSScript.h:
3327         * API/tests/testIncludes.m: Added.
3328         * JavaScriptCore.xcodeproj/project.pbxproj:
3329
3330 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3331
3332         [JSC] ErrorConstructor should not have own IsoSubspace
3333         https://bugs.webkit.org/show_bug.cgi?id=193800
3334
3335         Reviewed by Saam Barati.
3336
3337         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3338         IsoSubspace errorConstructorSpace in VM. But only one is allocated per JSGlobalObject, and it is
3339         too costly to have an IsoSubspace, which allocates 16KB. Since the stackTraceLimit is per-JSGlobalObject
3340         information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3341         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3342         into IsoSubspaces) described,
3343
3344             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3345             appear to just override methods, which are called dynamically via the structure or class of the object.
3346             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3347
3348         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3349         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3350         This reduces the memory usage.
3351
3352         * interpreter/Interpreter.h:
3353         * runtime/Error.cpp:
3354         (JSC::getStackTrace):
3355         * runtime/ErrorConstructor.cpp:
3356         (JSC::ErrorConstructor::ErrorConstructor):
3357         (JSC::ErrorConstructor::finishCreation):
3358         (JSC::constructErrorConstructor):
3359         (JSC::callErrorConstructor):
3360         (JSC::ErrorConstructor::put):
3361         (JSC::ErrorConstructor::deleteProperty):
3362         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3363         (JSC::Interpreter::callErrorConstructor): Deleted.
3364         * runtime/ErrorConstructor.h:
3365         * runtime/JSGlobalObject.cpp:
3366         (JSC::JSGlobalObject::JSGlobalObject):
3367         (JSC::JSGlobalObject::init):
3368         (JSC::JSGlobalObject::visitChildren):
3369         * runtime/JSGlobalObject.h:
3370         (JSC::JSGlobalObject::stackTraceLimit const):
3371         (JSC::JSGlobalObject::setStackTraceLimit):
3372         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3373         * runtime/VM.cpp:
3374         (JSC::VM::VM):
3375         * runtime/VM.h:
3376
3377 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3378
3379         Web Inspector: CPU Usage Timeline
3380         https://bugs.webkit.org/show_bug.cgi?id=193730
3381         <rdar://problem/46797201>
3382
3383         Reviewed by Devin Rousso.
3384
3385         * CMakeLists.txt:
3386         * DerivedSources-input.xcfilelist:
3387         * DerivedSources.make:
3388         New files.
3389
3390         * inspector/protocol/CPUProfiler.json: Added.
3391         New domain that follows the pattern of Memory/ScriptProfiler.
3392
3393         * inspector/protocol/Timeline.json:
3394         New enum to auto-start a CPU instrument in the backend.
3395
3396 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3397
3398         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3399         https://bugs.webkit.org/show_bug.cgi?id=193774
3400
3401         Reviewed by Mark Lam.
3402
3403         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3404         But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
3405         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3406         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
3407         for these two constructor instances. There are only two instances per JSGlobalObject.
3408
3409         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3410         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3411         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3412         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3413         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3414         for ArrayBufferConstructors, and reduces the memory usage.
3415
3416         * runtime/JSArrayBufferConstructor.cpp:
3417         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3418         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3419         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3420         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3421         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3422         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3423         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3424         (JSC::JSArrayBufferConstructor::create): Deleted.
3425         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3426         (JSC::constructArrayBuffer): Deleted.
3427         * runtime/JSArrayBufferConstructor.h:
3428         * runtime/JSGlobalObject.cpp:
3429         (JSC::JSGlobalObject::init):
3430         * runtime/JSGlobalObject.h:
3431         * runtime/VM.cpp:
3432         (JSC::VM::VM):
3433         * runtime/VM.h:
3434
3435 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3436
3437         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3438         https://bugs.webkit.org/show_bug.cgi?id=190693
3439
3440         Reviewed by Michael Saboff.
3441
3442         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3443         This becomes true when we find the executable address in our conservative roots, which
3444         means that we could be executing it right now. This means that object liveness in
3445         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3446         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3447         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3448         executing JITStubRoutine because "Conservative Scan" finds it later.
3449         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3450         "Conservative Scan" has already finished, we do not delete some JITStubRoutines which did not
3451         mark the objects they depend on. Then, in the next cycle, we find JITStubRoutines still live,
3452         attempt to mark the objects they depend on, and encounter the dead objects which were collected
3453         in the previous cycles.
3454
3455         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3456         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
3457         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3458         GC stop time.
3459
3460         * heap/ConservativeRoots.h:
3461         (JSC::ConservativeRoots::roots const):
3462         (JSC::ConservativeRoots::roots): Deleted.
3463         * heap/Heap.cpp:
3464         (JSC::Heap::addCoreConstraints):
3465         * heap/SlotVisitor.cpp:
3466         (JSC::SlotVisitor::append):
3467         * heap/SlotVisitor.h:
3468         * jit/GCAwareJITStubRoutine.cpp:
3469         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3470         * jit/GCAwareJITStubRoutine.h:
3471
3472 2019-01-24  Saam Barati  <sbarati@apple.com>
3473
3474         Update ARM64EHash
3475         https://bugs.webkit.org/show_bug.cgi?id=193776
3476         <rdar://problem/47526457>
3477
3478         Reviewed by Mark Lam.
3479
3480         See radar for details.
3481
3482         * assembler/AssemblerBuffer.h:
3483         (JSC::ARM64EHash::update):
3484         (JSC::ARM64EHash::finalHash const):
3485
3486 2019-01-24  Saam Barati  <sbarati@apple.com>
3487
3488         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3489         https://bugs.webkit.org/show_bug.cgi?id=193751
3490         <rdar://problem/47280215>
3491
3492         Reviewed by Michael Saboff.
3493
3494         The Object Allocation Sinking phase may move allocations around inside
3495         of the program. However, it was not ensuring that it's still possible 
3496         to walk the stack at the point in the program that it moved the allocation to.
3497         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3498         All allocation sites can do a stack walk (we do a stack walk when we GC).
3499         Conservatively, this patch says we're ok to move this allocation if we are
3500         moving within the same InlineCallFrame. We could be more precise and do an
3501         analysis of stack writes. However, this scenario is so rare that we just
3502         take the conservative and straightforward approach of checking that the place
3503         we're moving to is the same InlineCallFrame as the allocation site.
3504         
3505         In general, this issue arises anytime we do any kind of code motion.
3506         Interestingly, LICM gets this right. It gets it right because the only
3507         InlineCallFrames we can't move out of are the InlineCallFrames that
3508         have metadata stored on the stack (callee for closure calls and argument
3509         count for varargs calls). LICM doesn't have this issue because it relies
3510         on Clobberize for doing its effects analysis. In clobberize, we model every
3511         node within an InlineCallFrame that meets the above criteria as reading
3512         from those stack fields. Consequently, LICM won't hoist any node in that
3513         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3514         we generate to set up such an InlineCallFrame contains writes to that
3515         stack location.
3516
3517         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3518
3519 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3520
3521         [JSC] Reenable baseline JIT on mips
3522         https://bugs.webkit.org/show_bug.cgi?id=192983
3523
3524         Reviewed by Mark Lam.
3525
3526         Use $s0 as metadata register and make sure it's properly saved and
3527         restored.
3528
3529         * jit/GPRInfo.h:
3530         * jit/RegisterSet.cpp:
3531         (JSC::RegisterSet::vmCalleeSaveRegisters):
3532         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3533         * llint/LowLevelInterpreter.asm:
3534         * offlineasm/mips.rb:
3535
3536 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
3537
3538         [GLIB] Expose JavaScriptCore options in GLib public API
3539         https://bugs.webkit.org/show_bug.cgi?id=188742
3540
3541         Reviewed by Michael Catanzaro.
3542
3543         Add new API to set, get and iterate JSC options.
3544
3545         * API/glib/JSCOptions.cpp: Added.
3546         (valueFromGValue):
3547         (valueToGValue):
3548         (jscOptionsSetValue):
3549         (jscOptionsGetValue):
3550         (jsc_options_set_boolean):
3551         (jsc_options_get_boolean):
3552         (jsc_options_set_int):
3553         (jsc_options_get_int):
3554         (jsc_options_set_uint):
3555         (jsc_options_get_uint):
3556         (jsc_options_set_size):
3557         (jsc_options_get_size):
3558         (jsc_options_set_double):
3559         (jsc_options_get_double):
3560         (jsc_options_set_string):
3561         (jsc_options_get_string):
3562         (jsc_options_set_range_string):
3563         (jsc_options_get_range_string):
3564         (jscOptionsType):
3565         (jsc_options_foreach):
3566         (setOptionEntry):
3567         (jsc_options_get_option_group):
3568         * API/glib/JSCOptions.h: Added.
3569         * API/glib/docs/jsc-glib-4.0-sections.txt:
3570         * API/glib/docs/jsc-glib-docs.sgml:
3571         * API/glib/jsc.h:
3572         * GLib.cmake:
3573
3574 2019-01-23  Mark Lam  <mark.lam@apple.com>
3575
3576         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
3577         https://bugs.webkit.org/show_bug.cgi?id=193744
3578         <rdar://problem/46262952>
3579
3580         Reviewed by Saam Barati.
3581
3582         * assembler/LinkBuffer.cpp:
3583         (JSC::LinkBuffer::copyCompactAndLinkCode):
3584
3585 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3586
3587         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3588         https://bugs.webkit.org/show_bug.cgi?id=193711
3589         <rdar://problem/47250262>
3590
3591         Reviewed by Saam Barati.
3592
3593         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
3594         making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
3595         We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block to
3596         ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
3597         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability at the head
3598         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
3599         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
3600         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
3601         as follows.
3602
3603             BB0 -> BB1 -> BB2 -> BB4
3604              |        \        ^
3605              v          > BB3 /
3606             BB5
3607
3608         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
3609
3610             BB0 does nothing
3611                 head: loc1 is dead
3612                 tail: loc1 is dead
3613
3614             BB1 has MovHint @1, loc1
3615                 head: loc1 is dead
3616                 tail: loc1 is live
3617
3618             BB2 does nothing
3619                 head: loc1 is live
3620                 tail: loc1 is live
3621
3622             BB3 has PutStack @1, loc1
3623                 head: loc1 is live
3624                 tail: loc1 is live
3625
3626             BB4 has OSR exit using loc1
3627                 head: loc1 is live
3628                 tail: loc1 is live (in bytecode)
3629
3630             BB5 does nothing
3631                 head: loc1 is dead
3632                 tail: loc1 is dead
3633
3634         In our OSR Availability analysis, we always prune the loc1 result at BB1's head since its head says "loc1 is dead".
3635         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
3636
3637         So, the flush format of loc1 at the tail of each BB is like this.
3638
3639             BB0
3640                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
3641             BB1
3642                 DeadFlush+@1 (pruning clears it)
3643             BB2
3644                 DeadFlush+@1 (since it is propagated from BB1)
3645             BB3
3646                 FlushedJSValue+@1 with loc1 (since it has PutStack)
3647             BB4
3648                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
3649             BB5
3650                 DeadFlush (pruning clears it)
3651
3652         Then, if we go the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
3653         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
3654
3655         * dfg/DFGAvailabilityMap.cpp:
3656         (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
3657         and copy the calculated value from the current availability map.
3658         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3659         (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging things for debugging.
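
The analysis described in this entry, modelled as an added example (constructed here, not JSC's DFG code): a forward availability analysis over the six-block CFG above, run once with the buggy pruning (clear to DeadFlush) and once with the fix (set Availability::unavailable()). The block names, the loc1 liveness table and the MovHint/PutStack ops are taken from the entry; the Avail tuple and the merge(), prune() and analyze() helpers are this example's own simplification of JSC's Availability and AvailabilityMap.

```python
"""Model of DFG OSR-availability pruning (constructed example, not JSC's code)."""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Flush(Enum):
    DEAD = "DeadFlush"                  # BOTTOM: empty set, nothing known yet
    FLUSHED_JSVALUE = "FlushedJSValue"  # value is known to be flushed to the stack
    CONFLICTING = "ConflictingFlush"    # TOP: not recoverable from the stack


# Availability of one operand: (node that currently holds the value, flush format)
Avail = Tuple[Optional[str], Flush]
DEAD: Avail = (None, Flush.DEAD)                # Availability()
UNAVAILABLE: Avail = (None, Flush.CONFLICTING)  # Availability::unavailable()

# The six-block CFG from the entry, with loc1 liveness at each block head.
BLOCKS: List[str] = ["BB0", "BB1", "BB2", "BB3", "BB4", "BB5"]
SUCC: Dict[str, List[str]] = {"BB0": ["BB1", "BB5"], "BB1": ["BB2", "BB3"],
                              "BB2": ["BB4"], "BB3": ["BB4"]}
LIVE_AT_HEAD: Dict[str, bool] = {"BB0": False, "BB1": False, "BB2": True,
                                 "BB3": True, "BB4": True, "BB5": False}
OPS: Dict[str, List[str]] = {"BB1": ["MovHint @1"], "BB3": ["PutStack @1"]}


def merge_flush(a: Flush, b: Flush) -> Flush:
    """Lattice join: DeadFlush is BOTTOM, ConflictingFlush is TOP."""
    if a == b:
        return a
    if a == Flush.DEAD:
        return b
    if b == Flush.DEAD:
        return a
    return Flush.CONFLICTING


def merge(a: Avail, b: Avail) -> Avail:
    """Join of two availabilities where control flow merges."""
    if a == DEAD:
        return b
    if b == DEAD:
        return a
    node = a[0] if a[0] == b[0] else None
    return (node, merge_flush(a[1], b[1]))


def prune(avail: Avail, live: bool, fixed: bool) -> Avail:
    """pruneByLiveness at a block head. The bug cleared dead operands to
    DeadFlush (BOTTOM); the fix sets them to Availability::unavailable() (TOP)."""
    if live:
        return avail
    return UNAVAILABLE if fixed else DEAD


def execute(avail: Avail, op: str) -> Avail:
    """Effect of the two node kinds used in the entry's example."""
    if op == "MovHint @1":            # loc1's value now lives in node @1
        return ("@1", avail[1])
    if op == "PutStack @1":           # @1 is written to loc1's stack slot
        return ("@1", Flush.FLUSHED_JSVALUE)
    raise ValueError(op)


def analyze(fixed: bool) -> Dict[str, Avail]:
    """Forward analysis to a fixed point; returns loc1's availability at each tail."""
    head: Dict[str, Avail] = {b: DEAD for b in BLOCKS}
    head["BB0"] = UNAVAILABLE         # root block: all locals start ConflictingFlush
    tail: Dict[str, Avail] = {b: DEAD for b in BLOCKS}
    changed = True
    while changed:
        changed = False
        for b in BLOCKS:
            avail = head[b]
            for op in OPS.get(b, []):
                avail = execute(avail, op)
            if tail[b] != avail:
                tail[b] = avail
                changed = True
            # Propagate to successors, then prune their heads by bytecode liveness.
            for s in SUCC.get(b, []):
                new_head = prune(merge(head[s], avail), LIVE_AT_HEAD[s], fixed)
                if new_head != head[s]:
                    head[s] = new_head
                    changed = True
    return tail


def osr_exit_reads_stack(avail: Avail) -> bool:
    """Would an OSR exit recover loc1 from the stack instead of from node @1?"""
    return avail[1] == Flush.FLUSHED_JSVALUE


if __name__ == "__main__":
    for fixed in (False, True):
        tails = analyze(fixed)
        print("fixed" if fixed else "buggy", "BB4 tail:", tails["BB4"],
              "exit reads stack:", osr_exit_reads_stack(tails["BB4"]))
```

With the bug, BB4's tail says FlushedJSValue although the path BB0->BB1->BB2->BB4 never executed the PutStack; with the fix it is ConflictingFlush, so the exit recovers loc1 from @1.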
3660
3661 2019-01-23  David Kilzer  <ddkilzer@apple.com>
3662
3663         [JSC] Duplicate global variables: JSC::opcodeLengths
3664         <https://webkit.org/b/193714>
3665         <rdar://problem/47340200>
3666
3667         Reviewed by Mark Lam.
3668
3669         * bytecode/Opcode.cpp:
3670         (JSC::opcodeLengths): Move array implementation here and mark
3671         const.
3672         * bytecode/Opcode.h:
3673         (JSC::opcodeLengths): Change to extern declaration.
3674
3675 2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>
3676
3677         [GLIB] Remote Inspector: no data displayed
3678         https://bugs.webkit.org/show_bug.cgi?id=193569
3679
3680         Reviewed by Michael Catanzaro.
3681
3682         Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
3683         deadlock.
3684
3685         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3686         (Inspector::RemoteInspector::receivedSetupMessage):
3687         (Inspector::RemoteInspector::setup):
3688
3689 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3690
3691         Unreviewed, fix initial global lexical binding epoch
3692         https://bugs.webkit.org/show_bug.cgi?id=193603
3693         <rdar://problem/47380869>
3694
3695         * bytecode/CodeBlock.cpp:
3696         (JSC::CodeBlock::finishCreation):
3697
3698 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3699
3700         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
3701         https://bugs.webkit.org/show_bug.cgi?id=193709
3702         <rdar://problem/47363838>
3703
3704         Unreviewed, rollout to watch the tests.
3705
3706         * JavaScriptCore.xcodeproj/project.pbxproj:
3707         * dfg/DFGAbstractInterpreterInlines.h:
3708         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3709         * dfg/DFGByteCodeParser.cpp:
3710         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3711         * dfg/DFGClobberize.h:
3712         (JSC::DFG::clobberize):
3713         * dfg/DFGDoesGC.cpp:
3714         (JSC::DFG::doesGC):
3715         * dfg/DFGFixupPhase.cpp:
3716         (JSC::DFG::FixupPhase::fixupNode):
3717         (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
3718         * dfg/DFGNodeType.h:
3719         * dfg/DFGOperations.cpp:
3720         * dfg/DFGOperations.h:
3721         * dfg/DFGPredictionPropagationPhase.cpp:
3722         * dfg/DFGSafeToExecute.h:
3723         (JSC::DFG::safeToExecute):
3724         * dfg/DFGSpeculativeJIT.cpp:
3725         (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
3726         * dfg/DFGSpeculativeJIT.h:
3727         * dfg/DFGSpeculativeJIT32_64.cpp:
3728         (JSC::DFG::SpeculativeJIT::compile):
3729         * dfg/DFGSpeculativeJIT64.cpp:
3730         (JSC::DFG::SpeculativeJIT::compile):
3731         * ftl/FTLAbstractHeapRepository.h:
3732         * ftl/FTLCapabilities.cpp:
3733         (JSC::FTL::canCompile):
3734         * ftl/FTLLowerDFGToB3.cpp:
3735         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3736         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
3737         (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
3738         * runtime/Intrinsic.cpp:
3739         (JSC::intrinsicName):
3740         * runtime/Intrinsic.h:
3741         * runtime/ObjectPrototype.cpp:
3742         (JSC::ObjectPrototype::finishCreation):
3743         (JSC::objectProtoFuncToString):
3744         * runtime/ObjectPrototype.h:
3745         * runtime/ObjectPrototypeInlines.h: Removed.
3746         * runtime/StructureRareData.h:
3747
3748 2019-01-22  Devin Rousso  <drousso@apple.com>
3749
3750         Web Inspector: expose Audit and Recording versions to the frontend
3751         https://bugs.webkit.org/show_bug.cgi?id=193262
3752         <rdar://problem/47130684>
3753
3754         Reviewed by Joseph Pecoraro.
3755
3756         * inspector/protocol/Audit.json:
3757         * inspector/protocol/Recording.json:
3758         Add `version` values.
3759
3760         * inspector/scripts/codegen/models.py:
3761         (Protocol.parse_domain):
3762         (Domain.__init__):
3763         (Domain.version): Added.
3764         (Domains):
3765
3766         * inspector/scripts/codegen/generator.py:
3767         (Generator.version_for_domain): Added.
3768
3769         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3770         (CppProtocolTypesHeaderGenerator.generate_output):
3771         (CppProtocolTypesHeaderGenerator._generate_versions): Added.
3772
3773         * inspector/scripts/codegen/generate_js_backend_commands.py:
3774         (JSBackendCommandsGenerator.should_generate_domain):
3775         (JSBackendCommandsGenerator.generate_domain):
3776
3777         * inspector/scripts/tests/generic/version.json: Added.
3778         * inspector/scripts/tests/generic/expected/version.json-result: Added.
3779
3780         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3781         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3782         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3783         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3784         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3785         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3786         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3787         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3788         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3789         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3790         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3791         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3792         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3793         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3794         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3795         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3796         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3797         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3798         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3799
3800 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3801
3802         [JSC] Intl constructors should fit in sizeof(InternalFunction)
3803         https://bugs.webkit.org/show_bug.cgi?id=193661
3804
3805         Reviewed by Mark Lam.
3806
3807         Previously all the Intl constructors had their own subspace. This is because these constructors have a different size from InternalFunction.
3808         But it is too costly an approach in terms of memory usage since these constructors are only one per JSGlobalObject. This patch attempts to
3809         reduce the memory size consumed by these Intl objects by holding instance structures in IntlObject instead of in each Intl constructor,
3810         so that we can make sizeof(Intl constructors) == sizeof(InternalFunction) and drop costly subspaces. Since this patch drops subspaces in VM,
3811         it also significantly reduces the sizeof(VM), from 76696 to 74680.
3812
3813         This patch also includes the preparation for making Intl properties lazy. But currently it is not possible since @Collator reference exists
3814         in builtin code.
3815
3816         * CMakeLists.txt:
3817         * DerivedSources.make:
3818         * runtime/IntlCollatorConstructor.cpp:
3819         (JSC::IntlCollatorConstructor::create):
3820         (JSC::IntlCollatorConstructor::finishCreation):
3821         (JSC::constructIntlCollator):
3822         (JSC::callIntlCollator):
3823         (JSC::IntlCollatorConstructor::visitChildren): Deleted.
3824         * runtime/IntlCollatorConstructor.h:
3825         * runtime/IntlDateTimeFormatConstructor.cpp:
3826         (JSC::IntlDateTimeFormatConstructor::create):
3827         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3828         (JSC::constructIntlDateTimeFormat):
3829         (JSC::callIntlDateTimeFormat):
3830         (JSC::IntlDateTimeFormatConstructor::visitChildren): Deleted.
3831         * runtime/IntlDateTimeFormatConstructor.h:
3832         * runtime/IntlNumberFormatConstructor.cpp:
3833         (JSC::IntlNumberFormatConstructor::create):
3834         (JSC::IntlNumberFormatConstructor::finishCreation):
3835         (JSC::constructIntlNumberFormat):
3836         (JSC::callIntlNumberFormat):
3837         (JSC::IntlNumberFormatConstructor::visitChildren): Deleted.
3838         * runtime/IntlNumberFormatConstructor.h:
3839         * runtime/IntlObject.cpp:
3840         (JSC::createCollatorConstructor):
3841         (JSC::createNumberFormatConstructor):
3842         (JSC::createDateTimeFormatConstructor):
3843         (JSC::createPluralRulesConstructor):
3844         (JSC::IntlObject::create):
3845         (JSC::IntlObject::finishCreation):
3846         (JSC::IntlObject::visitChildren):
3847         * runtime/IntlObject.h:
3848         * runtime/IntlPluralRulesConstructor.cpp:
3849         (JSC::IntlPluralRulesConstructor::create):
3850         (JSC::IntlPluralRulesConstructor::finishCreation):
3851         (JSC::constructIntlPluralRules):
3852         (JSC::IntlPluralRulesConstructor::visitChildren): Deleted.
3853         * runtime/IntlPluralRulesConstructor.h:
3854         * runtime/JSGlobalObject.cpp:
3855         (JSC::JSGlobalObject::init):
3856         (JSC::JSGlobalObject::visitChildren):
3857         * runtime/JSGlobalObject.h:
3858         (JSC::JSGlobalObject::intlObject const):
3859         * runtime/VM.cpp:
3860         (JSC::VM::VM):
3861         * runtime/VM.h:
3862
3863 2019-01-22  Saam Barati  <sbarati@apple.com>
3864
3865         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
3866
3867         * dfg/DFGBackwardsPropagationPhase.cpp:
3868         (JSC::DFG::BackwardsPropagationPhase::propagate):
3869
3870 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
3871
3872         Unreviewed, restore bytecode cache-related JSC options deleted in r240254
3873         https://bugs.webkit.org/show_bug.cgi?id=192782
3874
3875         The JSC options were committed as part of r240210, which got rolled out in
3876         r240224. However, the options got re-landed in r240248 and then deleted
3877         again in 240254 (immediately before the caching code landed in 240255).
3878
3879         * runtime/Options.h:
3880
3881 2019-01-22  Tadeu Zagallo  <tzagallo@apple.com>
3882
3883         Cache bytecode to disk
3884         https://bugs.webkit.org/show_bug.cgi?id=192782
3885         <rdar://problem/46084932>
3886
3887         Reviewed by Keith Miller.
3888
3889         Add the logic to serialize and deserialize the new JSC bytecode. For now,
3890         the cache is only used for tests.
3891
3892         Each class that can be serialized has a counterpart in CachedTypes, which
3893         handles the decoding and encoding. When decoding, the cached objects are
3894         mmap'd from disk, but only used for creating instances of the respective
3895         in-memory version of each object. Ideally, the mmap'd objects should be
3896         used at runtime in the future.
3897
3898         * CMakeLists.txt:
3899         * JavaScriptCore.xcodeproj/project.pbxproj:
3900         * Sources.txt:
3901         * builtins/BuiltinNames.cpp:
3902         (JSC::BuiltinNames::BuiltinNames):
3903         * builtins/BuiltinNames.h:
3904         * bytecode/CodeBlock.cpp: