Add MSE logging configuration
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue; thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, Global function from the function constructor, etc.), and the tricky thing is that
        SourceProvider's directives are updated by the Parser. The reason we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1) the
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them into a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans up them.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
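
        Added illustration of the check this entry describes (example code written for this page, not the Yarr JIT): in Unicode mode a lead surrogate makes the matcher read one more UTF-16 unit, so the index of that second unit has to be compared against the subject length before the read, or a subject ending in a lone lead surrogate is read one unit past its buffer. The buffer layout, function names and the constructed sample subject are assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Decode the code point at `index` in a UTF-16 buffer of `length` units.
// The trailing unit is read only after checking that index + 1 is in bounds;
// a lone lead surrogate at the end of the subject is returned as a single unit.
// `advance` receives the number of units consumed (1 or 2).
uint32_t readCodePoint(const char16_t* units, size_t length, size_t index, size_t* advance)
{
    char16_t lead = units[index];
    bool isLeadSurrogate = lead >= 0xD800 && lead <= 0xDBFF;
    if (isLeadSurrogate && index + 1 < length) { // bounds check before the second read
        char16_t trail = units[index + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            *advance = 2;
            return 0x10000 + ((uint32_t(lead) - 0xD800) << 10) + (uint32_t(trail) - 0xDC00);
        }
    }
    *advance = 1;
    return lead;
}

// Unicode-mode comparison of one pattern code point against the subject at
// `index`: the "read the next character" step the entry refers to, guarded so
// that neither the first nor the second unit is read out of bounds.
bool matchesCodePointAt(const char16_t* subject, size_t length, size_t index,
                        uint32_t patternCodePoint, size_t* consumed)
{
    if (index >= length) { // nothing left to read at all
        *consumed = 0;
        return false;
    }
    return readCodePoint(subject, length, index, consumed) == patternCodePoint;
}

// Walk a whole subject with the guarded reader and count its code points.
size_t countCodePoints(const char16_t* units, size_t length)
{
    size_t count = 0;
    for (size_t i = 0; i < length;) {
        size_t advance = 0;
        readCodePoint(units, length, i, &advance);
        i += advance;
        ++count;
    }
    return count;
}

// Constructed sample subject: 'a', U+1F600 as a surrogate pair, 'b'.
// Passing a length of 2 truncates it right after the lead surrogate.
const char16_t kSampleSubject[] = { u'a', 0xD83D, 0xDE00, u'b' };
const size_t kSampleLength = sizeof(kSampleSubject) / sizeof(kSampleSubject[0]);
```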

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. Should not allocate extra memory for that.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):
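
        Added example of why this entry matters (written for this page, not the SamplingProfiler's own code): function names and source URLs in a stack trace come from script, so writing them into JSON unescaped lets a quote or newline in a name break the document's structure or smuggle extra fields into it. The escaping routine, the frame layout and the constructed sample trace below are assumptions for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Quote and escape one string for embedding in a JSON document: the two JSON
// structural characters (quote and backslash) plus every control character
// below U+0020, which RFC 8259 requires to be escaped.
std::string escapeJSONString(const std::string& input)
{
    std::string out;
    out.reserve(input.size() + 2);
    out.push_back('"');
    for (unsigned char c : input) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", c);
                out += buf;
            } else
                out.push_back(static_cast<char>(c));
        }
    }
    out.push_back('"');
    return out;
}

// Simplified stand-in for a profiler stack frame (assumed layout).
struct StackFrame {
    std::string functionName;
    std::string url;
    int line;
};

// Serialize a trace as a JSON array, escaping every string-valued field.
// Numbers need no escaping; only script-controlled text does.
std::string stackTraceAsJSON(const std::vector<StackFrame>& frames)
{
    std::string json = "[";
    for (size_t i = 0; i < frames.size(); ++i) {
        if (i)
            json += ",";
        json += "{\"name\":" + escapeJSONString(frames[i].functionName)
            + ",\"url\":" + escapeJSONString(frames[i].url)
            + ",\"line\":" + std::to_string(frames[i].line) + "}";
    }
    return json + "]";
}

// Constructed sample trace: the first name carries a quote, the second a newline,
// the two characters that would corrupt an unescaped JSON dump.
std::vector<StackFrame> sampleTrace()
{
    return {
        { "foo\"bar", "http://example.test/a.js", 7 },
        { "eval\ncode", "", 1 },
    };
}
```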

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer into a global variable.
        This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the # of scratch buffers is always zero in non-JIT mode).
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since the entrypoint code is identical.
        We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create a NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after its creation. This patch adds a singleton used as the default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
        allocations, which take 14KB.
682
683         * runtime/VM.cpp:
684         (JSC::jitCodeForCallTrampoline):
685         (JSC::jitCodeForConstructTrampoline):
686         (JSC::VM::getHostFunction):
687
688 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
689
690         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
691         https://bugs.webkit.org/show_bug.cgi?id=194576
692
693         Reviewed by Saam Barati.
694
695         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
696         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
697
698         * bytecode/UnlinkedFunctionExecutable.cpp:
699         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
700         (JSC::UnlinkedFunctionExecutable::link):
701         * bytecode/UnlinkedFunctionExecutable.h:
702         * runtime/CodeCache.cpp:
703         (JSC::generateUnlinkedCodeBlockForFunctions):
704
705 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
706
707         CachedBitVector's size must be converted from bits to bytes
708         https://bugs.webkit.org/show_bug.cgi?id=194441
709
710         Reviewed by Saam Barati.
711
712         CachedBitVector used its size in bits for memcpy. That didn't cause any
713         issues when encoding, since the size in bits was also used in the allocation,
714         but would overflow the actual BitVector buffer when decoding.
715
716         * runtime/CachedTypes.cpp:
717         (JSC::CachedBitVector::encode):
718         (JSC::CachedBitVector::decode const):
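The bits-versus-bytes mistake this entry describes, as an added example that is not JavaScriptCore's CachedBitVector code: ToyBitVector, Encoded, bytesForBits and the encode/decode helpers are constructed here to show why using size() in bits as the memcpy count goes unnoticed on encode but overflows the destination on decode, and how a length-validating decoder closes it.

```cpp
// Added example, not JavaScriptCore code: a minimal model of the
// CachedBitVector size mistake (bit count used as a byte count for memcpy)
// and of the bits-to-bytes conversion that fixes it. ToyBitVector, Encoded,
// bytesForBits and the encode/decode helpers are all constructed for this
// example.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

// Stand-in for a BitVector: size() counts BITS, storage is 64-bit words.
class ToyBitVector {
public:
    explicit ToyBitVector(size_t bits)
        : m_bits(bits), m_words((bits + 63) / 64, 0) { }

    size_t size() const { return m_bits; }
    size_t byteLength() const { return m_words.size() * sizeof(uint64_t); }
    uint8_t* bytes() { return reinterpret_cast<uint8_t*>(m_words.data()); }
    const uint8_t* bytes() const { return reinterpret_cast<const uint8_t*>(m_words.data()); }

    void set(size_t i) { m_words[i / 64] |= uint64_t(1) << (i % 64); }
    bool get(size_t i) const { return (m_words[i / 64] >> (i % 64)) & 1; }

private:
    size_t m_bits;
    std::vector<uint64_t> m_words;
};

// The conversion the fix needs: bytes of backing store for `bits` bits,
// rounded up to whole 64-bit words.
constexpr size_t bytesForBits(size_t bits)
{
    return ((bits + 63) / 64) * sizeof(uint64_t);
}

// What the buggy decoder would have done: memcpy `bits` BYTES into a
// destination that owns only bytesForBits(bits) bytes. Any bit count for
// which this returns true is a heap overflow on decode; the same mistake on
// encode went unnoticed because the encode buffer was sized with the same
// wrong number.
bool buggyDecodeOverflows(size_t bits)
{
    return bits > bytesForBits(bits);
}

// Serialized form: the bit count plus the raw word bytes.
struct Encoded {
    size_t bits;
    std::vector<uint8_t> payload;
};

Encoded encode(const ToyBitVector& v)
{
    Encoded e;
    e.bits = v.size();
    e.payload.resize(bytesForBits(v.size()));   // bytes, not bits
    if (!e.payload.empty())
        std::memcpy(e.payload.data(), v.bytes(), e.payload.size());
    return e;
}

// Decode that refuses payloads whose length disagrees with the bit count.
// Cached bytecode is data read back from disk, so the decoder validates the
// length rather than trusting the header. Returns false and leaves `out`
// unchanged on mismatch.
bool decode(const Encoded& e, ToyBitVector& out)
{
    if (e.payload.size() != bytesForBits(e.bits))
        return false;
    ToyBitVector v(e.bits);
    if (!e.payload.empty())
        std::memcpy(v.bytes(), e.payload.data(), e.payload.size());
    out = std::move(v);
    return true;
}

// Round trip: set the given bit positions, encode, decode into a fresh
// vector and report whether every bit came back intact.
bool roundTripPreservesBits(size_t bits, const std::vector<size_t>& setBits)
{
    ToyBitVector original(bits);
    for (size_t i : setBits)
        original.set(i);
    Encoded e = encode(original);
    ToyBitVector restored(0);
    if (!decode(e, restored) || restored.size() != bits)
        return false;
    for (size_t i = 0; i < bits; ++i) {
        if (restored.get(i) != original.get(i))
            return false;
    }
    return true;
}

// Mis-sized input: a payload of `payloadBytes` bytes claiming `bits` bits
// must only be accepted when the two agree.
bool decodeAccepts(size_t bits, size_t payloadBytes)
{
    Encoded e{ bits, std::vector<uint8_t>(payloadBytes, 0) };
    ToyBitVector out(0);
    return decode(e, out);
}
```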
719
720 2019-02-13  Brian Burg  <bburg@apple.com>
721
722         Web Inspector: don't include accessibility role in DOM.Node object payloads
723         https://bugs.webkit.org/show_bug.cgi?id=194623
724         <rdar://problem/36384037>
725
726         Reviewed by Devin Rousso.
727
728         Remove property of DOM.Node that is no longer being sent.
729
730         * inspector/protocol/DOM.json:
731
732 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
733
734         We should only make rope strings when concatenating strings long enough.
735         https://bugs.webkit.org/show_bug.cgi?id=194465
736
737         Reviewed by Mark Lam.
738
739         This patch stops us from allocating a rope string if the resulting
740         rope would be smaller than the size of the JSRopeString object we
741         would need to allocate.
742
743         This patch also adds paths so that we don't unnecessarily allocate
744         JSString cells for primitives we are going to concatenate with a
745         string anyway.
746
747         The important change from the previous one is that we do not apply
748         the above rule to JSRopeStrings generated by JSStrings. If we convert
749         it to JSString, comparison of memory consumption becomes the following,
750         because JSRopeString does not have StringImpl until it is resolved.
751
752             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
753
754         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
755         resolving eagerly increases memory footprint. The point is that we need to
756         account for the newly created JSString and JSRopeString from the operands. This is the
757         reason why this patch adds different thresholds for each of the jsString functions.
758
759         This patch also avoids concatenation for ropes conservatively. Many ropes are
760         temporary cells. So we do not resolve eagerly if one of the operands is already a
761         rope.
762
763         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaging the latter 5).
764
765             Before: 159.3778
766             After:  160.72340000000003
767
768         * dfg/DFGOperations.cpp:
769         * runtime/CommonSlowPaths.cpp:
770         (JSC::SLOW_PATH_DECL):
771         * runtime/JSString.h:
772         (JSC::JSString::isRope const):
773         * runtime/Operations.cpp:
774         (JSC::jsAddSlowCase):
775         * runtime/Operations.h:
776         (JSC::jsString):
777         (JSC::jsAddNonNumber):
778         (JSC::jsAdd):
779
780 2019-02-13  Saam Barati  <sbarati@apple.com>
781
782         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
783         https://bugs.webkit.org/show_bug.cgi?id=194610
784
785         Reviewed by Michael Saboff.
786
787         BinarySwitch might use the scratch register. We must model the
788         effects of that properly. This is already caught by our br-table
789         tests on arm64.
790
791         * wasm/WasmAirIRGenerator.cpp:
792         (JSC::Wasm::AirIRGenerator::addSwitch):
793
794 2019-02-13  Mark Lam  <mark.lam@apple.com>
795
796         Create a randomized free list for new StructureIDs on StructureIDTable resize.
797         https://bugs.webkit.org/show_bug.cgi?id=194566
798         <rdar://problem/47975502>
799
800         Reviewed by Michael Saboff.
801
802         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
803         implementation is a little easier to read.
804
805         This patch appears to be perf neutral on JetStream2 (as run from the command line).
806
807         * runtime/StructureIDTable.cpp:
808         (JSC::StructureIDTable::StructureIDTable):
809         (JSC::StructureIDTable::makeFreeListFromRange):
810         (JSC::StructureIDTable::resize):
811         (JSC::StructureIDTable::allocateID):
812         (JSC::StructureIDTable::deallocateID):
813         * runtime/StructureIDTable.h:
814         (JSC::StructureIDTable::get):
815         (JSC::StructureIDTable::deallocateID):
816         (JSC::StructureIDTable::allocateID):
817         (JSC::StructureIDTable::flushOldTables):
818
819 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
820
821         VariableLengthObject::allocate<T> should initialize objects
822         https://bugs.webkit.org/show_bug.cgi?id=194534
823
824         Reviewed by Michael Saboff.
825
826         `buffer()` should not be called for empty VariableLengthObjects, but
827         these cases were not being caught due to the objects not being properly
828         initialized. Fix it so that allocate calls the constructor and fix the
829         assertion failures.
830
831         * runtime/CachedTypes.cpp:
832         (JSC::CachedObject::operator new):
833         (JSC::VariableLengthObject::allocate):
834         (JSC::CachedVector::encode):
835         (JSC::CachedVector::decode const):
836         (JSC::CachedUniquedStringImpl::decode const):
837         (JSC::CachedBitVector::encode):
838         (JSC::CachedBitVector::decode const):
839         (JSC::CachedArray::encode):
840         (JSC::CachedArray::decode const):
841         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
842         (JSC::CachedBigInt::decode const):
843
844 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
845
846         CodeBlocks read from disk should not be re-written
847         https://bugs.webkit.org/show_bug.cgi?id=194535
848
849         Reviewed by Michael Saboff.
850
851         Keep track of which CodeBlocks have been read from disk or have already
852         been serialized in CodeCache.
853
854         * runtime/CodeCache.cpp:
855         (JSC::CodeCache::write):
856         * runtime/CodeCache.h:
857         (JSC::SourceCodeValue::SourceCodeValue):
858         (JSC::CodeCacheMap::fetchFromDiskImpl):
859
860 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
861
862         SourceCode should be copied when generating bytecode for functions
863         https://bugs.webkit.org/show_bug.cgi?id=194536
864
865         Reviewed by Saam Barati.
866
867         The FunctionExecutable might be collected while generating the bytecode
868         for nested functions, in which case the SourceCode reference would no
869         longer be valid.
870
871         * runtime/CodeCache.cpp:
872         (JSC::generateUnlinkedCodeBlockForFunctions):
873
874 2019-02-12  Saam barati  <sbarati@apple.com>
875
876         JSScript needs to retain its cache path NSURL*
877         https://bugs.webkit.org/show_bug.cgi?id=194577
878
879         Reviewed by Tim Horton.
880
881         * API/JSScript.mm:
882         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
883         (-[JSScript dealloc]):
884
885 2019-02-12  Robin Morisset  <rmorisset@apple.com>
886
887         Make B3Value::returnsBool() more precise
888         https://bugs.webkit.org/show_bug.cgi?id=194457
889
890         Reviewed by Saam Barati.
891
892         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
893         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
894         No new tests added as this should be indirectly tested by the already existing tests.
895
896         * b3/B3Value.cpp:
897         (JSC::B3::Value::returnsBool const):
898
899 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
900
901         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
902         https://bugs.webkit.org/show_bug.cgi?id=194399
903         <rdar://problem/47889777>
904
905         * dfg/DFGDoesGC.cpp:
906         (JSC::DFG::doesGC):
907
908 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
909
910         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
911         https://bugs.webkit.org/show_bug.cgi?id=194370
912
913         Reviewed by Darin Adler.
914
915         Change a couple of WTFLogAlways calls to use g_warning, for good measure. Of course this isn't
916         necessary, but it will make errors more visible.
917
918         * inspector/remote/glib/RemoteInspectorGlib.cpp:
919         (Inspector::RemoteInspector::start):
920         (Inspector::dbusConnectionCallAsyncReadyCallback):
921         * inspector/remote/glib/RemoteInspectorServer.cpp:
922         (Inspector::RemoteInspectorServer::start):
923
924 2019-02-12  Andy Estes  <aestes@apple.com>
925
926         [iOSMac] Enable Parental Controls Content Filtering
927         https://bugs.webkit.org/show_bug.cgi?id=194521
928         <rdar://39732376>
929
930         Reviewed by Tim Horton.
931
932         * Configurations/FeatureDefines.xcconfig:
933
934 2019-02-11  Mark Lam  <mark.lam@apple.com>
935
936         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
937         https://bugs.webkit.org/show_bug.cgi?id=194512
938         <rdar://problem/47975465>
939
940         Reviewed by Yusuke Suzuki.
941
942         * runtime/StructureIDTable.cpp:
943         (JSC::StructureIDTable::StructureIDTable):
944         (JSC::StructureIDTable::allocateID):
945         (JSC::StructureIDTable::deallocateID):
946         * runtime/StructureIDTable.h:
947
948 2019-02-10  Mark Lam  <mark.lam@apple.com>
949
950         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
951         https://bugs.webkit.org/show_bug.cgi?id=194493
952         <rdar://problem/36380852>
953
954         Reviewed by Yusuke Suzuki.
955
956         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
957         however not good for performance and memory usage.  As such, a debug ASSERT will
958         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
959         possible to be instantiated with duplicate cases in
960         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
961
962         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
963         see duplicate cases.
964
965         * jit/BinarySwitch.cpp:
966         (JSC::BinarySwitch::BinarySwitch):
967
968 2019-02-10  Darin Adler  <darin@apple.com>
969
970         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
971         https://bugs.webkit.org/show_bug.cgi?id=194485
972
973         Reviewed by Daniel Bates.
974
975         * heap/HeapSnapshotBuilder.cpp:
976         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
977         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
978
979         * runtime/JSGlobalObjectFunctions.cpp:
980         (JSC::encode): Removed some unneeded casts in StringBuilder code,
981         including one in a call to appendByteAsHex.
982         (JSC::globalFuncEscape): Ditto.
983
984 2019-02-10  Commit Queue  <commit-queue@webkit.org>
985
986         Unreviewed, rolling out r241230.
987         https://bugs.webkit.org/show_bug.cgi?id=194488
988
989         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
990         #webkit).
991
992         Reverted changeset:
993
994         "We should only make rope strings when concatenating strings
995         long enough."
996         https://bugs.webkit.org/show_bug.cgi?id=194465
997         https://trac.webkit.org/changeset/241230
998
999 2019-02-10  Saam barati  <sbarati@apple.com>
1000
1001         BBQ-Air: Emit better code for switch
1002         https://bugs.webkit.org/show_bug.cgi?id=194053
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         Instead of emitting a linear set of jumps for Switch, this patch
1007         makes the BBQ-Air backend emit a binary switch.
1008
1009         * wasm/WasmAirIRGenerator.cpp:
1010         (JSC::Wasm::AirIRGenerator::addSwitch):
1011
1012 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1013
1014         Unreviewed, Lexer should use isLatin1 implementation in WTF
1015         https://bugs.webkit.org/show_bug.cgi?id=194466
1016
1017         Follow-up after r241233 pointed out by Darin.
1018
1019         * parser/Lexer.cpp:
1020         (JSC::isLatin1): Deleted.
1021
1022 2019-02-09  Darin Adler  <darin@apple.com>
1023
1024         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1025         https://bugs.webkit.org/show_bug.cgi?id=194021
1026
1027         Reviewed by Geoffrey Garen.
1028
1029         * inspector/agents/InspectorConsoleAgent.cpp:
1030         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1031         makeString do the conversion without allocating/destroying a String.
1032         * inspector/agents/InspectorDebuggerAgent.cpp:
1033         (Inspector::objectGroupForBreakpointAction): Ditto.
1034         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1035         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1036         * runtime/JSGenericTypedArrayViewInlines.h:
1037         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1038         * runtime/NumberPrototype.cpp:
1039         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1040         of calling numberToFixedWidthString to do the same thing.
1041         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1042         numberToFixedPrecisionString to do the same thing.
1043         * runtime/SamplingProfiler.cpp:
1044         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1045
1046 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1047
1048         Unreviewed, rolling in r241237 again
1049         https://bugs.webkit.org/show_bug.cgi?id=194469
1050
1051         * runtime/JSString.h:
1052         (JSC::jsSubstring):
1053
1054 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1055
1056         Unreviewed, rolling out r241237.
1057         https://bugs.webkit.org/show_bug.cgi?id=194474
1058
1059         Shows significant memory increase in WSL (Requested by
1060         yusukesuzuki on #webkit).
1061
1062         Reverted changeset:
1063
1064         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1065         takes more memory"
1066         https://bugs.webkit.org/show_bug.cgi?id=194469
1067         https://trac.webkit.org/changeset/241237
1068
1069 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1070
1071         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1072         https://bugs.webkit.org/show_bug.cgi?id=194469
1073
1074         Reviewed by Geoffrey Garen.
1075
1076         * runtime/JSString.h:
1077         (JSC::jsSubstring):
1078
1079 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1080
1081         [JSC] CachedTypes should use jsString instead of JSString::create
1082         https://bugs.webkit.org/show_bug.cgi?id=194471
1083
1084         Reviewed by Mark Lam.
1085
1086         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1087
1088         * runtime/CachedTypes.cpp:
1089         (JSC::CachedJSValue::decode const):
1090
1091 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1092
1093         [JSC] Increase StructureIDTable initial capacity
1094         https://bugs.webkit.org/show_bug.cgi?id=194468
1095
1096         Reviewed by Mark Lam.
1097
1098         Currently, the # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in the
1099         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1100         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1101         more memory dirty. We also remove some structures that are no longer used.
1102
1103         * runtime/JSGlobalObject.h:
1104         (JSC::JSGlobalObject::callbackObjectStructure const):
1105         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1106         * runtime/StructureIDTable.h:
1107         * runtime/VM.h:
1108
1109 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1110
1111         [JSC] String.fromCharCode's slow path always generates 16bit string
1112         https://bugs.webkit.org/show_bug.cgi?id=194466
1113
1114         Reviewed by Keith Miller.
1115
1116         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
1117         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1118         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1119         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1120         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1121         as much as possible.
1122
1123         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1124
1125         * runtime/StringConstructor.cpp:
1126         (JSC::stringFromCharCode):
1127
1128 2019-02-08  Keith Miller  <keith_miller@apple.com>
1129
1130         We should only make rope strings when concatenating strings long enough.
1131         https://bugs.webkit.org/show_bug.cgi?id=194465
1132
1133         Reviewed by Saam Barati.
1134
1135         This patch stops us from allocating a rope string if the resulting
1136         rope would be smaller than the size of the JSRopeString object we
1137         would need to allocate.
1138
1139         This patch also adds paths so that we don't unnecessarily allocate
1140         JSString cells for primitives we are going to concatenate with a
1141         string anyway.
1142
1143         * dfg/DFGOperations.cpp:
1144         * runtime/CommonSlowPaths.cpp:
1145         (JSC::SLOW_PATH_DECL):
1146         * runtime/JSString.h:
1147         * runtime/Operations.cpp:
1148         (JSC::jsAddSlowCase):
1149         * runtime/Operations.h:
1150         (JSC::jsString):
1151         (JSC::jsAdd):
1152
1153 2019-02-08  Saam barati  <sbarati@apple.com>
1154
1155         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1156         https://bugs.webkit.org/show_bug.cgi?id=194334
1157         <rdar://problem/47844327>
1158
1159         Reviewed by Mark Lam.
1160
1161         * dfg/DFGAbstractInterpreterInlines.h:
1162         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1163         * dfg/DFGArgumentsEliminationPhase.cpp:
1164         * dfg/DFGByteCodeParser.cpp:
1165         (JSC::DFG::ByteCodeParser::parseBlock):
1166         * dfg/DFGClobberize.h:
1167         (JSC::DFG::clobberize):
1168         * dfg/DFGConstantFoldingPhase.cpp:
1169         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1170         * dfg/DFGFixupPhase.cpp:
1171         (JSC::DFG::FixupPhase::fixupNode):
1172         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1173         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1174         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1175         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1176         * dfg/DFGNodeType.h:
1177         * dfg/DFGSSALoweringPhase.cpp:
1178         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1179         * dfg/DFGSpeculativeJIT.cpp:
1180         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1181         * ftl/FTLLowerDFGToB3.cpp:
1182         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1183         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1184
1185 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1186
1187         [JSC] Shrink sizeof(CodeBlock) more
1188         https://bugs.webkit.org/show_bug.cgi?id=194419
1189
1190         Reviewed by Mark Lam.
1191
1192         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1193
1194         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
1195         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1196         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1197
1198         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1199         And we do not touch it in CodeBlock::~CodeBlock.
1200
1201         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For the baseline and LLInt
1202         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns
1203         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1204
1205         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1206
1207         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1208
1209         * bytecode/CodeBlock.cpp:
1210         (JSC::CodeBlock::hash const):
1211         (JSC::CodeBlock::sourceCodeForTools const):
1212         (JSC::CodeBlock::dumpAssumingJITType const):
1213         (JSC::CodeBlock::dumpSource):
1214         (JSC::CodeBlock::CodeBlock):
1215         (JSC::CodeBlock::finishCreation):
1216         (JSC::CodeBlock::propagateTransitions):
1217         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1218         (JSC::CodeBlock::setCalleeSaveRegisters):
1219         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1220         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1221         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1222         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1223         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1224         (JSC::CodeBlock::newReplacement):
1225         (JSC::CodeBlock::replacement):
1226         (JSC::CodeBlock::computeCapabilityLevel):
1227         (JSC::CodeBlock::jettison):
1228         (JSC::CodeBlock::calleeSaveRegisters const):
1229         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1230         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1231         (JSC::CodeBlock::getArrayProfile):
1232         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1233         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1234         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1235         (JSC::CodeBlock::validate):
1236         (JSC::CodeBlock::outOfLineJumpTarget):
1237         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1238         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1239         * bytecode/CodeBlock.h:
1240         (JSC::CodeBlock::specializationKind const):
1241         (JSC::CodeBlock::isStrictMode const):
1242         (JSC::CodeBlock::isConstructor const):
1243         (JSC::CodeBlock::codeType const):
1244         (JSC::CodeBlock::isKnownNotImmediate):
1245         (JSC::CodeBlock::instructions const):
1246         (JSC::CodeBlock::ownerExecutable const):
1247         (JSC::CodeBlock::thisRegister const):
1248         (JSC::CodeBlock::source const):
1249         (JSC::CodeBlock::sourceOffset const):
1250         (JSC::CodeBlock::firstLineColumnOffset const):
1251         (JSC::CodeBlock::createRareDataIfNecessary):
1252         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1253         (JSC::CodeBlock::setThisRegister): Deleted.
1254         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1255         * bytecode/EvalCodeBlock.h:
1256         * bytecode/FunctionCodeBlock.h:
1257         * bytecode/GlobalCodeBlock.h:
1258         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1259         * bytecode/ModuleProgramCodeBlock.h:
1260         * bytecode/ProgramCodeBlock.h:
1261         * debugger/Debugger.cpp:
1262         (JSC::Debugger::toggleBreakpoint):
1263         * debugger/DebuggerCallFrame.cpp:
1264         (JSC::DebuggerCallFrame::sourceID const):
1265         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1266         * debugger/DebuggerScope.cpp:
1267         (JSC::DebuggerScope::location const):
1268         * dfg/DFGByteCodeParser.cpp:
1269         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1270         (JSC::DFG::ByteCodeParser::inliningCost):
1271         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1272         * dfg/DFGCapabilities.cpp:
1273         (JSC::DFG::isSupportedForInlining):
1274         (JSC::DFG::mightCompileEval):
1275         (JSC::DFG::mightCompileProgram):
1276         (JSC::DFG::mightCompileFunctionForCall):
1277         (JSC::DFG::mightCompileFunctionForConstruct):
1278         (JSC::DFG::canUseOSRExitFuzzing):
1279         * dfg/DFGGraph.h:
1280         (JSC::DFG::Graph::executableFor):
1281         * dfg/DFGJITCompiler.cpp:
1282         (JSC::DFG::JITCompiler::compileFunction):
1283         * dfg/DFGOSREntry.cpp:
1284         (JSC::DFG::prepareOSREntry):
1285         * dfg/DFGOSRExit.cpp:
1286         (JSC::DFG::restoreCalleeSavesFor):
1287         (JSC::DFG::saveCalleeSavesFor):
1288         (JSC::DFG::saveOrCopyCalleeSavesFor):
1289         * dfg/DFGOSRExitCompilerCommon.cpp:
1290         (JSC::DFG::handleExitCounts):
1291         * dfg/DFGOperations.cpp:
1292         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1293         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1294         * ftl/FTLCapabilities.cpp:
1295         (JSC::FTL::canCompile):
1296         * ftl/FTLLink.cpp:
1297         (JSC::FTL::link):
1298         * ftl/FTLOSRExitCompiler.cpp:
1299         (JSC::FTL::compileStub):
1300         * interpreter/CallFrame.cpp:
1301         (JSC::CallFrame::callerSourceOrigin):
1302         * interpreter/Interpreter.cpp:
1303         (JSC::eval):
1304         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1305         * interpreter/StackVisitor.cpp:
1306         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1307         (JSC::StackVisitor::Frame::sourceURL const):
1308         (JSC::StackVisitor::Frame::sourceID):
1309         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1310         * interpreter/StackVisitor.h:
1311         * jit/AssemblyHelpers.h:
1312         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1313         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1314         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1315         * jit/CallFrameShuffleData.cpp:
1316         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1317         * jit/JIT.cpp:
1318         (JSC::JIT::compileWithoutLinking):
1319         * jit/JITToDFGDeferredCompilationCallback.cpp:
1320         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1321         * jit/JITWorklist.cpp:
1322         (JSC::JITWorklist::Plan::finalize):
1323         (JSC::JITWorklist::compileNow):
1324         * jit/RegisterAtOffsetList.cpp:
1325         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1326         * jit/RegisterAtOffsetList.h:
1327         (JSC::RegisterAtOffsetList::at const):
1328         * runtime/ErrorInstance.cpp:
1329         (JSC::appendSourceToError):
1330         * runtime/ScriptExecutable.cpp:
1331         (JSC::ScriptExecutable::newCodeBlockFor):
1332         * runtime/StackFrame.cpp:
1333         (JSC::StackFrame::sourceID const):
1334         (JSC::StackFrame::sourceURL const):
1335         (JSC::StackFrame::computeLineAndColumn const):
1336
1337 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1338
1339         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1340         https://bugs.webkit.org/show_bug.cgi?id=194460
1341
1342         Reviewed by Mark Lam.
1343
1344         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1345
1346         * b3/B3LowerMacros.cpp:
1347
1348 2019-02-08  Mark Lam  <mark.lam@apple.com>
1349
1350         Use maxSingleCharacterString in comparisons instead of literal constants.
1351         https://bugs.webkit.org/show_bug.cgi?id=194452
1352
1353         Reviewed by Yusuke Suzuki.
1354
1355         This way, if we ever change maxSingleCharacterString, it won't break all this code
1356         that relies on it being 0xff implicitly.
1357
1358         * dfg/DFGSpeculativeJIT.cpp:
1359         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1360         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1361         * ftl/FTLLowerDFGToB3.cpp:
1362         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1363         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1364         * jit/ThunkGenerators.cpp:
1365         (JSC::stringGetByValGenerator):
1366         (JSC::charToString):
1367
1368 2019-02-08  Mark Lam  <mark.lam@apple.com>
1369
1370         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1371         https://bugs.webkit.org/show_bug.cgi?id=194446
1372         <rdar://problem/47926792>
1373
1374         Reviewed by Saam Barati.
1375
1376         Fix doesGC() for the following nodes:
1377
1378             CheckTierUpAtReturn:
1379                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1380                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1381
1382             CheckTierUpInLoop:
1383                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1384                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1385
1386             CheckTierUpAndOSREnter:
1387                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1388                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1389
1390             GetByVal:
1391                 case Array::String calls operationSingleCharacterString(), which calls
1392                 jsSingleCharacterString(), which can allocate a string.
1393
1394             PutByValDirect:
1395             PutByVal:
1396             PutByValAlias:
1397                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1398                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1399                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1400                 slow paths call putByValInternal(), which may create exception objects, or
1401                 call the generic JSValue::put() which may execute arbitrary code.
1402
1403             StringCharAt:
1404                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1405                 which can allocate a string.
1406
1407         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1408         to use the maxSingleCharacterString constant instead of a literal constant.
1409
1410         * dfg/DFGDoesGC.cpp:
1411         (JSC::DFG::doesGC):
1412         * dfg/DFGSpeculativeJIT.cpp:
1413         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1414         * dfg/DFGSpeculativeJIT64.cpp:
1415         (JSC::DFG::SpeculativeJIT::compile):
1416         * ftl/FTLLowerDFGToB3.cpp:
1417         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1418         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1419         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1420
1421 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1422
1423         [JSC] SourceProviderCacheItem should be small
1424         https://bugs.webkit.org/show_bug.cgi?id=194432
1425
1426         Reviewed by Saam Barati.
1427
1428         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1429         While they are removed when a full GC happens, they significantly increase the peak memory usage.
1430         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1431
1432         * parser/Parser.cpp:
1433         (JSC::Parser<LexerType>::parseFunctionInfo):
1434         * parser/ParserModes.h:
1435         * parser/ParserTokens.h:
1436         * parser/SourceProviderCacheItem.h:
1437         (JSC::SourceProviderCacheItem::endFunctionToken const):
1438         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1439
1440 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1441
1442         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1443         https://bugs.webkit.org/show_bug.cgi?id=194420
1444
1445         Reviewed by Saam Barati.
1446
1447         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1448         But I introduced two bugs: one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1449         This trivial patch fixes both.
1450
1451         * b3/B3ReduceStrength.cpp:
1452         * b3/testb3.cpp:
1453         (JSC::B3::testAbsNegArg):
1454
1455 2019-02-07  Keith Miller  <keith_miller@apple.com>
1456
1457         Better error messages for module loader SPI
1458         https://bugs.webkit.org/show_bug.cgi?id=194421
1459
1460         Reviewed by Saam Barati.
1461
1462         * API/JSAPIGlobalObject.mm:
1463         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1464
1465 2019-02-07  Mark Lam  <mark.lam@apple.com>
1466
1467         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1468         https://bugs.webkit.org/show_bug.cgi?id=194399
1469         <rdar://problem/47889777>
1470
1471         Reviewed by Yusuke Suzuki.
1472
1473         Fix doesGC() for the following nodes:
1474
1475             CheckTraps:
1476                 We normally will not emit this node because Options::usePollingTraps() is
1477                 false by default.  However, as it is implemented now, CheckTraps can GC
1478                 because it can allocate a TerminatedExecutionException.  If we make the
1479                 TerminatedExecutionException a singleton allocated at initialization time,
1480                 doesGC() can return false for CheckTraps.
1481                 https://bugs.webkit.org/show_bug.cgi?id=194323
1482
1483             GetMapBucket:
1484                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1485                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1486                 can resolve a rope.
1487
1488             Switch:
1489                 If switchData kind is SwitchChar, can call operationResolveRope().
1490                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1491                     can call operationSwitchString() which resolves ropes.
1492
1493             DirectTailCall:
1494             ForceOSRExit:
1495             Return:
1496             TailCallForwardVarargs:
1497             TailCallVarargs:
1498             Throw:
1499                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1500                 for them, but following our conservative practice, unless we have a good
1501                 reason for doesGC() to return false, we should just return true.
1502
1503         * dfg/DFGDoesGC.cpp:
1504         (JSC::DFG::doesGC):
1505
1506 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1507
1508         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1509         https://bugs.webkit.org/show_bug.cgi?id=194250
1510
1511         Reviewed by Saam Barati.
1512
1513         Adds the following optimizations for integers:
1514         - Sub(x, x) => 0
1515             Already covered by the test testSubArg
1516         - Sub(x1, Neg(x2)) => Add (x1, x2)
1517             Added test: testSubNeg
1518         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1519             Added test: testNegSub
1520         - Add(Neg(x1), x2) => Sub(x2, x1)
1521             Added test: testAddNeg1
1522         - Add(x1, Neg(x2)) => Sub(x1, x2)
1523             Added test: testAddNeg2
1524         Adds the following optimization for floating point values:
1525         - Abs(Neg(x)) => Abs(x)
1526             Added test: testAbsNegArg
1527             Adds the following optimization:
1528
1529         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value(..))
1530
1531         * b3/B3ReduceStrength.cpp:
1532         * b3/testb3.cpp:
1533         (JSC::B3::testAddNeg1):
1534         (JSC::B3::testAddNeg2):
1535         (JSC::B3::testSubNeg):
1536         (JSC::B3::testNegSub):
1537         (JSC::B3::testAbsAbsArg):
1538         (JSC::B3::testAbsNegArg):
1539         (JSC::B3::run):
1540
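The identities listed above, and the Abs(Neg(x)) mistake that the 2019-02-07 fix entry describes, as an added worked example. This is not JavaScriptCore or B3 code: it is a toy expression tree with a one-pass strength reducer and an exhaustive boundary-value checker written for this page. Node, Op, Type, mk(), reduce() and equivalent() are this example's own names, and B3's real pass runs to a fixpoint with many more rules. The point it makes is the one behind the fix entry: a peephole rule that is wrong for even one input (here Abs(Neg(x)) => x, or the integer rule Sub(x, x) => 0 applied to doubles) is a JIT miscompile, and a checker that covers the wrap-around and IEEE special values catches both.

```cpp
// Added example, not JavaScriptCore code: a toy strength-reduction pass applying the Neg/Sub/Add
// rules listed above plus Abs(Neg(x)) => Abs(x), with an exhaustive boundary-value check of each
// rewrite under B3's value semantics (wrapping int32 arithmetic, IEEE doubles). All names are ours.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <vector>

enum class Type { Int32, Double };
enum class Op { Arg, Const, Add, Sub, Neg, Abs };
struct Value { int32_t i = 0; double d = 0.0; };             // one slot per Type
struct Node; using NodePtr = std::shared_ptr<const Node>;    // pointer identity == "same SSA value"
struct Node { Op op; Type type; int argIndex; NodePtr a, b; Value value; };

NodePtr arg(Type t, int index) { return std::make_shared<Node>(Node{Op::Arg, t, index, nullptr, nullptr, Value{}}); }
NodePtr constant(Type t, Value v) { return std::make_shared<Node>(Node{Op::Const, t, 0, nullptr, nullptr, v}); }
NodePtr mk(Op op, NodePtr a, NodePtr b = nullptr) { return std::make_shared<Node>(Node{op, a->type, 0, a, b, Value{}}); }

// Evaluate a tree. Int32 ops wrap modulo 2^32 (so Neg(INT32_MIN) == INT32_MIN); Double ops are IEEE.
Value eval(const NodePtr& n, const std::vector<Value>& args)
{
    if (n->op == Op::Arg) return args.at(n->argIndex);
    if (n->op == Op::Const) return n->value;
    Value x = eval(n->a, args), y = n->b ? eval(n->b, args) : Value{}, r;
    if (n->type == Type::Int32) {
        uint32_t ux = (uint32_t)x.i, uy = (uint32_t)y.i;
        uint32_t u = n->op == Op::Add ? ux + uy : n->op == Op::Sub ? ux - uy
                   : n->op == Op::Neg ? 0u - ux : (x.i < 0 ? 0u - ux : ux);   // last arm: Abs
        r.i = (int32_t)u;
    } else {
        r.d = n->op == Op::Add ? x.d + y.d : n->op == Op::Sub ? x.d - y.d
            : n->op == Op::Neg ? -x.d : std::fabs(x.d);                      // last arm: Abs
    }
    return r;
}

// One bottom-up pass of the peephole rules. The Neg/Sub/Add rules fire only on Int32 (they are unsound
// for doubles: Sub(NaN, NaN) != 0); Abs is a floating-point op in B3, so its rule fires on Double.
// buggyAbsNeg reproduces the Abs(Neg(x)) => x mistake described in the fix entry above.
NodePtr reduce(const NodePtr& n, bool buggyAbsNeg = false)
{
    if (n->op == Op::Arg || n->op == Op::Const) return n;
    NodePtr a = reduce(n->a, buggyAbsNeg);
    NodePtr b = n->b ? reduce(n->b, buggyAbsNeg) : nullptr;
    const bool isInt = n->type == Type::Int32;
    switch (n->op) {
    case Op::Sub:
        if (isInt && a == b) return constant(Type::Int32, Value{});           // Sub(x, x) => 0
        if (isInt && b->op == Op::Neg) return mk(Op::Add, a, b->a);          // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInt && a->op == Op::Sub) return mk(Op::Sub, a->b, a->a);       // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInt && a->op == Op::Neg) return mk(Op::Sub, b, a->a);          // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && b->op == Op::Neg) return mk(Op::Sub, a, b->a);          // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (!isInt && a->op == Op::Neg) return buggyAbsNeg ? a->a : mk(Op::Abs, a->a); // Abs(Neg(x)) => Abs(x)
        break;
    default: break;
    }
    return mk(n->op, a, b);
}

bool sameValue(Value x, Value y, Type t)   // bitwise for doubles: catches -0.0 vs 0.0 and NaN sign flips
{
    if (t == Type::Int32) return x.i == y.i;
    uint64_t bx, by;
    std::memcpy(&bx, &x.d, sizeof bx); std::memcpy(&by, &y.d, sizeof by);
    return bx == by;
}

// Compare `before` and `after` on every combination of boundary values for the arguments.
bool equivalent(const NodePtr& before, const NodePtr& after, const std::vector<Type>& argTypes)
{
    static const int32_t ints[] = { 0, 1, -1, 7, -7, INT32_MIN, INT32_MIN + 1, INT32_MAX };
    static const double dbls[] = { 0.0, -0.0, 1.5, -2.25, INFINITY, -INFINITY, NAN };
    const size_t nInts = sizeof ints / sizeof *ints, nDbls = sizeof dbls / sizeof *dbls;
    std::vector<size_t> idx(argTypes.size(), 0);
    for (;;) {
        std::vector<Value> args(argTypes.size());
        for (size_t k = 0; k < argTypes.size(); ++k)
            if (argTypes[k] == Type::Int32) args[k].i = ints[idx[k]]; else args[k].d = dbls[idx[k]];
        if (!sameValue(eval(before, args), eval(after, args), before->type)) return false;
        size_t k = 0;                                   // mixed-radix increment; finished when it carries out
        while (k < idx.size() && ++idx[k] == (argTypes[k] == Type::Int32 ? nInts : nDbls)) idx[k++] = 0;
        if (k == idx.size()) return true;
    }
}

int main()
{
    NodePtr x = arg(Type::Int32, 0), y = arg(Type::Int32, 1), d = arg(Type::Double, 0);
    NodePtr negSub = mk(Op::Neg, mk(Op::Sub, x, y)), absNeg = mk(Op::Abs, mk(Op::Neg, d));
    std::printf("Neg(Sub(x, y)) => Sub(y, x) sound: %d\n", (int)equivalent(negSub, reduce(negSub), { Type::Int32, Type::Int32 }));
    std::printf("Abs(Neg(d)) => Abs(d) sound: %d; buggy Abs(Neg(d)) => d sound: %d\n",
        (int)equivalent(absNeg, reduce(absNeg), { Type::Double }), (int)equivalent(absNeg, reduce(absNeg, true), { Type::Double }));
    return 0;
}
```

reduce() returns the rewritten tree and equivalent() reports whether the rewrite agrees with the original on INT32_MIN, INT32_MAX, NaN, the infinities and both signed zeros; pointer identity stands in for B3's "same Value" test in the Sub(x, x) rule. The checker is deliberately bitwise for doubles, since a rewrite that turns -0.0 into 0.0 or flips a NaN's sign is still a behaviour change a script can observe.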
1541 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1542
1543         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1544         https://bugs.webkit.org/show_bug.cgi?id=194374
1545
1546         Reviewed by Geoffrey Garen.
1547
1548         Currently, we first create a large StringImpl and create a bunch of substrings with length = 1.
1549         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1550         is more memory efficient.
1551
1552         * runtime/SmallStrings.cpp:
1553         (JSC::SmallStringsStorage::SmallStringsStorage):
1554         (JSC::SmallStrings::SmallStrings):
1555         * runtime/SmallStrings.h:
1556
1557 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1558
1559         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1560         https://bugs.webkit.org/show_bug.cgi?id=194369
1561         <rdar://problem/47813087>
1562
1563         Reviewed by Saam Barati.
1564
1565         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1566         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1567         constant folding phase.
1568
1569         * dfg/DFGAbstractInterpreterInlines.h:
1570         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1571
1572 2019-02-06  Devin Rousso  <drousso@apple.com>
1573
1574         Web Inspector: DOM: don't send the entire function string with each event listener
1575         https://bugs.webkit.org/show_bug.cgi?id=194293
1576         <rdar://problem/47822809>
1577
1578         Reviewed by Joseph Pecoraro.
1579
1580         * inspector/protocol/DOM.json:
1581
1582         * runtime/JSFunction.h:
1583         Export `calculatedDisplayName`.
1584
1585 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1586
1587         [JSC] PrivateName to PublicName hash table is wasteful
1588         https://bugs.webkit.org/show_bug.cgi?id=194277
1589
1590         Reviewed by Michael Saboff.
1591
1592         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1593         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1594         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1595         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1596
1597         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1598
1599         1. PrivateName's content should be the same as the PublicName's.
1600         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1601            the public name should be easily crafted from the given PrivateName.
1602
1603         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1604         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1605
1606         We also remove unused identifiers in CommonIdentifiers, and we move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1607         WebCore.
1608
1609         * builtins/BuiltinNames.cpp:
1610         (JSC::BuiltinNames::BuiltinNames):
1611         * builtins/BuiltinNames.h:
1612         (JSC::BuiltinNames::lookUpPrivateName const):
1613         (JSC::BuiltinNames::getPublicName const):
1614         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1615         (JSC::BuiltinNames::appendExternalName):
1616         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1617         * builtins/BuiltinUtils.h:
1618         * bytecode/BytecodeDumper.cpp:
1619         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1620         * bytecompiler/NodesCodegen.cpp:
1621         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1622         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1623         * parser/Lexer.cpp:
1624         (JSC::Lexer<LChar>::parseIdentifier):
1625         (JSC::Lexer<UChar>::parseIdentifier):
1626         * parser/Parser.cpp:
1627         (JSC::Parser<LexerType>::createGeneratorParameters):
1628         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1629         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1630         (JSC::Parser<LexerType>::parseClassDeclaration):
1631         (JSC::Parser<LexerType>::parseExportDeclaration):
1632         (JSC::Parser<LexerType>::parseMemberExpression):
1633         * parser/ParserArena.h:
1634         (JSC::IdentifierArena::makeIdentifier):
1635         * runtime/CachedTypes.cpp:
1636         (JSC::CachedUniquedStringImpl::encode):
1637         (JSC::CachedUniquedStringImpl::decode const):
1638         * runtime/CommonIdentifiers.cpp:
1639         (JSC::CommonIdentifiers::CommonIdentifiers):
1640         (JSC::CommonIdentifiers::lookUpPrivateName const):
1641         (JSC::CommonIdentifiers::getPublicName const):
1642         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1643         * runtime/CommonIdentifiers.h:
1644         * runtime/ExceptionHelpers.cpp:
1645         (JSC::createUndefinedVariableError):
1646         * runtime/Identifier.cpp:
1647         (JSC::Identifier::dump const):
1648         * runtime/Identifier.h:
1649         * runtime/IdentifierInlines.h:
1650         (JSC::Identifier::fromUid):
1651         * runtime/JSTypedArrayViewPrototype.cpp:
1652         (JSC::JSTypedArrayViewPrototype::finishCreation):
1653         * tools/JSDollarVM.cpp:
1654         (JSC::functionGetPrivateProperty):
1655
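Rules (1) and (2) above, as an added example rather than JavaScriptCore code: the crafting function that turns a private name back into its public name without a reverse table, and the consistency check a table owner would run over the remaining forward map to confirm that the reverse table really is redundant. The function names, the sample table and the handling of the leading "@" sigil are this example's assumptions; the entry itself only says that "@xxxSymbol" maps to "Symbol.xxx" and that every other private name spells the same as its public name.

```cpp
// Added example, not JavaScriptCore code: derive a builtin's public name from its private name
// using the two rules in the ChangeLog entry above, and check a public->private table against
// that derivation. Names, the sample table and the '@' handling are this example's own.
#include <map>
#include <string>

// Rule 1: a private name spells the same as its public name.
// Rule 2: a name of the form "xxxSymbol" stands for the well-known symbol Symbol.xxx.
// A leading '@' (the sigil used in builtin JS source, "@xxx") is stripped first; that step is
// our assumption, since the entry does not say whether the stored name carries the sigil.
std::string publicNameForPrivateName(const std::string& privateName)
{
    std::string name = (!privateName.empty() && privateName[0] == '@') ? privateName.substr(1) : privateName;
    const std::string suffix = "Symbol";
    // Require at least one character before "Symbol" so a name that is exactly "Symbol" is left alone.
    if (name.size() > suffix.size() && name.compare(name.size() - suffix.size(), suffix.size(), suffix) == 0)
        return "Symbol." + name.substr(0, name.size() - suffix.size());
    return name;
}

// Walk the forward table and confirm every public name can be re-derived from its private name;
// only then is the reverse table redundant. Returns the first offending public name, or "" when
// the table is consistent.
std::string firstInconsistentPublicName(const std::map<std::string, std::string>& publicToPrivate)
{
    for (const auto& entry : publicToPrivate)
        if (publicNameForPrivateName(entry.second) != entry.first)
            return entry.first;
    return "";
}
```

The check is the kind of invariant worth running at startup in a debug build: once the reverse map is gone, any private name whose spelling drifts from its public name silently breaks name resolution for that builtin, and a one-pass walk over the remaining table catches it before anything depends on it.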
1656 2019-02-06  Keith Rollin  <krollin@apple.com>
1657
1658         Really enable the automatic checking and regenerations of .xcfilelists during builds
1659         https://bugs.webkit.org/show_bug.cgi?id=194357
1660         <rdar://problem/47861231>
1661
1662         Reviewed by Chris Dumez.
1663
1664         Bug 194124 was supposed to enable the automatic checking and
1665         regenerating of .xcfilelist files during the build. While related
1666         changes were included in that patch, the change to actually enable the
1667         operation somehow was omitted. This patch actually enables the
1668         operation. The check-xcfilelist.sh scripts now check
1669         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1670         of the checking.
1671
1672         * Scripts/check-xcfilelists.sh:
1673
1674 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1675
1676         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1677         https://bugs.webkit.org/show_bug.cgi?id=194339
1678
1679         Reviewed by Michael Saboff.
1680
1681         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1682         They even have the same structure. This patch unifies the subspaces for them.
1683
1684         * runtime/DirectEvalExecutable.h:
1685         * runtime/EvalExecutable.h:
1686         (JSC::EvalExecutable::subspaceFor):
1687         * runtime/IndirectEvalExecutable.h:
1688         * runtime/VM.cpp:
1689         * runtime/VM.h:
1690         (JSC::VM::forEachScriptExecutableSpace):
1691
1692 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1693
1694         [JSC] NativeExecutable should be smaller
1695         https://bugs.webkit.org/show_bug.cgi?id=194331
1696
1697         Reviewed by Michael Saboff.
1698
1699         NativeExecutable takes 88 bytes now. Since our GC rounds sizes up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1700         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1701         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1702         only takes one MarkedBlock for NativeExecutable.
1703
1704         To make NativeExecutable smaller,
1705
1706         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1707            they are not touched by the JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1708
1709         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1710            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1711            NativeJITCode and is instantiated only when a DOMJIT::Signature* is given.
1712
1713         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding we can put things in, we can leverage this to put
1714            the Intrinsic for NativeExecutable.
1715
1716         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1717
1718         * CMakeLists.txt:
1719         * JavaScriptCore.xcodeproj/project.pbxproj:
1720         * bytecode/CallVariant.h:
1721         * interpreter/Interpreter.cpp:
1722         * jit/JITCode.cpp:
1723         (JSC::DirectJITCode::DirectJITCode):
1724         (JSC::NativeJITCode::NativeJITCode):
1725         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1726         * jit/JITCode.h:
1727         (JSC::JITCode::signature const):
1728         (JSC::JITCode::intrinsic):
1729         * jit/JITOperations.cpp:
1730         * jit/JITThunks.cpp:
1731         (JSC::JITThunks::hostFunctionStub):
1732         * jit/Repatch.cpp:
1733         * llint/LLIntSlowPaths.cpp:
1734         * runtime/ExecutableBase.cpp:
1735         (JSC::ExecutableBase::dump const):
1736         (JSC::ExecutableBase::hashFor const):
1737         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1738         (JSC::ExecutableBase::clearCode): Deleted.
1739         * runtime/ExecutableBase.h:
1740         (JSC::ExecutableBase::ExecutableBase):
1741         (JSC::ExecutableBase::isModuleProgramExecutable):
1742         (JSC::ExecutableBase::isHostFunction const):
1743         (JSC::ExecutableBase::generatedJITCodeForCall const):
1744         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1745         (JSC::ExecutableBase::generatedJITCodeFor const):
1746         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1747         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1748         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1749         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1750         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1751         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1752         (JSC::ExecutableBase::intrinsic const): Deleted.
1753         * runtime/ExecutableBaseInlines.h: Added.
1754         (JSC::ExecutableBase::intrinsic const):
1755         (JSC::ExecutableBase::hasJITCodeForCall const):
1756         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1757         * runtime/JSBoundFunction.cpp:
1758         * runtime/JSType.cpp:
1759         (WTF::printInternal):
1760         * runtime/JSType.h:
1761         * runtime/NativeExecutable.cpp:
1762         (JSC::NativeExecutable::create):
1763         (JSC::NativeExecutable::createStructure):
1764         (JSC::NativeExecutable::NativeExecutable):
1765         (JSC::NativeExecutable::signatureFor const):
1766         (JSC::NativeExecutable::intrinsic const):
1767         * runtime/NativeExecutable.h:
1768         * runtime/ScriptExecutable.cpp:
1769         (JSC::ScriptExecutable::ScriptExecutable):
1770         (JSC::ScriptExecutable::clearCode):
1771         (JSC::ScriptExecutable::installCode):
1772         (JSC::ScriptExecutable::hasClearableCode const):
1773         * runtime/ScriptExecutable.h:
1774         (JSC::ScriptExecutable::intrinsic const):
1775         (JSC::ScriptExecutable::hasJITCodeForCall const):
1776         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1777         * runtime/VM.cpp:
1778         (JSC::VM::getHostFunction):
1779
1780 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1781
1782         Build failure after r240431
1783         https://bugs.webkit.org/show_bug.cgi?id=194330
1784
1785         Reviewed by Žan Doberšek.
1786
1787         * API/glib/JSCOptions.cpp:
1788
1789 2019-02-05  Mark Lam  <mark.lam@apple.com>
1790
1791         Fix DFG's doesGC() for a few more nodes.
1792         https://bugs.webkit.org/show_bug.cgi?id=194307
1793         <rdar://problem/47832956>
1794
1795         Reviewed by Yusuke Suzuki.
1796
1797         Fix doesGC() for the following nodes:
1798
1799             NumberToStringWithValidRadixConstant:
1800                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1801                 which can allocate a string.
1802                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1803                 which can allocate a string.
1804                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1805                 which can allocate a string.
1806
1807             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1808                 memory for all kinds of objects.
1809             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1810                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1811                 these allocate memory for the match result.
1812             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1813                 calls RegExpObject's collectMatches(), which allocates an array amongst
1814                 other objects.
1815
1816             StringFromCharCode:
1817                 If the uint32 code to convert is greater than maxSingleCharacterString,
1818                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1819                 which allocates a new string if the code is greater than maxSingleCharacterString.
1820
1821         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1822         to use maxSingleCharacterString instead of a literal constant.
1823
1824         * dfg/DFGDoesGC.cpp:
1825         (JSC::DFG::doesGC):
1826         * dfg/DFGSpeculativeJIT.cpp:
1827         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1828         * ftl/FTLLowerDFGToB3.cpp:
1829         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1830
1831 2019-02-05  Keith Rollin  <krollin@apple.com>
1832
1833         Enable the automatic checking and regenerations of .xcfilelists during builds
1834         https://bugs.webkit.org/show_bug.cgi?id=194124
1835         <rdar://problem/47721277>
1836
1837         Reviewed by Tim Horton.
1838
1839         Bug 193790 added a facility for checking -- during build time -- that
1840         any needed .xcfilelist files are up-to-date and for updating them if
1841         they are not. This facility was initially opt-in by setting
1842         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1843         the process seemed robust. It's now time to enable this facility and
1844         make it opt-out. If there is a need to disable this facility, set and
1845         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1846         running `make` or `build-webkit`, or before running Xcode from the
1847         command line.
1848
1849         Additionally, remove the step that generates a list of source files
1850         going into the UnifiedSources build step. It's only necessary to
1851         specify Sources.txt and SourcesCocoa.txt as inputs.
1852
1853         * JavaScriptCore.xcodeproj/project.pbxproj:
1854         * UnifiedSources-input.xcfilelist: Removed.
1855
1856 2019-02-05  Keith Rollin  <krollin@apple.com>
1857
1858         Update .xcfilelist files
1859         https://bugs.webkit.org/show_bug.cgi?id=194121
1860         <rdar://problem/47720863>
1861
1862         Reviewed by Tim Horton.
1863
1864         Preparatory to enabling the facility for automatically updating the
1865         .xcfilelist files, check in a freshly-updated set so that not everyone
1866         runs up against having to regenerate them themselves.
1867
1868         * DerivedSources-input.xcfilelist:
1869         * DerivedSources-output.xcfilelist:
1870
1871 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1872
1873         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1874         https://bugs.webkit.org/show_bug.cgi?id=185557
1875
1876         Reviewed by Mark Lam.
1877
1878         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1879         where n is the number of characters in the formatted string.
1880         It may be less memory efficient than the previous impl, since the intermediate Vector
1881         is the length of the string, instead of the count of the fields.
1882
1883         * runtime/IntlNumberFormat.cpp:
1884         (JSC::IntlNumberFormat::formatToParts):
1885         * runtime/IntlNumberFormat.h:
1886
1887 2019-02-05  Mark Lam  <mark.lam@apple.com>
1888
1889         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1890         https://bugs.webkit.org/show_bug.cgi?id=194298
1891         <rdar://problem/47827555>
1892
1893         Reviewed by Saam Barati.
1894
1895         We do this for 3 reasons:
1896         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1897         2. If things change in the future where clobberize() no longer reports these nodes
1898            as write(Heap), each node should be vetted first to make sure that it can never
1899            GC before being moved back to the doesGC() list that returns false.
1900         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1901            correct in its claims about the nodes' GCing possibility.
1902
1903         The list of nodes moved are:
1904
1905             ArrayPush
1906             ArrayPop
1907             Call
1908             CallEval
1909             CallForwardVarargs
1910             CallVarargs
1911             Construct
1912             ConstructForwardVarargs
1913             ConstructVarargs
1914             DefineDataProperty
1915             DefineAccessorProperty
1916             DeleteById
1917             DeleteByVal
1918             DirectCall
1919             DirectConstruct
1920             DirectTailCallInlinedCaller
1921             GetById
1922             GetByIdDirect
1923             GetByIdDirectFlush
1924             GetByIdFlush
1925             GetByIdWithThis
1926             GetByValWithThis
1927             GetDirectPname
1928             GetDynamicVar
1929             HasGenericProperty
1930             HasOwnProperty
1931             HasStructureProperty
1932             InById
1933             InByVal
1934             InstanceOf
1935             InstanceOfCustom
1936             LoadVarargs
1937             NumberToStringWithRadix
1938             PutById
1939             PutByIdDirect
1940             PutByIdFlush
1941             PutByIdWithThis
1942             PutByOffset
1943             PutByValWithThis
1944             PutDynamicVar
1945             PutGetterById
1946             PutGetterByVal
1947             PutGetterSetterById
1948             PutSetterById
1949             PutSetterByVal
1950             PutStack
1951             PutToArguments
1952             RegExpExec
1953             RegExpTest
1954             ResolveScope
1955             ResolveScopeForHoistingFuncDeclInEval
1956             TailCall
1957             TailCallForwardVarargsInlinedCaller
1958             TailCallInlinedCaller
1959             TailCallVarargsInlinedCaller
1960             ToNumber
1961             ToPrimitive
1962             ValueNegate
1963
1964         * dfg/DFGDoesGC.cpp:
1965         (JSC::DFG::doesGC):
1966
1967 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1968
1969         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1970         https://bugs.webkit.org/show_bug.cgi?id=194281
1971
1972         Reviewed by Michael Saboff.
1973
1974         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1975         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1976
1977         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Turning more Vectors into RefCountedArrays can be done with some restructuring
1978         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1979         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1980
1981         * bytecode/CodeBlock.cpp:
1982         (JSC::CodeBlock::finishCreation):
1983         * bytecode/CodeBlock.h:
1984         (JSC::CodeBlock::bitVectors const): Deleted.
1985         * bytecode/CodeType.h:
1986         * bytecode/UnlinkedCodeBlock.cpp:
1987         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1988         (JSC::UnlinkedCodeBlock::shrinkToFit):
1989         * bytecode/UnlinkedCodeBlock.h:
1990         (JSC::UnlinkedCodeBlock::bitVector):
1991         (JSC::UnlinkedCodeBlock::addBitVector):
1992         (JSC::UnlinkedCodeBlock::addSetConstant):
1993         (JSC::UnlinkedCodeBlock::constantRegisters):
1994         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1995         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1996         (JSC::UnlinkedCodeBlock::codeType const):
1997         (JSC::UnlinkedCodeBlock::didOptimize const):
1998         (JSC::UnlinkedCodeBlock::setDidOptimize):
1999         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2000         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2001         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2002         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2003         * bytecompiler/BytecodeGenerator.cpp:
2004         (JSC::BytecodeGenerator::emitLoad):
2005         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2006         * bytecompiler/BytecodeGenerator.h:
2007         * runtime/CachedTypes.cpp:
2008         (JSC::CachedCodeBlockRareData::encode):
2009         (JSC::CachedCodeBlockRareData::decode const):
2010         (JSC::CachedCodeBlock::scopeRegister const):
2011         (JSC::CachedCodeBlock::codeType const):
2012         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2013         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2014         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2015         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2016
2017 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2018
2019         Unreviewed, add missing exception checks after r240637
2020         https://bugs.webkit.org/show_bug.cgi?id=193546
2021
2022         * tools/JSDollarVM.cpp:
2023         (JSC::functionShadowChickenFunctionsOnStack):
2024
2025 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2026
2027         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2028         https://bugs.webkit.org/show_bug.cgi?id=193993
2029
2030         Reviewed by Keith Miller.
2031
2032         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2033         And some of them are rarely used. We should allocate them lazily.
2034
2035         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2036         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2037         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2038         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2039         parameter which tells the function whether subspaceFor is being done concurrently. If the IsoSubspace is
2040         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2041         by using WTF::storeStoreFence when lazily allocating it.
2042
2043         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2044         existence of the space before touching it. This is not racy because the main thread is stopped when
2045         the constraint solving is working.
2046
2047         This changes sizeof(VM) from 64736 to 56472.
2048
2049         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2050         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2051         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2052         dynamically-created ones, since the requirement of pre-allocation poses a scalability problem
2053         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2054         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2055         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2056
2057         * API/JSCallbackFunction.h:
2058         * API/ObjCCallbackFunction.h:
2059         (JSC::ObjCCallbackFunction::subspaceFor):
2060         * API/glib/JSCCallbackFunction.h:
2061         * CMakeLists.txt:
2062         * JavaScriptCore.xcodeproj/project.pbxproj:
2063         * bytecode/CodeBlock.cpp:
2064         (JSC::CodeBlock::visitChildren):
2065         (JSC::CodeBlock::finalizeUnconditionally):
2066         * bytecode/CodeBlock.h:
2067         * bytecode/EvalCodeBlock.h:
2068         * bytecode/ExecutableToCodeBlockEdge.h:
2069         * bytecode/FunctionCodeBlock.h:
2070         * bytecode/ModuleProgramCodeBlock.h:
2071         * bytecode/ProgramCodeBlock.h:
2072         * bytecode/UnlinkedFunctionExecutable.cpp:
2073         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2074         * bytecode/UnlinkedFunctionExecutable.h:
2075         * dfg/DFGSpeculativeJIT.cpp:
2076         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2077         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2078         (JSC::DFG::SpeculativeJIT::compileNewObject):
2079         * ftl/FTLLowerDFGToB3.cpp:
2080         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2081         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2082         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2083         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2084         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2085         * heap/Heap.cpp:
2086         (JSC::Heap::finalizeUnconditionalFinalizers):
2087         (JSC::Heap::deleteAllCodeBlocks):
2088         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2089         (JSC::Heap::addCoreConstraints):
2090         * heap/Subspace.cpp:
2091         (JSC::Subspace::initialize):
2092         * jit/AssemblyHelpers.h:
2093         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2094         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2095         * jit/JITOpcodes.cpp:
2096         (JSC::JIT::emit_op_new_object):
2097         * jit/JITOpcodes32_64.cpp:
2098         (JSC::JIT::emit_op_new_object):
2099         * runtime/DirectArguments.h:
2100         * runtime/DirectEvalExecutable.h:
2101         * runtime/ErrorInstance.h:
2102         (JSC::ErrorInstance::subspaceFor):
2103         * runtime/ExecutableBase.h:
2104         * runtime/FunctionExecutable.h:
2105         * runtime/IndirectEvalExecutable.h:
2106         * runtime/InferredValue.cpp:
2107         (JSC::InferredValue::visitChildren):
2108         * runtime/InferredValue.h:
2109         * runtime/InferredValueInlines.h:
2110         (JSC::InferredValue::finalizeUnconditionally):
2111         * runtime/InternalFunction.h:
2112         * runtime/JSAsyncFunction.h:
2113         * runtime/JSAsyncGeneratorFunction.h:
2114         * runtime/JSBoundFunction.h:
2115         * runtime/JSCell.h:
2116         (JSC::subspaceFor):
2117         (JSC::subspaceForConcurrently):
2118         * runtime/JSCellInlines.h:
2119         (JSC::allocatorForNonVirtualConcurrently):
2120         * runtime/JSCustomGetterSetterFunction.h:
2121         * runtime/JSDestructibleObject.h:
2122         * runtime/JSFunction.h:
2123         * runtime/JSGeneratorFunction.h:
2124         * runtime/JSImmutableButterfly.h:
2125         * runtime/JSLexicalEnvironment.h:
2126         (JSC::JSLexicalEnvironment::subspaceFor):
2127         * runtime/JSNativeStdFunction.h:
2128         * runtime/JSSegmentedVariableObject.h:
2129         * runtime/JSString.h:
2130         * runtime/ModuleProgramExecutable.h:
2131         * runtime/NativeExecutable.h:
2132         * runtime/ProgramExecutable.h:
2133         * runtime/PropertyMapHashTable.h:
2134         * runtime/ProxyRevoke.h:
2135         * runtime/ScopedArguments.h:
2136         * runtime/ScriptExecutable.cpp:
2137         (JSC::ScriptExecutable::clearCode):
2138         (JSC::ScriptExecutable::installCode):
2139         * runtime/Structure.h:
2140         * runtime/StructureRareData.h:
2141         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2142         * runtime/VM.cpp:
2143         (JSC::VM::VM):
2144         * runtime/VM.h:
2145         (JSC::VM::SpaceAndSet::SpaceAndSet):
2146         (JSC::VM::SpaceAndSet::setFor):
2147         (JSC::VM::forEachScriptExecutableSpace):
2148         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2149         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2150         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2151         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2152         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2153         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2154         * runtime/WeakMapImpl.h:
2155         (JSC::WeakMapImpl::subspaceFor):
2156         * wasm/js/JSWebAssemblyCodeBlock.h:
2157         * wasm/js/JSWebAssemblyMemory.h:
2158         * wasm/js/WebAssemblyFunction.h:
2159         * wasm/js/WebAssemblyWrapperFunction.h:
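
An added illustration of the lazy-subspace scheme this entry describes (example code written for this page, not JavaScriptCore's own): a hypothetical `Subspace` stand-in for IsoSubspace, a VM that embeds the common spaces by value and keeps a rarely used one behind an atomic pointer, an ensure-style accessor for the main thread, a concurrent accessor that may return nullptr, and a GC-side walk that checks for existence first. `std::atomic` release/acquire ordering plays the role of WTF::storeStoreFence here; every type and function name below is this example's assumption, not JSC's.

```cpp
#include <atomic>
#include <cstddef>

// Hypothetical stand-in for JSC::IsoSubspace. The padding is sized so that
// sizeof(Subspace) is 504 on a typical LP64 build, matching the figure in
// the entry; the real class is of course not a byte array.
struct Subspace {
    explicit Subspace(size_t cellSize) : cellSize(cellSize) { }
    size_t cellSize;
    size_t cellsAllocated { 0 };
    unsigned char bookkeeping[488] { };
};

// Every space embedded by value costs sizeof(Subspace) in the VM...
struct EagerVM {
    Subspace commonSpace { 16 };
    Subspace rareSpaceA { 32 };
    Subspace rareSpaceB { 64 };
};

// ...whereas a lazily allocated one costs a pointer until first use.
class LazyVM {
public:
    ~LazyVM() { delete m_rareSpaceB.load(std::memory_order_relaxed); }

    Subspace commonSpace { 16 };   // common type: keep it inline
    Subspace rareSpaceA { 32 };

    // Main-thread path (analogue of ensureXXXSpace). Only the main thread
    // allocates, so there is a single writer; the release store does what
    // the entry's WTF::storeStoreFence does, ordering the Subspace's
    // initialised fields before the pointer that makes them reachable.
    Subspace& ensureRareSpaceB()
    {
        if (Subspace* space = m_rareSpaceB.load(std::memory_order_acquire))
            return *space;
        Subspace* space = new Subspace(64);
        m_rareSpaceB.store(space, std::memory_order_release);
        return *space;
    }

    // Concurrent-JIT path (analogue of subspaceForConcurrently): never
    // allocates, and nullptr means "not created yet, take the slow path".
    Subspace* rareSpaceBConcurrently() const
    {
        return m_rareSpaceB.load(std::memory_order_acquire);
    }

    // GC constraint-solving path: the mutator is stopped, so an existence
    // check before touching the space is enough.
    template<typename Func> void forEachSpace(Func&& func)
    {
        func(commonSpace);
        func(rareSpaceA);
        if (Subspace* space = m_rareSpaceB.load(std::memory_order_relaxed))
            func(*space);
    }

private:
    std::atomic<Subspace*> m_rareSpaceB { nullptr };
};

// What a concurrent compiler does with a nullptr: it cannot inline the
// allocation fast path for a space that does not exist yet.
enum class AllocPlan { InlineFastPath, SlowPathCall };

AllocPlan planRareAllocationConcurrently(const LazyVM& vm)
{
    return vm.rareSpaceBConcurrently() ? AllocPlan::InlineFastPath : AllocPlan::SlowPathCall;
}

size_t countExistingSpaces(LazyVM& vm)
{
    size_t count = 0;
    vm.forEachSpace([&](Subspace&) { ++count; });
    return count;
}

// Walks through the lifecycle the entry describes and reports whether every
// expectation held: two spaces before first use, the concurrent view sees
// nullptr, then the same object is handed to everyone after creation.
bool lazySpaceLifecycleHolds()
{
    LazyVM vm;
    bool ok = !vm.rareSpaceBConcurrently()
        && planRareAllocationConcurrently(vm) == AllocPlan::SlowPathCall
        && countExistingSpaces(vm) == 2;
    Subspace& created = vm.ensureRareSpaceB();
    ok = ok && created.cellSize == 64
        && &vm.ensureRareSpaceB() == &created
        && vm.rareSpaceBConcurrently() == &created
        && planRareAllocationConcurrently(vm) == AllocPlan::InlineFastPath
        && countExistingSpaces(vm) == 3;
    return ok;
}

static_assert(sizeof(LazyVM) < sizeof(EagerVM), "a lazy space saves sizeof(Subspace) - sizeof(Subspace*)");
```

The static_assert at the end is the size point: each space moved behind a pointer trims the VM object by sizeof(Subspace) minus one pointer, the same arithmetic that produces the entry's 64736 to 56472 figure for the real VM.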
2160
2161 2019-02-04  Keith Miller  <keith_miller@apple.com>
2162
2163         Change llint operand macros to inline functions
2164         https://bugs.webkit.org/show_bug.cgi?id=194248
2165
2166         Reviewed by Mark Lam.
2167
2168         * llint/LLIntSlowPaths.cpp:
2169         (JSC::LLInt::getNonConstantOperand):
2170         (JSC::LLInt::getOperand):
2171         (JSC::LLInt::llint_trace_value):
2172         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2173         (JSC::LLInt::getByVal):
2174         (JSC::LLInt::genericCall):
2175         (JSC::LLInt::varargsSetup):
2176         (JSC::LLInt::commonCallEval):
2177
2178 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2179
2180         when lowering AssertNotEmpty, create the value before creating the patchpoint
2181         https://bugs.webkit.org/show_bug.cgi?id=194231
2182
2183         Reviewed by Saam Barati.
2184
2185         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2186         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2187
2188         * ftl/FTLLowerDFGToB3.cpp:
2189         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2190
2191 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2192
2193         [JSC] ExecutableToCodeBlockEdge should be smaller
2194         https://bugs.webkit.org/show_bug.cgi?id=194244
2195
2196         Reviewed by Michael Saboff.
2197
2198         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2199         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2200         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2201         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2202
2203         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a special TypeInfo bit
2204         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2205         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2206
2207         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
2208         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
2209         does not touch it if it is called in non-main threads).
2210
2211         * bytecode/ExecutableToCodeBlockEdge.cpp:
2212         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2213         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2214         (JSC::ExecutableToCodeBlockEdge::activate):
2215         (JSC::ExecutableToCodeBlockEdge::deactivate):
2216         (JSC::ExecutableToCodeBlockEdge::isActive const):
2217         * bytecode/ExecutableToCodeBlockEdge.h:
2218         * runtime/JSCell.h:
2219         * runtime/JSCellInlines.h:
2220         (JSC::JSCell::perCellBit const):
2221         (JSC::JSCell::setPerCellBit):
2222         (JSC::JSCell::mayBePrototype const): Deleted.
2223         (JSC::JSCell::didBecomePrototype): Deleted.
2224         * runtime/JSObject.cpp:
2225         (JSC::JSObject::setPrototypeDirect):
2226         * runtime/JSObject.h:
2227         * runtime/JSObjectInlines.h:
2228         (JSC::JSObject::mayBePrototype const):
2229         (JSC::JSObject::didBecomePrototype):
2230         * runtime/JSTypeInfo.h:
2231         (JSC::TypeInfo::perCellBit):
2232         (JSC::TypeInfo::mergeInlineTypeFlags):
2233         (JSC::TypeInfo::mayBePrototype): Deleted.
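
An added size sketch of the trick this entry describes (this page's example, not JSC's declarations): a model of the 8-byte cell header, the edge laid out with a separate bool beside the version with the flag folded into a header bit, and the 16-byte size-class rounding the entry mentions. The field names, the bit value chosen, and `allocationSizeFor` are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>

struct CodeBlock;  // opaque target of the edge

// Model of the 8-byte cell header every cell starts with: StructureID,
// IndexingType, JSType, inline TypeInfo flags, CellState. Names and widths
// are this example's model, not JSC's declarations.
struct CellHeader {
    uint32_t structureID = 0;
    uint8_t indexingType = 0;
    uint8_t type = 0;
    uint8_t inlineTypeFlags = 0;
    uint8_t cellState = 0;
};

// Bit within inlineTypeFlags reserved for per-cell use (what the entry
// renames from TypeInfoMayBePrototype to TypeInfoPerCellBit). The value is
// this example's choice.
constexpr uint8_t PerCellBit = 1 << 7;

// Before: a separate bool pushes the object to 24 bytes, 7 of them padding.
struct EdgeWithSeparateFlag : CellHeader {
    CodeBlock* codeBlock = nullptr;
    bool isActive = false;
};

// After: the flag lives in a header bit that was already being paid for.
struct EdgeWithPackedFlag : CellHeader {
    CodeBlock* codeBlock = nullptr;

    bool isActive() const { return inlineTypeFlags & PerCellBit; }

    // Plain read-modify-write, not a CAS: as the entry notes, this must only
    // happen on the main thread, since a concurrent writer of the same byte
    // could lose this update or clobber neighbouring flag bits.
    void setActive(bool active)
    {
        if (active)
            inlineTypeFlags |= PerCellBit;
        else
            inlineTypeFlags &= static_cast<uint8_t>(~PerCellBit);
    }
};

// Allocator size classes are rounded to 16 bytes, so the real cost is:
constexpr size_t allocationSizeFor(size_t bytes) { return (bytes + 15) & ~size_t(15); }

// Activating and deactivating must leave the other flag bits untouched.
bool packedFlagPreservesNeighbours()
{
    EdgeWithPackedFlag edge;
    edge.inlineTypeFlags = 0x05;   // unrelated flags already set on the cell
    edge.setActive(true);
    bool ok = edge.isActive() && (edge.inlineTypeFlags & 0x05) == 0x05;
    edge.setActive(false);
    return ok && !edge.isActive() && edge.inlineTypeFlags == 0x05;
}
```

On an LP64 build the separate-flag layout is 24 bytes and lands in the 32-byte size class, while the packed layout is exactly 16 and fits its class with no waste, which is the halving the entry describes.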
2234
2235 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2236
2237         [JSC] Shrink size of FunctionExecutable
2238         https://bugs.webkit.org/show_bug.cgi?id=194191
2239
2240         Reviewed by Michael Saboff.
2241
2242         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2243         improves the allocation efficiency.
2244
2245         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2246            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2247
2248         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2249            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2250            the size of FunctionExecutable in the common case.
2251
2252         This patch changes the size of FunctionExecutable from 176 to 144.
2253
2254         * bytecode/CodeBlock.cpp:
2255         (JSC::CodeBlock::dumpSource):
2256         (JSC::CodeBlock::finishCreation):
2257         * dfg/DFGNode.h:
2258         (JSC::DFG::Node::OpInfoWrapper::as const):
2259         * interpreter/StackVisitor.cpp:
2260         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2261         * runtime/ExecutableBase.h:
2262         * runtime/FunctionExecutable.cpp:
2263         (JSC::FunctionExecutable::FunctionExecutable):
2264         (JSC::FunctionExecutable::ensureRareDataSlow):
2265         * runtime/FunctionExecutable.h:
2266         * runtime/Intrinsic.h:
2267         * runtime/ModuleProgramExecutable.cpp:
2268         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2269         * runtime/ProgramExecutable.cpp:
2270         (JSC::ProgramExecutable::ProgramExecutable):
2271         * runtime/ScriptExecutable.cpp:
2272         (JSC::ScriptExecutable::ScriptExecutable):
2273         (JSC::ScriptExecutable::overrideLineNumber const):
2274         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2275         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2276         * runtime/ScriptExecutable.h:
2277         (JSC::ScriptExecutable::firstLine const):
2278         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2279         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2280         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2281         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2282         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2283         * runtime/StackFrame.cpp:
2284         (JSC::StackFrame::computeLineAndColumn const):
2285         * tools/JSDollarVM.cpp:
2286         (JSC::functionReturnTypeFor):
2287
2288 2019-02-04  Mark Lam  <mark.lam@apple.com>
2289
2290         DFG's doesGC() is incorrect about the SameValue node's behavior.
2291         https://bugs.webkit.org/show_bug.cgi?id=194211
2292         <rdar://problem/47608913>
2293
2294         Reviewed by Saam Barati.
2295
2296         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2297         it calls operationSameValue() which may allocate memory for resolving ropes.
2298
2299         * dfg/DFGDoesGC.cpp:
2300         (JSC::DFG::doesGC):
2301
2302 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2303
2304         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2305         https://bugs.webkit.org/show_bug.cgi?id=194031
2306
2307         Reviewed by Saam Barati.
2308
2309         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2310         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2311         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2312         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2313
2314         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2315         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2316
2317         * bytecode/MetadataTable.cpp:
2318         (JSC::MetadataTable::MetadataTable):
2319         (JSC::MetadataTable::~MetadataTable):
2320         * bytecode/UnlinkedCodeBlock.cpp:
2321         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2322         (JSC::UnlinkedCodeBlock::visitChildren):
2323         (JSC::UnlinkedCodeBlock::estimatedSize):
2324         (JSC::UnlinkedCodeBlock::setInstructions):
2325         * bytecode/UnlinkedCodeBlock.h:
2326         (JSC::UnlinkedCodeBlock::metadata):
2327         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2328         * bytecode/UnlinkedMetadataTable.h:
2329         (JSC::UnlinkedMetadataTable::create):
2330         * bytecode/UnlinkedMetadataTableInlines.h:
2331         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2332         * runtime/CachedTypes.cpp:
2333         (JSC::CachedMetadataTable::decode const):
2334         (JSC::CachedCodeBlock::metadata const):
2335         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2336         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2337         (JSC::CachedCodeBlock<CodeBlockType>::encode):
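
A worked model of the ownership fix this entry describes (an added example, not JavaScriptCore's code): `std::shared_ptr` plays the part of WTF::RefCounted and Ref<>, `UnlinkedTable` and `LinkedTable` are hypothetical stand-ins for the two tables, and the sweeper is simulated by releasing three heap-cell references in every possible order. The property checked is the one the entry states: the unlinked table's destructor runs only after every linked table's.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Destructor events are appended here so their order can be inspected.
struct DestructionLog {
    std::vector<std::string> events;
};

// Hypothetical stand-in for UnlinkedMetadataTable, now reference counted
// (std::shared_ptr stands in for WTF::RefCounted and Ref<>).
struct UnlinkedTable {
    explicit UnlinkedTable(DestructionLog& log) : log(log) { }
    ~UnlinkedTable() { log.events.push_back("unlinked"); }
    DestructionLog& log;
};

// Hypothetical stand-in for MetadataTable. It still dereferences the unlinked
// table while being destroyed, as the real one does; that is only safe because
// the strong reference keeps the unlinked table alive until this body is done.
struct LinkedTable {
    LinkedTable(std::shared_ptr<UnlinkedTable> unlinked, std::string name)
        : unlinked(std::move(unlinked)), name(std::move(name)) { }
    ~LinkedTable() { unlinked->log.events.push_back("linked:" + name); }
    std::shared_ptr<UnlinkedTable> unlinked;   // strong ref, released after the body above
    std::string name;
};

// Simulates the sweeper destroying three heap cells in the given order:
// cell 0 is the UnlinkedCodeBlock's reference to the unlinked table, cells 1
// and 2 are CodeBlocks owning linked tables. Returns the destructor order.
std::vector<std::string> destructionOrderForSweep(const std::vector<int>& sweepOrder)
{
    DestructionLog log;
    {
        auto unlinked = std::make_shared<UnlinkedTable>(log);
        std::vector<std::shared_ptr<void>> cells {
            unlinked,
            std::make_shared<LinkedTable>(unlinked, "A"),
            std::make_shared<LinkedTable>(unlinked, "B"),
        };
        unlinked.reset();   // from here on only the heap cells hold references
        for (int cell : sweepOrder)
            cells[static_cast<size_t>(cell)].reset();
    }
    return log.events;
}

// The invariant the fix establishes: whatever order the sweeper picks, the
// unlinked table is destroyed last, after both linked tables.
bool unlinkedTableAlwaysDiesLast()
{
    std::vector<int> order { 0, 1, 2 };
    do {
        std::vector<std::string> events = destructionOrderForSweep(order);
        if (events.size() != 3 || events.back() != "unlinked")
            return false;
    } while (std::next_permutation(order.begin(), order.end()));
    return true;
}
```

With a raw, non-owning pointer in `LinkedTable` instead of the strong reference, sweep order `{0, 1, 2}` would free the unlinked table at cell 0 and then dereference it from cell 1's destructor, which is exactly the dependency the sweeper does not track.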
2338
2339 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2340
2341         [JSC] Decouple JIT related data from CodeBlock
2342         https://bugs.webkit.org/show_bug.cgi?id=194187
2343
2344         Reviewed by Saam Barati.
2345
2346         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2347         We have three types of data in CodeBlock.
2348
2349         1. The data which is always used. CodeBlock needs to hold it.
2350         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. The example is profiling.
2351         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2352
2353         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2354         number of them get JIT compilation. Always allocating the (3) data enlarges the size of CodeBlock, leading to
2355         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2356         in both non-JIT and *JIT* modes.
2357
2358         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2359         by the lock of CodeBlock.
2360
2361         The size of CodeBlock is reduced from 512 to 352.
2362
2363         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2364
2365             Footprint geomean: 36696503 (34.997 MB)
2366             Peak Footprint geomean: 38595988 (36.808 MB)
2367             Score: 37634263 (35.891 MB)
2368
2369             Footprint geomean: 37172768 (35.451 MB)
2370             Peak Footprint geomean: 38978288 (37.173 MB)
2371             Score: 38064824 (36.301 MB)
2372
2373         * bytecode/CodeBlock.cpp:
2374         (JSC::CodeBlock::~CodeBlock):
2375         (JSC::CodeBlock::propagateTransitions):
2376         (JSC::CodeBlock::ensureJITDataSlow):
2377         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2378         (JSC::CodeBlock::getICStatusMap):
2379         (JSC::CodeBlock::addStubInfo):
2380         (JSC::CodeBlock::addJITAddIC):
2381         (JSC::CodeBlock::addJITMulIC):
2382         (JSC::CodeBlock::addJITSubIC):
2383         (JSC::CodeBlock::addJITNegIC):
2384         (JSC::CodeBlock::findStubInfo):
2385         (JSC::CodeBlock::addByValInfo):
2386         (JSC::CodeBlock::addCallLinkInfo):
2387         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2388         (JSC::CodeBlock::addRareCaseProfile):
2389         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2390         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2391         (JSC::CodeBlock::resetJITData):
2392         (JSC::CodeBlock::stronglyVisitStrongReferences):
2393         (JSC::CodeBlock::shrinkToFit):
2394         (JSC::CodeBlock::linkIncomingCall):
2395         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2396         (JSC::CodeBlock::unlinkIncomingCalls):
2397         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2398         (JSC::CodeBlock::dumpValueProfiles):
2399         (JSC::CodeBlock::setPCToCodeOriginMap):
2400         (JSC::CodeBlock::findPC):
2401         (JSC::CodeBlock::dumpMathICStats):
2402         * bytecode/CodeBlock.h:
2403         (JSC::CodeBlock::ensureJITData):
2404         (JSC::CodeBlock::setJITCodeMap):
2405         (JSC::CodeBlock::jitCodeMap):
2406         (JSC::CodeBlock::likelyToTakeSlowCase):
2407         (JSC::CodeBlock::couldTakeSlowCase):
2408         (JSC::CodeBlock::lazyOperandValueProfiles):
2409         (JSC::CodeBlock::stubInfoBegin): Deleted.
2410         (JSC::CodeBlock::stubInfoEnd): Deleted.
2411         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2412         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2413         (JSC::CodeBlock::jitCodeMap const): Deleted.
2414         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2415         * bytecode/MethodOfGettingAValueProfile.cpp:
2416         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2417         (JSC::MethodOfGettingAValueProfile::reportValue):
2418         * dfg/DFGByteCodeParser.cpp:
2419         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2420         * jit/JIT.h:
2421         * jit/JITOperations.cpp:
2422         (JSC::tryGetByValOptimize):
2423         * jit/JITPropertyAccess.cpp:
2424         (JSC::JIT::privateCompileGetByVal):
2425         (JSC::JIT::privateCompilePutByVal):
2426
2427 2018-12-16  Darin Adler  <darin@apple.com>
2428
2429         Convert additional String::format clients to alternative approaches
2430         https://bugs.webkit.org/show_bug.cgi?id=192746
2431
2432         Reviewed by Alexey Proskuryakov.
2433
2434         * inspector/agents/InspectorConsoleAgent.cpp:
2435         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2436         and FormattedNumber::fixedWidth.
2437
2438 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2439
2440         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2441         https://bugs.webkit.org/show_bug.cgi?id=194177
2442
2443         Reviewed by Saam Barati.
2444
2445         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2446         We can share the IsoSubspace for JSFunction.
2447
2448         * runtime/JSAsyncFunction.h:
2449         * runtime/JSAsyncGeneratorFunction.h:
2450         * runtime/JSGeneratorFunction.h:
2451         * runtime/VM.cpp:
2452         (JSC::VM::VM):
2453         * runtime/VM.h:
2454
2455 2019-02-01  Mark Lam  <mark.lam@apple.com>
2456
2457         Remove invalid assertion in DFG's compileDoubleRep().
2458         https://bugs.webkit.org/show_bug.cgi?id=194130
2459         <rdar://problem/47699474>
2460
2461         Reviewed by Saam Barati.
2462
2463         * dfg/DFGSpeculativeJIT.cpp:
2464         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2465
2466 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2467
2468         [JSC] Unify CodeBlock IsoSubspaces
2469         https://bugs.webkit.org/show_bug.cgi?id=194167
2470
2471         Reviewed by Saam Barati.
2472
2473         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2474         But this is not necessary since,
2475
2476         1. They do not override the classInfo methods.
2477         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2478
2479         Creating IsoSubspace for each subclass is costly in terms of memory. Especially, IsoSubspace for
2480         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2481         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2482
2483         This patch unifies these IsoSubspaces into one.
2484
2485         * bytecode/CodeBlock.cpp:
2486         (JSC::CodeBlock::destroy):
2487         * bytecode/CodeBlock.h:
2488         * bytecode/EvalCodeBlock.cpp:
2489         (JSC::EvalCodeBlock::destroy): Deleted.
2490         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2491         * bytecode/FunctionCodeBlock.cpp:
2492         (JSC::FunctionCodeBlock::destroy): Deleted.
2493         * bytecode/FunctionCodeBlock.h:
2494         * bytecode/GlobalCodeBlock.h:
2495         * bytecode/ModuleProgramCodeBlock.cpp:
2496         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2497         * bytecode/ModuleProgramCodeBlock.h:
2498         * bytecode/ProgramCodeBlock.cpp:
2499         (JSC::ProgramCodeBlock::destroy): Deleted.
2500         * bytecode/ProgramCodeBlock.h:
2501         * interpreter/Interpreter.cpp:
2502         (JSC::Interpreter::execute):
2503         * runtime/VM.cpp:
2504         (JSC::VM::VM):
2505         * runtime/VM.h:
2506         (JSC::VM::forEachCodeBlockSpace):
2507
2508 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2509
2510         Unreviewed, follow-up after r240859
2511         https://bugs.webkit.org/show_bug.cgi?id=194145
2512
2513         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2514         And rename cellDangerousBitsSpace back to cellSpace.
2515
2516         * runtime/JSCellInlines.h:
2517         (JSC::JSCell::subspaceFor):
2518         * runtime/VM.cpp:
2519         (JSC::VM::VM):
2520         * runtime/VM.h:
2521
2522 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2523
2524         [JSC] Remove cellJSValueOOBSpace
2525         https://bugs.webkit.org/show_bug.cgi?id=194145
2526
2527         Reviewed by Mark Lam.
2528
2529         * runtime/JSObject.h:
2530         (JSC::JSObject::subspaceFor): Deleted.
2531         * runtime/VM.cpp:
2532         (JSC::VM::VM):
2533         * runtime/VM.h:
2534
2535 2019-01-31  Mark Lam  <mark.lam@apple.com>
2536
2537         Remove poisoning from CodeBlock and LLInt code.
2538         https://bugs.webkit.org/show_bug.cgi?id=194113
2539
2540         Reviewed by Yusuke Suzuki.
2541
2542         * bytecode/CodeBlock.cpp:
2543         (JSC::CodeBlock::CodeBlock):
2544         (JSC::CodeBlock::~CodeBlock):
2545         (JSC::CodeBlock::setConstantRegisters):
2546         (JSC::CodeBlock::propagateTransitions):
2547         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2548         (JSC::CodeBlock::jettison):
2549         (JSC::CodeBlock::predictedMachineCodeSize):
2550         * bytecode/CodeBlock.h:
2551         (JSC::CodeBlock::vm const):
2552         (JSC::CodeBlock::addConstant):
2553         (JSC::CodeBlock::heap const):
2554         (JSC::CodeBlock::replaceConstant):
2555         * llint/LLIntOfflineAsmConfig.h:
2556         * llint/LLIntSlowPaths.cpp:
2557         (JSC::LLInt::handleHostCall):
2558         (JSC::LLInt::setUpCall):
2559         * llint/LowLevelInterpreter.asm:
2560         * llint/LowLevelInterpreter32_64.asm:
2561         * llint/LowLevelInterpreter64.asm:
2562
2563 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2564
2565         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2566         https://bugs.webkit.org/show_bug.cgi?id=194107
2567
2568         Reviewed by Saam Barati.
2569
2570         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2571         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2572
2573         * CMakeLists.txt:
2574         * DerivedSources.make:
2575         * JavaScriptCore.xcodeproj/project.pbxproj:
2576         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2577         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2578         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2579         (JSC::AsyncFromSyncIteratorPrototype::create):
2580         * runtime/AsyncFromSyncIteratorPrototype.h:
2581
2582 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2583
2584         Fix `runJITThreadLimitTests` in testapi
2585         https://bugs.webkit.org/show_bug.cgi?id=194064
2586         <rdar://problem/46139147>
2587
2588         Reviewed by Mark Lam.
2589
2590         Fix typo where `targetNumberOfThreads` was not being used.
2591
2592         * API/tests/testapi.mm:
2593         (runJITThreadLimitTests):
2594
2595 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2596
2597         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2598         https://bugs.webkit.org/show_bug.cgi?id=194112
2599
2600         Reviewed by Mark Lam.
2601
2602         `testBytecodeCache` does not populate the bytecode cache for the global
2603         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2604
2605         * API/tests/testapi.mm:
2606         (testBytecodeCache):
2607
2608 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2609
2610         Unreviewed, follow-up after r240796
2611
2612         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2613         when allocating InferredValue in FunctionExecutable::finishCreation.
2614
2615         * runtime/FunctionExecutable.cpp:
2616         (JSC::FunctionExecutable::FunctionExecutable):
2617         (JSC::FunctionExecutable::finishCreation):
2618
2619 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2620
2621         [JSC] Do not use InferredValue in non-JIT configuration
2622         https://bugs.webkit.org/show_bug.cgi?id=194084
2623
2624         Reviewed by Saam Barati.
2625
2626         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2627         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2628         put a watchpoint and fold it into this constant. But if the JIT is disabled, we do not need to care about it.
2629         Even in the non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2630         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2631         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2632         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2633         To summarize, since nobody uses the InferredValue feature in the non-JIT configuration, we should not create it.
2634
2635         * bytecode/ObjectAllocationProfileInlines.h:
2636         (JSC::ObjectAllocationProfile::initializeProfile):
2637         * runtime/FunctionExecutable.cpp:
2638         (JSC::FunctionExecutable::finishCreation):
2639         (JSC::FunctionExecutable::visitChildren):
2640         * runtime/FunctionExecutable.h:
2641         * runtime/InferredValue.cpp:
2642         (JSC::InferredValue::create):
2643         * runtime/JSAsyncFunction.cpp:
2644         (JSC::JSAsyncFunction::create):
2645         * runtime/JSAsyncGeneratorFunction.cpp:
2646         (JSC::JSAsyncGeneratorFunction::create):
2647         * runtime/JSFunction.cpp:
2648         (JSC::JSFunction::create):
2649         * runtime/JSFunctionInlines.h:
2650         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2651         * runtime/JSGeneratorFunction.cpp:
2652         (JSC::JSGeneratorFunction::create):
2653         * runtime/JSSymbolTableObject.h:
2654         (JSC::JSSymbolTableObject::setSymbolTable):
2655         * runtime/SymbolTable.cpp:
2656         (JSC::SymbolTable::finishCreation):
2657         * runtime/VM.cpp:
2658         (JSC::VM::VM):
2659
2660 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2661
2662         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2663         https://bugs.webkit.org/show_bug.cgi?id=194085
2664
2665         Reviewed by Yusuke Suzuki.
2666
2667         r240730 changed ud_itab.py and caused incremental build failures
2668         for Ninja builds.
2669
2670         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2671
2672 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2673
2674         [JSC] Symbol should be in destructibleCellSpace
2675         https://bugs.webkit.org/show_bug.cgi?id=194082
2676
2677         Reviewed by Saam Barati.
2678
2679         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2680         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2681         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2682         Symbol's space destructibleCellSpace to appropriately call the destructor.
2683
2684         * runtime/Symbol.h:
2685
2686 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2687
2688         Unreviewed, rolling out r240755.
2689
2690         This was not correct
2691
2692         Reverted changeset:
2693
2694         "Unreviewed, fix GCC build after r240730"
2695         https://bugs.webkit.org/show_bug.cgi?id=194041
2696         https://trac.webkit.org/changeset/240755
2697
2698 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2699
2700         Unreviewed, fix GCC build after r240730
2701         https://bugs.webkit.org/show_bug.cgi?id=194041
2702         <rdar://problem/47680981>
2703
2704         * disassembler/udis86/ud_itab.py:
2705         (UdItabGenerator.genOpcodeTablesLookupIndex):
2706
2707 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2708
2709         testapi's `testBytecodeCache` does not need to run the code twice
2710         https://bugs.webkit.org/show_bug.cgi?id=194046
2711
2712         Reviewed by Mark Lam.
2713
2714         Since we populate the cache eagerly (unlike the stress tests), we don't
2715         need to run the code twice.
2716
2717         * API/tests/testapi.mm:
2718         (testBytecodeCache):
2719
2720 2019-01-30  Saam Barati  <sbarati@apple.com>
2721
2722         [WebAssembly] Change BBQ to generate Air IR
2723         https://bugs.webkit.org/show_bug.cgi?id=191802
2724         <rdar://problem/47651718>
2725
2726         Reviewed by Keith Miller.
2727
2728         This patch adds a new Wasm compiler for the BBQ tier. Instead
2729         of compiling using B3-O1, we now generate Air code directly.
2730         The goal of doing this was to speed up compile times for Wasm
2731         programs.
2732         
2733         This patch provides us with a 20-30% compile time speedup. However, I
2734         have ideas on how to improve compile times even further. For example,
2735         we should probably implement a faster running register allocator:
2736         https://bugs.webkit.org/show_bug.cgi?id=194036
2737         
2738         We can also improve on the code we generate.
2739         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2740         And we should do better instruction selection in various
2741         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2742
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * Sources.txt:
2745         * b3/B3LowerToAir.cpp:
2746         * b3/B3StackmapSpecial.h:
2747         * b3/air/AirCode.cpp:
2748         (JSC::B3::Air::Code::emitDefaultPrologue):
2749         * b3/air/AirCode.h:
2750         * b3/air/AirTmp.h:
2751         (JSC::B3::Air::Tmp::Tmp):
2752         * runtime/Options.h:
2753         * wasm/WasmAirIRGenerator.cpp: Added.
2754         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2755         (JSC::Wasm::TypedTmp::TypedTmp):
2756         (JSC::Wasm::TypedTmp::operator== const):
2757         (JSC::Wasm::TypedTmp::operator!= const):
2758         (JSC::Wasm::TypedTmp::operator bool const):
2759         (JSC::Wasm::TypedTmp::operator Tmp const):
2760         (JSC::Wasm::TypedTmp::operator Arg const):
2761         (JSC::Wasm::TypedTmp::tmp const):
2762         (JSC::Wasm::TypedTmp::type const):
2763         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2764         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2765         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2766         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2767         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2768         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2769         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2770         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2771         (JSC::Wasm::AirIRGenerator::emptyExpression):
2772         (JSC::Wasm::AirIRGenerator::fail const):
2773         (JSC::Wasm::AirIRGenerator::setParser):
2774         (JSC::Wasm::AirIRGenerator::toTmpVector):
2775         (JSC::Wasm::AirIRGenerator::validateInst):
2776         (JSC::Wasm::AirIRGenerator::extractArg):
2777         (JSC::Wasm::AirIRGenerator::append):
2778         (JSC::Wasm::AirIRGenerator::appendEffectful):
2779         (JSC::Wasm::AirIRGenerator::newTmp):
2780         (JSC::Wasm::AirIRGenerator::g32):
2781         (JSC::Wasm::AirIRGenerator::g64):
2782         (JSC::Wasm::AirIRGenerator::f32):
2783         (JSC::Wasm::AirIRGenerator::f64):
2784         (JSC::Wasm::AirIRGenerator::tmpForType):
2785         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2786         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2787         (JSC::Wasm::AirIRGenerator::emitCheck):
2788         (JSC::Wasm::AirIRGenerator::emitCCall):
2789         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2790         (JSC::Wasm::AirIRGenerator::instanceValue):
2791         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2792         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2793         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2794         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2795         (JSC::Wasm::AirIRGenerator::emitThrowException):
2796         (JSC::Wasm::AirIRGenerator::addLocal):
2797         (JSC::Wasm::AirIRGenerator::addConstant):
2798         (JSC::Wasm::AirIRGenerator::addArguments):
2799         (JSC::Wasm::AirIRGenerator::getLocal):
2800         (JSC::Wasm::AirIRGenerator::addUnreachable):
2801         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2802         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2803         (JSC::Wasm::AirIRGenerator::setLocal):
2804         (JSC::Wasm::AirIRGenerator::getGlobal):
2805         (JSC::Wasm::AirIRGenerator::setGlobal):
2806         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2807         (JSC::Wasm::sizeOfLoadOp):
2808         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2809         (JSC::Wasm::AirIRGenerator::load):
2810         (JSC::Wasm::sizeOfStoreOp):
2811         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2812         (JSC::Wasm::AirIRGenerator::store):
2813         (JSC::Wasm::AirIRGenerator::addSelect):
2814         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2815         (JSC::Wasm::AirIRGenerator::addLoop):
2816         (JSC::Wasm::AirIRGenerator::addTopLevel):
2817         (JSC::Wasm::AirIRGenerator::addBlock):
2818         (JSC::Wasm::AirIRGenerator::addIf):
2819         (JSC::Wasm::AirIRGenerator::addElse):
2820         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2821         (JSC::Wasm::AirIRGenerator::addReturn):
2822         (JSC::Wasm::AirIRGenerator::addBranch):
2823         (JSC::Wasm::AirIRGenerator::addSwitch):
2824         (JSC::Wasm::AirIRGenerator::endBlock):
2825         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2826         (JSC::Wasm::AirIRGenerator::addCall):
2827         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2828         (JSC::Wasm::AirIRGenerator::unify):
2829         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2830         (JSC::Wasm::AirIRGenerator::dump):
2831         (JSC::Wasm::AirIRGenerator::origin):
2832         (JSC::Wasm::parseAndCompileAir):
2833         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2834         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2835         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2836         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2837         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2838         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2839         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2840         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2841         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2842         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2843         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2844         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2845         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2846         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2847         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2848         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2849         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2850         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2851         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2852         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2853         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2854         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2855         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2856         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2857         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2858         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2859         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2860         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2861         (JSC::Wasm::AirIRGenerator::addShift):
2862         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2863         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2864         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2865         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2866         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2867         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2868         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2869         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2870         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2871         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2872         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2873         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2874         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2875         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2876         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2877         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2878         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2879         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2880         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2881         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2882         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2883         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2884         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2885         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2886         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2887         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2888         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2889         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2890         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2891         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2892         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2893         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2894         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2895         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2896         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2897         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2898         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2899         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2900         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2901         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2902         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2903         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2904         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2905         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2906         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2907         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2908         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2909         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2910         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2911         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2912         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2913         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2914         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2915         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2916         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2917         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2918         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2919         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2920         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2921         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2922         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2923         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2924         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2925         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2926         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2927         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2928         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2929         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2930         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2931         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2932         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2933         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2934         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2935         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2936         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2937         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2941         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2942         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2943         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2944         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2948         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2949         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2950         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2951         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2952         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2953         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2954         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2955         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2962         * wasm/WasmAirIRGenerator.h: Added.
2963         * wasm/WasmB3IRGenerator.cpp:
2964         (JSC::Wasm::B3IRGenerator::emptyExpression):
2965         * wasm/WasmBBQPlan.cpp:
2966         (JSC::Wasm::BBQPlan::compileFunctions):
2967         * wasm/WasmCallingConvention.cpp:
2968         (JSC::Wasm::jscCallingConventionAir):
2969         (JSC::Wasm::wasmCallingConventionAir):
2970         * wasm/WasmCallingConvention.h:
2971         (JSC::Wasm::CallingConvention::CallingConvention):
2972         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2973         (JSC::Wasm::CallingConvention::marshallArgument const):
2974         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2975         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2976         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2977         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2978         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2979         (JSC::Wasm::CallingConventionAir::loadArguments const):
2980         (JSC::Wasm::CallingConventionAir::setupCall const):
2981         (JSC::Wasm::nextJSCOffset):
2982         * wasm/WasmFunctionParser.h:
2983         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2984         * wasm/WasmValidate.cpp:
2985         (JSC::Wasm::Validate::emptyExpression):
2986
2987 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2988
2989         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2990         https://bugs.webkit.org/show_bug.cgi?id=194050
2991         <rdar://problem/47595592>
2992
2993         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2994         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2995
2996         Reviewed by Yusuke Suzuki.
2997
2998         * ftl/FTLOperations.cpp:
2999         (JSC::FTL::operationMaterializeObjectInOSR):
3000
3001 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3002
3003         Remove assertion that CachedSymbolTables should have no RareData
3004         https://bugs.webkit.org/show_bug.cgi?id=194037
3005
3006         Reviewed by Mark Lam.
3007
3008         It turns out that we don't need to cache the SymbolTableRareData and
3009         we should not assert that it's empty.
3010
3011         * runtime/CachedTypes.cpp:
3012         (JSC::CachedSymbolTable::encode):
3013
3014 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3015
3016         CachedBytecode's move constructor should not call `freeDataIfOwned`
3017         https://bugs.webkit.org/show_bug.cgi?id=194045
3018
3019         Reviewed by Mark Lam.
3020
3021         That might result in freeing a garbage value.
3022
3023         * parser/SourceProvider.h:
3024         (JSC::CachedBytecode::CachedBytecode):
3025
3026 2019-01-30  Keith Miller  <keith_miller@apple.com>
3027
3028         mul32 should convert powers of 2 to an lshift
3029         https://bugs.webkit.org/show_bug.cgi?id=193957
3030
3031         Reviewed by Yusuke Suzuki.
3032
3033         * assembler/MacroAssembler.h:
3034         (JSC::MacroAssembler::mul32):
3035         * assembler/testmasm.cpp:
3036         (JSC::int32Operands):
3037         (JSC::testMul32WithImmediates):
3038         (JSC::run):
3039
3040 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3041
3042         [JSC] Make disassembler data structures constant read-only data
3043         https://bugs.webkit.org/show_bug.cgi?id=194041
3044
3045         Reviewed by Mark Lam.
3046
3047         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3048         This patch makes them "const".
3049
3050         * disassembler/ARM64/A64DOpcode.cpp:
3051         * disassembler/udis86/ud_itab.py:
3052         (UdItabGenerator.genOpcodeTablesLookupIndex):
3053         (UdItabGenerator.genInsnTable):
3054         (UdItabGenerator.genMnemonicsList):
3055         (genItabH):
3056         * disassembler/udis86/udis86_decode.h:
3057         * disassembler/udis86/udis86_syn.c:
3058         * disassembler/udis86/udis86_syn.h:
3059         * disassembler/udis86/udis86_types.h:
3060
3061 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3062
3063         Unreviewed, update the builtin test results
3064         https://bugs.webkit.org/show_bug.cgi?id=194015
3065
3066         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3067         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3068         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3069         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3070         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3071         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3072         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3073         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3074         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3075         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3076         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3077         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3078         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3079
3080 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3081
3082         [JSC] Make global static variables "const" as much as possible
3083         https://bugs.webkit.org/show_bug.cgi?id=194015
3084
3085         Reviewed by Mark Lam.
3086
3087         Some global static variables are not "const". For example, `static const char* name = ...`
3088         is not a constant variable. We should make it `static const char* const name = ...`.
3089
3090         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3091         (generate_externs_for_object):
3092         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3093         (generate_externs_for_object):
3094         * Scripts/wkbuiltins/builtins_generator.py:
3095         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3096         * assembler/MacroAssembler.h:
3097         (JSC::MacroAssembler::additionBlindedConstant):
3098         * b3/air/AirFormTable.h:
3099         * b3/air/opcode_generator.rb:
3100         * runtime/JSObject.cpp:
3101         (JSC::JSObject::visitButterfly):
3102         * tools/CodeProfile.cpp:
3103         * tools/CodeProfile.h:
3104
3105 2019-01-29  Keith Miller  <keith_miller@apple.com>
3106
3107         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3108         https://bugs.webkit.org/show_bug.cgi?id=194000
3109         <rdar://problem/47642894>
3110
3111         Reviewed by Mark Lam.
3112
3113         The default constructor is unused, and
3114         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3115         data member, which causes sadness.
3116
3117         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3118
3119 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3120
3121         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3122
3123         Rubber-stamped by Yusuke Suzuki.
3124
3125         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3126
3127         * parser/Parser.h:
3128         (JSC::Parser::declareHoistedVariable):
3129
3130 2019-01-29  Mark Lam  <mark.lam@apple.com>
3131
3132         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3133         https://bugs.webkit.org/show_bug.cgi?id=132333
3134
3135         Reviewed by Yusuke Suzuki.
3136
3137         * bytecode/InstructionStream.h:
3138         (JSC::InstructionStreamWriter::write):
3139         - The 32-bit write() function need not invert the order of the bytes written to
3140           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3141           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3142
3143         * llint/LLIntOfflineAsmConfig.h:
3144         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3145
3146 2019-01-29  Mark Lam  <mark.lam@apple.com>
3147
3148         ValueRecovery::recover() should purify NaN values it recovers.
3149         https://bugs.webkit.org/show_bug.cgi?id=193978
3150         <rdar://problem/47625488>
3151
3152         Reviewed by Saam Barati.
3153
3154         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3155         recovered DoubleDisplacedInJSStack values need to be purified.
3156         ValueRecovery::recover() should do the same.
3157
3158         * bytecode/ValueRecovery.cpp:
3159         (JSC::ValueRecovery::recover const):
3160
3161 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3162
3163         [JSC] FTL should handle LocalAllocator*
3164         https://bugs.webkit.org/show_bug.cgi?id=193980
3165
3166         Reviewed by Saam Barati.
3167
3168         At some point, Allocator holds a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3169         because the FTL still uses the incoming value as a 32-bit integer there.
3170
3171         * ftl/FTLLowerDFGToB3.cpp:
3172         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3173
3174 2019-01-29  Keith Rollin  <krollin@apple.com>
3175
3176         Add .xcfilelists to Run Script build phases
3177         https://bugs.webkit.org/show_bug.cgi?id=193792
3178         <rdar://problem/47201785>
3179
3180         Reviewed by Alex Christensen.
3181
3182         As part of supporting XCBuild, update the necessary Run Script build
3183         phases in their Xcode projects to refer to their associated
3184         .xcfilelist files.
3185
3186         Note that the addition of these files bumps the Xcode project version
3187         number to something that's Xcode 10 compatible. This change means that
3188         older versions of the Xcode IDE can't read these projects. Nor can they
3189         fully load workspaces that refer to these projects (the updated
3190         projects are shown as non-expandable placeholders). `xcodebuild` can
3191         still build these projects; it's just that the IDE can't open them.
3192
3193         * JavaScriptCore.xcodeproj/project.pbxproj:
3194
3195 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3196
3197         [ARM] Check for negative zero instead of just zero
3198         https://bugs.webkit.org/show_bug.cgi?id=193689
3199
3200         Reviewed by Mark Lam.
3201
3202         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3203         of just bailing out for zero.
3204
3205         * assembler/MacroAssemblerARMv7.h:
3206         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
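
        Added example, not JavaScriptCore's own code: a portable C model of the exactness check that branchConvertDoubleToInt32 has to perform, showing why -0.0 must bail out while +0.0 can stay on the fast path. The function name, enum and sample inputs are assumptions for illustration.

```c
/*
 * Added example (not JavaScriptCore code): a portable model of the check a
 * JIT fast path performs before treating a double as an int32. The value
 * may only take the int32 path when the conversion is exact. -0.0 is the
 * edge case from the ChangeLog entry: truncating it gives 0, so a plain
 * compare against zero cannot tell +0.0 and -0.0 apart, yet JS observes the
 * difference (1/0 is Infinity, 1/-0 is -Infinity).
 */
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Reasons the fast path must bail out to the general (slow) conversion. */
typedef enum {
    CONVERT_OK = 0,
    CONVERT_OUT_OF_RANGE,   /* outside (INT32_MIN - 1, INT32_MAX + 1), or +/-inf */
    CONVERT_NOT_INTEGRAL,   /* NaN or has a fractional part */
    CONVERT_NEGATIVE_ZERO   /* -0.0: truncates to 0 but the sign would be lost */
} ConvertResult;

/* Hypothetical helper mirroring branchConvertDoubleToInt32's decision. */
ConvertResult convert_double_to_int32(double value, int32_t* out)
{
    /* NaN compares unequal to everything, including itself. */
    if (isnan(value))
        return CONVERT_NOT_INTEGRAL;

    /* Reject anything whose truncation cannot fit in int32 (also rejects
       infinities), so the cast below is well defined. */
    if (!(value > -2147483649.0 && value < 2147483648.0))
        return CONVERT_OUT_OF_RANGE;

    /* The cast truncates toward zero; require the round trip to be exact. */
    int32_t result = (int32_t)value;
    if ((double)result != value)
        return CONVERT_NOT_INTEGRAL;

    /* result == 0 covers both +0.0 and -0.0; only the latter must bail.
       signbit() inspects the sign bit, which the equality test cannot. */
    if (result == 0 && signbit(value))
        return CONVERT_NEGATIVE_ZERO;

    *out = result;
    return CONVERT_OK;
}

static const char* result_name(ConvertResult r)
{
    switch (r) {
    case CONVERT_OK:            return "ok";
    case CONVERT_OUT_OF_RANGE:  return "out of range";
    case CONVERT_NOT_INTEGRAL:  return "not integral";
    case CONVERT_NEGATIVE_ZERO: return "negative zero";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample inputs covering each outcome. */
    const double samples[] = { 0.0, -0.0, -7.0, 1.5, 2147483648.0, -2147483648.0 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t v = 0;
        ConvertResult r = convert_double_to_int32(samples[i], &v);
        printf("%-14g -> %-14s", samples[i], result_name(r));
        if (r == CONVERT_OK)
            printf(" (%d)", v);
        printf("\n");
    }
    return 0;
}
```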
3207
3208 2019-01-28  Devin Rousso  <drousso@apple.com>
3209
3210         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3211         https://bugs.webkit.org/show_bug.cgi?id=193863
3212         <rdar://problem/47572764>
3213
3214         Reviewed by Joseph Pecoraro.
3215
3216         * inspector/protocol/Page.json:
3217         Add more values to the `Setting` enum type:
3218          - `ICECandidateFilteringEnabled`
3219          - `MediaCaptureRequiresSecureConnection`
3220          - `MockCaptureDevicesEnabled`
3221
3222 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3223
3224         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3225         https://bugs.webkit.org/show_bug.cgi?id=193941
3226
3227         Reviewed by Alex Christensen.
3228
3229         * API/JSWeakObjectMapRefPrivate.cpp:
3230         * bytecompiler/NodesCodegen.cpp:
3231         * heap/MachineStackMarker.cpp:
3232         * jit/ExecutableAllocator.cpp:
3233         * jsc.cpp:
3234         * parser/Nodes.cpp:
3235         * runtime/DateConstructor.cpp:
3236         * runtime/DateConversion.cpp:
3237         * runtime/DateInstance.cpp:
3238         * runtime/DatePrototype.cpp:
3239         * runtime/InitializeThreading.cpp:
3240         * runtime/IteratorOperations.cpp:
3241         * runtime/JSDateMath.cpp:
3242         * runtime/JSGlobalObjectFunctions.cpp:
3243         * runtime/StringPrototype.cpp:
3244         * runtime/VM.cpp:
3245         * testRegExp.cpp:
3246         * tools/JSDollarVM.cpp:
3247         * yarr/YarrInterpreter.cpp:
3248         * yarr/YarrJIT.cpp:
3249         * yarr/YarrPattern.cpp:
3250         * yarr/YarrUnicodeProperties.cpp:
3251
3252 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3253
3254         [JSC] Reduce size of memory used for ShadowChicken
3255         https://bugs.webkit.org/show_bug.cgi?id=193546
3256
3257         Reviewed by Mark Lam.
3258
3259         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3260         The removal of ShadowChicken saves 55KB of memory.
3261
3262         * debugger/DebuggerCallFrame.cpp:
3263         (JSC::DebuggerCallFrame::create):
3264         * ftl/FTLLowerDFGToB3.cpp:
3265         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3266         * heap/Heap.cpp:
3267         (JSC::Heap::stopThePeriphery):
3268         (JSC::Heap::addCoreConstraints):
3269         * jit/CCallHelpers.cpp:
3270         (JSC::CCallHelpers::ensureShadowChickenPacket):
3271         * jit/JITExceptions.cpp:
3272         (JSC::genericUnwind):
3273         * jit/JITOpcodes.cpp:
3274         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3275         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3276         * jit/JITOpcodes32_64.cpp:
3277         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3278         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3279         * jit/JITOperations.cpp:
3280         * llint/LLIntSlowPaths.cpp:
3281         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3282         * runtime/JSGlobalObject.cpp:
3283         (JSC::JSGlobalObject::setDebugger):
3284         * runtime/JSGlobalObject.h:
3285         (JSC::JSGlobalObject::setDebugger): Deleted.
3286         * runtime/VM.cpp:
3287         (JSC::VM::VM):
3288         (JSC::VM::ensureShadowChicken):
3289         * runtime/VM.h:
3290         (JSC::VM::shadowChicken):
3291         * tools/JSDollarVM.cpp:
3292         (JSC::functionShadowChickenFunctionsOnStack):
3293         (JSC::changeDebuggerModeWhenIdle):
3294
3295 2019-01-28  Andy Estes  <aestes@apple.com>
3296
3297         [watchOS] Enable Parental Controls content filtering
3298         https://bugs.webkit.org/show_bug.cgi?id=193939
3299         <rdar://problem/46641912>
3300
3301         Reviewed by Ryosuke Niwa.
3302
3303         * Configurations/FeatureDefines.xcconfig:
3304
3305 2019-01-28  Mark Lam  <mark.lam@apple.com>
3306
3307         ToString node actually does GC.
3308         https://bugs.webkit.org/show_bug.cgi?id=193920
3309         <rdar://problem/46695900>
3310
3311         Reviewed by Yusuke Suzuki.
3312
3313         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3314         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3315
3316         * dfg/DFGDoesGC.cpp:
3317         (JSC::DFG::doesGC):
3318
3319 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3320
3321         [JSC] RegExpConstructor should not have own IsoSubspace
3322         https://bugs.webkit.org/show_bug.cgi?id=193801
3323
3324         Reviewed by Mark Lam.
3325
3326         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3327         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3328         regexp matching data (e.g. `RegExp.$1`) is a per-JSGlobalObject one, and we can move this data to JSGlobalObject and remove
3329         it from RegExpConstructor members.
3330
3331         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3332         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3333         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3334
3335         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3336
3337         * CMakeLists.txt:
3338         * JavaScriptCore.xcodeproj/project.pbxproj:
3339         * Sources.txt:
3340         * dfg/DFGOperations.cpp:
3341         * dfg/DFGSpeculativeJIT.cpp:
3342         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3343         * dfg/DFGStrengthReductionPhase.cpp:
3344         (JSC::DFG::StrengthReductionPhase::handleNode):
3345         * ftl/FTLAbstractHeapRepository.cpp:
3346         * ftl/FTLAbstractHeapRepository.h:
3347         * ftl/FTLLowerDFGToB3.cpp:
3348         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3349         * runtime/JSGlobalObject.cpp:
3350         (JSC::JSGlobalObject::init):
3351         (JSC::JSGlobalObject::visitChildren):
3352         * runtime/JSGlobalObject.h:
3353         (JSC::JSGlobalObject::regExpGlobalData):
3354         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3355         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3356         * runtime/RegExpCache.cpp:
3357         (JSC::RegExpCache::initialize):
3358         * runtime/RegExpCache.h:
3359         (JSC::RegExpCache::emptyRegExp const):
3360         * runtime/RegExpCachedResult.cpp:
3361         (JSC::RegExpCachedResult::visitAggregate):
3362         (JSC::RegExpCachedResult::visitChildren): Deleted.
3363         * runtime/RegExpCachedResult.h:
3364         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3365         * runtime/RegExpConstructor.cpp:
3366         (JSC::RegExpConstructor::RegExpConstructor):
3367         (JSC::regExpConstructorDollar):
3368         (JSC::regExpConstructorInput):