SamplingProfiler::stackTracesAsJSON() should escape strings.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-02-15  Mark Lam  <mark.lam@apple.com>
2
3         SamplingProfiler::stackTracesAsJSON() should escape strings.
4         https://bugs.webkit.org/show_bug.cgi?id=194649
5         <rdar://problem/48072386>
6
7         Reviewed by Saam Barati.
8
9         Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().
10
11         * runtime/SamplingProfiler.cpp:
12         (JSC::SamplingProfiler::stackTracesAsJSON):
13         * runtime/TypeSet.cpp:
14         (JSC::TypeSet::toJSONString const):
15         (JSC::StructureShape::toJSONString const):
16
17 2019-02-15  Robin Morisset  <rmorisset@apple.com>
18
19         CodeBlock::jettison should clear related watchpoints
20         https://bugs.webkit.org/show_bug.cgi?id=194544
21
22         Reviewed by Mark Lam.
23
24         * bytecode/CodeBlock.cpp:
25         (JSC::CodeBlock::jettison):
26         * dfg/DFGCommonData.h:
27         (JSC::DFG::CommonData::clearWatchpoints): Added.
28         * dfg/CommonData.cpp:
29         (JSC::DFG::CommonData::clearWatchpoints): Added.
30
31 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
32
33         Move bytecode cache-related filesystem code out of CodeCache
34         https://bugs.webkit.org/show_bug.cgi?id=194675
35
36         Reviewed by Saam Barati.
37
38         That code is only used for the bytecode-cache tests, so it should live in
39         jsc.cpp rather than in the CodeCache.
40
41         * jsc.cpp:
42         (CliSourceProvider::create):
43         (CliSourceProvider::~CliSourceProvider):
44         (CliSourceProvider::cachePath const):
45         (CliSourceProvider::loadBytecode):
46         (CliSourceProvider::CliSourceProvider):
47         (jscSource):
48         (GlobalObject::moduleLoaderFetch):
49         (functionDollarEvalScript):
50         (runWithOptions):
51         * parser/SourceProvider.h:
52         (JSC::SourceProvider::cacheBytecode const):
53         * runtime/CodeCache.cpp:
54         (JSC::writeCodeBlock):
55         * runtime/CodeCache.h:
56         (JSC::CodeCacheMap::fetchFromDiskImpl):
57
58 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
59
60         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
61         https://bugs.webkit.org/show_bug.cgi?id=194714
62
63         Reviewed by Mark Lam.
64
65         Let's consider the following extreme case.
66
67         1. VM (A) is created.
68         2. Another VM (B) is created on a different thread.
69         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
70         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
71         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
72         6. (A) sees the half-baked worklist, which may be in the middle of creation.
73
74         This patch puts a store-store fence just before putting a pointer to a global variable.
75         This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.
76
77         * dfg/DFGWorklist.cpp:
78         (JSC::DFG::ensureGlobalDFGWorklist):
79         (JSC::DFG::ensureGlobalFTLWorklist):
80         * wasm/WasmWorklist.cpp:
81         (JSC::Wasm::ensureWorklist):
82
83 2019-02-15  Commit Queue  <commit-queue@webkit.org>
84
85         Unreviewed, rolling out r241559 and r241566.
86         https://bugs.webkit.org/show_bug.cgi?id=194710
87
88         Causes layout test crashes under GuardMalloc (Requested by
89         ryanhaddad on #webkit).
90
91         Reverted changesets:
92
93         "[WTF] Add environment variable helpers"
94         https://bugs.webkit.org/show_bug.cgi?id=192405
95         https://trac.webkit.org/changeset/241559
96
97         "Unreviewed build fix for WinCairo Debug after r241559."
98         https://trac.webkit.org/changeset/241566
99
100 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
101
102         [JSC] Do not even allocate JIT worklists in non-JIT mode
103         https://bugs.webkit.org/show_bug.cgi?id=194693
104
105         Reviewed by Mark Lam.
106
107         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
108         And we do not perform any GC operations that are only meaningful in a JIT environment.
109
110         1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
111         2. We remove the DFG marking constraint in non-JIT mode.
112         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the # of scratch buffers is always zero in non-JIT mode)
113         4. We do not visit JITStubRoutineSet.
114         5. Align JITWorklist function names to the other worklists.
115
116         * dfg/DFGOSRExitPreparation.cpp:
117         (JSC::DFG::prepareCodeOriginForOSRExit):
118         * dfg/DFGPlan.h:
119         * dfg/DFGWorklist.cpp:
120         (JSC::DFG::markCodeBlocks): Deleted.
121         * dfg/DFGWorklist.h:
122         * heap/Heap.cpp:
123         (JSC::Heap::completeAllJITPlans):
124         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
125         (JSC::Heap::gatherScratchBufferRoots):
126         (JSC::Heap::removeDeadCompilerWorklistEntries):
127         (JSC::Heap::stopThePeriphery):
128         (JSC::Heap::suspendCompilerThreads):
129         (JSC::Heap::resumeCompilerThreads):
130         (JSC::Heap::addCoreConstraints):
131         * jit/JITWorklist.cpp:
132         (JSC::JITWorklist::existingGlobalWorklistOrNull):
133         (JSC::JITWorklist::ensureGlobalWorklist):
134         (JSC::JITWorklist::instance): Deleted.
135         * jit/JITWorklist.h:
136         * llint/LLIntSlowPaths.cpp:
137         (JSC::LLInt::jitCompileAndSetHeuristics):
138         * runtime/VM.cpp:
139         (JSC::VM::~VM):
140         (JSC::VM::gatherScratchBufferRoots):
141         (JSC::VM::gatherConservativeRoots): Deleted.
142         * runtime/VM.h:
143
144 2019-02-15  Saam barati  <sbarati@apple.com>
145
146         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
147         https://bugs.webkit.org/show_bug.cgi?id=194036
148
149         Reviewed by Yusuke Suzuki.
150
151         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
152         use linear scan for register allocation. Instead of linear scan, Air-O0 does
153         mostly block-local register allocation, and it does this as it's emitting
154         code directly. The register allocator uses liveness analysis to reduce
155         the number of spills. Doing register allocation as we're emitting code
156         allows us to skip editing the IR to insert spills, which saves a non-trivial
157         amount of compile time. For stack allocation, we give each Tmp its own slot.
158         This is less than ideal. We probably want to do some trivial live range analysis
159         in the future. The reason this isn't a deal breaker for Wasm is that this patch
160         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
161         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
162         
163         This patch is another 25% Wasm startup time speedup. It seems to be worth
164         another 1% on JetStream2.
165
166         * JavaScriptCore.xcodeproj/project.pbxproj:
167         * Sources.txt:
168         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
169         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
170         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
171         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
172         (JSC::B3::Air::callFrameAddr):
173         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
174         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
175         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
176         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
177         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
178         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
179         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
180         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
181         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
182         * b3/air/AirCode.cpp:
183         * b3/air/AirCode.h:
184         * b3/air/AirGenerate.cpp:
185         (JSC::B3::Air::prepareForGeneration):
186         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
187         (JSC::B3::Air::generate):
188         * b3/air/AirHandleCalleeSaves.cpp:
189         (JSC::B3::Air::handleCalleeSaves):
190         * b3/air/AirHandleCalleeSaves.h:
191         * b3/air/AirTmpMap.h:
192         * runtime/Options.h:
193         * wasm/WasmAirIRGenerator.cpp:
194         (JSC::Wasm::AirIRGenerator::didKill):
195         (JSC::Wasm::AirIRGenerator::newTmp):
196         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
197         (JSC::Wasm::parseAndCompileAir):
198         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
199         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
200         * wasm/WasmAirIRGenerator.h:
201         * wasm/WasmB3IRGenerator.cpp:
202         (JSC::Wasm::B3IRGenerator::didKill):
203         * wasm/WasmBBQPlan.cpp:
204         (JSC::Wasm::BBQPlan::compileFunctions):
205         * wasm/WasmFunctionParser.h:
206         (JSC::Wasm::FunctionParser<Context>::parseBody):
207         (JSC::Wasm::FunctionParser<Context>::parseExpression):
208         * wasm/WasmValidate.cpp:
209         (JSC::Wasm::Validate::didKill):
210
211 2019-02-14  Saam barati  <sbarati@apple.com>
212
213         lowerStackArgs should lower Lea32/64 on ARM64 to Add
214         https://bugs.webkit.org/show_bug.cgi?id=194656
215
216         Reviewed by Yusuke Suzuki.
217
218         On arm64, Lea is just implemented as an add. However, Air treats it as an
219         address with a given width. Because of this width, we were incorrectly
220         computing whether or not this immediate could fit into the instruction itself
221         or it needed to be explicitly put into a register. This patch makes
222         AirLowerStackArgs lower Lea to Add on arm64.
223
224         * b3/air/AirLowerStackArgs.cpp:
225         (JSC::B3::Air::lowerStackArgs):
226         * b3/air/AirOpcode.opcodes:
227         * b3/air/testair.cpp:
228
229 2019-02-14  Saam Barati  <sbarati@apple.com>
230
231         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
232         https://bugs.webkit.org/show_bug.cgi?id=194583
233         <rdar://problem/48028140>
234
235         Reviewed by Yusuke Suzuki.
236
237         This patch makes it so that getVariablesUnderTDZ caches a result of
238         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
239         it's called in an environment where there are a lot of variables.
240         This patch makes it so we cache its results. This is profitable when
241         getVariablesUnderTDZ is called repeatedly with the same environment
242         state. This is common since we call this every time we encounter a
243         function definition/expression node.
244
245         * builtins/BuiltinExecutables.cpp:
246         (JSC::BuiltinExecutables::createExecutable):
247         * bytecode/UnlinkedFunctionExecutable.cpp:
248         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
249         * bytecode/UnlinkedFunctionExecutable.h:
250         * bytecompiler/BytecodeGenerator.cpp:
251         (JSC::BytecodeGenerator::popLexicalScopeInternal):
252         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
253         (JSC::BytecodeGenerator::pushTDZVariables):
254         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
255         (JSC::BytecodeGenerator::restoreTDZStack):
256         * bytecompiler/BytecodeGenerator.h:
257         (JSC::BytecodeGenerator::makeFunction):
258         * parser/VariableEnvironment.cpp:
259         (JSC::CompactVariableMap::Handle::Handle):
260         (JSC::CompactVariableMap::Handle::operator=):
261         * parser/VariableEnvironment.h:
262         (JSC::CompactVariableMap::Handle::operator bool const):
263         * runtime/CodeCache.cpp:
264         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
265
266 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
269         https://bugs.webkit.org/show_bug.cgi?id=194659
270
271         Reviewed by Mark Lam.
272
273         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since the code of these entry points is identical.
274         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
275         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
276
277         * dfg/DFGJITCode.h:
278         * dfg/DFGJITFinalizer.cpp:
279         (JSC::DFG::JITFinalizer::finalize):
280         (JSC::DFG::JITFinalizer::finalizeFunction):
281         * jit/JITCode.cpp:
282         (JSC::DirectJITCode::initializeCodeRefForDFG):
283         (JSC::DirectJITCode::initializeCodeRef): Deleted.
284         (JSC::NativeJITCode::initializeCodeRef): Deleted.
285         * jit/JITCode.h:
286         * llint/LLIntEntrypoint.cpp:
287         (JSC::LLInt::setFunctionEntrypoint):
288         (JSC::LLInt::setEvalEntrypoint):
289         (JSC::LLInt::setProgramEntrypoint):
290         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
291
292 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
293
294         [WTF] Add environment variable helpers
295         https://bugs.webkit.org/show_bug.cgi?id=192405
296
297         Reviewed by Michael Catanzaro.
298
299         * inspector/remote/glib/RemoteInspectorGlib.cpp:
300         (Inspector::RemoteInspector::RemoteInspector):
301         (Inspector::RemoteInspector::start):
302         * jsc.cpp:
303         (startTimeoutThreadIfNeeded):
304         * runtime/Options.cpp:
305         (JSC::overrideOptionWithHeuristic):
306         (JSC::Options::overrideAliasedOptionWithHeuristic):
307         (JSC::Options::initialize):
308         * runtime/VM.cpp:
309         (JSC::enableAssembler):
310         (JSC::VM::VM):
311         * tools/CodeProfiling.cpp:
312         (JSC::CodeProfiling::notifyAllocator):
313         Utilize WTF::Environment where possible.
314
315 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
316
317         [JSC] Should have default NativeJITCode
318         https://bugs.webkit.org/show_bug.cgi?id=194634
319
320         Reviewed by Mark Lam.
321
322         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
323         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds singleton used as a default one.
324         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
325         allocations, which take 14KB.
326
327         * runtime/VM.cpp:
328         (JSC::jitCodeForCallTrampoline):
329         (JSC::jitCodeForConstructTrampoline):
330         (JSC::VM::getHostFunction):
331
332 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
333
334         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
335         https://bugs.webkit.org/show_bug.cgi?id=194576
336
337         Reviewed by Saam Barati.
338
339         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
340         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
341
342         * bytecode/UnlinkedFunctionExecutable.cpp:
343         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
344         (JSC::UnlinkedFunctionExecutable::link):
345         * bytecode/UnlinkedFunctionExecutable.h:
346         * runtime/CodeCache.cpp:
347         (JSC::generateUnlinkedCodeBlockForFunctions):
348
349 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
350
351         CachedBitVector's size must be converted from bits to bytes
352         https://bugs.webkit.org/show_bug.cgi?id=194441
353
354         Reviewed by Saam Barati.
355
356         CachedBitVector used its size in bits for memcpy. That didn't cause any
357         issues when encoding, since the size in bits was also used in the allocation,
358         but would overflow the actual BitVector buffer when decoding.
359
360         * runtime/CachedTypes.cpp:
361         (JSC::CachedBitVector::encode):
362         (JSC::CachedBitVector::decode const):
363
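The bits-versus-bytes mistake described above, as an added example that is not WebKit's code: a simplified bit vector with the correct byte-size computation beside the buggy one, an encode/decode pair that copies the right number of bytes, and a length check of the declared size against the buffer so a malformed cache file is rejected rather than overrunning the destination. The serialization layout and the 64-bit word size are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Minimal bit vector: bit i lives in word i / 64 at bit i % 64. The word
// layout is this example's assumption, not necessarily WTF::BitVector's.
struct BitVector {
    size_t bitCount;
    std::vector<uint64_t> words;

    explicit BitVector(size_t n) : bitCount(n), words((n + 63) / 64, 0) {}
    bool get(size_t i) const { return (words[i / 64] >> (i % 64)) & 1; }
    void set(size_t i) { words[i / 64] |= uint64_t(1) << (i % 64); }
    // Number of bytes the backing store occupies: this, not bitCount, is
    // what a memcpy of the buffer must use.
    size_t byteSize() const { return words.size() * sizeof(uint64_t); }
};

// The two size computations the entry contrasts. The buggy one was harmless
// on encode only because the same wrong value also sized the allocation; on
// decode the destination is sized from the bit count, so copying bitCount
// bytes into it overruns the buffer (by 54 bytes for a 70-bit vector).
size_t buggyCopySize(uint32_t bitCount) { return bitCount; }
size_t correctCopySize(uint32_t bitCount) { return ((bitCount + 63) / 64) * sizeof(uint64_t); }

// Serialized form (constructed for this example): uint32 bit count,
// followed by the raw words.
std::vector<uint8_t> encode(const BitVector& v)
{
    uint32_t n = static_cast<uint32_t>(v.bitCount);
    std::vector<uint8_t> out(sizeof n + v.byteSize());
    std::memcpy(out.data(), &n, sizeof n);
    if (v.byteSize())
        std::memcpy(out.data() + sizeof n, v.words.data(), v.byteSize());
    return out;
}

// Decode with the byte count derived from the bit count, and with a bounds
// check of the declared size against what the buffer actually holds: cached
// bytecode read from disk must not be trusted to be well-formed.
BitVector decode(const std::vector<uint8_t>& buf)
{
    uint32_t n;
    if (buf.size() < sizeof n)
        throw std::runtime_error("truncated header");
    std::memcpy(&n, buf.data(), sizeof n);
    BitVector v(n);
    size_t bytes = v.byteSize(); // equals correctCopySize(n)
    if (buf.size() - sizeof n < bytes)
        throw std::runtime_error("truncated payload");
    if (bytes)
        std::memcpy(v.words.data(), buf.data() + sizeof n, bytes);
    return v;
}

// Round-trips a 70-bit vector (two words, the second only partially used).
bool roundTripPreservesBits()
{
    BitVector v(70);
    v.set(3);
    v.set(69);
    BitVector d = decode(encode(v));
    return d.bitCount == 70 && d.get(3) && d.get(69) && !d.get(4) && !d.get(64);
}

// Returns true when decode() rejects a buffer whose header claims more bits
// than the payload provides.
bool rejectsTruncated()
{
    std::vector<uint8_t> buf = encode(BitVector(70));
    buf.resize(buf.size() - 1);
    try {
        decode(buf);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```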
364 2019-02-13  Brian Burg  <bburg@apple.com>
365
366         Web Inspector: don't include accessibility role in DOM.Node object payloads
367         https://bugs.webkit.org/show_bug.cgi?id=194623
368         <rdar://problem/36384037>
369
370         Reviewed by Devin Rousso.
371
372         Remove property of DOM.Node that is no longer being sent.
373
374         * inspector/protocol/DOM.json:
375
376 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
377
378         We should only make rope strings when concatenating strings long enough.
379         https://bugs.webkit.org/show_bug.cgi?id=194465
380
381         Reviewed by Mark Lam.
382
383         This patch stops us from allocating a rope string if the resulting
384         rope would be smaller than the size of the JSRopeString object we
385         would need to allocate.
386
387         This patch also adds paths so that we don't unnecessarily allocate
388         JSString cells for primitives we are going to concatenate with a
389         string anyway.
390
391         The important change from the previous one is that we do not apply
392         the above rule to JSRopeStrings generated by JSStrings. If we convert
393         it to JSString, comparison of memory consumption becomes the following,
394         because JSRopeString does not have StringImpl until it is resolved.
395
396             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
397
398         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
399         resolving eagerly increases memory footprint. The point is that we need to
400         account newly created JSString and JSRopeString from the operands. This is the
401         reason why this patch adds different thresholds for each jsString functions.
402
403         This patch also avoids concatenation for ropes conservatively. Many ropes are
404         temporary cells. So we do not resolve eagerly if one of operands is already a
405         rope.
406
407         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up, and averaged over the latter 5).
408
409             Before: 159.3778
410             After:  160.72340000000003
411
412         * dfg/DFGOperations.cpp:
413         * runtime/CommonSlowPaths.cpp:
414         (JSC::SLOW_PATH_DECL):
415         * runtime/JSString.h:
416         (JSC::JSString::isRope const):
417         * runtime/Operations.cpp:
418         (JSC::jsAddSlowCase):
419         * runtime/Operations.h:
420         (JSC::jsString):
421         (JSC::jsAddNonNumber):
422         (JSC::jsAdd):
423
424 2019-02-13  Saam Barati  <sbarati@apple.com>
425
426         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
427         https://bugs.webkit.org/show_bug.cgi?id=194610
428
429         Reviewed by Michael Saboff.
430
431         BinarySwitch might use the scratch register. We must model the
432         effects of that properly. This is already caught by our br-table
433         tests on arm64.
434
435         * wasm/WasmAirIRGenerator.cpp:
436         (JSC::Wasm::AirIRGenerator::addSwitch):
437
438 2019-02-13  Mark Lam  <mark.lam@apple.com>
439
440         Create a randomized free list for new StructureIDs on StructureIDTable resize.
441         https://bugs.webkit.org/show_bug.cgi?id=194566
442         <rdar://problem/47975502>
443
444         Reviewed by Michael Saboff.
445
446         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
447         implementation is a little easier to read.
448
449         This patch appears to be perf neutral on JetStream2 (as run from the command line).
450
451         * runtime/StructureIDTable.cpp:
452         (JSC::StructureIDTable::StructureIDTable):
453         (JSC::StructureIDTable::makeFreeListFromRange):
454         (JSC::StructureIDTable::resize):
455         (JSC::StructureIDTable::allocateID):
456         (JSC::StructureIDTable::deallocateID):
457         * runtime/StructureIDTable.h:
458         (JSC::StructureIDTable::get):
459         (JSC::StructureIDTable::deallocateID):
460         (JSC::StructureIDTable::allocateID):
461         (JSC::StructureIDTable::flushOldTables):
462
463 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
464
465         VariableLengthObject::allocate<T> should initialize objects
466         https://bugs.webkit.org/show_bug.cgi?id=194534
467
468         Reviewed by Michael Saboff.
469
470         `buffer()` should not be called for empty VariableLengthObjects, but
471         these cases were not being caught due to the objects not being properly
472         initialized. Fix it so that allocate calls the constructor and fix the
473         assertion failures.
474
475         * runtime/CachedTypes.cpp:
476         (JSC::CachedObject::operator new):
477         (JSC::VariableLengthObject::allocate):
478         (JSC::CachedVector::encode):
479         (JSC::CachedVector::decode const):
480         (JSC::CachedUniquedStringImpl::decode const):
481         (JSC::CachedBitVector::encode):
482         (JSC::CachedBitVector::decode const):
483         (JSC::CachedArray::encode):
484         (JSC::CachedArray::decode const):
485         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
486         (JSC::CachedBigInt::decode const):
487
488 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
489
490         CodeBlocks read from disk should not be re-written
491         https://bugs.webkit.org/show_bug.cgi?id=194535
492
493         Reviewed by Michael Saboff.
494
495         Keep track of which CodeBlocks have been read from disk or have already
496         been serialized in CodeCache.
497
498         * runtime/CodeCache.cpp:
499         (JSC::CodeCache::write):
500         * runtime/CodeCache.h:
501         (JSC::SourceCodeValue::SourceCodeValue):
502         (JSC::CodeCacheMap::fetchFromDiskImpl):
503
504 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
505
506         SourceCode should be copied when generating bytecode for functions
507         https://bugs.webkit.org/show_bug.cgi?id=194536
508
509         Reviewed by Saam Barati.
510
511         The FunctionExecutable might be collected while generating the bytecode
512         for nested functions, in which case the SourceCode reference would no
513         longer be valid.
514
515         * runtime/CodeCache.cpp:
516         (JSC::generateUnlinkedCodeBlockForFunctions):
517
518 2019-02-12  Saam barati  <sbarati@apple.com>
519
520         JSScript needs to retain its cache path NSURL*
521         https://bugs.webkit.org/show_bug.cgi?id=194577
522
523         Reviewed by Tim Horton.
524
525         * API/JSScript.mm:
526         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
527         (-[JSScript dealloc]):
528
529 2019-02-12  Robin Morisset  <rmorisset@apple.com>
530
531         Make B3Value::returnsBool() more precise
532         https://bugs.webkit.org/show_bug.cgi?id=194457
533
534         Reviewed by Saam Barati.
535
536         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
537         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
538         No new tests added as this should be indirectly tested by the already existing tests.
539
540         * b3/B3Value.cpp:
541         (JSC::B3::Value::returnsBool const):
542
543 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
544
545         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
546         https://bugs.webkit.org/show_bug.cgi?id=194399
547         <rdar://problem/47889777>
548
549         * dfg/DFGDoesGC.cpp:
550         (JSC::DFG::doesGC):
551
552 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
553
554         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
555         https://bugs.webkit.org/show_bug.cgi?id=194370
556
557         Reviewed by Darin Adler.
558
559         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
560         necessary, but it will make errors more visible.
561
562         * inspector/remote/glib/RemoteInspectorGlib.cpp:
563         (Inspector::RemoteInspector::start):
564         (Inspector::dbusConnectionCallAsyncReadyCallback):
565         * inspector/remote/glib/RemoteInspectorServer.cpp:
566         (Inspector::RemoteInspectorServer::start):
567
568 2019-02-12  Andy Estes  <aestes@apple.com>
569
570         [iOSMac] Enable Parental Controls Content Filtering
571         https://bugs.webkit.org/show_bug.cgi?id=194521
572         <rdar://39732376>
573
574         Reviewed by Tim Horton.
575
576         * Configurations/FeatureDefines.xcconfig:
577
578 2019-02-11  Mark Lam  <mark.lam@apple.com>
579
580         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
581         https://bugs.webkit.org/show_bug.cgi?id=194512
582         <rdar://problem/47975465>
583
584         Reviewed by Yusuke Suzuki.
585
586         * runtime/StructureIDTable.cpp:
587         (JSC::StructureIDTable::StructureIDTable):
588         (JSC::StructureIDTable::allocateID):
589         (JSC::StructureIDTable::deallocateID):
590         * runtime/StructureIDTable.h:
591
592 2019-02-10  Mark Lam  <mark.lam@apple.com>
593
594         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
595         https://bugs.webkit.org/show_bug.cgi?id=194493
596         <rdar://problem/36380852>
597
598         Reviewed by Yusuke Suzuki.
599
600         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
601         however not good for performance and memory usage.  As such, a debug ASSERT will
602         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
603         possible to be instantiated with duplicate cases in
604         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
605
606         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
607         see duplicate cases.
608
609         * jit/BinarySwitch.cpp:
610         (JSC::BinarySwitch::BinarySwitch):
611
612 2019-02-10  Darin Adler  <darin@apple.com>
613
614         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
615         https://bugs.webkit.org/show_bug.cgi?id=194485
616
617         Reviewed by Daniel Bates.
618
619         * heap/HeapSnapshotBuilder.cpp:
620         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
621         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
622
623         * runtime/JSGlobalObjectFunctions.cpp:
624         (JSC::encode): Removed some unneeded casts in StringBuilder code,
625         including one in a call to appendByteAsHex.
626         (JSC::globalFuncEscape): Ditto.
627
628 2019-02-10  Commit Queue  <commit-queue@webkit.org>
629
630         Unreviewed, rolling out r241230.
631         https://bugs.webkit.org/show_bug.cgi?id=194488
632
633         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
634         #webkit).
635
636         Reverted changeset:
637
638         "We should only make rope strings when concatenating strings
639         long enough."
640         https://bugs.webkit.org/show_bug.cgi?id=194465
641         https://trac.webkit.org/changeset/241230
642
643 2019-02-10  Saam barati  <sbarati@apple.com>
644
645         BBQ-Air: Emit better code for switch
646         https://bugs.webkit.org/show_bug.cgi?id=194053
647
648         Reviewed by Yusuke Suzuki.
649
650         Instead of emitting a linear set of jumps for Switch, this patch
651         makes the BBQ-Air backend emit a binary switch.
652
653         * wasm/WasmAirIRGenerator.cpp:
654         (JSC::Wasm::AirIRGenerator::addSwitch):
655
656 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
657
658         Unreviewed, Lexer should use isLatin1 implementation in WTF
659         https://bugs.webkit.org/show_bug.cgi?id=194466
660
661         Follow-up after r241233 pointed by Darin.
662
663         * parser/Lexer.cpp:
664         (JSC::isLatin1): Deleted.
665
666 2019-02-09  Darin Adler  <darin@apple.com>
667
668         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
669         https://bugs.webkit.org/show_bug.cgi?id=194021
670
671         Reviewed by Geoffrey Garen.
672
673         * inspector/agents/InspectorConsoleAgent.cpp:
674         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
675         makeString do the conversion without allocating/destroying a String.
676         * inspector/agents/InspectorDebuggerAgent.cpp:
677         (Inspector::objectGroupForBreakpointAction): Ditto.
678         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
679         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
680         * runtime/JSGenericTypedArrayViewInlines.h:
681         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
682         * runtime/NumberPrototype.cpp:
683         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
684         of calling numberToFixedWidthString to do the same thing.
685         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
686         numberToFixedPrecisionString to do the same thing.
687         * runtime/SamplingProfiler.cpp:
688         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
689
690 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
691
692         Unreviewed, rolling in r241237 again
693         https://bugs.webkit.org/show_bug.cgi?id=194469
694
695         * runtime/JSString.h:
696         (JSC::jsSubstring):
697
698 2019-02-09  Commit Queue  <commit-queue@webkit.org>
699
700         Unreviewed, rolling out r241237.
701         https://bugs.webkit.org/show_bug.cgi?id=194474
702
703         Shows significant memory increase in WSL (Requested by
704         yusukesuzuki on #webkit).
705
706         Reverted changeset:
707
708         "[WTF] Use BufferInternal StringImpl if substring StringImpl
709         takes more memory"
710         https://bugs.webkit.org/show_bug.cgi?id=194469
711         https://trac.webkit.org/changeset/241237
712
713 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
714
715         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
716         https://bugs.webkit.org/show_bug.cgi?id=194469
717
718         Reviewed by Geoffrey Garen.
719
720         * runtime/JSString.h:
721         (JSC::jsSubstring):
722
723 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
724
725         [JSC] CachedTypes should use jsString instead of JSString::create
726         https://bugs.webkit.org/show_bug.cgi?id=194471
727
728         Reviewed by Mark Lam.
729
730         Use jsString() here because JSString::create is a somewhat low-level API and it requires some invariants like "length is not zero".
731
732         * runtime/CachedTypes.cpp:
733         (JSC::CachedJSValue::decode const):
734
735 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
736
737         [JSC] Increase StructureIDTable initial capacity
738         https://bugs.webkit.org/show_bug.cgi?id=194468
739
740         Reviewed by Mark Lam.
741
742         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
743         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
744         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
745         more memory dirty. We also remove some structures that are no longer used.
746
747         * runtime/JSGlobalObject.h:
748         (JSC::JSGlobalObject::callbackObjectStructure const):
749         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
750         * runtime/StructureIDTable.h:
751         * runtime/VM.h:
752
753 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
754
755         [JSC] String.fromCharCode's slow path always generates 16bit string
756         https://bugs.webkit.org/show_bug.cgi?id=194466
757
758         Reviewed by Keith Miller.
759
760         String.fromCharCode(a1) has a fast path and is the most frequently used. String.fromCharCode(a1, a2, ...)
761         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
762         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
763         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
764         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
765         as much as possible.
766
767         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
768
769         * runtime/StringConstructor.cpp:
770         (JSC::stringFromCharCode):
771
772 2019-02-08  Keith Miller  <keith_miller@apple.com>
773
774         We should only make rope strings when concatenating strings long enough.
775         https://bugs.webkit.org/show_bug.cgi?id=194465
776
777         Reviewed by Saam Barati.
778
779         This patch stops us from allocating a rope string if the resulting
780         rope would be smaller than the size of the JSRopeString object we
781         would need to allocate.
782
783         This patch also adds paths so that we don't unnecessarily allocate
784         JSString cells for primitives we are going to concatenate with a
785         string anyway.
786
787         * dfg/DFGOperations.cpp:
788         * runtime/CommonSlowPaths.cpp:
789         (JSC::SLOW_PATH_DECL):
790         * runtime/JSString.h:
791         * runtime/Operations.cpp:
792         (JSC::jsAddSlowCase):
793         * runtime/Operations.h:
794         (JSC::jsString):
795         (JSC::jsAdd):
796
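The two string-memory decisions described in this entry and in the preceding String.fromCharCode entry, as an added C++ example that is not JSC's code: a constructed StringImpl/RopeString model in which fromCharCode scans the code units before choosing an 8-bit or 16-bit buffer, and concat builds a flat string instead of a rope when the flattened result would be smaller than the rope cell. The type names, the 32-byte rope-cell size and the sample inputs are assumptions of this example, not values taken from JSC.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed model (not JSC's real classes or sizes) of the two decisions in the
// entries above: which buffer width a string gets, and whether concatenation
// should produce a rope at all.
struct StringImpl {
    bool is8Bit;                    // true when every code unit fits in one byte
    std::vector<uint16_t> units;    // UTF-16 code units; all <= 0xFF when is8Bit
    size_t bufferBytes() const { return units.size() * (is8Bit ? 1 : 2); }
};

// String.fromCharCode(a1, a2, ...) slow path after the change: scan the code
// units first and widen to 16-bit only if some unit does not fit in 8 bits.
StringImpl fromCharCode(const std::vector<uint16_t>& codeUnits) {
    bool all8Bit = true;
    for (uint16_t u : codeUnits) {
        if (u > 0xFF) { all8Bit = false; break; }
    }
    return StringImpl{all8Bit, codeUnits};
}

// A rope keeps its two fibers instead of copying them. Its width is the AND of
// the fibers' widths, so one 16-bit fiber taints the whole rope.
struct RopeString {
    std::shared_ptr<StringImpl> left, right;
    bool is8Bit() const { return left->is8Bit && right->is8Bit; }
    size_t length() const { return left->units.size() + right->units.size(); }
    StringImpl resolve() const {
        StringImpl flat{is8Bit(), left->units};
        flat.units.insert(flat.units.end(), right->units.begin(), right->units.end());
        return flat;
    }
};

// Assumed size of a rope cell; sizeof(JSRopeString) is not stated on the page.
constexpr size_t kRopeCellBytes = 32;

struct ConcatResult {
    bool madeRope;
    std::shared_ptr<StringImpl> flat;   // set when !madeRope
    std::shared_ptr<RopeString> rope;   // set when madeRope
};

// jsString(a, b) after the change: if the flattened result would be smaller than
// the rope cell itself, deferring buys nothing, so build the flat string now.
ConcatResult concat(std::shared_ptr<StringImpl> a, std::shared_ptr<StringImpl> b) {
    RopeString candidate{a, b};
    size_t flatBytes = candidate.length() * (candidate.is8Bit() ? 1 : 2);
    if (flatBytes < kRopeCellBytes)
        return ConcatResult{false, std::make_shared<StringImpl>(candidate.resolve()), nullptr};
    return ConcatResult{true, nullptr, std::make_shared<RopeString>(candidate)};
}

// Helpers for checking: the width fromCharCode picks, and a concat of two
// constructed strings of the given lengths (the left one optionally 16-bit).
bool fromCharCodeIs8Bit(const std::vector<uint16_t>& units) { return fromCharCode(units).is8Bit; }
ConcatResult concatOf(size_t leftLen, size_t rightLen, bool leftWide) {
    uint16_t leftFill = leftWide ? 0x3042 : 'a';   // 0x3042 needs 16 bits, 'a' does not
    std::vector<uint16_t> l(leftLen, leftFill), r(rightLen, 'b');
    return concat(std::make_shared<StringImpl>(fromCharCode(l)),
                  std::make_shared<StringImpl>(fromCharCode(r)));
}

int main() {
    std::printf("fromCharCode(0x48, 0x69) 8-bit: %d\n", fromCharCodeIs8Bit({0x48, 0x69}));
    std::printf("fromCharCode(0x48, 0x100) 8-bit: %d\n", fromCharCodeIs8Bit({0x48, 0x100}));
    std::printf("4+4 chars -> rope: %d, 20+20 chars -> rope: %d\n",
                concatOf(4, 4, false).madeRope, concatOf(20, 20, false).madeRope);
    ConcatResult tainted = concatOf(20, 20, true);
    std::printf("rope with a 16-bit fiber is 8-bit: %d\n", tainted.rope->is8Bit());
    return 0;
}
```

The two decisions interact: concatOf(10, 10, false) stays flat while concatOf(10, 10, true) ropes, because the width chosen in fromCharCode doubles the flattened byte count that the rope threshold compares against. The rope's 8-bit flag being the AND of its fibers is the "taints ropes 16bit" behaviour the fromCharCode entry mentions.
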
797 2019-02-08  Saam barati  <sbarati@apple.com>
798
799         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
800         https://bugs.webkit.org/show_bug.cgi?id=194334
801         <rdar://problem/47844327>
802
803         Reviewed by Mark Lam.
804
805         * dfg/DFGAbstractInterpreterInlines.h:
806         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
807         * dfg/DFGArgumentsEliminationPhase.cpp:
808         * dfg/DFGByteCodeParser.cpp:
809         (JSC::DFG::ByteCodeParser::parseBlock):
810         * dfg/DFGClobberize.h:
811         (JSC::DFG::clobberize):
812         * dfg/DFGConstantFoldingPhase.cpp:
813         (JSC::DFG::ConstantFoldingPhase::foldConstants):
814         * dfg/DFGFixupPhase.cpp:
815         (JSC::DFG::FixupPhase::fixupNode):
816         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
817         * dfg/DFGIntegerCheckCombiningPhase.cpp:
818         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
819         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
820         * dfg/DFGNodeType.h:
821         * dfg/DFGSSALoweringPhase.cpp:
822         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
823         * dfg/DFGSpeculativeJIT.cpp:
824         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
825         * ftl/FTLLowerDFGToB3.cpp:
826         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
827         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
828
829 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
830
831         [JSC] Shrink sizeof(CodeBlock) more
832         https://bugs.webkit.org/show_bug.cgi?id=194419
833
834         Reviewed by Mark Lam.
835
836         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
837
838         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
839         has the same information. This data is not touched in CodeBlock::~CodeBlock,
840         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
841
842         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
843         And we do not touch it in CodeBlock::~CodeBlock.
844
845         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
846         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
847         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
848
849         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
850
851         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
852
853         * bytecode/CodeBlock.cpp:
854         (JSC::CodeBlock::hash const):
855         (JSC::CodeBlock::sourceCodeForTools const):
856         (JSC::CodeBlock::dumpAssumingJITType const):
857         (JSC::CodeBlock::dumpSource):
858         (JSC::CodeBlock::CodeBlock):
859         (JSC::CodeBlock::finishCreation):
860         (JSC::CodeBlock::propagateTransitions):
861         (JSC::CodeBlock::finalizeLLIntInlineCaches):
862         (JSC::CodeBlock::setCalleeSaveRegisters):
863         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
864         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
865         (JSC::CodeBlock::lineNumberForBytecodeOffset):
866         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
867         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
868         (JSC::CodeBlock::newReplacement):
869         (JSC::CodeBlock::replacement):
870         (JSC::CodeBlock::computeCapabilityLevel):
871         (JSC::CodeBlock::jettison):
872         (JSC::CodeBlock::calleeSaveRegisters const):
873         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
874         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
875         (JSC::CodeBlock::getArrayProfile):
876         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
877         (JSC::CodeBlock::notifyLexicalBindingUpdate):
878         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
879         (JSC::CodeBlock::validate):
880         (JSC::CodeBlock::outOfLineJumpTarget):
881         (JSC::CodeBlock::arithProfileForBytecodeOffset):
882         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
883         * bytecode/CodeBlock.h:
884         (JSC::CodeBlock::specializationKind const):
885         (JSC::CodeBlock::isStrictMode const):
886         (JSC::CodeBlock::isConstructor const):
887         (JSC::CodeBlock::codeType const):
888         (JSC::CodeBlock::isKnownNotImmediate):
889         (JSC::CodeBlock::instructions const):
890         (JSC::CodeBlock::ownerExecutable const):
891         (JSC::CodeBlock::thisRegister const):
892         (JSC::CodeBlock::source const):
893         (JSC::CodeBlock::sourceOffset const):
894         (JSC::CodeBlock::firstLineColumnOffset const):
895         (JSC::CodeBlock::createRareDataIfNecessary):
896         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
897         (JSC::CodeBlock::setThisRegister): Deleted.
898         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
899         * bytecode/EvalCodeBlock.h:
900         * bytecode/FunctionCodeBlock.h:
901         * bytecode/GlobalCodeBlock.h:
902         (JSC::GlobalCodeBlock::GlobalCodeBlock):
903         * bytecode/ModuleProgramCodeBlock.h:
904         * bytecode/ProgramCodeBlock.h:
905         * debugger/Debugger.cpp:
906         (JSC::Debugger::toggleBreakpoint):
907         * debugger/DebuggerCallFrame.cpp:
908         (JSC::DebuggerCallFrame::sourceID const):
909         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
910         * debugger/DebuggerScope.cpp:
911         (JSC::DebuggerScope::location const):
912         * dfg/DFGByteCodeParser.cpp:
913         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
914         (JSC::DFG::ByteCodeParser::inliningCost):
915         (JSC::DFG::ByteCodeParser::parseCodeBlock):
916         * dfg/DFGCapabilities.cpp:
917         (JSC::DFG::isSupportedForInlining):
918         (JSC::DFG::mightCompileEval):
919         (JSC::DFG::mightCompileProgram):
920         (JSC::DFG::mightCompileFunctionForCall):
921         (JSC::DFG::mightCompileFunctionForConstruct):
922         (JSC::DFG::canUseOSRExitFuzzing):
923         * dfg/DFGGraph.h:
924         (JSC::DFG::Graph::executableFor):
925         * dfg/DFGJITCompiler.cpp:
926         (JSC::DFG::JITCompiler::compileFunction):
927         * dfg/DFGOSREntry.cpp:
928         (JSC::DFG::prepareOSREntry):
929         * dfg/DFGOSRExit.cpp:
930         (JSC::DFG::restoreCalleeSavesFor):
931         (JSC::DFG::saveCalleeSavesFor):
932         (JSC::DFG::saveOrCopyCalleeSavesFor):
933         * dfg/DFGOSRExitCompilerCommon.cpp:
934         (JSC::DFG::handleExitCounts):
935         * dfg/DFGOperations.cpp:
936         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
937         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
938         * ftl/FTLCapabilities.cpp:
939         (JSC::FTL::canCompile):
940         * ftl/FTLLink.cpp:
941         (JSC::FTL::link):
942         * ftl/FTLOSRExitCompiler.cpp:
943         (JSC::FTL::compileStub):
944         * interpreter/CallFrame.cpp:
945         (JSC::CallFrame::callerSourceOrigin):
946         * interpreter/Interpreter.cpp:
947         (JSC::eval):
948         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
949         * interpreter/StackVisitor.cpp:
950         (JSC::StackVisitor::Frame::calleeSaveRegisters):
951         (JSC::StackVisitor::Frame::sourceURL const):
952         (JSC::StackVisitor::Frame::sourceID):
953         (JSC::StackVisitor::Frame::computeLineAndColumn const):
954         * interpreter/StackVisitor.h:
955         * jit/AssemblyHelpers.h:
956         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
957         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
958         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
959         * jit/CallFrameShuffleData.cpp:
960         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
961         * jit/JIT.cpp:
962         (JSC::JIT::compileWithoutLinking):
963         * jit/JITToDFGDeferredCompilationCallback.cpp:
964         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
965         * jit/JITWorklist.cpp:
966         (JSC::JITWorklist::Plan::finalize):
967         (JSC::JITWorklist::compileNow):
968         * jit/RegisterAtOffsetList.cpp:
969         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
970         * jit/RegisterAtOffsetList.h:
971         (JSC::RegisterAtOffsetList::at const):
972         * runtime/ErrorInstance.cpp:
973         (JSC::appendSourceToError):
974         * runtime/ScriptExecutable.cpp:
975         (JSC::ScriptExecutable::newCodeBlockFor):
976         * runtime/StackFrame.cpp:
977         (JSC::StackFrame::sourceID const):
978         (JSC::StackFrame::sourceURL const):
979         (JSC::StackFrame::computeLineAndColumn const):
980
981 2019-02-08  Robin Morisset  <rmorisset@apple.com>
982
983         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
984         https://bugs.webkit.org/show_bug.cgi?id=194460
985
986         Reviewed by Mark Lam.
987
988         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
989
990         * b3/B3LowerMacros.cpp:
991
992 2019-02-08  Mark Lam  <mark.lam@apple.com>
993
994         Use maxSingleCharacterString in comparisons instead of literal constants.
995         https://bugs.webkit.org/show_bug.cgi?id=194452
996
997         Reviewed by Yusuke Suzuki.
998
999         This way, if we ever change maxSingleCharacterString, it won't break all this code
1000         that relies on it being 0xff implicitly.
1001
1002         * dfg/DFGSpeculativeJIT.cpp:
1003         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1004         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1005         * ftl/FTLLowerDFGToB3.cpp:
1006         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1007         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1008         * jit/ThunkGenerators.cpp:
1009         (JSC::stringGetByValGenerator):
1010         (JSC::charToString):
1011
1012 2019-02-08  Mark Lam  <mark.lam@apple.com>
1013
1014         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1015         https://bugs.webkit.org/show_bug.cgi?id=194446
1016         <rdar://problem/47926792>
1017
1018         Reviewed by Saam Barati.
1019
1020         Fix doesGC() for the following nodes:
1021
1022             CheckTierUpAtReturn:
1023                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1024                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1025
1026             CheckTierUpInLoop:
1027                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1028                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1029
1030             CheckTierUpAndOSREnter:
1031                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1032                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1033
1034             GetByVal:
1035                 case Array::String calls operationSingleCharacterString(), which calls
1036                 jsSingleCharacterString(), which can allocate a string.
1037
1038             PutByValDirect:
1039             PutByVal:
1040             PutByValAlias:
1041                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1042                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1043                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1044                 slow paths call putByValInternal(), which may create exception objects, or
1045                 call the generic JSValue::put() which may execute arbitrary code.
1046
1047             StringCharAt:
1048                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1049                 which can allocate a string.
1050
1051         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1052         to use the maxSingleCharacterString constant instead of a literal constant.
1053
1054         * dfg/DFGDoesGC.cpp:
1055         (JSC::DFG::doesGC):
1056         * dfg/DFGSpeculativeJIT.cpp:
1057         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1058         * dfg/DFGSpeculativeJIT64.cpp:
1059         (JSC::DFG::SpeculativeJIT::compile):
1060         * ftl/FTLLowerDFGToB3.cpp:
1061         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1062         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1063         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1064
1065 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1066
1067         [JSC] SourceProviderCacheItem should be small
1068         https://bugs.webkit.org/show_bug.cgi?id=194432
1069
1070         Reviewed by Saam Barati.
1071
1072         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1073         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1074         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1075
1076         * parser/Parser.cpp:
1077         (JSC::Parser<LexerType>::parseFunctionInfo):
1078         * parser/ParserModes.h:
1079         * parser/ParserTokens.h:
1080         * parser/SourceProviderCacheItem.h:
1081         (JSC::SourceProviderCacheItem::endFunctionToken const):
1082         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1083
1084 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1085
1086         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1087         https://bugs.webkit.org/show_bug.cgi?id=194420
1088
1089         Reviewed by Saam Barati.
1090
1091         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1092         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1093         This trivial patch fixes both.
1094
1095         * b3/B3ReduceStrength.cpp:
1096         * b3/testb3.cpp:
1097         (JSC::B3::testAbsNegArg):
1098
1099 2019-02-07  Keith Miller  <keith_miller@apple.com>
1100
1101         Better error messages for module loader SPI
1102         https://bugs.webkit.org/show_bug.cgi?id=194421
1103
1104         Reviewed by Saam Barati.
1105
1106         * API/JSAPIGlobalObject.mm:
1107         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1108
1109 2019-02-07  Mark Lam  <mark.lam@apple.com>
1110
1111         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1112         https://bugs.webkit.org/show_bug.cgi?id=194399
1113         <rdar://problem/47889777>
1114
1115         Reviewed by Yusuke Suzuki.
1116
1117         Fix doesGC() for the following nodes:
1118
1119             CheckTraps:
1120                 We normally will not emit this node because Options::usePollingTraps() is
1121                 false by default.  However, as it is implemented now, CheckTraps can GC
1122                 because it can allocate a TerminatedExecutionException.  If we make the
1123                 TerminatedExecutionException a singleton allocated at initialization time,
1124                 doesGC() can return false for CheckTraps.
1125                 https://bugs.webkit.org/show_bug.cgi?id=194323
1126
1127             GetMapBucket:
1128                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1129                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1130                 can resolve a rope.
1131
1132             Switch:
1133                 If switchData kind is SwitchChar, can call operationResolveRope().
1134                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1135                     can call operationSwitchString() which resolves ropes.
1136
1137             DirectTailCall:
1138             ForceOSRExit:
1139             Return:
1140             TailCallForwardVarargs:
1141             TailCallVarargs:
1142             Throw:
1143                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1144                 for them, but following our conservative practice, unless we have a good
1145                 reason for doesGC() to return false, we should just return true.
1146
1147         * dfg/DFGDoesGC.cpp:
1148         (JSC::DFG::doesGC):
1149
1150 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1151
1152         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1153         https://bugs.webkit.org/show_bug.cgi?id=194250
1154
1155         Reviewed by Saam Barati.
1156
1157         Adds the following optimizations for integers:
1158         - Sub(x, x) => 0
1159             Already covered by the test testSubArg
1160         - Sub(x1, Neg(x2)) => Add (x1, x2)
1161             Added test: testSubNeg
1162         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1163             Added test: testNegSub
1164         - Add(Neg(x1), x2) => Sub(x2, x1)
1165             Added test: testAddNeg1
1166         - Add(x1, Neg(x2)) => Sub(x1, x2)
1167             Added test: testAddNeg2
1168         Adds the following optimization for floating point values:
1169         - Abs(Neg(x)) => Abs(x)
1170             Added test: testAbsNegArg
1171             Adds the following optimization:
1172
1173         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1174
1175         * b3/B3ReduceStrength.cpp:
1176         * b3/testb3.cpp:
1177         (JSC::B3::testAddNeg1):
1178         (JSC::B3::testAddNeg2):
1179         (JSC::B3::testSubNeg):
1180         (JSC::B3::testNegSub):
1181         (JSC::B3::testAbsAbsArg):
1182         (JSC::B3::testAbsNegArg):
1183         (JSC::B3::run):
1184
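The rewrite rules listed in this entry, together with the Abs(Neg(x)) fix described in the 2019-02-07 entry for bug 194420 above, as an added C++ example that is not JSC's B3ReduceStrength code: a constructed expression tree, the peepholes applied in one bottom-up pass, a reference evaluator that checks each rewrite against the original on sample inputs, and the buggy Abs(Neg(x)) -> x rewrite so the evaluator check shows why testAbsNegArg had to look at the right node. The Value/Op types, the wrapping-integer evaluator and the sample inputs are all assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
// Constructed stand-in for B3's IR (not JSC code): an opcode plus a flag saying
// whether the node is integer-typed, which the integer-only rules check.
enum class Op { Const, Arg, Neg, Sub, Add, Abs };
struct Value;
using ValuePtr = std::shared_ptr<Value>;
struct Value {
    Op op; bool isInteger;            // isInteger stands in for B3's m_value->isInteger()
    int64_t constant; int argIndex;   // payloads for Const and Arg
    ValuePtr child0, child1;
};

static ValuePtr make(Op op, bool isInteger, ValuePtr c0 = nullptr, ValuePtr c1 = nullptr) {
    return std::make_shared<Value>(Value{op, isInteger, 0, 0, c0, c1});
}
static ValuePtr arg(bool isInteger, int index) { auto v = make(Op::Arg, isInteger); v->argIndex = index; return v; }
static ValuePtr constInt(int64_t c) { auto v = make(Op::Const, true); v->constant = c; return v; }
static ValuePtr neg(ValuePtr x) { return make(Op::Neg, x->isInteger, x); }
static ValuePtr sub(ValuePtr a, ValuePtr b) { return make(Op::Sub, a->isInteger, a, b); }
static ValuePtr add(ValuePtr a, ValuePtr b) { return make(Op::Add, a->isInteger, a, b); }
static ValuePtr abs_(ValuePtr x) { return make(Op::Abs, false, x); }   // Abs is floating point only

// One bottom-up pass over the peepholes listed in the entry (B3 re-runs until nothing changes).
ValuePtr reduce(ValuePtr v) {
    if (v->child0) v->child0 = reduce(v->child0);
    if (v->child1) v->child1 = reduce(v->child1);
    switch (v->op) {
    case Op::Sub:
        if (!v->isInteger) break;
        if (v->child0 == v->child1) return constInt(0);                          // Sub(x, x) => 0
        if (v->child1->op == Op::Neg) return add(v->child0, v->child1->child0);  // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Add:
        if (!v->isInteger) break;
        if (v->child0->op == Op::Neg) return sub(v->child1, v->child0->child0);  // Add(Neg(x1), x2) => Sub(x2, x1)
        if (v->child1->op == Op::Neg) return sub(v->child0, v->child1->child0);  // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Neg:
        if (v->isInteger && v->child0->op == Op::Sub) return sub(v->child0->child1, v->child0->child0); // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Abs:
        if (v->child0->op == Op::Neg) return abs_(v->child0->child0);            // Abs(Neg(x)) => Abs(x)
        break;
    default: break;
    }
    return v;
}

// The copy-paste mistake the 194420 entry describes: Abs(Neg(x)) rewritten to x.
ValuePtr reduceAbsNegBuggy(ValuePtr v) {
    if (v->op == Op::Abs && v->child0->op == Op::Neg) return v->child0->child0;
    return v;
}

// Reference evaluators; integer arithmetic wraps, as B3's Int64 ops do.
int64_t evalInt(const ValuePtr& v, int64_t a0, int64_t a1) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg:   return v->argIndex == 0 ? a0 : a1;
    case Op::Neg:   return (int64_t)(0 - (uint64_t)evalInt(v->child0, a0, a1));
    case Op::Sub:   return (int64_t)((uint64_t)evalInt(v->child0, a0, a1) - (uint64_t)evalInt(v->child1, a0, a1));
    case Op::Add:   return (int64_t)((uint64_t)evalInt(v->child0, a0, a1) + (uint64_t)evalInt(v->child1, a0, a1));
    default:        std::abort();
    }
}
double evalDouble(const ValuePtr& v, double a0) {
    switch (v->op) {
    case Op::Arg: return a0;
    case Op::Neg: return -evalDouble(v->child0, a0);
    case Op::Abs: return std::fabs(evalDouble(v->child0, a0));
    default:      std::abort();
    }
}

// Checks: which rule fired (root opcode after reduce) and whether the reduced tree still agrees with the original.
Op reducedRootOp(ValuePtr v) { return reduce(v)->op; }
bool intRuleIsSound(ValuePtr v, int64_t a0, int64_t a1) {
    int64_t before = evalInt(v, a0, a1);             // evaluate before reduce() rewrites v's children
    return evalInt(reduce(v), a0, a1) == before;
}
bool subSelfFoldsToZero() {
    ValuePtr x = arg(true, 0), r = reduce(sub(x, x));
    return r->op == Op::Const && r->constant == 0;
}
bool absNegRuleIsSound() {     // correct rule: Abs(Neg(x)) at x = -3.5 still yields 3.5
    return evalDouble(reduce(abs_(neg(arg(false, 0)))), -3.5) == 3.5;
}
bool buggyAbsNegIsCaught() {   // buggy rule yields -3.5, so a test of Abs(Neg(x)) exposes it
    return evalDouble(reduceAbsNegBuggy(abs_(neg(arg(false, 0)))), -3.5) != 3.5;
}

int main() {
    ValuePtr x = arg(true, 0), y = arg(true, 1);
    std::printf("Sub(x1, Neg(x2)) became Add: %d\n", reducedRootOp(sub(x, neg(y))) == Op::Add);
    std::printf("Abs(Neg(x)) rule sound: %d, buggy variant caught: %d\n", absNegRuleIsSound(), buggyAbsNegIsCaught());
    return 0;
}
```

The evaluator comparison is the part worth keeping around: a peephole that only checks shapes can be subtly wrong (as the Abs(Neg(x)) -> x copy-paste was) while every existing test still passes, and a test that evaluates the wrong tree, as the original testAbsAbsArg look-alike did, catches nothing. The integer rules are checked at INT64_MIN as well, since wrapping is where Neg/Sub identities usually break.
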
1185 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1186
1187         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1188         https://bugs.webkit.org/show_bug.cgi?id=194374
1189
1190         Reviewed by Geoffrey Garen.
1191
1192         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1193         But a pointer is larger than a single character. BufferInternal StringImpl with single character
1194         is more memory efficient.
1195
1196         * runtime/SmallStrings.cpp:
1197         (JSC::SmallStringsStorage::SmallStringsStorage):
1198         (JSC::SmallStrings::SmallStrings):
1199         * runtime/SmallStrings.h:
1200
1201 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1202
1203         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1204         https://bugs.webkit.org/show_bug.cgi?id=194369
1205         <rdar://problem/47813087>
1206
1207         Reviewed by Saam Barati.
1208
1209         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1210         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1211         constant folding phase.
1212
1213         * dfg/DFGAbstractInterpreterInlines.h:
1214         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1215
1216 2019-02-06  Devin Rousso  <drousso@apple.com>
1217
1218         Web Inspector: DOM: don't send the entire function string with each event listener
1219         https://bugs.webkit.org/show_bug.cgi?id=194293
1220         <rdar://problem/47822809>
1221
1222         Reviewed by Joseph Pecoraro.
1223
1224         * inspector/protocol/DOM.json:
1225
1226         * runtime/JSFunction.h:
1227         Export `calculatedDisplayName`.
1228
1229 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1230
1231         [JSC] PrivateName to PublicName hash table is wasteful
1232         https://bugs.webkit.org/show_bug.cgi?id=194277
1233
1234         Reviewed by Michael Saboff.
1235
1236         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
1237         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1238         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1239         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1240
1241         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1242
1243         1. PrivateName's content should be the same as PublicName's.
1244         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1245            the public name should be easily crafted from the given PrivateName.
1246
1247         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1248         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1249
1250         We also remove unused identifiers in CommonIdentifiers, and we move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1251         WebCore.
1252
1253         * builtins/BuiltinNames.cpp:
1254         (JSC::BuiltinNames::BuiltinNames):
1255         * builtins/BuiltinNames.h:
1256         (JSC::BuiltinNames::lookUpPrivateName const):
1257         (JSC::BuiltinNames::getPublicName const):
1258         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1259         (JSC::BuiltinNames::appendExternalName):
1260         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1261         * builtins/BuiltinUtils.h:
1262         * bytecode/BytecodeDumper.cpp:
1263         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1264         * bytecompiler/NodesCodegen.cpp:
1265         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1266         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1267         * parser/Lexer.cpp:
1268         (JSC::Lexer<LChar>::parseIdentifier):
1269         (JSC::Lexer<UChar>::parseIdentifier):
1270         * parser/Parser.cpp:
1271         (JSC::Parser<LexerType>::createGeneratorParameters):
1272         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1273         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1274         (JSC::Parser<LexerType>::parseClassDeclaration):
1275         (JSC::Parser<LexerType>::parseExportDeclaration):
1276         (JSC::Parser<LexerType>::parseMemberExpression):
1277         * parser/ParserArena.h:
1278         (JSC::IdentifierArena::makeIdentifier):
1279         * runtime/CachedTypes.cpp:
1280         (JSC::CachedUniquedStringImpl::encode):
1281         (JSC::CachedUniquedStringImpl::decode const):
1282         * runtime/CommonIdentifiers.cpp:
1283         (JSC::CommonIdentifiers::CommonIdentifiers):
1284         (JSC::CommonIdentifiers::lookUpPrivateName const):
1285         (JSC::CommonIdentifiers::getPublicName const):
1286         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1287         * runtime/CommonIdentifiers.h:
1288         * runtime/ExceptionHelpers.cpp:
1289         (JSC::createUndefinedVariableError):
1290         * runtime/Identifier.cpp:
1291         (JSC::Identifier::dump const):
1292         * runtime/Identifier.h:
1293         * runtime/IdentifierInlines.h:
1294         (JSC::Identifier::fromUid):
1295         * runtime/JSTypedArrayViewPrototype.cpp:
1296         (JSC::JSTypedArrayViewPrototype::finishCreation):
1297         * tools/JSDollarVM.cpp:
1298         (JSC::functionGetPrivateProperty):
1299
1300 2019-02-06  Keith Rollin  <krollin@apple.com>
1301
1302         Really enable the automatic checking and regenerations of .xcfilelists during builds
1303         https://bugs.webkit.org/show_bug.cgi?id=194357
1304         <rdar://problem/47861231>
1305
1306         Reviewed by Chris Dumez.
1307
1308         Bug 194124 was supposed to enable the automatic checking and
1309         regenerating of .xcfilelist files during the build. While related
1310         changes were included in that patch, the change to actually enable the
1311         operation somehow was omitted. This patch actually enables the
1312         operation. The check-xcfilelist.sh scripts now check
1313         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts the developer out
1314         of the checking.
1315
1316         * Scripts/check-xcfilelists.sh:
1317
1318 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1319
1320         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1321         https://bugs.webkit.org/show_bug.cgi?id=194339
1322
1323         Reviewed by Michael Saboff.
1324
1325         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1326         They even have the same structure. This patch unifies the subspaces for them.
1327
1328         * runtime/DirectEvalExecutable.h:
1329         * runtime/EvalExecutable.h:
1330         (JSC::EvalExecutable::subspaceFor):
1331         * runtime/IndirectEvalExecutable.h:
1332         * runtime/VM.cpp:
1333         * runtime/VM.h:
1334         (JSC::VM::forEachScriptExecutableSpace):
1335
1336 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1337
1338         [JSC] NativeExecutable should be smaller
1339         https://bugs.webkit.org/show_bug.cgi?id=194331
1340
1341         Reviewed by Michael Saboff.
1342
1343         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1344         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1345         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1346         only takes one MarkedBlock for NativeExecutable.
1347
1348         To make NativeExecutable smaller,
1349
1350         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1351            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1352
1353         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1354            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1355            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1356
1357         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1358            Intrinsic for NativeExecutable.
1359
1360         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1361
1362         * CMakeLists.txt:
1363         * JavaScriptCore.xcodeproj/project.pbxproj:
1364         * bytecode/CallVariant.h:
1365         * interpreter/Interpreter.cpp:
1366         * jit/JITCode.cpp:
1367         (JSC::DirectJITCode::DirectJITCode):
1368         (JSC::NativeJITCode::NativeJITCode):
1369         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1370         * jit/JITCode.h:
1371         (JSC::JITCode::signature const):
1372         (JSC::JITCode::intrinsic):
1373         * jit/JITOperations.cpp:
1374         * jit/JITThunks.cpp:
1375         (JSC::JITThunks::hostFunctionStub):
1376         * jit/Repatch.cpp:
1377         * llint/LLIntSlowPaths.cpp:
1378         * runtime/ExecutableBase.cpp:
1379         (JSC::ExecutableBase::dump const):
1380         (JSC::ExecutableBase::hashFor const):
1381         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1382         (JSC::ExecutableBase::clearCode): Deleted.
1383         * runtime/ExecutableBase.h:
1384         (JSC::ExecutableBase::ExecutableBase):
1385         (JSC::ExecutableBase::isModuleProgramExecutable):
1386         (JSC::ExecutableBase::isHostFunction const):
1387         (JSC::ExecutableBase::generatedJITCodeForCall const):
1388         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1389         (JSC::ExecutableBase::generatedJITCodeFor const):
1390         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1391         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1392         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1393         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1394         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1395         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1396         (JSC::ExecutableBase::intrinsic const): Deleted.
1397         * runtime/ExecutableBaseInlines.h: Added.
1398         (JSC::ExecutableBase::intrinsic const):
1399         (JSC::ExecutableBase::hasJITCodeForCall const):
1400         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1401         * runtime/JSBoundFunction.cpp:
1402         * runtime/JSType.cpp:
1403         (WTF::printInternal):
1404         * runtime/JSType.h:
1405         * runtime/NativeExecutable.cpp:
1406         (JSC::NativeExecutable::create):
1407         (JSC::NativeExecutable::createStructure):
1408         (JSC::NativeExecutable::NativeExecutable):
1409         (JSC::NativeExecutable::signatureFor const):
1410         (JSC::NativeExecutable::intrinsic const):
1411         * runtime/NativeExecutable.h:
1412         * runtime/ScriptExecutable.cpp:
1413         (JSC::ScriptExecutable::ScriptExecutable):
1414         (JSC::ScriptExecutable::clearCode):
1415         (JSC::ScriptExecutable::installCode):
1416         (JSC::ScriptExecutable::hasClearableCode const):
1417         * runtime/ScriptExecutable.h:
1418         (JSC::ScriptExecutable::intrinsic const):
1419         (JSC::ScriptExecutable::hasJITCodeForCall const):
1420         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1421         * runtime/VM.cpp:
1422         (JSC::VM::getHostFunction):
1423
1424 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1425
1426         Build failure after r240431
1427         https://bugs.webkit.org/show_bug.cgi?id=194330
1428
1429         Reviewed by Žan Doberšek.
1430
1431         * API/glib/JSCOptions.cpp:
1432
1433 2019-02-05  Mark Lam  <mark.lam@apple.com>
1434
1435         Fix DFG's doesGC() for a few more nodes.
1436         https://bugs.webkit.org/show_bug.cgi?id=194307
1437         <rdar://problem/47832956>
1438
1439         Reviewed by Yusuke Suzuki.
1440
1441         Fix doesGC() for the following nodes:
1442
1443             NumberToStringWithValidRadixConstant:
1444                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1445                 which can allocate a string.
1446                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1447                 which can allocate a string.
1448                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1449                 which can allocate a string.
1450
1451             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1452                 memory for all kinds of objects.
1453             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1454                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1455                 these allocate memory for the match result.
1456             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1457                 calls RegExpObject's collectMatches(), which allocates an array amongst
1458                 other objects.
1459
1460             StringFromCharCode:
1461                 If the uint32 code to convert is greater than maxSingleCharacterString,
1462                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1463                 which allocates a new string if the code is greater than maxSingleCharacterString.
1464
1465         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1466         to use maxSingleCharacterString instead of a literal constant.
1467
1468         * dfg/DFGDoesGC.cpp:
1469         (JSC::DFG::doesGC):
1470         * dfg/DFGSpeculativeJIT.cpp:
1471         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1472         * ftl/FTLLowerDFGToB3.cpp:
1473         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1474
1475 2019-02-05  Keith Rollin  <krollin@apple.com>
1476
1477         Enable the automatic checking and regenerations of .xcfilelists during builds
1478         https://bugs.webkit.org/show_bug.cgi?id=194124
1479         <rdar://problem/47721277>
1480
1481         Reviewed by Tim Horton.
1482
1483         Bug 193790 added a facility for checking -- during build time -- that
1484         any needed .xcfilelist files are up-to-date and for updating them if
1485         they are not. This facility was initially opt-in by setting
1486         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1487         the process seemed robust. It's now time to enable this facility and
1488         make it opt-out. If there is a need to disable this facility, set and
1489         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1490         running `make` or `build-webkit`, or before running Xcode from the
1491         command line.
1492
1493         Additionally, remove the step that generates a list of source files
1494         going into the UnifiedSources build step. It's only necessary to
1495         specify Sources.txt and SourcesCocoa.txt as inputs.
1496
1497         * JavaScriptCore.xcodeproj/project.pbxproj:
1498         * UnifiedSources-input.xcfilelist: Removed.
1499
1500 2019-02-05  Keith Rollin  <krollin@apple.com>
1501
1502         Update .xcfilelist files
1503         https://bugs.webkit.org/show_bug.cgi?id=194121
1504         <rdar://problem/47720863>
1505
1506         Reviewed by Tim Horton.
1507
1508         Preparatory to enabling the facility for automatically updating the
1509         .xcfilelist files, check in a freshly-updated set so that not everyone
1510         runs up against having to regenerate them themselves.
1511
1512         * DerivedSources-input.xcfilelist:
1513         * DerivedSources-output.xcfilelist:
1514
1515 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1516
1517         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1518         https://bugs.webkit.org/show_bug.cgi?id=185557
1519
1520         Reviewed by Mark Lam.
1521
1522         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1523         where n is the number of characters in the formatted string.
1524         It may be less memory efficient than the previous impl, since the intermediate Vector
1525         is the length of the string, instead of the count of the fields.
1526
1527         * runtime/IntlNumberFormat.cpp:
1528         (JSC::IntlNumberFormat::formatToParts):
1529         * runtime/IntlNumberFormat.h:
1530
1531 2019-02-05  Mark Lam  <mark.lam@apple.com>
1532
1533         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1534         https://bugs.webkit.org/show_bug.cgi?id=194298
1535         <rdar://problem/47827555>
1536
1537         Reviewed by Saam Barati.
1538
1539         We do this for 3 reasons:
1540         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1541         2. If things change in the future where clobberize() no longer reports these nodes
1542            as write(Heap), each node should be vetted first to make sure that it can never
1543            GC before being moved back to the doesGC() list that returns false.
1544         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1545            correct in its claims about the nodes' GCing possibility.
1546
1547         The list of nodes moved are:
1548
1549             ArrayPush
1550             ArrayPop
1551             Call
1552             CallEval
1553             CallForwardVarargs
1554             CallVarargs
1555             Construct
1556             ConstructForwardVarargs
1557             ConstructVarargs
1558             DefineDataProperty
1559             DefineAccessorProperty
1560             DeleteById
1561             DeleteByVal
1562             DirectCall
1563             DirectConstruct
1564             DirectTailCallInlinedCaller
1565             GetById
1566             GetByIdDirect
1567             GetByIdDirectFlush
1568             GetByIdFlush
1569             GetByIdWithThis
1570             GetByValWithThis
1571             GetDirectPname
1572             GetDynamicVar
1573             HasGenericProperty
1574             HasOwnProperty
1575             HasStructureProperty
1576             InById
1577             InByVal
1578             InstanceOf
1579             InstanceOfCustom
1580             LoadVarargs
1581             NumberToStringWithRadix
1582             PutById
1583             PutByIdDirect
1584             PutByIdFlush
1585             PutByIdWithThis
1586             PutByOffset
1587             PutByValWithThis
1588             PutDynamicVar
1589             PutGetterById
1590             PutGetterByVal
1591             PutGetterSetterById
1592             PutSetterById
1593             PutSetterByVal
1594             PutStack
1595             PutToArguments
1596             RegExpExec
1597             RegExpTest
1598             ResolveScope
1599             ResolveScopeForHoistingFuncDeclInEval
1600             TailCall
1601             TailCallForwardVarargsInlinedCaller
1602             TailCallInlinedCaller
1603             TailCallVarargsInlinedCaller
1604             ToNumber
1605             ToPrimitive
1606             ValueNegate
1607
1608         * dfg/DFGDoesGC.cpp:
1609         (JSC::DFG::doesGC):
1610
1611 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1612
1613         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1614         https://bugs.webkit.org/show_bug.cgi?id=194281
1615
1616         Reviewed by Michael Saboff.
1617
1618         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1619         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1620
1621         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Converting more Vectors into RefCountedArrays can be done with some restructuring
1622         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1623         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1624
1625         * bytecode/CodeBlock.cpp:
1626         (JSC::CodeBlock::finishCreation):
1627         * bytecode/CodeBlock.h:
1628         (JSC::CodeBlock::bitVectors const): Deleted.
1629         * bytecode/CodeType.h:
1630         * bytecode/UnlinkedCodeBlock.cpp:
1631         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1632         (JSC::UnlinkedCodeBlock::shrinkToFit):
1633         * bytecode/UnlinkedCodeBlock.h:
1634         (JSC::UnlinkedCodeBlock::bitVector):
1635         (JSC::UnlinkedCodeBlock::addBitVector):
1636         (JSC::UnlinkedCodeBlock::addSetConstant):
1637         (JSC::UnlinkedCodeBlock::constantRegisters):
1638         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1639         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1640         (JSC::UnlinkedCodeBlock::codeType const):
1641         (JSC::UnlinkedCodeBlock::didOptimize const):
1642         (JSC::UnlinkedCodeBlock::setDidOptimize):
1643         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1644         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1645         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1646         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1647         * bytecompiler/BytecodeGenerator.cpp:
1648         (JSC::BytecodeGenerator::emitLoad):
1649         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1650         * bytecompiler/BytecodeGenerator.h:
1651         * runtime/CachedTypes.cpp:
1652         (JSC::CachedCodeBlockRareData::encode):
1653         (JSC::CachedCodeBlockRareData::decode const):
1654         (JSC::CachedCodeBlock::scopeRegister const):
1655         (JSC::CachedCodeBlock::codeType const):
1656         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1657         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1658         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1659         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1660
1661 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1662
1663         Unreviewed, add missing exception checks after r240637
1664         https://bugs.webkit.org/show_bug.cgi?id=193546
1665
1666         * tools/JSDollarVM.cpp:
1667         (JSC::functionShadowChickenFunctionsOnStack):
1668
1669 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1670
1671         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1672         https://bugs.webkit.org/show_bug.cgi?id=193993
1673
1674         Reviewed by Keith Miller.
1675
1676         JSC::VM has a lot of IsoSubspaces, and each takes 504 bytes. This unnecessarily makes VM very large,
1677         and some of them are rarely used. We should allocate them lazily.
1678
1679         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1680         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1681         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1682         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1683         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
1684         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1685         by using WTF::storeStoreFence when lazily allocating it.
1686
1687         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1688         existence of the space before touching this. This is not racy because the main thread is stopped when
1689         the constraint solving is working.
1690
1691         This changes sizeof(VM) from 64736 to 56472.
1692
1693         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1694         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
1695         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
1696         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
1697         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
1698         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1699         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1700
1701         * API/JSCallbackFunction.h:
1702         * API/ObjCCallbackFunction.h:
1703         (JSC::ObjCCallbackFunction::subspaceFor):
1704         * API/glib/JSCCallbackFunction.h:
1705         * CMakeLists.txt:
1706         * JavaScriptCore.xcodeproj/project.pbxproj:
1707         * bytecode/CodeBlock.cpp:
1708         (JSC::CodeBlock::visitChildren):
1709         (JSC::CodeBlock::finalizeUnconditionally):
1710         * bytecode/CodeBlock.h:
1711         * bytecode/EvalCodeBlock.h:
1712         * bytecode/ExecutableToCodeBlockEdge.h:
1713         * bytecode/FunctionCodeBlock.h:
1714         * bytecode/ModuleProgramCodeBlock.h:
1715         * bytecode/ProgramCodeBlock.h:
1716         * bytecode/UnlinkedFunctionExecutable.cpp:
1717         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1718         * bytecode/UnlinkedFunctionExecutable.h:
1719         * dfg/DFGSpeculativeJIT.cpp:
1720         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1721         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1722         (JSC::DFG::SpeculativeJIT::compileNewObject):
1723         * ftl/FTLLowerDFGToB3.cpp:
1724         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1725         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1726         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1727         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1728         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1729         * heap/Heap.cpp:
1730         (JSC::Heap::finalizeUnconditionalFinalizers):
1731         (JSC::Heap::deleteAllCodeBlocks):
1732         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1733         (JSC::Heap::addCoreConstraints):
1734         * heap/Subspace.cpp:
1735         (JSC::Subspace::initialize):
1736         * jit/AssemblyHelpers.h:
1737         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1738         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1739         * jit/JITOpcodes.cpp:
1740         (JSC::JIT::emit_op_new_object):
1741         * jit/JITOpcodes32_64.cpp:
1742         (JSC::JIT::emit_op_new_object):
1743         * runtime/DirectArguments.h:
1744         * runtime/DirectEvalExecutable.h:
1745         * runtime/ErrorInstance.h:
1746         (JSC::ErrorInstance::subspaceFor):
1747         * runtime/ExecutableBase.h:
1748         * runtime/FunctionExecutable.h:
1749         * runtime/IndirectEvalExecutable.h:
1750         * runtime/InferredValue.cpp:
1751         (JSC::InferredValue::visitChildren):
1752         * runtime/InferredValue.h:
1753         * runtime/InferredValueInlines.h:
1754         (JSC::InferredValue::finalizeUnconditionally):
1755         * runtime/InternalFunction.h:
1756         * runtime/JSAsyncFunction.h:
1757         * runtime/JSAsyncGeneratorFunction.h:
1758         * runtime/JSBoundFunction.h:
1759         * runtime/JSCell.h:
1760         (JSC::subspaceFor):
1761         (JSC::subspaceForConcurrently):
1762         * runtime/JSCellInlines.h:
1763         (JSC::allocatorForNonVirtualConcurrently):
1764         * runtime/JSCustomGetterSetterFunction.h:
1765         * runtime/JSDestructibleObject.h:
1766         * runtime/JSFunction.h:
1767         * runtime/JSGeneratorFunction.h:
1768         * runtime/JSImmutableButterfly.h:
1769         * runtime/JSLexicalEnvironment.h:
1770         (JSC::JSLexicalEnvironment::subspaceFor):
1771         * runtime/JSNativeStdFunction.h:
1772         * runtime/JSSegmentedVariableObject.h:
1773         * runtime/JSString.h:
1774         * runtime/ModuleProgramExecutable.h:
1775         * runtime/NativeExecutable.h:
1776         * runtime/ProgramExecutable.h:
1777         * runtime/PropertyMapHashTable.h:
1778         * runtime/ProxyRevoke.h:
1779         * runtime/ScopedArguments.h:
1780         * runtime/ScriptExecutable.cpp:
1781         (JSC::ScriptExecutable::clearCode):
1782         (JSC::ScriptExecutable::installCode):
1783         * runtime/Structure.h:
1784         * runtime/StructureRareData.h:
1785         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1786         * runtime/VM.cpp:
1787         (JSC::VM::VM):
1788         * runtime/VM.h:
1789         (JSC::VM::SpaceAndSet::SpaceAndSet):
1790         (JSC::VM::SpaceAndSet::setFor):
1791         (JSC::VM::forEachScriptExecutableSpace):
1792         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1793         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1794         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1795         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1796         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1797         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1798         * runtime/WeakMapImpl.h:
1799         (JSC::WeakMapImpl::subspaceFor):
1800         * wasm/js/JSWebAssemblyCodeBlock.h:
1801         * wasm/js/JSWebAssemblyMemory.h:
1802         * wasm/js/WebAssemblyFunction.h:
1803         * wasm/js/WebAssemblyWrapperFunction.h:
1804
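An added example, not WebKit code and not part of any entry in this ChangeLog: it models the lazy IsoSubspace publication described in the entry above (an ensureXXXSpace path that allocates and publishes, a subspaceForConcurrently path that may return nullptr, and a constraint-solving path that checks for existence before touching the space). The Subspace and VM classes, the counters and observe() are hypothetical stand-ins, and std::atomic release/acquire is used in place of WTF::storeStoreFence.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical stand-in for JSC::IsoSubspace (the real one is far larger).
struct Subspace {
    std::string name;
    size_t cellSize;
};

// Hypothetical stand-in for the parts of JSC::VM that the entry changes.
class VM {
public:
    ~VM() { delete m_rareSpace.load(std::memory_order_relaxed); }

    // Mutator-thread path (like ensureXXXSpace() behind subspaceFor<>): allocate on
    // first use, then publish. As in the entry, only the mutator may call this, so
    // no lock is needed against a second allocator.
    Subspace& ensureRareSpace() {
        if (Subspace* existing = m_rareSpace.load(std::memory_order_acquire))
            return *existing;
        Subspace* space = new Subspace{"RareCell", 64};
        // The release store plays the role of WTF::storeStoreFence(): every write
        // that constructed *space is ordered before the pointer becomes visible.
        m_rareSpace.store(space, std::memory_order_release);
        ++m_lazyAllocations;
        return *space;
    }

    // Concurrent-JIT path (like subspaceForConcurrently<>): never allocates, and
    // callers must handle nullptr when the space has not been created yet.
    Subspace* rareSpaceConcurrently() const {
        return m_rareSpace.load(std::memory_order_acquire);
    }

    // GC-constraint path: check for existence before touching the space.
    size_t rareSpaceCellSizeOrZero() const {
        Subspace* space = rareSpaceConcurrently();
        return space ? space->cellSize : 0;
    }

    unsigned lazyAllocations() const { return m_lazyAllocations; }

private:
    std::atomic<Subspace*> m_rareSpace{nullptr};
    unsigned m_lazyAllocations = 0;
};

// What a caller observes over one VM lifetime (hypothetical test harness).
struct Observed {
    bool nullBeforeEnsure;   // concurrent reader sees nullptr before first use
    size_t sizeBefore;       // constraint path tolerates the missing space
    bool samePointerAfter;   // a second ensure returns the published object
    unsigned allocations;    // exactly one allocation happened
    size_t sizeAfter;
};

Observed observe() {
    VM vm;
    Observed o{};
    o.nullBeforeEnsure = vm.rareSpaceConcurrently() == nullptr;
    o.sizeBefore = vm.rareSpaceCellSizeOrZero();
    Subspace& first = vm.ensureRareSpace();
    Subspace& second = vm.ensureRareSpace();
    o.samePointerAfter = &first == &second && vm.rareSpaceConcurrently() == &first;
    o.allocations = vm.lazyAllocations();
    o.sizeAfter = vm.rareSpaceCellSizeOrZero();
    return o;
}

int main() {
    Observed o = observe();
    std::printf("null before=%d size before=%zu same ptr=%d allocations=%u size after=%zu\n",
        o.nullBeforeEnsure, o.sizeBefore, o.samePointerAfter, o.allocations, o.sizeAfter);
    return 0;
}
```

The acquire load on the concurrent path pairs with the release store, so a reader that does see the pointer also sees a fully constructed Subspace, while a reader that sees nullptr must fall back (in the entry, the concurrent JIT simply does not use the space). ensureRareSpace() is only correct if a single thread calls it, as the entry requires; two concurrent callers would both allocate.
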
1805 2019-02-04  Keith Miller  <keith_miller@apple.com>
1806
1807         Change llint operand macros to inline functions
1808         https://bugs.webkit.org/show_bug.cgi?id=194248
1809
1810         Reviewed by Mark Lam.
1811
1812         * llint/LLIntSlowPaths.cpp:
1813         (JSC::LLInt::getNonConstantOperand):
1814         (JSC::LLInt::getOperand):
1815         (JSC::LLInt::llint_trace_value):
1816         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1817         (JSC::LLInt::getByVal):
1818         (JSC::LLInt::genericCall):
1819         (JSC::LLInt::varargsSetup):
1820         (JSC::LLInt::commonCallEval):
1821
1822 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1823
1824         when lowering AssertNotEmpty, create the value before creating the patchpoint
1825         https://bugs.webkit.org/show_bug.cgi?id=194231
1826
1827         Reviewed by Saam Barati.
1828
1829         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1830         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1831
1832         * ftl/FTLLowerDFGToB3.cpp:
1833         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1834
1835 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1836
1837         [JSC] ExecutableToCodeBlockEdge should be smaller
1838         https://bugs.webkit.org/show_bug.cgi?id=194244
1839
1840         Reviewed by Michael Saboff.
1841
1842         ExecutableToCodeBlockEdge is allocated so many times. However its memory layout is not efficient.
1843         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
1844         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
1845         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
1846
1847         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
1848         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
1849         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
1850
1851         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
1852         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
1853         does not touch it if it is called in non-main threads).
1854
1855         * bytecode/ExecutableToCodeBlockEdge.cpp:
1856         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1857         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1858         (JSC::ExecutableToCodeBlockEdge::activate):
1859         (JSC::ExecutableToCodeBlockEdge::deactivate):
1860         (JSC::ExecutableToCodeBlockEdge::isActive const):
1861         * bytecode/ExecutableToCodeBlockEdge.h:
1862         * runtime/JSCell.h:
1863         * runtime/JSCellInlines.h:
1864         (JSC::JSCell::perCellBit const):
1865         (JSC::JSCell::setPerCellBit):
1866         (JSC::JSCell::mayBePrototype const): Deleted.
1867         (JSC::JSCell::didBecomePrototype): Deleted.
1868         * runtime/JSObject.cpp:
1869         (JSC::JSObject::setPrototypeDirect):
1870         * runtime/JSObject.h:
1871         * runtime/JSObjectInlines.h:
1872         (JSC::JSObject::mayBePrototype const):
1873         (JSC::JSObject::didBecomePrototype):
1874         * runtime/JSTypeInfo.h:
1875         (JSC::TypeInfo::perCellBit):
1876         (JSC::TypeInfo::mergeInlineTypeFlags):
1877         (JSC::TypeInfo::mayBePrototype): Deleted.
1878
1879 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1880
1881         [JSC] Shrink size of FunctionExecutable
1882         https://bugs.webkit.org/show_bug.cgi?id=194191
1883
1884         Reviewed by Michael Saboff.
1885
1886         This patch reduces the size of FunctionExecutable. Since it is allocated in an IsoSubspace, reducing the size directly
1887         improves the allocation efficiency.
1888
1889         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
1890            We remove them from ScriptExecutable, and move them to FunctionExecutable.
1891
1892         2. FunctionExecutable has several pieces of data which are rarely used: one is for the FunctionOverrides functionality, which is typically
1893            used for JSC debugging purposes, and the other is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
1894            the size of FunctionExecutable in the common case.
1895
1896         This patch changes the size of FunctionExecutable from 176 to 144.
1897
1898         * bytecode/CodeBlock.cpp:
1899         (JSC::CodeBlock::dumpSource):
1900         (JSC::CodeBlock::finishCreation):
1901         * dfg/DFGNode.h:
1902         (JSC::DFG::Node::OpInfoWrapper::as const):
1903         * interpreter/StackVisitor.cpp:
1904         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1905         * runtime/ExecutableBase.h:
1906         * runtime/FunctionExecutable.cpp:
1907         (JSC::FunctionExecutable::FunctionExecutable):
1908         (JSC::FunctionExecutable::ensureRareDataSlow):
1909         * runtime/FunctionExecutable.h:
1910         * runtime/Intrinsic.h:
1911         * runtime/ModuleProgramExecutable.cpp:
1912         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1913         * runtime/ProgramExecutable.cpp:
1914         (JSC::ProgramExecutable::ProgramExecutable):
1915         * runtime/ScriptExecutable.cpp:
1916         (JSC::ScriptExecutable::ScriptExecutable):
1917         (JSC::ScriptExecutable::overrideLineNumber const):
1918         (JSC::ScriptExecutable::typeProfilingStartOffset const):
1919         (JSC::ScriptExecutable::typeProfilingEndOffset const):
1920         * runtime/ScriptExecutable.h:
1921         (JSC::ScriptExecutable::firstLine const):
1922         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
1923         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
1924         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
1925         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
1926         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
1927         * runtime/StackFrame.cpp:
1928         (JSC::StackFrame::computeLineAndColumn const):
1929         * tools/JSDollarVM.cpp:
1930         (JSC::functionReturnTypeFor):
1931
1932 2019-02-04  Mark Lam  <mark.lam@apple.com>
1933
1934         DFG's doesGC() is incorrect about the SameValue node's behavior.
1935         https://bugs.webkit.org/show_bug.cgi?id=194211
1936         <rdar://problem/47608913>
1937
1938         Reviewed by Saam Barati.
1939
1940         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
1941         it calls operationSameValue() which may allocate memory for resolving ropes.
1942
1943         * dfg/DFGDoesGC.cpp:
1944         (JSC::DFG::doesGC):
1945
1946 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
1947
1948         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
1949         https://bugs.webkit.org/show_bug.cgi?id=194031
1950
1951         Reviewed by Saam Barati.
1952
1953         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
1954         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
1955         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
1956         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
1957
1958         To make the above assumption valid, we make UnlinkedMetadataTable RefCounted object, and make MetadataTable hold the strong ref to UnlinkedMetadataTable.
1959         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
1960
1961         * bytecode/MetadataTable.cpp:
1962         (JSC::MetadataTable::MetadataTable):
1963         (JSC::MetadataTable::~MetadataTable):
1964         * bytecode/UnlinkedCodeBlock.cpp:
1965         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1966         (JSC::UnlinkedCodeBlock::visitChildren):
1967         (JSC::UnlinkedCodeBlock::estimatedSize):
1968         (JSC::UnlinkedCodeBlock::setInstructions):
1969         * bytecode/UnlinkedCodeBlock.h:
1970         (JSC::UnlinkedCodeBlock::metadata):
1971         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
1972         * bytecode/UnlinkedMetadataTable.h:
1973         (JSC::UnlinkedMetadataTable::create):
1974         * bytecode/UnlinkedMetadataTableInlines.h:
1975         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
1976         * runtime/CachedTypes.cpp:
1977         (JSC::CachedMetadataTable::decode const):
1978         (JSC::CachedCodeBlock::metadata const):
1979         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1980         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1981         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1982
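An added example, not WebKit code and not part of any entry in this ChangeLog: it models the lifetime fix described in the entry above with a minimal intrusive reference count. The linked table holds a strong ref to the unlinked table, so the order in which a sweep destroys the two owning cells no longer matters. UnlinkedTable, LinkedTable, the Stats counters and runScenario() are hypothetical stand-ins for UnlinkedMetadataTable, MetadataTable and the GC sweep; WTF::RefCounted is not used here.

```cpp
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <utility>
#include <vector>

// Counters a caller can read to observe lifetimes (hypothetical, for the demo).
struct Stats {
    int unlinkedAlive = 0; // live UnlinkedTable objects
    int linkedAlive = 0;   // live LinkedTable objects
};

// Stand-in for UnlinkedMetadataTable: the shared layout (slot offsets) that
// every linked table derives its storage from. Intrusively ref-counted.
class UnlinkedTable {
public:
    // The creating UnlinkedCodeBlock stand-in owns the initial reference.
    static UnlinkedTable* create(Stats& stats, std::vector<size_t> offsets) {
        return new UnlinkedTable(stats, std::move(offsets));
    }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; } // the last owner frees it
    unsigned refCount() const { return m_refCount; }
    size_t size() const { return m_offsets.size(); }
    size_t offsetOf(size_t slot) const { return m_offsets.at(slot); }

private:
    UnlinkedTable(Stats& stats, std::vector<size_t> offsets)
        : m_stats(stats), m_offsets(std::move(offsets)) { ++m_stats.unlinkedAlive; }
    ~UnlinkedTable() { --m_stats.unlinkedAlive; }

    Stats& m_stats;
    std::vector<size_t> m_offsets;
    unsigned m_refCount = 1;
};

// Stand-in for MetadataTable: per-CodeBlock storage laid out by the unlinked
// table. It keeps the unlinked table alive for as long as it needs the layout.
class LinkedTable {
public:
    LinkedTable(Stats& stats, UnlinkedTable& unlinked)
        : m_stats(stats), m_unlinked(&unlinked) {
        m_unlinked->ref(); // the strong reference the entry introduces
        m_storage.resize(m_unlinked->offsetOf(m_unlinked->size() - 1) + 1);
        ++m_stats.linkedAlive;
    }
    ~LinkedTable() {
        --m_stats.linkedAlive;
        m_unlinked->deref(); // frees the layout only if nobody else holds it
    }
    size_t& slot(size_t i) { return m_storage.at(m_unlinked->offsetOf(i)); }

private:
    Stats& m_stats;
    UnlinkedTable* m_unlinked;
    std::vector<size_t> m_storage;
};

// What a caller observes when the two owners are swept in a given order.
struct Outcome {
    int unlinkedAliveAfterFirstSweep; // 1 regardless of order
    bool linkedUsableAfterFirstSweep; // true only if the linked owner survived
    int unlinkedAliveAtEnd;           // 0
    int linkedAliveAtEnd;             // 0
};

// Models a sweep that destroys the UnlinkedCodeBlock and CodeBlock stand-ins
// in an arbitrary order; with the strong ref, both orders are safe.
Outcome runScenario(bool sweepUnlinkedOwnerFirst) {
    Stats stats;
    UnlinkedTable* unlinked = UnlinkedTable::create(stats, {0, 2, 5});
    LinkedTable* linked = new LinkedTable(stats, *unlinked);
    linked->slot(1) = 42;

    auto sweepUnlinkedOwner = [&] { unlinked->deref(); unlinked = nullptr; };
    auto sweepLinkedOwner = [&] { delete linked; linked = nullptr; };

    Outcome out{};
    if (sweepUnlinkedOwnerFirst) sweepUnlinkedOwner(); else sweepLinkedOwner();
    out.unlinkedAliveAfterFirstSweep = stats.unlinkedAlive;
    out.linkedUsableAfterFirstSweep = linked && linked->slot(1) == 42;
    if (sweepUnlinkedOwnerFirst) sweepLinkedOwner(); else sweepUnlinkedOwner();
    out.unlinkedAliveAtEnd = stats.unlinkedAlive;
    out.linkedAliveAtEnd = stats.linkedAlive;
    return out;
}

int main() {
    for (bool unlinkedFirst : {true, false}) {
        Outcome o = runScenario(unlinkedFirst);
        std::printf("unlinked owner first=%d: alive after first sweep=%d usable=%d at end=%d/%d\n",
            unlinkedFirst, o.unlinkedAliveAfterFirstSweep, o.linkedUsableAfterFirstSweep,
            o.unlinkedAliveAtEnd, o.linkedAliveAtEnd);
    }
    return 0;
}
```

The point the scenario makes is the one the entry relies on: when the unlinked owner is swept first, the layout stays alive (refCount drops from 2 to 1) and the linked table can still resolve slot offsets; when the linked owner is swept first, its destructor drops the extra ref and the unlinked owner's later deref frees the layout. Without the strong ref, the first order would leave the linked table reading a freed layout.
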
1983 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
1984
1985         [JSC] Decouple JIT related data from CodeBlock
1986         https://bugs.webkit.org/show_bug.cgi?id=194187
1987
1988         Reviewed by Saam Barati.
1989
1990         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
1991         We have three types of data in CodeBlock.
1992
1993         1. The data which is always used. CodeBlock needs to hold it.
1994         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
1995         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
1996
1997         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
1998         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
1999         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2000         in both non-JIT and *JIT* modes.
2001
2002         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2003         by the lock of CodeBlock.
2004
2005         The size of CodeBlock is reduced from 512 to 352.
2006
2007         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2008
2009             Footprint geomean: 36696503 (34.997 MB)
2010             Peak Footprint geomean: 38595988 (36.808 MB)
2011             Score: 37634263 (35.891 MB)
2012
2013             Footprint geomean: 37172768 (35.451 MB)
2014             Peak Footprint geomean: 38978288 (37.173 MB)
2015             Score: 38064824 (36.301 MB)
2016
2017         * bytecode/CodeBlock.cpp:
2018         (JSC::CodeBlock::~CodeBlock):
2019         (JSC::CodeBlock::propagateTransitions):
2020         (JSC::CodeBlock::ensureJITDataSlow):
2021         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2022         (JSC::CodeBlock::getICStatusMap):
2023         (JSC::CodeBlock::addStubInfo):
2024         (JSC::CodeBlock::addJITAddIC):
2025         (JSC::CodeBlock::addJITMulIC):
2026         (JSC::CodeBlock::addJITSubIC):
2027         (JSC::CodeBlock::addJITNegIC):
2028         (JSC::CodeBlock::findStubInfo):
2029         (JSC::CodeBlock::addByValInfo):
2030         (JSC::CodeBlock::addCallLinkInfo):
2031         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2032         (JSC::CodeBlock::addRareCaseProfile):
2033         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2034         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2035         (JSC::CodeBlock::resetJITData):
2036         (JSC::CodeBlock::stronglyVisitStrongReferences):
2037         (JSC::CodeBlock::shrinkToFit):
2038         (JSC::CodeBlock::linkIncomingCall):
2039         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2040         (JSC::CodeBlock::unlinkIncomingCalls):
2041         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2042         (JSC::CodeBlock::dumpValueProfiles):
2043         (JSC::CodeBlock::setPCToCodeOriginMap):
2044         (JSC::CodeBlock::findPC):
2045         (JSC::CodeBlock::dumpMathICStats):
2046         * bytecode/CodeBlock.h:
2047         (JSC::CodeBlock::ensureJITData):
2048         (JSC::CodeBlock::setJITCodeMap):
2049         (JSC::CodeBlock::jitCodeMap):
2050         (JSC::CodeBlock::likelyToTakeSlowCase):
2051         (JSC::CodeBlock::couldTakeSlowCase):
2052         (JSC::CodeBlock::lazyOperandValueProfiles):
2053         (JSC::CodeBlock::stubInfoBegin): Deleted.
2054         (JSC::CodeBlock::stubInfoEnd): Deleted.
2055         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2056         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2057         (JSC::CodeBlock::jitCodeMap const): Deleted.
2058         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2059         * bytecode/MethodOfGettingAValueProfile.cpp:
2060         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2061         (JSC::MethodOfGettingAValueProfile::reportValue):
2062         * dfg/DFGByteCodeParser.cpp:
2063         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2064         * jit/JIT.h:
2065         * jit/JITOperations.cpp:
2066         (JSC::tryGetByValOptimize):
2067         * jit/JITPropertyAccess.cpp:
2068         (JSC::JIT::privateCompileGetByVal):
2069         (JSC::JIT::privateCompilePutByVal):
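
        The lazily created, lock-guarded JITData described in this entry, as an added illustration in C++ (this is not JSC's code; JITData, EagerCodeBlock, LazyCodeBlock and their fields are hypothetical stand-ins, and a std::mutex stands in for CodeBlock's own lock). It shows the two points the entry makes: the per-object size drops when the JIT-only data moves behind a pointer, and concurrent callers still end up sharing a single JITData because creation re-checks under the lock.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for the data a code block only needs once a JIT tier
// compiles it (not JSC's real JITData; names are hypothetical).
struct JITData {
    std::vector<uint64_t> stubInfos;         // inline-cache records
    std::vector<uint64_t> callLinkInfos;     // call-site link records
    std::vector<uint32_t> rareCaseProfiles;  // slow-path counters
    void* pcToCodeOriginMap = nullptr;
    void* jitCodeMap = nullptr;
};

// Eager layout: every code block carries the JIT-only data inline, whether or
// not it ever leaves the interpreter.
struct EagerCodeBlock {
    uint32_t instructionCount = 0;
    uint32_t executionCounter = 0;
    void* unlinkedCodeBlock = nullptr;
    JITData jitData;
};

// Lazy layout: only a pointer lives inline; JITData is allocated on first use,
// and creation is guarded by the block's lock because JIT threads may race.
class LazyCodeBlock {
public:
    LazyCodeBlock() = default;
    LazyCodeBlock(const LazyCodeBlock&) = delete;
    LazyCodeBlock& operator=(const LazyCodeBlock&) = delete;
    ~LazyCodeBlock() { delete m_jitData.load(std::memory_order_acquire); }

    // Fast path: once the pointer is published, readers never take the lock.
    JITData& ensureJITData() {
        if (JITData* data = m_jitData.load(std::memory_order_acquire))
            return *data;
        return ensureJITDataSlow();
    }
    bool hasJITData() const { return m_jitData.load(std::memory_order_acquire) != nullptr; }

private:
    // Slow path: re-check under the lock so concurrent callers agree on one instance.
    JITData& ensureJITDataSlow() {
        std::lock_guard<std::mutex> locker(m_lock);
        JITData* data = m_jitData.load(std::memory_order_relaxed);
        if (!data) {
            data = new JITData;
            m_jitData.store(data, std::memory_order_release);
        }
        return *data;
    }

    uint32_t instructionCount = 0;
    uint32_t executionCounter = 0;
    void* unlinkedCodeBlock = nullptr;
    std::mutex m_lock;
    std::atomic<JITData*> m_jitData { nullptr };
};

// Per-object cost of each layout; the lazy one is what every interpreter-only block pays.
size_t eagerCodeBlockSize() { return sizeof(EagerCodeBlock); }
size_t lazyCodeBlockSize() { return sizeof(LazyCodeBlock); }

// A fresh lazy block has allocated nothing JIT-related.
bool jitDataIsLazy() {
    LazyCodeBlock block;
    return !block.hasJITData();
}

// Race `threadCount` threads on one block; every thread must observe the same
// JITData, i.e. exactly one allocation happened.
bool jitDataCreatedOnce(unsigned threadCount) {
    LazyCodeBlock block;
    std::vector<JITData*> seen(threadCount, nullptr);
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back([&block, &seen, i] { seen[i] = &block.ensureJITData(); });
    for (auto& t : threads)
        t.join();
    for (JITData* p : seen) {
        if (p != seen[0])
            return false;
    }
    return block.hasJITData() && seen[0] != nullptr;
}

int main() {
    bool ok = lazyCodeBlockSize() < eagerCodeBlockSize() && jitDataIsLazy() && jitDataCreatedOnce(8);
    return ok ? 0 : 1;
}
```

        The fast path reads the atomic pointer without locking; only the first caller (and anyone racing it) takes the lock, and the re-check inside the lock is what prevents two JITData objects from being created and one of them leaking.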
2070
2071 2018-12-16  Darin Adler  <darin@apple.com>
2072
2073         Convert additional String::format clients to alternative approaches
2074         https://bugs.webkit.org/show_bug.cgi?id=192746
2075
2076         Reviewed by Alexey Proskuryakov.
2077
2078         * inspector/agents/InspectorConsoleAgent.cpp:
2079         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2080         and FormattedNumber::fixedWidth.
2081
2082 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2083
2084         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2085         https://bugs.webkit.org/show_bug.cgi?id=194177
2086
2087         Reviewed by Saam Barati.
2088
2089         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2090         We can share the IsoSubspace for JSFunction.
2091
2092         * runtime/JSAsyncFunction.h:
2093         * runtime/JSAsyncGeneratorFunction.h:
2094         * runtime/JSGeneratorFunction.h:
2095         * runtime/VM.cpp:
2096         (JSC::VM::VM):
2097         * runtime/VM.h:
2098
2099 2019-02-01  Mark Lam  <mark.lam@apple.com>
2100
2101         Remove invalid assertion in DFG's compileDoubleRep().
2102         https://bugs.webkit.org/show_bug.cgi?id=194130
2103         <rdar://problem/47699474>
2104
2105         Reviewed by Saam Barati.
2106
2107         * dfg/DFGSpeculativeJIT.cpp:
2108         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2109
2110 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2111
2112         [JSC] Unify CodeBlock IsoSubspaces
2113         https://bugs.webkit.org/show_bug.cgi?id=194167
2114
2115         Reviewed by Saam Barati.
2116
2117         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2118         But this is not necessary since:
2119
2120         1. They do not override the classInfo methods.
2121         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2122
2123         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2124         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2125         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2126
2127         This patch unifies these IsoSubspaces into one.
2128
2129         * bytecode/CodeBlock.cpp:
2130         (JSC::CodeBlock::destroy):
2131         * bytecode/CodeBlock.h:
2132         * bytecode/EvalCodeBlock.cpp:
2133         (JSC::EvalCodeBlock::destroy): Deleted.
2134         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2135         * bytecode/FunctionCodeBlock.cpp:
2136         (JSC::FunctionCodeBlock::destroy): Deleted.
2137         * bytecode/FunctionCodeBlock.h:
2138         * bytecode/GlobalCodeBlock.h:
2139         * bytecode/ModuleProgramCodeBlock.cpp:
2140         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2141         * bytecode/ModuleProgramCodeBlock.h:
2142         * bytecode/ProgramCodeBlock.cpp:
2143         (JSC::ProgramCodeBlock::destroy): Deleted.
2144         * bytecode/ProgramCodeBlock.h:
2145         * interpreter/Interpreter.cpp:
2146         (JSC::Interpreter::execute):
2147         * runtime/VM.cpp:
2148         (JSC::VM::VM):
2149         * runtime/VM.h:
2150         (JSC::VM::forEachCodeBlockSpace):
2151
2152 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2153
2154         Unreviewed, follow-up after r240859
2155         https://bugs.webkit.org/show_bug.cgi?id=194145
2156
2157         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2158         And rename cellDangerousBitsSpace back to cellSpace.
2159
2160         * runtime/JSCellInlines.h:
2161         (JSC::JSCell::subspaceFor):
2162         * runtime/VM.cpp:
2163         (JSC::VM::VM):
2164         * runtime/VM.h:
2165
2166 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2167
2168         [JSC] Remove cellJSValueOOBSpace
2169         https://bugs.webkit.org/show_bug.cgi?id=194145
2170
2171         Reviewed by Mark Lam.
2172
2173         * runtime/JSObject.h:
2174         (JSC::JSObject::subspaceFor): Deleted.
2175         * runtime/VM.cpp:
2176         (JSC::VM::VM):
2177         * runtime/VM.h:
2178
2179 2019-01-31  Mark Lam  <mark.lam@apple.com>
2180
2181         Remove poisoning from CodeBlock and LLInt code.
2182         https://bugs.webkit.org/show_bug.cgi?id=194113
2183
2184         Reviewed by Yusuke Suzuki.
2185
2186         * bytecode/CodeBlock.cpp:
2187         (JSC::CodeBlock::CodeBlock):
2188         (JSC::CodeBlock::~CodeBlock):
2189         (JSC::CodeBlock::setConstantRegisters):
2190         (JSC::CodeBlock::propagateTransitions):
2191         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2192         (JSC::CodeBlock::jettison):
2193         (JSC::CodeBlock::predictedMachineCodeSize):
2194         * bytecode/CodeBlock.h:
2195         (JSC::CodeBlock::vm const):
2196         (JSC::CodeBlock::addConstant):
2197         (JSC::CodeBlock::heap const):
2198         (JSC::CodeBlock::replaceConstant):
2199         * llint/LLIntOfflineAsmConfig.h:
2200         * llint/LLIntSlowPaths.cpp:
2201         (JSC::LLInt::handleHostCall):
2202         (JSC::LLInt::setUpCall):
2203         * llint/LowLevelInterpreter.asm:
2204         * llint/LowLevelInterpreter32_64.asm:
2205         * llint/LowLevelInterpreter64.asm:
2206
2207 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2208
2209         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2210         https://bugs.webkit.org/show_bug.cgi?id=194107
2211
2212         Reviewed by Saam Barati.
2213
2214         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2215         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2216
2217         * CMakeLists.txt:
2218         * DerivedSources.make:
2219         * JavaScriptCore.xcodeproj/project.pbxproj:
2220         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2221         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2222         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2223         (JSC::AsyncFromSyncIteratorPrototype::create):
2224         * runtime/AsyncFromSyncIteratorPrototype.h:
2225
2226 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2227
2228         Fix `runJITThreadLimitTests` in testapi
2229         https://bugs.webkit.org/show_bug.cgi?id=194064
2230         <rdar://problem/46139147>
2231
2232         Reviewed by Mark Lam.
2233
2234         Fix typo where `targetNumberOfThreads` was not being used.
2235
2236         * API/tests/testapi.mm:
2237         (runJITThreadLimitTests):
2238
2239 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2240
2241         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2242         https://bugs.webkit.org/show_bug.cgi?id=194112
2243
2244         Reviewed by Mark Lam.
2245
2246         `testBytecodeCache` does not populate the bytecode cache for the global
2247         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2248
2249         * API/tests/testapi.mm:
2250         (testBytecodeCache):
2251
2252 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2253
2254         Unreviewed, follow-up after r240796
2255
2256         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2257         when allocating InferredValue in FunctionExecutable::finishCreation.
2258
2259         * runtime/FunctionExecutable.cpp:
2260         (JSC::FunctionExecutable::FunctionExecutable):
2261         (JSC::FunctionExecutable::finishCreation):
2262
2263 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2264
2265         [JSC] Do not use InferredValue in non-JIT configuration
2266         https://bugs.webkit.org/show_bug.cgi?id=194084
2267
2268         Reviewed by Saam Barati.
2269
2270         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2271         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2272         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2273         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2274         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2275         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2276         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2277         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2278
2279         * bytecode/ObjectAllocationProfileInlines.h:
2280         (JSC::ObjectAllocationProfile::initializeProfile):
2281         * runtime/FunctionExecutable.cpp:
2282         (JSC::FunctionExecutable::finishCreation):
2283         (JSC::FunctionExecutable::visitChildren):
2284         * runtime/FunctionExecutable.h:
2285         * runtime/InferredValue.cpp:
2286         (JSC::InferredValue::create):
2287         * runtime/JSAsyncFunction.cpp:
2288         (JSC::JSAsyncFunction::create):
2289         * runtime/JSAsyncGeneratorFunction.cpp:
2290         (JSC::JSAsyncGeneratorFunction::create):
2291         * runtime/JSFunction.cpp:
2292         (JSC::JSFunction::create):
2293         * runtime/JSFunctionInlines.h:
2294         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2295         * runtime/JSGeneratorFunction.cpp:
2296         (JSC::JSGeneratorFunction::create):
2297         * runtime/JSSymbolTableObject.h:
2298         (JSC::JSSymbolTableObject::setSymbolTable):
2299         * runtime/SymbolTable.cpp:
2300         (JSC::SymbolTable::finishCreation):
2301         * runtime/VM.cpp:
2302         (JSC::VM::VM):
2303
2304 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2305
2306         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2307         https://bugs.webkit.org/show_bug.cgi?id=194085
2308
2309         Reviewed by Yusuke Suzuki.
2310
2311         r240730 changed ud_itab.py and caused incremental build failures
2312         for Ninja builds.
2313
2314         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2315
2316 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2317
2318         [JSC] Symbol should be in destructibleCellSpace
2319         https://bugs.webkit.org/show_bug.cgi?id=194082
2320
2321         Reviewed by Saam Barati.
2322
2323         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2324         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2325         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2326         Symbol's space destructibleCellSpace so that the destructor is appropriately called.
2327
2328         * runtime/Symbol.h:
2329
2330 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2331
2332         Unreviewed, rolling out r240755.
2333
2334         This was not correct.
2335
2336         Reverted changeset:
2337
2338         "Unreviewed, fix GCC build after r240730"
2339         https://bugs.webkit.org/show_bug.cgi?id=194041
2340         https://trac.webkit.org/changeset/240755
2341
2342 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2343
2344         Unreviewed, fix GCC build after r240730
2345         https://bugs.webkit.org/show_bug.cgi?id=194041
2346         <rdar://problem/47680981>
2347
2348         * disassembler/udis86/ud_itab.py:
2349         (UdItabGenerator.genOpcodeTablesLookupIndex):
2350
2351 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2352
2353         testapi's `testBytecodeCache` does not need to run the code twice
2354         https://bugs.webkit.org/show_bug.cgi?id=194046
2355
2356         Reviewed by Mark Lam.
2357
2358         Since we populate the cache eagerly (unlike the stress tests) we don't
2359         need to run the code twice.
2360
2361         * API/tests/testapi.mm:
2362         (testBytecodeCache):
2363
2364 2019-01-30  Saam Barati  <sbarati@apple.com>
2365
2366         [WebAssembly] Change BBQ to generate Air IR
2367         https://bugs.webkit.org/show_bug.cgi?id=191802
2368         <rdar://problem/47651718>
2369
2370         Reviewed by Keith Miller.
2371
2372         This patch adds a new Wasm compiler for the BBQ tier. Instead
2373         of compiling using B3-O1, we now generate Air code directly.
2374         The goal of doing this was to speed up compile times for Wasm
2375         programs.
2376         
2377         This patch provides us with a 20-30% compile time speedup. However, I
2378         have ideas on how to improve compile times even further. For example,
2379         we should probably implement a faster running register allocator:
2380         https://bugs.webkit.org/show_bug.cgi?id=194036
2381         
2382         We can also improve on the code we generate.
2383         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2384         And we should do better instruction selection in various
2385         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2386
2387         * JavaScriptCore.xcodeproj/project.pbxproj:
2388         * Sources.txt:
2389         * b3/B3LowerToAir.cpp:
2390         * b3/B3StackmapSpecial.h:
2391         * b3/air/AirCode.cpp:
2392         (JSC::B3::Air::Code::emitDefaultPrologue):
2393         * b3/air/AirCode.h:
2394         * b3/air/AirTmp.h:
2395         (JSC::B3::Air::Tmp::Tmp):
2396         * runtime/Options.h:
2397         * wasm/WasmAirIRGenerator.cpp: Added.
2398         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2399         (JSC::Wasm::TypedTmp::TypedTmp):
2400         (JSC::Wasm::TypedTmp::operator== const):
2401         (JSC::Wasm::TypedTmp::operator!= const):
2402         (JSC::Wasm::TypedTmp::operator bool const):
2403         (JSC::Wasm::TypedTmp::operator Tmp const):
2404         (JSC::Wasm::TypedTmp::operator Arg const):
2405         (JSC::Wasm::TypedTmp::tmp const):
2406         (JSC::Wasm::TypedTmp::type const):
2407         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2408         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2409         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2410         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2411         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2412         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2413         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2414         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2415         (JSC::Wasm::AirIRGenerator::emptyExpression):
2416         (JSC::Wasm::AirIRGenerator::fail const):
2417         (JSC::Wasm::AirIRGenerator::setParser):
2418         (JSC::Wasm::AirIRGenerator::toTmpVector):
2419         (JSC::Wasm::AirIRGenerator::validateInst):
2420         (JSC::Wasm::AirIRGenerator::extractArg):
2421         (JSC::Wasm::AirIRGenerator::append):
2422         (JSC::Wasm::AirIRGenerator::appendEffectful):
2423         (JSC::Wasm::AirIRGenerator::newTmp):
2424         (JSC::Wasm::AirIRGenerator::g32):
2425         (JSC::Wasm::AirIRGenerator::g64):
2426         (JSC::Wasm::AirIRGenerator::f32):
2427         (JSC::Wasm::AirIRGenerator::f64):
2428         (JSC::Wasm::AirIRGenerator::tmpForType):
2429         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2430         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2431         (JSC::Wasm::AirIRGenerator::emitCheck):
2432         (JSC::Wasm::AirIRGenerator::emitCCall):
2433         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2434         (JSC::Wasm::AirIRGenerator::instanceValue):
2435         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2436         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2437         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2438         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2439         (JSC::Wasm::AirIRGenerator::emitThrowException):
2440         (JSC::Wasm::AirIRGenerator::addLocal):
2441         (JSC::Wasm::AirIRGenerator::addConstant):
2442         (JSC::Wasm::AirIRGenerator::addArguments):
2443         (JSC::Wasm::AirIRGenerator::getLocal):
2444         (JSC::Wasm::AirIRGenerator::addUnreachable):
2445         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2446         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2447         (JSC::Wasm::AirIRGenerator::setLocal):
2448         (JSC::Wasm::AirIRGenerator::getGlobal):
2449         (JSC::Wasm::AirIRGenerator::setGlobal):
2450         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2451         (JSC::Wasm::sizeOfLoadOp):
2452         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2453         (JSC::Wasm::AirIRGenerator::load):
2454         (JSC::Wasm::sizeOfStoreOp):
2455         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2456         (JSC::Wasm::AirIRGenerator::store):
2457         (JSC::Wasm::AirIRGenerator::addSelect):
2458         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2459         (JSC::Wasm::AirIRGenerator::addLoop):
2460         (JSC::Wasm::AirIRGenerator::addTopLevel):
2461         (JSC::Wasm::AirIRGenerator::addBlock):
2462         (JSC::Wasm::AirIRGenerator::addIf):
2463         (JSC::Wasm::AirIRGenerator::addElse):
2464         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2465         (JSC::Wasm::AirIRGenerator::addReturn):
2466         (JSC::Wasm::AirIRGenerator::addBranch):
2467         (JSC::Wasm::AirIRGenerator::addSwitch):
2468         (JSC::Wasm::AirIRGenerator::endBlock):
2469         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2470         (JSC::Wasm::AirIRGenerator::addCall):
2471         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2472         (JSC::Wasm::AirIRGenerator::unify):
2473         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2474         (JSC::Wasm::AirIRGenerator::dump):
2475         (JSC::Wasm::AirIRGenerator::origin):
2476         (JSC::Wasm::parseAndCompileAir):
2477         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2478         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2479         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2480         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2481         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2482         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2483         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2484         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2485         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2486         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2487         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2488         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2489         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2490         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2491         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI64>):
2492         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2493         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2494         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2495         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2496         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2497         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2498         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2499         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2500         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2501         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2502         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2503         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2504         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2505         (JSC::Wasm::AirIRGenerator::addShift):
2506         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2507         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2508         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2509         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2510         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2511         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2512         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2513         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2514         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2515         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2516         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2517         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2518         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2519         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2520         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2521         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2522         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2523         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2524         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2525         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2526         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2527         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2528         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2529         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2530         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2531         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2532         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2533         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2534         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2535         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2536         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2537         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2538         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2539         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2540         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2541         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2542         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2543         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2544         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2545         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2546         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2547         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2548         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2549         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2550         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2551         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2552         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2553         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2554         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2555         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2556         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2557         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2558         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2559         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2560         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2561         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2562         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2563         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2564         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2565         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2566         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2567         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2568         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2569         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2570         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2571         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2572         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2573         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2574         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2575         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2576         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2577         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2578         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2579         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2580         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2581         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2582         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2583         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2584         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2585         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2586         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2587         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2588         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2589         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2590         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2591         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2592         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2593         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2594         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2595         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2596         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2597         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2598         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2599         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2600         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2601         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2602         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2603         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2604         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2605         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2606         * wasm/WasmAirIRGenerator.h: Added.
2607         * wasm/WasmB3IRGenerator.cpp:
2608         (JSC::Wasm::B3IRGenerator::emptyExpression):
2609         * wasm/WasmBBQPlan.cpp:
2610         (JSC::Wasm::BBQPlan::compileFunctions):
2611         * wasm/WasmCallingConvention.cpp:
2612         (JSC::Wasm::jscCallingConventionAir):
2613         (JSC::Wasm::wasmCallingConventionAir):
2614         * wasm/WasmCallingConvention.h:
2615         (JSC::Wasm::CallingConvention::CallingConvention):
2616         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2617         (JSC::Wasm::CallingConvention::marshallArgument const):
2618         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2619         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2620         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2621         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2622         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2623         (JSC::Wasm::CallingConventionAir::loadArguments const):
2624         (JSC::Wasm::CallingConventionAir::setupCall const):
2625         (JSC::Wasm::nextJSCOffset):
2626         * wasm/WasmFunctionParser.h:
2627         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2628         * wasm/WasmValidate.cpp:
2629         (JSC::Wasm::Validate::emptyExpression):
2630
2631 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2632
2633         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2634         https://bugs.webkit.org/show_bug.cgi?id=194050
2635         <rdar://problem/47595592>
2636
2637         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2638         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2639
2640         Reviewed by Yusuke Suzuki.
2641
2642         * ftl/FTLOperations.cpp:
2643         (JSC::FTL::operationMaterializeObjectInOSR):
2644
2645 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2646
2647         Remove assertion that CachedSymbolTables should have no RareData
2648         https://bugs.webkit.org/show_bug.cgi?id=194037
2649
2650         Reviewed by Mark Lam.
2651
2652         It turns out that we don't need to cache the SymbolTableRareData and
2653         we should not assert that it's empty.
2654
2655         * runtime/CachedTypes.cpp:
2656         (JSC::CachedSymbolTable::encode):
2657
2658 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2659
2660         CachedBytecode's move constructor should not call `freeDataIfOwned`
2661         https://bugs.webkit.org/show_bug.cgi?id=194045
2662
2663         Reviewed by Mark Lam.
2664
2665         That might result in freeing a garbage value.
2666
2667         * parser/SourceProvider.h:
2668         (JSC::CachedBytecode::CachedBytecode):
2669
2670 2019-01-30  Keith Miller  <keith_miller@apple.com>
2671
2672         mul32 should convert powers of 2 to an lshift
2673         https://bugs.webkit.org/show_bug.cgi?id=193957
2674
2675         Reviewed by Yusuke Suzuki.
2676
2677         * assembler/MacroAssembler.h:
2678         (JSC::MacroAssembler::mul32):
2679         * assembler/testmasm.cpp:
2680         (JSC::int32Operands):
2681         (JSC::testMul32WithImmediates):
2682         (JSC::run):
2683
2684 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2685
2686         [JSC] Make disassembler data structures constant read-only data
2687         https://bugs.webkit.org/show_bug.cgi?id=194041
2688
2689         Reviewed by Mark Lam.
2690
2691         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2692         This patch makes them "const".
2693
2694         * disassembler/ARM64/A64DOpcode.cpp:
2695         * disassembler/udis86/ud_itab.py:
2696         (UdItabGenerator.genOpcodeTablesLookupIndex):
2697         (UdItabGenerator.genInsnTable):
2698         (UdItabGenerator.genMnemonicsList):
2699         (genItabH):
2700         * disassembler/udis86/udis86_decode.h:
2701         * disassembler/udis86/udis86_syn.c:
2702         * disassembler/udis86/udis86_syn.h:
2703         * disassembler/udis86/udis86_types.h:
2704
2705 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2706
2707         Unreviewed, update the builtin test results
2708         https://bugs.webkit.org/show_bug.cgi?id=194015
2709
2710         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2711         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2712         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2713         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2714         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2715         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2716         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2717         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2718         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2719         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2720         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2721         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2722         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2723
2724 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2725
2726         [JSC] Make global static variables "const" as much as possible
2727         https://bugs.webkit.org/show_bug.cgi?id=194015
2728
2729         Reviewed by Mark Lam.
2730
2731         Some global static variables are not "const". For example, `static const char* name = ...`
2732         is not a constant variable. We should make it `static const char* const name = ...`.
2733
2734         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2735         (generate_externs_for_object):
2736         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2737         (generate_externs_for_object):
2738         * Scripts/wkbuiltins/builtins_generator.py:
2739         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2740         * assembler/MacroAssembler.h:
2741         (JSC::MacroAssembler::additionBlindedConstant):
2742         * b3/air/AirFormTable.h:
2743         * b3/air/opcode_generator.rb:
2744         * runtime/JSObject.cpp:
2745         (JSC::JSObject::visitButterfly):
2746         * tools/CodeProfile.cpp:
2747         * tools/CodeProfile.h:
2748
2749 2019-01-29  Keith Miller  <keith_miller@apple.com>
2750
2751         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2752         https://bugs.webkit.org/show_bug.cgi?id=194000
2753         <rdar://problem/47642894>
2754
2755         Reviewed by Mark Lam.
2756
2757         The default constructor is unused, and
2758         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2759         data member, which causes sadness.
2760
2761         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2762
2763 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2764
2765         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2766
2767         Rubber-stamped by Yusuke Suzuki.
2768
2769         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2770
2771         * parser/Parser.h:
2772         (JSC::Parser::declareHoistedVariable):
2773
2774 2019-01-29  Mark Lam  <mark.lam@apple.com>
2775
2776         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2777         https://bugs.webkit.org/show_bug.cgi?id=132333
2778
2779         Reviewed by Yusuke Suzuki.
2780
2781         * bytecode/InstructionStream.h:
2782         (JSC::InstructionStreamWriter::write):
2783         - The 32-bit write() function need not invert the order of the bytes written to
2784           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
2785           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
2786
2787         * llint/LLIntOfflineAsmConfig.h:
2788         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2789
2790 2019-01-29  Mark Lam  <mark.lam@apple.com>
2791
2792         ValueRecovery::recover() should purify NaN values it recovers.
2793         https://bugs.webkit.org/show_bug.cgi?id=193978
2794         <rdar://problem/47625488>
2795
2796         Reviewed by Saam Barati.
2797
2798         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
2799         recovered DoubleDisplacedInJSStack values need to be purified.
2800         ValueRecovery::recover() should do the same.
2801
2802         * bytecode/ValueRecovery.cpp:
2803         (JSC::ValueRecovery::recover const):
2804
2805 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
2806
2807         [JSC] FTL should handle LocalAllocator*
2808         https://bugs.webkit.org/show_bug.cgi?id=193980
2809
2810         Reviewed by Saam Barati.
2811
2812         At some point, Allocator started to hold a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
2813         because the FTL still uses the incoming value as a 32-bit integer there.
2814
2815         * ftl/FTLLowerDFGToB3.cpp:
2816         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2817
2818 2019-01-29  Keith Rollin  <krollin@apple.com>
2819
2820         Add .xcfilelists to Run Script build phases
2821         https://bugs.webkit.org/show_bug.cgi?id=193792
2822         <rdar://problem/47201785>
2823
2824         Reviewed by Alex Christensen.
2825
2826         As part of supporting XCBuild, update the necessary Run Script build
2827         phases in their Xcode projects to refer to their associated
2828         .xcfilelist files.
2829
2830         Note that the addition of these files bumps the Xcode project version
2831         number to something that's Xcode 10 compatible. This change means that
2832         older versions of the Xcode IDE can't read these projects. Nor can they
2833         fully load workspaces that refer to these projects (the updated
2834         projects are shown as non-expandable placeholders). `xcodebuild` can
2835         still build these projects; it's just that the IDE can't open them.
2836
2837         * JavaScriptCore.xcodeproj/project.pbxproj:
2838
2839 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
2840
2841         [ARM] Check for negative zero instead of just zero
2842         https://bugs.webkit.org/show_bug.cgi?id=193689
2843
2844         Reviewed by Mark Lam.
2845
2846         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
2847         of just bailing out for zero.
2848
2849         * assembler/MacroAssemblerARMv7.h:
2850         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
2851
2852 2019-01-28  Devin Rousso  <drousso@apple.com>
2853
2854         Web Inspector: provide a way to edit page WebRTC settings on a remote target
2855         https://bugs.webkit.org/show_bug.cgi?id=193863
2856         <rdar://problem/47572764>
2857
2858         Reviewed by Joseph Pecoraro.
2859
2860         * inspector/protocol/Page.json:
2861         Add more values to the `Setting` enum type:
2862          - `ICECandidateFilteringEnabled`
2863          - `MediaCaptureRequiresSecureConnection`
2864          - `MockCaptureDevicesEnabled`
2865
2866 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
2867
2868         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
2869         https://bugs.webkit.org/show_bug.cgi?id=193941
2870
2871         Reviewed by Alex Christensen.
2872
2873         * API/JSWeakObjectMapRefPrivate.cpp:
2874         * bytecompiler/NodesCodegen.cpp:
2875         * heap/MachineStackMarker.cpp:
2876         * jit/ExecutableAllocator.cpp:
2877         * jsc.cpp:
2878         * parser/Nodes.cpp:
2879         * runtime/DateConstructor.cpp:
2880         * runtime/DateConversion.cpp:
2881         * runtime/DateInstance.cpp:
2882         * runtime/DatePrototype.cpp:
2883         * runtime/InitializeThreading.cpp:
2884         * runtime/IteratorOperations.cpp:
2885         * runtime/JSDateMath.cpp:
2886         * runtime/JSGlobalObjectFunctions.cpp:
2887         * runtime/StringPrototype.cpp:
2888         * runtime/VM.cpp:
2889         * testRegExp.cpp:
2890         * tools/JSDollarVM.cpp:
2891         * yarr/YarrInterpreter.cpp:
2892         * yarr/YarrJIT.cpp:
2893         * yarr/YarrPattern.cpp:
2894         * yarr/YarrUnicodeProperties.cpp:
2895
2896 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2897
2898         [JSC] Reduce size of memory used for ShadowChicken
2899         https://bugs.webkit.org/show_bug.cgi?id=193546
2900
2901         Reviewed by Mark Lam.
2902
2903         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
2904         The removal of ShadowChicken saves 55KB of memory.
2905
2906         * debugger/DebuggerCallFrame.cpp:
2907         (JSC::DebuggerCallFrame::create):
2908         * ftl/FTLLowerDFGToB3.cpp:
2909         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
2910         * heap/Heap.cpp:
2911         (JSC::Heap::stopThePeriphery):
2912         (JSC::Heap::addCoreConstraints):
2913         * jit/CCallHelpers.cpp:
2914         (JSC::CCallHelpers::ensureShadowChickenPacket):
2915         * jit/JITExceptions.cpp:
2916         (JSC::genericUnwind):
2917         * jit/JITOpcodes.cpp:
2918         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2919         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2920         * jit/JITOpcodes32_64.cpp:
2921         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2922         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2923         * jit/JITOperations.cpp:
2924         * llint/LLIntSlowPaths.cpp:
2925         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2926         * runtime/JSGlobalObject.cpp:
2927         (JSC::JSGlobalObject::setDebugger):
2928         * runtime/JSGlobalObject.h:
2929         (JSC::JSGlobalObject::setDebugger): Deleted.
2930         * runtime/VM.cpp:
2931         (JSC::VM::VM):
2932         (JSC::VM::ensureShadowChicken):
2933         * runtime/VM.h:
2934         (JSC::VM::shadowChicken):
2935         * tools/JSDollarVM.cpp:
2936         (JSC::functionShadowChickenFunctionsOnStack):
2937         (JSC::changeDebuggerModeWhenIdle):
2938
2939 2019-01-28  Andy Estes  <aestes@apple.com>
2940
2941         [watchOS] Enable Parental Controls content filtering
2942         https://bugs.webkit.org/show_bug.cgi?id=193939
2943         <rdar://problem/46641912>
2944
2945         Reviewed by Ryosuke Niwa.
2946
2947         * Configurations/FeatureDefines.xcconfig:
2948
2949 2019-01-28  Mark Lam  <mark.lam@apple.com>
2950
2951         ToString node actually does GC.
2952         https://bugs.webkit.org/show_bug.cgi?id=193920
2953         <rdar://problem/46695900>
2954
2955         Reviewed by Yusuke Suzuki.
2956
2957         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
2958         CallStringConstructor can allocate new JSStrings, and hence, can GC.
2959
2960         * dfg/DFGDoesGC.cpp:
2961         (JSC::DFG::doesGC):
2962
2963 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2964
2965         [JSC] RegExpConstructor should not have own IsoSubspace
2966         https://bugs.webkit.org/show_bug.cgi?id=193801
2967
2968         Reviewed by Mark Lam.
2969
2970         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
2971         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
2972         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
2973         it from RegExpConstructor's members.
2974
2975         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
2976         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
2977         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
2978
2979         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
2980
2981         * CMakeLists.txt:
2982         * JavaScriptCore.xcodeproj/project.pbxproj:
2983         * Sources.txt:
2984         * dfg/DFGOperations.cpp:
2985         * dfg/DFGSpeculativeJIT.cpp:
2986         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
2987         * dfg/DFGStrengthReductionPhase.cpp:
2988         (JSC::DFG::StrengthReductionPhase::handleNode):
2989         * ftl/FTLAbstractHeapRepository.cpp:
2990         * ftl/FTLAbstractHeapRepository.h:
2991         * ftl/FTLLowerDFGToB3.cpp:
2992         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
2993         * runtime/JSGlobalObject.cpp:
2994         (JSC::JSGlobalObject::init):
2995         (JSC::JSGlobalObject::visitChildren):
2996         * runtime/JSGlobalObject.h:
2997         (JSC::JSGlobalObject::regExpGlobalData):
2998         (JSC::JSGlobalObject::regExpGlobalDataOffset):
2999         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3000         * runtime/RegExpCache.cpp:
3001         (JSC::RegExpCache::initialize):
3002         * runtime/RegExpCache.h:
3003         (JSC::RegExpCache::emptyRegExp const):
3004         * runtime/RegExpCachedResult.cpp:
3005         (JSC::RegExpCachedResult::visitAggregate):
3006         (JSC::RegExpCachedResult::visitChildren): Deleted.
3007         * runtime/RegExpCachedResult.h:
3008         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3009         * runtime/RegExpConstructor.cpp:
3010         (JSC::RegExpConstructor::RegExpConstructor):
3011         (JSC::regExpConstructorDollar):
3012         (JSC::regExpConstructorInput):
3013         (JSC::regExpConstructorMultiline):
3014         (JSC::regExpConstructorLastMatch):
3015         (JSC::regExpConstructorLastParen):
3016         (JSC::regExpConstructorLeftContext):
3017         (JSC::regExpConstructorRightContext):
3018         (JSC::setRegExpConstructorInput):
3019         (JSC::setRegExpConstructorMultiline):
3020         (JSC::RegExpConstructor::destroy): Deleted.
3021         (JSC::RegExpConstructor::visitChildren): Deleted.
3022         (JSC::RegExpConstructor::getBackref): Deleted.
3023         (JSC::RegExpConstructor::getLastParen): Deleted.
3024         (JSC::RegExpConstructor::getLeftContext): Deleted.
3025         (JSC::RegExpConstructor::getRightContext): Deleted.
3026         * runtime/RegExpConstructor.h:
3027         (JSC::RegExpConstructor::performMatch): Deleted.
3028         (JSC::RegExpConstructor::recordMatch): Deleted.
3029         * runtime/RegExpGlobalData.cpp: Added.
3030         (JSC::RegExpGlobalData::visitAggregate):
3031         (JSC::RegExpGlobalData::getBackref):
3032         (JSC::RegExpGlobalData::getLastParen):
3033         (JSC::RegExpGlobalData::getLeftContext):
3034         (JSC::RegExpGlobalData::getRightContext):
3035         * runtime/RegExpGlobalData.h: Added.
3036         (JSC::RegExpGlobalData::cachedResult):
3037         (JSC::RegExpGlobalData::setMultiline):
3038         (JSC::RegExpGlobalData::multiline const):
3039         (JSC::RegExpGlobalData::input):
3040         (JSC::RegExpGlobalData::offsetOfCachedResult):
3041         * runtime/RegExpGlobalDataInlines.h: Added.
3042         (JSC::RegExpGlobalData::setInput):
3043         (JSC::RegExpGlobalData::performMatch):
3044         (JSC::RegExpGlobalData::recordMatch):
3045         * runtime/RegExpObject.cpp:
3046         (JSC::RegExpObject::matchGlobal):
3047         * runtime/RegExpObjectInlines.h:
3048         (JSC::RegExpObject::execInline):
3049         (JSC::RegExpObject::matchInline):
3050         (JSC::collectMatches):
3051         * runtime/RegExpPrototype.cpp:
3052         (JSC::RegExpPrototype::finishCreation):
3053         (JSC::regExpProtoFuncSearchFast):
3054         (JSC::RegExpPrototype::visitChildren): Deleted.
3055         * runtime/RegExpPrototype.h:
3056         * runtime/StringPrototype.cpp:
3057         (JSC::removeUsingRegExpSearch):
3058         (JSC::replaceUsingRegExpSearch):
3059         * runtime/VM.cpp:
3060         (JSC::VM::VM):
3061         * runtime/VM.h:
3062
3063 2018-12-15  Darin Adler  <darin@apple.com>
3064
3065         Replace many uses of String::format with more type-safe alternatives
3066         https://bugs.webkit.org/show_bug.cgi?id=192742
3067
3068         Reviewed by Mark Lam.
3069
3070         * inspector/InjectedScriptBase.cpp:
3071         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3072         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3073         * inspector/InspectorBackendDispatcher.cpp:
3074         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3075         * inspector/agents/InspectorConsoleAgent.cpp:
3076         (Inspector::InspectorConsoleAgent::enable): Ditto.
3077         * jsc.cpp:
3078         (FunctionJSCStackFunctor::operator() const): Ditto.
3079
3080         * runtime/CodeCache.cpp:
3081         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3082         using String::number.
3083
3084         * runtime/IntlDateTimeFormat.cpp:
3085         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3086         * runtime/IntlObject.cpp:
3087         (JSC::canonicalizeLocaleList): Ditto.
3088
3089 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3090
3091         AX: Introduce a static accessibility tree
3092         https://bugs.webkit.org/show_bug.cgi?id=193348
3093         <rdar://problem/47203295>
3094
3095         Reviewed by Ryosuke Niwa.
3096
3097         * Configurations/FeatureDefines.xcconfig:
3098
3099 2019-01-26  Devin Rousso  <drousso@apple.com>
3100
3101         Web Inspector: provide a way to edit the user agent of a remote target
3102         https://bugs.webkit.org/show_bug.cgi?id=193862
3103         <rdar://problem/47359292>
3104
3105         Reviewed by Joseph Pecoraro.
3106
3107         * inspector/protocol/Page.json:
3108         Add `overrideUserAgent` command.
3109
3110 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3111
3112         [JSC] NativeErrorConstructor should not have own IsoSubspace
3113         https://bugs.webkit.org/show_bug.cgi?id=193713
3114
3115         Reviewed by Saam Barati.
3116
3117         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3118         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3119         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3120         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3121         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3122         referenced.
3123
3124         * CMakeLists.txt:
3125         * JavaScriptCore.xcodeproj/project.pbxproj:
3126         * Sources.txt:
3127         * builtins/BuiltinNames.h:
3128         * interpreter/Interpreter.h:
3129         * runtime/Error.cpp:
3130         (JSC::createEvalError):
3131         (JSC::createRangeError):
3132         (JSC::createReferenceError):
3133         (JSC::createSyntaxError):
3134         (JSC::createTypeError):
3135         (JSC::createURIError):
3136         (WTF::printInternal): Deleted.
3137         * runtime/Error.h:
3138         * runtime/ErrorPrototype.cpp:
3139         (JSC::ErrorPrototype::create):
3140         (JSC::ErrorPrototype::finishCreation):
3141         * runtime/ErrorPrototype.h:
3142         (JSC::ErrorPrototype::create): Deleted.
3143         * runtime/ErrorType.cpp: Added.
3144         (JSC::errorTypeName):
3145         (WTF::printInternal):
3146         * runtime/ErrorType.h: Added.
3147         * runtime/JSGlobalObject.cpp:
3148         (JSC::JSGlobalObject::initializeErrorConstructor):
3149         (JSC::JSGlobalObject::init):
3150         (JSC::JSGlobalObject::visitChildren):
3151         * runtime/JSGlobalObject.h:
3152         (JSC::JSGlobalObject::internalPromiseConstructor const):
3153         (JSC::JSGlobalObject::errorStructure const):
3154         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3155         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3156         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3157         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3158         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3159         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3160         * runtime/NativeErrorConstructor.cpp:
3161         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3162         (JSC::NativeErrorConstructorBase::finishCreation):
3163         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3164         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3165         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3166         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3167         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3168         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3169         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3170         * runtime/NativeErrorConstructor.h:
3171         (JSC::NativeErrorConstructorBase::createStructure):
3172         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3173         * runtime/NativeErrorPrototype.cpp:
3174         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3175         * runtime/NativeErrorPrototype.h:
3176         * runtime/VM.cpp:
3177         (JSC::VM::VM):
3178         * runtime/VM.h:
3179         * wasm/js/WasmToJS.cpp:
3180         (JSC::Wasm::handleBadI64Use):
3181
3182 2019-01-25  Devin Rousso  <drousso@apple.com>
3183
3184         Web Inspector: provide a way to edit page settings on a remote target
3185         https://bugs.webkit.org/show_bug.cgi?id=193813
3186         <rdar://problem/47359510>
3187
3188         Reviewed by Joseph Pecoraro.
3189
3190         * inspector/protocol/Page.json:
3191         Add `overrideSetting` command with supporting `Setting` enum type.
3192
3193 2019-01-25  Keith Rollin  <krollin@apple.com>
3194
3195         Update Xcode projects with "Check .xcfilelists" build phase
3196         https://bugs.webkit.org/show_bug.cgi?id=193790
3197         <rdar://problem/47201374>
3198
3199         Reviewed by Alex Christensen.
3200
3201         Support for XCBuild includes specifying inputs and outputs to various
3202         Run Script build phases. These inputs and outputs are specified as
3203         .xcfilelist files. Once created, these .xcfilelist files need to be
3204         kept up-to-date. In order to check that they are up-to-date or not,
3205         add an Xcode build step that invokes an external script that performs
3206         the checking. If the .xcfilelists are found to be out-of-date, update
3207         them, halt the build, and instruct the developer to restart the build
3208         with up-to-date files.
3209
3210         At this time, the checking and regenerating is performed only if the
3211         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3212         who want to use this facility can set this variable and test out the
3213         checking/regenerating. Once it seems like there are no egregious
3214         issues that upset a developer's workflow, we'll unconditionally enable
3215         this facility.
3216
3217         * JavaScriptCore.xcodeproj/project.pbxproj:
3218         * Scripts/check-xcfilelists.sh: Added.
3219
3220 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3221
3222         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3223         https://bugs.webkit.org/show_bug.cgi?id=193796
3224         <rdar://problem/47532910>
3225
3226         Reviewed by Devin Rousso.
3227
3228         * runtime/SamplingProfiler.cpp:
3229         (JSC::SamplingProfiler::machThread):
3230         * runtime/SamplingProfiler.h:
3231         Expose the mach_port_t of the SamplingProfiler thread
3232         so it can be tested against later.
3233
3234 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3235
3236         Fix Windows build after r240511
3237
3238         * bytecode/UnlinkedFunctionExecutable.cpp:
3239         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3240
3241 2019-01-25  Keith Rollin  <krollin@apple.com>
3242
3243         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3244         https://bugs.webkit.org/show_bug.cgi?id=193781
3245         <rdar://problem/47201153>
3246
3247         Reviewed by Alex Christensen.
3248
3249         Part of generating the .xcfilelists used as part of adopting XCBuild
3250         includes running `make DerivedSources.make` from a standalone script.
3251         It’s important for this invocation to have the same environment as
3252         when the actual build invokes `make DerivedSources.make`. If the
3253         environments are different, then the two invocations will provide
3254         different results. In order to get the same environment in the
3255         standalone script, have the script launch xcodebuild targeting the
3256         "Apply Configuration to XCFileLists" build target, which will then
3257         re-invoke our standalone script. The script is now running again, this
3258         time in an environment with all workspace, project, target, xcconfig
3259         and other environment variables established.
3260
3261         The "Apply Configuration to XCFileLists" build target accomplishes
3262         this task via a small embedded shell script that consists only of:
3263
3264             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3265
3266         The process that invokes "Apply Configuration to XCFileLists" first
3267         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3268         evaluated and exports it into the shell environment. When xcodebuild
3269         is invoked, it inherits the value of this variable and can `eval` the
3270         contents of that variable. Our external standalone script can then set
3271         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3272         of command-line parameters needed to restart itself in the appropriate
3273         state.
3274
3275         * JavaScriptCore.xcodeproj/project.pbxproj:
3276
3277 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3278
3279         Add API to generate and consume cached bytecode
3280         https://bugs.webkit.org/show_bug.cgi?id=193401
3281         <rdar://problem/47514099>
3282
3283         Reviewed by Keith Miller.
3284
3285         Add the `generateBytecode` and `generateModuleBytecode` functions to
3286         generate serialized bytecode for a given `SourceCode`. These functions
3287         will eagerly generate code for all the nested functions.
3288
3289         Additionally, update the API methods in JSScript to generate and use the
3290         bytecode when the bytecodeCache path is provided.
3291
3292         * API/JSAPIGlobalObject.mm:
3293         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3294         * API/JSContext.mm:
3295         (-[JSContext wrapperMap]):
3296         * API/JSContextInternal.h:
3297         * API/JSScript.mm:
3298         (+[JSScript scriptWithSource:inVirtualMachine:]):
3299         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3300         (-[JSScript dealloc]):
3301         (-[JSScript readCache]):
3302         (-[JSScript writeCache]):
3303         (-[JSScript hash]):
3304         (-[JSScript source]):
3305         (-[JSScript cachedBytecode]):
3306         (-[JSScript jsSourceCode:]):
3307         * API/JSScriptInternal.h:
3308         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3309         (JSScriptSourceProvider::create):
3310         (JSScriptSourceProvider::JSScriptSourceProvider):
3311         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3312         (JSScriptSourceProvider::hash const):
3313         (JSScriptSourceProvider::source const):
3314         (JSScriptSourceProvider::cachedBytecode const):
3315         * API/JSVirtualMachine.mm:
3316         (-[JSVirtualMachine vm]):
3317         * API/JSVirtualMachineInternal.h:
3318         * API/tests/testapi.mm:
3319         (testBytecodeCache):
3320         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3321         (testObjectiveCAPI):
3322         * JavaScriptCore.xcodeproj/project.pbxproj:
3323         * SourcesCocoa.txt:
3324         * bytecode/UnlinkedFunctionExecutable.cpp:
3325         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3326         * bytecode/UnlinkedFunctionExecutable.h:
3327         * parser/SourceCodeKey.h:
3328         (JSC::SourceCodeKey::source const):
3329         * parser/SourceProvider.h:
3330         (JSC::CachedBytecode::CachedBytecode):
3331         (JSC::CachedBytecode::operator=):
3332         (JSC::CachedBytecode::data const):
3333         (JSC::CachedBytecode::size const):
3334         (JSC::CachedBytecode::owned const):
3335         (JSC::CachedBytecode::~CachedBytecode):
3336         (JSC::CachedBytecode::freeDataIfOwned):
3337         (JSC::SourceProvider::cachedBytecode const):
3338         * parser/UnlinkedSourceCode.h:
3339         (JSC::UnlinkedSourceCode::provider const):
3340         * runtime/CodeCache.cpp:
3341         (JSC::generateUnlinkedCodeBlockForFunctions):
3342         (JSC::writeCodeBlock):
3343         (JSC::serializeBytecode):
3344         * runtime/CodeCache.h:
3345         (JSC::CodeCacheMap::fetchFromDiskImpl):
3346         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3347         (JSC::generateUnlinkedCodeBlockImpl):
3348         (JSC::generateUnlinkedCodeBlock):
3349         * runtime/Completion.cpp:
3350         (JSC::generateBytecode):
3351         (JSC::generateModuleBytecode):
3352         * runtime/Completion.h:
3353         * runtime/Options.cpp:
3354         (JSC::recomputeDependentOptions):
3355
3356 2019-01-25  Keith Rollin  <krollin@apple.com>
3357
3358         Update WebKitAdditions.xcconfig with correct order of variable definitions
3359         https://bugs.webkit.org/show_bug.cgi?id=193793
3360         <rdar://problem/47532439>
3361
3362         Reviewed by Alex Christensen.
3363
3364         XCBuild changes the way xcconfig variables are evaluated. In short,