eeff7e648620c59aa5ef2982828c5962a794065f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>
2
3         Add version number to cached bytecode
4         https://bugs.webkit.org/show_bug.cgi?id=194768
5         <rdar://problem/48147968>
6
7         Reviewed by Saam Barati.
8
9         Add a version number to the bytecode cache that should be unique per build.
10
11         * CMakeLists.txt:
12         * DerivedSources-output.xcfilelist:
13         * DerivedSources.make:
14         * runtime/CachedTypes.cpp:
15         (JSC::Encoder::malloc):
16         (JSC::GenericCacheEntry::GenericCacheEntry):
17         (JSC::CacheEntry::CacheEntry):
18         (JSC::CacheEntry::encode):
19         (JSC::CacheEntry::decode const):
20         (JSC::GenericCacheEntry::decode const):
21         (JSC::decodeCodeBlockImpl):
22         * runtime/CodeCache.h:
23         (JSC::CodeCacheMap::fetchFromDiskImpl):
24
25 2019-02-17  Saam Barati  <sbarati@apple.com>
26
27         WasmB3IRGenerator models some effects incorrectly
28         https://bugs.webkit.org/show_bug.cgi?id=194038
29
30         Reviewed by Keith Miller.
31
32         * wasm/WasmB3IRGenerator.cpp:
33         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
34         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
35         These two functions were using global state instead of the
36         arguments passed into the function.
37
38         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
39         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
40         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
41         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
42         Any patchpoint that allows scratch register usage must
43         also say that it clobbers the scratch registers.
44
45 2019-02-17  Saam Barati  <sbarati@apple.com>
46
47         Deadlock when adding a Structure property transition and then doing incremental marking
48         https://bugs.webkit.org/show_bug.cgi?id=194767
49
50         Reviewed by Mark Lam.
51
52         This can happen in the following scenario:
53         
54         You have a Structure S. S is on the mark stack. Then:
55         1. S grabs its lock
56         2. S adds a new property transition
57         3. We find out we need to do some incremental marking
58         4. We mark S
59         5. visitChildren on S will try to grab its lock
60         6. We are now in a deadlock
61
62         * heap/Heap.cpp:
63         (JSC::Heap::performIncrement):
64         * runtime/Structure.cpp:
65         (JSC::Structure::addNewPropertyTransition):
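The six-step scenario above, as an added example that is not WebKit's code: a toy Structure whose transition-table lock is non-recursive, with the marking step attempted either inside the transition's critical section (the deadlock, reported through a try-lock instead of hanging) or after it (one possible ordering fix; the real patch's change to Heap::performIncrement is not reproduced). The lock, struct and function bodies are invented for this model even where the names echo the ChangeLog.

```cpp
#include <atomic>

// Non-recursive lock with a try-lock, so a re-entrant acquisition by the
// same thread is reported instead of hanging (model only, not JSC's Lock).
class SpinLock {
public:
    bool tryLock() { return !m_held.exchange(true, std::memory_order_acquire); }
    void unlock() { m_held.store(false, std::memory_order_release); }
private:
    std::atomic<bool> m_held { false };
};

// Toy Structure: the transition table is guarded by `lock`, and the
// collector's visitChildren() needs that same lock to read the table.
struct Structure {
    SpinLock lock;
    unsigned transitionCount = 0;

    // Returns false where the real engine would block forever (steps 5-6).
    bool visitChildren() {
        if (!lock.tryLock())
            return false;
        // ... mark the transition table and other children here ...
        lock.unlock();
        return true;
    }
};

enum class Outcome { Ok, WouldDeadlock };
enum class MarkingPoint { InsideTransitionLock, AfterTransitionLock };

// Model of "add a property transition, then the heap decides it must do an
// incremental marking step" (steps 1-4). `s` is assumed to be on the mark
// stack already, so the increment visits it on this same thread.
Outcome addNewPropertyTransition(Structure& s, bool incrementalMarkingDue, MarkingPoint when) {
    if (!s.lock.tryLock())
        return Outcome::WouldDeadlock;   // contended by another thread; not the case modelled here
    ++s.transitionCount;                 // step 2: the transition itself
    bool marked = true;
    if (incrementalMarkingDue && when == MarkingPoint::InsideTransitionLock)
        marked = s.visitChildren();      // steps 3-5: re-takes the lock this thread already holds
    s.lock.unlock();
    if (incrementalMarkingDue && when == MarkingPoint::AfterTransitionLock)
        marked = s.visitChildren();      // lock released first, so the visit can take it
    return marked ? Outcome::Ok : Outcome::WouldDeadlock;
}
```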
66
67 2019-02-17  David Kilzer  <ddkilzer@apple.com>
68
69         Unreviewed, rolling out r241620.
70
71         "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
72         (Requested by ddkilzer on #webkit.)
73
74         Reverted changeset:
75
76         "[WTF] Add environment variable helpers"
77         https://bugs.webkit.org/show_bug.cgi?id=192405
78         https://trac.webkit.org/changeset/241620
79
80 2019-02-17  Commit Queue  <commit-queue@webkit.org>
81
82         Unreviewed, rolling out r241612.
83         https://bugs.webkit.org/show_bug.cgi?id=194762
84
85         "It regressed JetStream2 parsing tests by ~40%" (Requested by
86         saamyjoon on #webkit).
87
88         Reverted changeset:
89
90         "Move bytecode cache-related filesystem code out of CodeCache"
91         https://bugs.webkit.org/show_bug.cgi?id=194675
92         https://trac.webkit.org/changeset/241612
93
94 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
95
96         [JSC] JSWrapperObject should not be destructible
97         https://bugs.webkit.org/show_bug.cgi?id=194743
98
99         Reviewed by Saam Barati.
100
101         JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
102         Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
103         JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.
104
105         * runtime/BigIntObject.cpp:
106         (JSC::BigIntObject::BigIntObject):
107         * runtime/BooleanConstructor.cpp:
108         (JSC::BooleanConstructor::finishCreation):
109         * runtime/BooleanObject.cpp:
110         (JSC::BooleanObject::BooleanObject):
111         * runtime/BooleanObject.h:
112         * runtime/DateInstance.cpp:
113         (JSC::DateInstance::DateInstance):
114         (JSC::DateInstance::finishCreation):
115         * runtime/DateInstance.h:
116         * runtime/DatePrototype.cpp:
117         (JSC::dateProtoFuncGetTime):
118         (JSC::dateProtoFuncSetTime):
119         (JSC::setNewValueFromTimeArgs):
120         (JSC::setNewValueFromDateArgs):
121         (JSC::dateProtoFuncSetYear):
122         * runtime/JSCPoison.h:
123         * runtime/JSWrapperObject.h:
124         (JSC::JSWrapperObject::JSWrapperObject):
125         * runtime/NumberObject.cpp:
126         (JSC::NumberObject::NumberObject):
127         * runtime/NumberObject.h:
128         * runtime/StringConstructor.cpp:
129         (JSC::StringConstructor::finishCreation):
130         * runtime/StringObject.cpp:
131         (JSC::StringObject::StringObject):
132         * runtime/StringObject.h:
133         (JSC::StringObject::internalValue const):
134         * runtime/SymbolObject.cpp:
135         (JSC::SymbolObject::SymbolObject):
136         * runtime/SymbolObject.h:
137
138 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] Shrink UnlinkedFunctionExecutable
141         https://bugs.webkit.org/show_bug.cgi?id=194733
142
143         Reviewed by Mark Lam.
144
145         UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
146         directives can be found in the comments of non-typical functions' source code (Program,
147         Eval code, and Global function from function constructor etc.), and the tricky thing is that
148         SourceProvider's directives are updated by the Parser. The reason why we have these fields in
149         UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
150         if we skip parsing by using CodeCache. These fields are effective only if (1) the
151         UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
152         or sourceMappingURLDirective. This is rare enough to purge them to a separate
153         UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
154         sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
155         cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
156         in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
157         If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
158         Since UnlinkedFunctionExecutable is allocated from an IsoSubspace, we do not need to fit it to
159         one of the size classes.
160
161         This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
162         and kills one MarkedBlock allocation in the JSC initialization phase.
163
164         * bytecode/UnlinkedFunctionExecutable.cpp:
165         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
166         (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
167         * bytecode/UnlinkedFunctionExecutable.h:
168         * debugger/DebuggerLocation.cpp:
169         (JSC::DebuggerLocation::DebuggerLocation):
170         * inspector/ScriptDebugServer.cpp:
171         (Inspector::ScriptDebugServer::dispatchDidParseSource):
172         * parser/Lexer.h:
173         (JSC::Lexer::sourceURLDirective const):
174         (JSC::Lexer::sourceMappingURLDirective const):
175         (JSC::Lexer::sourceURL const): Deleted.
176         (JSC::Lexer::sourceMappingURL const): Deleted.
177         * parser/Parser.h:
178         (JSC::Parser<LexerType>::parse):
179         * parser/SourceProvider.h:
180         (JSC::SourceProvider::sourceURLDirective const):
181         (JSC::SourceProvider::sourceMappingURLDirective const):
182         (JSC::SourceProvider::setSourceURLDirective):
183         (JSC::SourceProvider::setSourceMappingURLDirective):
184         (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
185         since it is the correct name.
186         (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
187         sourceMappingURLDirective since it is the correct name.
188         * runtime/CachedTypes.cpp:
189         (JSC::CachedSourceProviderShape::encode):
190         (JSC::CachedFunctionExecutableRareData::encode):
191         (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
192         sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
193         (JSC::CachedFunctionExecutable::rareData const):
194         (JSC::CachedFunctionExecutable::encode):
195         (JSC::CachedFunctionExecutable::decode const):
196         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
197         * runtime/CodeCache.cpp:
198         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
199         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
200         * runtime/CodeCache.h:
201         (JSC::generateUnlinkedCodeBlockImpl):
202         * runtime/FunctionExecutable.h:
203         * runtime/SamplingProfiler.cpp:
204         (JSC::SamplingProfiler::StackFrame::url):
205
206 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
207
208         [JSC] Remove unused global private variables
209         https://bugs.webkit.org/show_bug.cgi?id=194741
210
211         Reviewed by Joseph Pecoraro.
212
213         There are some private functions and constants that are no longer referenced from builtin JS code.
214         This patch cleans them up.
215
216         * builtins/BuiltinNames.h:
217         * builtins/ObjectConstructor.js:
218         (entries):
219         * runtime/JSGlobalObject.cpp:
220         (JSC::JSGlobalObject::init):
221
222 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
223
224         [JSC] Lazily create empty RegExp
225         https://bugs.webkit.org/show_bug.cgi?id=194735
226
227         Reviewed by Keith Miller.
228
229         Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
230         Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drops
231         one MarkedBlock.
232
233         * runtime/JSGlobalObject.cpp:
234         (JSC::JSGlobalObject::init):
235         * runtime/RegExpCache.cpp:
236         (JSC::RegExpCache::ensureEmptyRegExpSlow):
237         (JSC::RegExpCache::initialize): Deleted.
238         * runtime/RegExpCache.h:
239         (JSC::RegExpCache::ensureEmptyRegExp):
240         (JSC::RegExpCache::emptyRegExp const): Deleted.
241         * runtime/RegExpCachedResult.cpp:
242         (JSC::RegExpCachedResult::lastResult):
243         * runtime/RegExpCachedResult.h:
244         * runtime/VM.cpp:
245         (JSC::VM::VM):
246
247 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
248
249         [JSC] Make builtin objects more lazily initialized under non-JIT mode
250         https://bugs.webkit.org/show_bug.cgi?id=194727
251
252         Reviewed by Saam Barati.
253
254         Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
255         because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
256         means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
257         accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
258         is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
259         drops some @Number references to avoid eager initialization. This removes some object allocations and 1
260         MarkedBlock allocation just for Symbols.
261
262         * runtime/JSGlobalObject.cpp:
263         (JSC::JSGlobalObject::init):
264         (JSC::JSGlobalObject::visitChildren):
265         * runtime/JSGlobalObject.h:
266         (JSC::JSGlobalObject::numberToStringWatchpoint):
267         (JSC::JSGlobalObject::booleanPrototype const):
268         (JSC::JSGlobalObject::numberPrototype const):
269         (JSC::JSGlobalObject::symbolPrototype const):
270         (JSC::JSGlobalObject::booleanObjectStructure const):
271         (JSC::JSGlobalObject::symbolObjectStructure const):
272         (JSC::JSGlobalObject::numberObjectStructure const):
273         (JSC::JSGlobalObject::stringObjectStructure const):
274
275 2019-02-15  Michael Saboff  <msaboff@apple.com>
276
277         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
278         https://bugs.webkit.org/show_bug.cgi?id=194558
279
280         Reviewed by Saam Barati.
281
282         Added an in-bounds check before the read of the next character for Unicode regular expressions
283         for pattern generation that didn't already have such checks.
284
285         * yarr/YarrJIT.cpp:
286         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
287         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
288         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
289         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
290
291 2019-02-15  Dean Jackson  <dino@apple.com>
292
293         Allow emulation of user gestures from Web Inspector console
294         https://bugs.webkit.org/show_bug.cgi?id=194725
295         <rdar://problem/48126604>
296
297         Reviewed by Joseph Pecoraro and Devin Rousso.
298
299         * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
300         to the evaluate function, and mark the function as override so that PageRuntimeAgent
301         can change the behaviour.
302         (Inspector::InspectorRuntimeAgent::evaluate):
303         * inspector/agents/InspectorRuntimeAgent.h:
304         * inspector/protocol/Runtime.json:
305
306 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
307
308         [JSC] Do not initialize Wasm related data if Wasm is not enabled
309         https://bugs.webkit.org/show_bug.cgi?id=194728
310
311         Reviewed by Mark Lam.
312
313         Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.
314
315         * runtime/InitializeThreading.cpp:
316         (JSC::initializeThreading):
317         * runtime/JSLock.cpp:
318         (JSC::JSLock::didAcquireLock):
319
320 2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>
321
322         [WTF] Add environment variable helpers
323         https://bugs.webkit.org/show_bug.cgi?id=192405
324
325         Reviewed by Michael Catanzaro.
326
327         * inspector/remote/glib/RemoteInspectorGlib.cpp:
328         (Inspector::RemoteInspector::RemoteInspector):
329         (Inspector::RemoteInspector::start):
330         * jsc.cpp:
331         (startTimeoutThreadIfNeeded):
332         * runtime/Options.cpp:
333         (JSC::overrideOptionWithHeuristic):
334         (JSC::Options::overrideAliasedOptionWithHeuristic):
335         (JSC::Options::initialize):
336         * runtime/VM.cpp:
337         (JSC::enableAssembler):
338         (JSC::VM::VM):
339         * tools/CodeProfiling.cpp:
340         (JSC::CodeProfiling::notifyAllocator):
341         Utilize WTF::Environment where possible.
342
343 2019-02-15  Mark Lam  <mark.lam@apple.com>
344
345         SamplingProfiler::stackTracesAsJSON() should escape strings.
346         https://bugs.webkit.org/show_bug.cgi?id=194649
347         <rdar://problem/48072386>
348
349         Reviewed by Saam Barati.
350
351         Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().
352
353         * runtime/SamplingProfiler.cpp:
354         (JSC::SamplingProfiler::stackTracesAsJSON):
355         * runtime/TypeSet.cpp:
356         (JSC::TypeSet::toJSONString const):
357         (JSC::StructureShape::toJSONString const):
358
359 2019-02-15  Robin Morisset  <rmorisset@apple.com>
360
361         CodeBlock::jettison should clear related watchpoints
362         https://bugs.webkit.org/show_bug.cgi?id=194544
363
364         Reviewed by Mark Lam.
365
366         * bytecode/CodeBlock.cpp:
367         (JSC::CodeBlock::jettison):
368         * dfg/DFGCommonData.h:
369         (JSC::DFG::CommonData::clearWatchpoints): Added.
370         * dfg/CommonData.cpp:
371         (JSC::DFG::CommonData::clearWatchpoints): Added.
372
373 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
374
375         Move bytecode cache-related filesystem code out of CodeCache
376         https://bugs.webkit.org/show_bug.cgi?id=194675
377
378         Reviewed by Saam Barati.
379
380         That code is only used for the bytecode-cache tests, so it should live in
381         jsc.cpp rather than in the CodeCache.
382
383         * jsc.cpp:
384         (CliSourceProvider::create):
385         (CliSourceProvider::~CliSourceProvider):
386         (CliSourceProvider::cachePath const):
387         (CliSourceProvider::loadBytecode):
388         (CliSourceProvider::CliSourceProvider):
389         (jscSource):
390         (GlobalObject::moduleLoaderFetch):
391         (functionDollarEvalScript):
392         (runWithOptions):
393         * parser/SourceProvider.h:
394         (JSC::SourceProvider::cacheBytecode const):
395         * runtime/CodeCache.cpp:
396         (JSC::writeCodeBlock):
397         * runtime/CodeCache.h:
398         (JSC::CodeCacheMap::fetchFromDiskImpl):
399
400 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
401
402         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
403         https://bugs.webkit.org/show_bug.cgi?id=194714
404
405         Reviewed by Mark Lam.
406
407         Let's consider the following extreme case.
408
409         1. VM (A) is created.
410         2. Another VM (B) is created on a different thread.
411         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
412         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
413         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
414         6. (A) sees the half-baked worklist, which may be in the middle of creation.
415
416         This patch puts a store-store fence just before putting a pointer into a global variable.
417         This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.
418
419         * dfg/DFGWorklist.cpp:
420         (JSC::DFG::ensureGlobalDFGWorklist):
421         (JSC::DFG::ensureGlobalFTLWorklist):
422         * wasm/WasmWorklist.cpp:
423         (JSC::Wasm::ensureWorklist):
424
425 2019-02-15  Commit Queue  <commit-queue@webkit.org>
426
427         Unreviewed, rolling out r241559 and r241566.
428         https://bugs.webkit.org/show_bug.cgi?id=194710
429
430         Causes layout test crashes under GuardMalloc (Requested by
431         ryanhaddad on #webkit).
432
433         Reverted changesets:
434
435         "[WTF] Add environment variable helpers"
436         https://bugs.webkit.org/show_bug.cgi?id=192405
437         https://trac.webkit.org/changeset/241559
438
439         "Unreviewed build fix for WinCairo Debug after r241559."
440         https://trac.webkit.org/changeset/241566
441
442 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
443
444         [JSC] Do not even allocate JIT worklists in non-JIT mode
445         https://bugs.webkit.org/show_bug.cgi?id=194693
446
447         Reviewed by Mark Lam.
448
449         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
450         And we do not perform any GC operations that are only meaningful in a JIT environment.
451
452         1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
453         2. We remove the DFG marking constraint in non-JIT mode.
454         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
455         4. We do not visit JITStubRoutineSet.
456         5. Align JITWorklist function names to the other worklists.
457
458         * dfg/DFGOSRExitPreparation.cpp:
459         (JSC::DFG::prepareCodeOriginForOSRExit):
460         * dfg/DFGPlan.h:
461         * dfg/DFGWorklist.cpp:
462         (JSC::DFG::markCodeBlocks): Deleted.
463         * dfg/DFGWorklist.h:
464         * heap/Heap.cpp:
465         (JSC::Heap::completeAllJITPlans):
466         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
467         (JSC::Heap::gatherScratchBufferRoots):
468         (JSC::Heap::removeDeadCompilerWorklistEntries):
469         (JSC::Heap::stopThePeriphery):
470         (JSC::Heap::suspendCompilerThreads):
471         (JSC::Heap::resumeCompilerThreads):
472         (JSC::Heap::addCoreConstraints):
473         * jit/JITWorklist.cpp:
474         (JSC::JITWorklist::existingGlobalWorklistOrNull):
475         (JSC::JITWorklist::ensureGlobalWorklist):
476         (JSC::JITWorklist::instance): Deleted.
477         * jit/JITWorklist.h:
478         * llint/LLIntSlowPaths.cpp:
479         (JSC::LLInt::jitCompileAndSetHeuristics):
480         * runtime/VM.cpp:
481         (JSC::VM::~VM):
482         (JSC::VM::gatherScratchBufferRoots):
483         (JSC::VM::gatherConservativeRoots): Deleted.
484         * runtime/VM.h:
485
486 2019-02-15  Saam Barati  <sbarati@apple.com>
487
488         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
489         https://bugs.webkit.org/show_bug.cgi?id=194036
490
491         Reviewed by Yusuke Suzuki.
492
493         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
494         use linear scan for register allocation. Instead of linear scan, Air-O0 does
495         mostly block-local register allocation, and it does this as it's emitting
496         code directly. The register allocator uses liveness analysis to reduce
497         the number of spills. Doing register allocation as we're emitting code
498         allows us to skip editing the IR to insert spills, which saves a non-trivial
499         amount of compile time. For stack allocation, we give each Tmp its own slot.
500         This is less than ideal. We probably want to do some trivial live range analysis
501         in the future. The reason this isn't a deal breaker for Wasm is that this patch
502         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
503         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
504         
505         This patch is another 25% Wasm startup time speedup. It seems to be worth
506         another 1% on JetStream2.
507
508         * JavaScriptCore.xcodeproj/project.pbxproj:
509         * Sources.txt:
510         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
511         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
512         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
513         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
514         (JSC::B3::Air::callFrameAddr):
515         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
516         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
517         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
518         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
519         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
520         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
521         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
522         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
523         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
524         * b3/air/AirCode.cpp:
525         * b3/air/AirCode.h:
526         * b3/air/AirGenerate.cpp:
527         (JSC::B3::Air::prepareForGeneration):
528         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
529         (JSC::B3::Air::generate):
530         * b3/air/AirHandleCalleeSaves.cpp:
531         (JSC::B3::Air::handleCalleeSaves):
532         * b3/air/AirHandleCalleeSaves.h:
533         * b3/air/AirTmpMap.h:
534         * runtime/Options.h:
535         * wasm/WasmAirIRGenerator.cpp:
536         (JSC::Wasm::AirIRGenerator::didKill):
537         (JSC::Wasm::AirIRGenerator::newTmp):
538         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
539         (JSC::Wasm::parseAndCompileAir):
540         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
541         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
542         * wasm/WasmAirIRGenerator.h:
543         * wasm/WasmB3IRGenerator.cpp:
544         (JSC::Wasm::B3IRGenerator::didKill):
545         * wasm/WasmBBQPlan.cpp:
546         (JSC::Wasm::BBQPlan::compileFunctions):
547         * wasm/WasmFunctionParser.h:
548         (JSC::Wasm::FunctionParser<Context>::parseBody):
549         (JSC::Wasm::FunctionParser<Context>::parseExpression):
550         * wasm/WasmValidate.cpp:
551         (JSC::Wasm::Validate::didKill):
552
553 2019-02-14  Saam Barati  <sbarati@apple.com>
554
555         lowerStackArgs should lower Lea32/64 on ARM64 to Add
556         https://bugs.webkit.org/show_bug.cgi?id=194656
557
558         Reviewed by Yusuke Suzuki.
559
560         On arm64, Lea is just implemented as an add. However, Air treats it as an
561         address with a given width. Because of this width, we were incorrectly
562         computing whether or not this immediate could fit into the instruction itself
563         or it needed to be explicitly put into a register. This patch makes
564         AirLowerStackArgs lower Lea to Add on arm64.
565
566         * b3/air/AirLowerStackArgs.cpp:
567         (JSC::B3::Air::lowerStackArgs):
568         * b3/air/AirOpcode.opcodes:
569         * b3/air/testair.cpp:
570
571 2019-02-14  Saam Barati  <sbarati@apple.com>
572
573         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
574         https://bugs.webkit.org/show_bug.cgi?id=194583
575         <rdar://problem/48028140>
576
577         Reviewed by Yusuke Suzuki.
578
579         This patch makes it so that getVariablesUnderTDZ caches a result of
580         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
581         it's called in an environment where there are a lot of variables.
582         This patch makes it so we cache its results. This is profitable when
583         getVariablesUnderTDZ is called repeatedly with the same environment
584         state. This is common since we call this every time we encounter a
585         function definition/expression node.
586
587         * builtins/BuiltinExecutables.cpp:
588         (JSC::BuiltinExecutables::createExecutable):
589         * bytecode/UnlinkedFunctionExecutable.cpp:
590         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
591         * bytecode/UnlinkedFunctionExecutable.h:
592         * bytecompiler/BytecodeGenerator.cpp:
593         (JSC::BytecodeGenerator::popLexicalScopeInternal):
594         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
595         (JSC::BytecodeGenerator::pushTDZVariables):
596         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
597         (JSC::BytecodeGenerator::restoreTDZStack):
598         * bytecompiler/BytecodeGenerator.h:
599         (JSC::BytecodeGenerator::makeFunction):
600         * parser/VariableEnvironment.cpp:
601         (JSC::CompactVariableMap::Handle::Handle):
602         (JSC::CompactVariableMap::Handle::operator=):
603         * parser/VariableEnvironment.h:
604         (JSC::CompactVariableMap::Handle::operator bool const):
605         * runtime/CodeCache.cpp:
606         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
607
608 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
609
610         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
611         https://bugs.webkit.org/show_bug.cgi?id=194659
612
613         Reviewed by Mark Lam.
614
615         Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since these entry point codes are identical.
616         We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
617         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
618
619         * dfg/DFGJITCode.h:
620         * dfg/DFGJITFinalizer.cpp:
621         (JSC::DFG::JITFinalizer::finalize):
622         (JSC::DFG::JITFinalizer::finalizeFunction):
623         * jit/JITCode.cpp:
624         (JSC::DirectJITCode::initializeCodeRefForDFG):
625         (JSC::DirectJITCode::initializeCodeRef): Deleted.
626         (JSC::NativeJITCode::initializeCodeRef): Deleted.
627         * jit/JITCode.h:
628         * llint/LLIntEntrypoint.cpp:
629         (JSC::LLInt::setFunctionEntrypoint):
630         (JSC::LLInt::setEvalEntrypoint):
631         (JSC::LLInt::setProgramEntrypoint):
632         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
633
634 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
635
636         [WTF] Add environment variable helpers
637         https://bugs.webkit.org/show_bug.cgi?id=192405
638
639         Reviewed by Michael Catanzaro.
640
641         * inspector/remote/glib/RemoteInspectorGlib.cpp:
642         (Inspector::RemoteInspector::RemoteInspector):
643         (Inspector::RemoteInspector::start):
644         * jsc.cpp:
645         (startTimeoutThreadIfNeeded):
646         * runtime/Options.cpp:
647         (JSC::overrideOptionWithHeuristic):
648         (JSC::Options::overrideAliasedOptionWithHeuristic):
649         (JSC::Options::initialize):
650         * runtime/VM.cpp:
651         (JSC::enableAssembler):
652         (JSC::VM::VM):
653         * tools/CodeProfiling.cpp:
654         (JSC::CodeProfiling::notifyAllocator):
655         Utilize WTF::Environment where possible.
656
657 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
658
659         [JSC] Should have default NativeJITCode
660         https://bugs.webkit.org/show_bug.cgi?id=194634
661
662         Reviewed by Mark Lam.
663
664         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create a NativeExecutable.
665         This is meaningless since we do not modify NativeJITCode after creation. This patch adds a singleton used as the default one.
666         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
667         allocations, which take 14KB.
668
669         * runtime/VM.cpp:
670         (JSC::jitCodeForCallTrampoline):
671         (JSC::jitCodeForConstructTrampoline):
672         (JSC::VM::getHostFunction):
673
674 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
675
676         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
677         https://bugs.webkit.org/show_bug.cgi?id=194576
678
679         Reviewed by Saam Barati.
680
681         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
682         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
683
684         * bytecode/UnlinkedFunctionExecutable.cpp:
685         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
686         (JSC::UnlinkedFunctionExecutable::link):
687         * bytecode/UnlinkedFunctionExecutable.h:
688         * runtime/CodeCache.cpp:
689         (JSC::generateUnlinkedCodeBlockForFunctions):
690
691 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
692
693         CachedBitVector's size must be converted from bits to bytes
694         https://bugs.webkit.org/show_bug.cgi?id=194441
695
696         Reviewed by Saam Barati.
697
698         CachedBitVector used its size in bits for memcpy. That didn't cause any
699         issues when encoding, since the size in bits was also used in the allocation,
700         but would overflow the actual BitVector buffer when decoding.
701
702         * runtime/CachedTypes.cpp:
703         (JSC::CachedBitVector::encode):
704         (JSC::CachedBitVector::decode const):
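
The bits-versus-bytes mistake described in the entry above is a classic length-unit confusion: it is harmless on the encode side only because the same wrong number was used for the allocation, and it becomes a heap overflow on decode. The following is an added example, not code from WebKit: a toy bit vector with a constructed wire format, whose decoder converts the bit count to a byte count before the memcpy and rejects input shorter than the payload it claims. `BitVector`, `bitsToBytes`, `encodeBitVector` and `decodeBitVector` are names assumed for this example; they are not WTF::BitVector or JSC's CachedBitVector.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Minimal bit vector: `numBits` valid bits packed LSB-first into bytes.
// Constructed for this example; it is not WTF::BitVector.
struct BitVector {
    size_t numBits;
    std::vector<uint8_t> bytes;
    explicit BitVector(size_t n) : numBits(n), bytes((n + 7) / 8, 0) {}
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
};

// The conversion the entry is about: a size in bits is not a size in bytes.
constexpr size_t bitsToBytes(size_t bits) { return (bits + 7) / 8; }

// Wire format (constructed): host-endian uint64_t bit count, then the payload bytes.
std::vector<uint8_t> encodeBitVector(const BitVector& bv) {
    const size_t payload = bitsToBytes(bv.numBits);
    std::vector<uint8_t> out(sizeof(uint64_t) + payload);
    const uint64_t n = bv.numBits;
    std::memcpy(out.data(), &n, sizeof n);
    if (payload)
        std::memcpy(out.data() + sizeof n, bv.bytes.data(), payload);
    return out;
}

// Decoder: copies `payload` bytes (not `n` bytes) and refuses short input.
BitVector decodeBitVector(const uint8_t* data, size_t size) {
    if (size < sizeof(uint64_t))
        throw std::runtime_error("truncated header");
    uint64_t n = 0;
    std::memcpy(&n, data, sizeof n);
    if (n > SIZE_MAX - 7)                           // (n + 7) must not wrap
        throw std::runtime_error("bit count too large");
    const size_t payload = bitsToBytes(static_cast<size_t>(n));
    // Using `n` here instead of `payload` is the bug the entry describes: with
    // numBits = 64 it would copy 64 bytes into an 8-byte buffer.
    if (size - sizeof(uint64_t) < payload)
        throw std::runtime_error("truncated payload");
    BitVector bv(static_cast<size_t>(n));
    if (payload)
        std::memcpy(bv.bytes.data(), data + sizeof(uint64_t), payload);
    return bv;
}

// Round trip: set a few bits, encode, decode, and check they survived.
bool roundTripPreservesBits() {
    BitVector bv(37);
    bv.set(0); bv.set(9); bv.set(36);
    std::vector<uint8_t> blob = encodeBitVector(bv);
    BitVector back = decodeBitVector(blob.data(), blob.size());
    return back.numBits == 37 && back.bytes.size() == 5
        && back.get(0) && back.get(9) && back.get(36)
        && !back.get(1) && !back.get(35);
}

// A blob one byte shorter than its header promises must be rejected, not over-read.
bool truncatedBlobIsRejected() {
    BitVector bv(64);
    std::vector<uint8_t> blob = encodeBitVector(bv);
    try {
        decodeBitVector(blob.data(), blob.size() - 1);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```

The check in decodeBitVector is the one a reviewer looks for in any deserializer: the byte count derived from an untrusted header is validated against the bytes actually available before any copy, and the arithmetic that derives it cannot wrap.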
705
706 2019-02-13  Brian Burg  <bburg@apple.com>
707
708         Web Inspector: don't include accessibility role in DOM.Node object payloads
709         https://bugs.webkit.org/show_bug.cgi?id=194623
710         <rdar://problem/36384037>
711
712         Reviewed by Devin Rousso.
713
714         Remove property of DOM.Node that is no longer being sent.
715
716         * inspector/protocol/DOM.json:
717
718 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
719
720         We should only make rope strings when concatenating strings long enough.
721         https://bugs.webkit.org/show_bug.cgi?id=194465
722
723         Reviewed by Mark Lam.
724
725         This patch stops us from allocating a rope string if the resulting
726         rope would be smaller than the size of the JSRopeString object we
727         would need to allocate.
728
729         This patch also adds paths so that we don't unnecessarily allocate
730         JSString cells for primitives we are going to concatenate with a
731         string anyway.
732
733         The important change from the previous one is that we do not apply
734         the above rule to JSRopeStrings generated by JSStrings. If we convert
735         it to JSString, comparison of memory consumption becomes the following,
736         because JSRopeString does not have StringImpl until it is resolved.
737
738             sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content
739
740         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
741         resolving eagerly increases memory footprint. The point is that we need to
742         account for the newly created JSString and JSRopeString from the operands. This is the
743         reason why this patch adds different thresholds for each of the jsString functions.
744
745         This patch also avoids concatenation for ropes conservatively. Many ropes are
746         temporary cells. So we do not resolve eagerly if one of the operands is already a
747         rope.
748
749         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaging the latter 5).
750
751             Before: 159.3778
752             After:  160.72340000000003
753
754         * dfg/DFGOperations.cpp:
755         * runtime/CommonSlowPaths.cpp:
756         (JSC::SLOW_PATH_DECL):
757         * runtime/JSString.h:
758         (JSC::JSString::isRope const):
759         * runtime/Operations.cpp:
760         (JSC::jsAddSlowCase):
761         * runtime/Operations.h:
762         (JSC::jsString):
763         (JSC::jsAddNonNumber):
764         (JSC::jsAdd):
765
766 2019-02-13  Saam Barati  <sbarati@apple.com>
767
768         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
769         https://bugs.webkit.org/show_bug.cgi?id=194610
770
771         Reviewed by Michael Saboff.
772
773         BinarySwitch might use the scratch register. We must model the
774         effects of that properly. This is already caught by our br-table
775         tests on arm64.
776
777         * wasm/WasmAirIRGenerator.cpp:
778         (JSC::Wasm::AirIRGenerator::addSwitch):
779
780 2019-02-13  Mark Lam  <mark.lam@apple.com>
781
782         Create a randomized free list for new StructureIDs on StructureIDTable resize.
783         https://bugs.webkit.org/show_bug.cgi?id=194566
784         <rdar://problem/47975502>
785
786         Reviewed by Michael Saboff.
787
788         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
789         implementation is a little easier to read.
790
791         This patch appears to be perf neutral on JetStream2 (as run from the command line).
792
793         * runtime/StructureIDTable.cpp:
794         (JSC::StructureIDTable::StructureIDTable):
795         (JSC::StructureIDTable::makeFreeListFromRange):
796         (JSC::StructureIDTable::resize):
797         (JSC::StructureIDTable::allocateID):
798         (JSC::StructureIDTable::deallocateID):
799         * runtime/StructureIDTable.h:
800         (JSC::StructureIDTable::get):
801         (JSC::StructureIDTable::deallocateID):
802         (JSC::StructureIDTable::allocateID):
803         (JSC::StructureIDTable::flushOldTables):
804
805 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
806
807         VariableLengthObject::allocate<T> should initialize objects
808         https://bugs.webkit.org/show_bug.cgi?id=194534
809
810         Reviewed by Michael Saboff.
811
812         `buffer()` should not be called for empty VariableLengthObjects, but
813         these cases were not being caught due to the objects not being properly
814         initialized. Fix it so that allocate calls the constructor and fix the
815         assertion failures.
816
817         * runtime/CachedTypes.cpp:
818         (JSC::CachedObject::operator new):
819         (JSC::VariableLengthObject::allocate):
820         (JSC::CachedVector::encode):
821         (JSC::CachedVector::decode const):
822         (JSC::CachedUniquedStringImpl::decode const):
823         (JSC::CachedBitVector::encode):
824         (JSC::CachedBitVector::decode const):
825         (JSC::CachedArray::encode):
826         (JSC::CachedArray::decode const):
827         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
828         (JSC::CachedBigInt::decode const):
829
830 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
831
832         CodeBlocks read from disk should not be re-written
833         https://bugs.webkit.org/show_bug.cgi?id=194535
834
835         Reviewed by Michael Saboff.
836
837         Keep track of which CodeBlocks have been read from disk or have already
838         been serialized in CodeCache.
839
840         * runtime/CodeCache.cpp:
841         (JSC::CodeCache::write):
842         * runtime/CodeCache.h:
843         (JSC::SourceCodeValue::SourceCodeValue):
844         (JSC::CodeCacheMap::fetchFromDiskImpl):
845
846 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
847
848         SourceCode should be copied when generating bytecode for functions
849         https://bugs.webkit.org/show_bug.cgi?id=194536
850
851         Reviewed by Saam Barati.
852
853         The FunctionExecutable might be collected while generating the bytecode
854         for nested functions, in which case the SourceCode reference would no
855         longer be valid.
856
857         * runtime/CodeCache.cpp:
858         (JSC::generateUnlinkedCodeBlockForFunctions):
859
860 2019-02-12  Saam Barati  <sbarati@apple.com>
861
862         JSScript needs to retain its cache path NSURL*
863         https://bugs.webkit.org/show_bug.cgi?id=194577
864
865         Reviewed by Tim Horton.
866
867         * API/JSScript.mm:
868         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
869         (-[JSScript dealloc]):
870
871 2019-02-12  Robin Morisset  <rmorisset@apple.com>
872
873         Make B3Value::returnsBool() more precise
874         https://bugs.webkit.org/show_bug.cgi?id=194457
875
876         Reviewed by Saam Barati.
877
878         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
879         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
880         No new tests added as this should be indirectly tested by the already existing tests.
881
882         * b3/B3Value.cpp:
883         (JSC::B3::Value::returnsBool const):
884
885 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
886
887         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
888         https://bugs.webkit.org/show_bug.cgi?id=194399
889         <rdar://problem/47889777>
890
891         * dfg/DFGDoesGC.cpp:
892         (JSC::DFG::doesGC):
893
894 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
895
896         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
897         https://bugs.webkit.org/show_bug.cgi?id=194370
898
899         Reviewed by Darin Adler.
900
901         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
902         necessary, but it will make errors more visible.
903
904         * inspector/remote/glib/RemoteInspectorGlib.cpp:
905         (Inspector::RemoteInspector::start):
906         (Inspector::dbusConnectionCallAsyncReadyCallback):
907         * inspector/remote/glib/RemoteInspectorServer.cpp:
908         (Inspector::RemoteInspectorServer::start):
909
910 2019-02-12  Andy Estes  <aestes@apple.com>
911
912         [iOSMac] Enable Parental Controls Content Filtering
913         https://bugs.webkit.org/show_bug.cgi?id=194521
914         <rdar://39732376>
915
916         Reviewed by Tim Horton.
917
918         * Configurations/FeatureDefines.xcconfig:
919
920 2019-02-11  Mark Lam  <mark.lam@apple.com>
921
922         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
923         https://bugs.webkit.org/show_bug.cgi?id=194512
924         <rdar://problem/47975465>
925
926         Reviewed by Yusuke Suzuki.
927
928         * runtime/StructureIDTable.cpp:
929         (JSC::StructureIDTable::StructureIDTable):
930         (JSC::StructureIDTable::allocateID):
931         (JSC::StructureIDTable::deallocateID):
932         * runtime/StructureIDTable.h:
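
This entry and the 2019-02-13 entry "Create a randomized free list for new StructureIDs on StructureIDTable resize" describe one mitigation: a StructureID should not be predictable from allocation order, neither for a freshly grown range of IDs nor for an ID that is freed and handed out again. The following is an added example, not JSC's StructureIDTable: a toy table in which a newly created ID range is shuffled before it becomes the free list, and a freed ID is reinserted at a random position rather than at the head. `RandomizedIDTable`, `makeFreeListFromRange`, `allocateID`, `deallocateID` and `allocateMany` are names assumed here, and the toy uses plain table indices as IDs.

```cpp
#include <algorithm>
#include <cstdint>
#include <random>
#include <stdexcept>
#include <vector>

// Toy ID table modelled on the two ChangeLog entries: IDs come off a free
// list whose order is randomized both on resize and on deallocation.
class RandomizedIDTable {
public:
    RandomizedIDTable(uint32_t initialCapacity, uint64_t seed)
        : m_rng(seed)
    {
        m_table.push_back(nullptr);              // ID 0 reserved as "invalid"
        makeFreeListFromRange(1, initialCapacity);
    }

    uint32_t allocateID(void* entry) {
        if (m_freeList.empty())
            resize();
        uint32_t id = m_freeList.back();
        m_freeList.pop_back();
        m_table[id] = entry;
        return id;
    }

    void deallocateID(uint32_t id) {
        if (id == 0 || id >= m_table.size() || !m_table[id])
            throw std::invalid_argument("double free or bogus id");
        m_table[id] = nullptr;
        // Reinsert at a random position, so the order of future allocations
        // does not reveal the order of past deallocations.
        std::uniform_int_distribution<size_t> pos(0, m_freeList.size());
        m_freeList.insert(m_freeList.begin() + pos(m_rng), id);
    }

    void* get(uint32_t id) const { return id < m_table.size() ? m_table[id] : nullptr; }
    uint32_t capacity() const { return static_cast<uint32_t>(m_table.size()); }
    size_t freeCount() const { return m_freeList.size(); }

private:
    // Grow the table to `end` slots and push [first, end) onto the free list
    // in shuffled order (std::shuffle is a Fisher-Yates shuffle).
    void makeFreeListFromRange(uint32_t first, uint32_t end) {
        m_table.resize(end, nullptr);
        std::vector<uint32_t> range;
        for (uint32_t id = first; id < end; ++id)
            range.push_back(id);
        std::shuffle(range.begin(), range.end(), m_rng);
        m_freeList.insert(m_freeList.end(), range.begin(), range.end());
    }

    void resize() {
        uint32_t old = capacity();
        makeFreeListFromRange(old, old * 2);
    }

    std::mt19937_64 m_rng;                       // seeded PRNG; a real table would use a CSPRNG
    std::vector<void*> m_table;
    std::vector<uint32_t> m_freeList;
};

// Helper: allocate `count` IDs against a dummy entry and return them in allocation order.
std::vector<uint32_t> allocateMany(RandomizedIDTable& table, size_t count) {
    static int dummy;
    std::vector<uint32_t> ids;
    for (size_t i = 0; i < count; ++i)
        ids.push_back(table.allocateID(&dummy));
    return ids;
}
```

What the test checks is the property the mitigation must keep while it randomizes: every ID in a range is still handed out exactly once, a freed ID is invalid until reused, and a double free is detected rather than silently corrupting the free list.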
933
934 2019-02-10  Mark Lam  <mark.lam@apple.com>
935
936         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
937         https://bugs.webkit.org/show_bug.cgi?id=194493
938         <rdar://problem/36380852>
939
940         Reviewed by Yusuke Suzuki.
941
942         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
943         however not good for performance and memory usage.  As such, a debug ASSERT will
944         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
945         possible to be instantiated with duplicate cases in
946         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
947
948         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
949         see duplicate cases.
950
951         * jit/BinarySwitch.cpp:
952         (JSC::BinarySwitch::BinarySwitch):
953
954 2019-02-10  Darin Adler  <darin@apple.com>
955
956         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
957         https://bugs.webkit.org/show_bug.cgi?id=194485
958
959         Reviewed by Daniel Bates.
960
961         * heap/HeapSnapshotBuilder.cpp:
962         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
963         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
964
965         * runtime/JSGlobalObjectFunctions.cpp:
966         (JSC::encode): Removed some unneeded casts in StringBuilder code,
967         including one in a call to appendByteAsHex.
968         (JSC::globalFuncEscape): Ditto.
969
970 2019-02-10  Commit Queue  <commit-queue@webkit.org>
971
972         Unreviewed, rolling out r241230.
973         https://bugs.webkit.org/show_bug.cgi?id=194488
974
975         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
976         #webkit).
977
978         Reverted changeset:
979
980         "We should only make rope strings when concatenating strings
981         long enough."
982         https://bugs.webkit.org/show_bug.cgi?id=194465
983         https://trac.webkit.org/changeset/241230
984
985 2019-02-10  Saam Barati  <sbarati@apple.com>
986
987         BBQ-Air: Emit better code for switch
988         https://bugs.webkit.org/show_bug.cgi?id=194053
989
990         Reviewed by Yusuke Suzuki.
991
992         Instead of emitting a linear set of jumps for Switch, this patch
993         makes the BBQ-Air backend emit a binary switch.
994
995         * wasm/WasmAirIRGenerator.cpp:
996         (JSC::Wasm::AirIRGenerator::addSwitch):
997
998 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
999
1000         Unreviewed, Lexer should use isLatin1 implementation in WTF
1001         https://bugs.webkit.org/show_bug.cgi?id=194466
1002
1003         Follow-up after r241233, pointed out by Darin.
1004
1005         * parser/Lexer.cpp:
1006         (JSC::isLatin1): Deleted.
1007
1008 2019-02-09  Darin Adler  <darin@apple.com>
1009
1010         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1011         https://bugs.webkit.org/show_bug.cgi?id=194021
1012
1013         Reviewed by Geoffrey Garen.
1014
1015         * inspector/agents/InspectorConsoleAgent.cpp:
1016         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1017         makeString do the conversion without allocating/destroying a String.
1018         * inspector/agents/InspectorDebuggerAgent.cpp:
1019         (Inspector::objectGroupForBreakpointAction): Ditto.
1020         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1021         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1022         * runtime/JSGenericTypedArrayViewInlines.h:
1023         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1024         * runtime/NumberPrototype.cpp:
1025         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1026         of calling numberToFixedWidthString to do the same thing.
1027         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1028         numberToFixedPrecisionString to do the same thing.
1029         * runtime/SamplingProfiler.cpp:
1030         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1031
1032 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1033
1034         Unreviewed, rolling in r241237 again
1035         https://bugs.webkit.org/show_bug.cgi?id=194469
1036
1037         * runtime/JSString.h:
1038         (JSC::jsSubstring):
1039
1040 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1041
1042         Unreviewed, rolling out r241237.
1043         https://bugs.webkit.org/show_bug.cgi?id=194474
1044
1045         Shows significant memory increase in WSL (Requested by
1046         yusukesuzuki on #webkit).
1047
1048         Reverted changeset:
1049
1050         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1051         takes more memory"
1052         https://bugs.webkit.org/show_bug.cgi?id=194469
1053         https://trac.webkit.org/changeset/241237
1054
1055 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1056
1057         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1058         https://bugs.webkit.org/show_bug.cgi?id=194469
1059
1060         Reviewed by Geoffrey Garen.
1061
1062         * runtime/JSString.h:
1063         (JSC::jsSubstring):
1064
1065 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1066
1067         [JSC] CachedTypes should use jsString instead of JSString::create
1068         https://bugs.webkit.org/show_bug.cgi?id=194471
1069
1070         Reviewed by Mark Lam.
1071
1072         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1073
1074         * runtime/CachedTypes.cpp:
1075         (JSC::CachedJSValue::decode const):
1076
1077 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1078
1079         [JSC] Increase StructureIDTable initial capacity
1080         https://bugs.webkit.org/show_bug.cgi?id=194468
1081
1082         Reviewed by Mark Lam.
1083
1084         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1085         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1086         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
1087         more memory dirty. We also remove some structures that are no longer used.
1088
1089         * runtime/JSGlobalObject.h:
1090         (JSC::JSGlobalObject::callbackObjectStructure const):
1091         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1092         * runtime/StructureIDTable.h:
1093         * runtime/VM.h:
1094
1095 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1096
1097         [JSC] String.fromCharCode's slow path always generates 16bit string
1098         https://bugs.webkit.org/show_bug.cgi?id=194466
1099
1100         Reviewed by Keith Miller.
1101
1102         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1103         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1104         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1105         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1106         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1107         as much as possible.
1108
1109         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1110
1111         * runtime/StringConstructor.cpp:
1112         (JSC::stringFromCharCode):
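
As an added example (not JSC's stringFromCharCode), the block below shows the decision the entry describes: scan the code units first and build a 16-bit buffer only when some unit does not fit in a byte, plus a concatenation that shows the "taint" the entry mentions, where a single 16-bit operand widens the whole result. `BuiltString`, `buildFromCharCodes` and `concat` are names assumed here; the 8-bit/16-bit split stands in for JSC's Latin-1 and UTF-16 StringImpl and the sizes are those of this toy, not of JSC's cells.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Two storage shapes, mirroring the 8-bit/16-bit distinction in the entry.
// Constructed for this example, not JSC's JSString/StringImpl.
struct BuiltString {
    bool is8Bit = true;
    std::string latin1;    // used when is8Bit
    std::u16string utf16;  // used when !is8Bit
    size_t length() const { return is8Bit ? latin1.size() : utf16.size(); }
    size_t bytes() const { return is8Bit ? latin1.size() : utf16.size() * 2; }
};

// Build from UTF-16 code units; stay 8-bit unless some unit exceeds 0xFF.
BuiltString buildFromCharCodes(const std::vector<uint16_t>& units) {
    BuiltString out;
    for (uint16_t u : units) {
        if (u > 0xFF) { out.is8Bit = false; break; }   // first pass: can we stay Latin-1?
    }
    if (out.is8Bit) {
        out.latin1.reserve(units.size());
        for (uint16_t u : units)
            out.latin1.push_back(static_cast<char>(static_cast<unsigned char>(u)));
    } else {
        out.utf16.assign(units.begin(), units.end());
    }
    return out;
}

// Concatenation: both operands 8-bit stays 8-bit; one 16-bit operand forces
// the whole result (in JSC, the whole rope) to 16-bit.
BuiltString concat(const BuiltString& a, const BuiltString& b) {
    if (a.is8Bit && b.is8Bit) {
        BuiltString out;
        out.latin1 = a.latin1 + b.latin1;
        return out;
    }
    auto widen = [](const BuiltString& s) {
        if (!s.is8Bit)
            return s.utf16;
        std::u16string w;
        for (unsigned char c : s.latin1)
            w.push_back(static_cast<char16_t>(c));
        return w;
    };
    BuiltString out;
    out.is8Bit = false;
    out.utf16 = widen(a) + widen(b);
    return out;
}
```

The extra scan costs one pass over the input, which is what the patch trades for halving the footprint of the common case; the concat shows why one stray 16-bit string matters more than its own size suggests.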
1113
1114 2019-02-08  Keith Miller  <keith_miller@apple.com>
1115
1116         We should only make rope strings when concatenating strings long enough.
1117         https://bugs.webkit.org/show_bug.cgi?id=194465
1118
1119         Reviewed by Saam Barati.
1120
1121         This patch stops us from allocating a rope string if the resulting
1122         rope would be smaller than the size of the JSRopeString object we
1123         would need to allocate.
1124
1125         This patch also adds paths so that we don't unnecessarily allocate
1126         JSString cells for primitives we are going to concatenate with a
1127         string anyway.
1128
1129         * dfg/DFGOperations.cpp:
1130         * runtime/CommonSlowPaths.cpp:
1131         (JSC::SLOW_PATH_DECL):
1132         * runtime/JSString.h:
1133         * runtime/Operations.cpp:
1134         (JSC::jsAddSlowCase):
1135         * runtime/Operations.h:
1136         (JSC::jsString):
1137         (JSC::jsAdd):
1138
1139 2019-02-08  Saam Barati  <sbarati@apple.com>
1140
1141         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1142         https://bugs.webkit.org/show_bug.cgi?id=194334
1143         <rdar://problem/47844327>
1144
1145         Reviewed by Mark Lam.
1146
1147         * dfg/DFGAbstractInterpreterInlines.h:
1148         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1149         * dfg/DFGArgumentsEliminationPhase.cpp:
1150         * dfg/DFGByteCodeParser.cpp:
1151         (JSC::DFG::ByteCodeParser::parseBlock):
1152         * dfg/DFGClobberize.h:
1153         (JSC::DFG::clobberize):
1154         * dfg/DFGConstantFoldingPhase.cpp:
1155         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1156         * dfg/DFGFixupPhase.cpp:
1157         (JSC::DFG::FixupPhase::fixupNode):
1158         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1159         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1160         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1161         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1162         * dfg/DFGNodeType.h:
1163         * dfg/DFGSSALoweringPhase.cpp:
1164         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1165         * dfg/DFGSpeculativeJIT.cpp:
1166         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1167         * ftl/FTLLowerDFGToB3.cpp:
1168         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1169         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1170
1171 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1172
1173         [JSC] Shrink sizeof(CodeBlock) more
1174         https://bugs.webkit.org/show_bug.cgi?id=194419
1175
1176         Reviewed by Mark Lam.
1177
1178         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1179
1180         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
1181         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1182         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1183
1184         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1185         And we do not touch it in CodeBlock::~CodeBlock.
1186
1187         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For the baseline and LLInt
1188         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns
1189         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1190
1191         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1192
1193         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1194
1195         * bytecode/CodeBlock.cpp:
1196         (JSC::CodeBlock::hash const):
1197         (JSC::CodeBlock::sourceCodeForTools const):
1198         (JSC::CodeBlock::dumpAssumingJITType const):
1199         (JSC::CodeBlock::dumpSource):
1200         (JSC::CodeBlock::CodeBlock):
1201         (JSC::CodeBlock::finishCreation):
1202         (JSC::CodeBlock::propagateTransitions):
1203         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1204         (JSC::CodeBlock::setCalleeSaveRegisters):
1205         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1206         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1207         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1208         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1209         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1210         (JSC::CodeBlock::newReplacement):
1211         (JSC::CodeBlock::replacement):
1212         (JSC::CodeBlock::computeCapabilityLevel):
1213         (JSC::CodeBlock::jettison):
1214         (JSC::CodeBlock::calleeSaveRegisters const):
1215         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1216         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1217         (JSC::CodeBlock::getArrayProfile):
1218         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1219         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1220         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1221         (JSC::CodeBlock::validate):
1222         (JSC::CodeBlock::outOfLineJumpTarget):
1223         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1224         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1225         * bytecode/CodeBlock.h:
1226         (JSC::CodeBlock::specializationKind const):
1227         (JSC::CodeBlock::isStrictMode const):
1228         (JSC::CodeBlock::isConstructor const):
1229         (JSC::CodeBlock::codeType const):
1230         (JSC::CodeBlock::isKnownNotImmediate):
1231         (JSC::CodeBlock::instructions const):
1232         (JSC::CodeBlock::ownerExecutable const):
1233         (JSC::CodeBlock::thisRegister const):
1234         (JSC::CodeBlock::source const):
1235         (JSC::CodeBlock::sourceOffset const):
1236         (JSC::CodeBlock::firstLineColumnOffset const):
1237         (JSC::CodeBlock::createRareDataIfNecessary):
1238         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1239         (JSC::CodeBlock::setThisRegister): Deleted.
1240         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1241         * bytecode/EvalCodeBlock.h:
1242         * bytecode/FunctionCodeBlock.h:
1243         * bytecode/GlobalCodeBlock.h:
1244         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1245         * bytecode/ModuleProgramCodeBlock.h:
1246         * bytecode/ProgramCodeBlock.h:
1247         * debugger/Debugger.cpp:
1248         (JSC::Debugger::toggleBreakpoint):
1249         * debugger/DebuggerCallFrame.cpp:
1250         (JSC::DebuggerCallFrame::sourceID const):
1251         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1252         * debugger/DebuggerScope.cpp:
1253         (JSC::DebuggerScope::location const):
1254         * dfg/DFGByteCodeParser.cpp:
1255         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1256         (JSC::DFG::ByteCodeParser::inliningCost):
1257         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1258         * dfg/DFGCapabilities.cpp:
1259         (JSC::DFG::isSupportedForInlining):
1260         (JSC::DFG::mightCompileEval):
1261         (JSC::DFG::mightCompileProgram):
1262         (JSC::DFG::mightCompileFunctionForCall):
1263         (JSC::DFG::mightCompileFunctionForConstruct):
1264         (JSC::DFG::canUseOSRExitFuzzing):
1265         * dfg/DFGGraph.h:
1266         (JSC::DFG::Graph::executableFor):
1267         * dfg/DFGJITCompiler.cpp:
1268         (JSC::DFG::JITCompiler::compileFunction):
1269         * dfg/DFGOSREntry.cpp:
1270         (JSC::DFG::prepareOSREntry):
1271         * dfg/DFGOSRExit.cpp:
1272         (JSC::DFG::restoreCalleeSavesFor):
1273         (JSC::DFG::saveCalleeSavesFor):
1274         (JSC::DFG::saveOrCopyCalleeSavesFor):
1275         * dfg/DFGOSRExitCompilerCommon.cpp:
1276         (JSC::DFG::handleExitCounts):
1277         * dfg/DFGOperations.cpp:
1278         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1279         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1280         * ftl/FTLCapabilities.cpp:
1281         (JSC::FTL::canCompile):
1282         * ftl/FTLLink.cpp:
1283         (JSC::FTL::link):
1284         * ftl/FTLOSRExitCompiler.cpp:
1285         (JSC::FTL::compileStub):
1286         * interpreter/CallFrame.cpp:
1287         (JSC::CallFrame::callerSourceOrigin):
1288         * interpreter/Interpreter.cpp:
1289         (JSC::eval):
1290         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1291         * interpreter/StackVisitor.cpp:
1292         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1293         (JSC::StackVisitor::Frame::sourceURL const):
1294         (JSC::StackVisitor::Frame::sourceID):
1295         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1296         * interpreter/StackVisitor.h:
1297         * jit/AssemblyHelpers.h:
1298         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1299         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1300         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1301         * jit/CallFrameShuffleData.cpp:
1302         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1303         * jit/JIT.cpp:
1304         (JSC::JIT::compileWithoutLinking):
1305         * jit/JITToDFGDeferredCompilationCallback.cpp:
1306         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1307         * jit/JITWorklist.cpp:
1308         (JSC::JITWorklist::Plan::finalize):
1309         (JSC::JITWorklist::compileNow):
1310         * jit/RegisterAtOffsetList.cpp:
1311         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1312         * jit/RegisterAtOffsetList.h:
1313         (JSC::RegisterAtOffsetList::at const):
1314         * runtime/ErrorInstance.cpp:
1315         (JSC::appendSourceToError):
1316         * runtime/ScriptExecutable.cpp:
1317         (JSC::ScriptExecutable::newCodeBlockFor):
1318         * runtime/StackFrame.cpp:
1319         (JSC::StackFrame::sourceID const):
1320         (JSC::StackFrame::sourceURL const):
1321         (JSC::StackFrame::computeLineAndColumn const):
1322
1323 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1324
1325         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1326         https://bugs.webkit.org/show_bug.cgi?id=194460
1327
1328         Reviewed by Mark Lam.
1329
1330         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1331
1332         * b3/B3LowerMacros.cpp:
1333
1334 2019-02-08  Mark Lam  <mark.lam@apple.com>
1335
1336         Use maxSingleCharacterString in comparisons instead of literal constants.
1337         https://bugs.webkit.org/show_bug.cgi?id=194452
1338
1339         Reviewed by Yusuke Suzuki.
1340
1341         This way, if we ever change maxSingleCharacterString, it won't break all this code
1342         that relies on it being 0xff implicitly.
1343
1344         * dfg/DFGSpeculativeJIT.cpp:
1345         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1346         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1347         * ftl/FTLLowerDFGToB3.cpp:
1348         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1349         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1350         * jit/ThunkGenerators.cpp:
1351         (JSC::stringGetByValGenerator):
1352         (JSC::charToString):
1353
1354 2019-02-08  Mark Lam  <mark.lam@apple.com>
1355
1356         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1357         https://bugs.webkit.org/show_bug.cgi?id=194446
1358         <rdar://problem/47926792>
1359
1360         Reviewed by Saam Barati.
1361
1362         Fix doesGC() for the following nodes:
1363
1364             CheckTierUpAtReturn:
1365                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1366                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1367
1368             CheckTierUpInLoop:
1369                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1370                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1371
1372             CheckTierUpAndOSREnter:
1373                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1374                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1375
1376             GetByVal:
1377                 case Array::String calls operationSingleCharacterString(), which calls
1378                 jsSingleCharacterString(), which can allocate a string.
1379
1380             PutByValDirect:
1381             PutByVal:
1382             PutByValAlias:
1383                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1384                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1385                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1386                 slow paths call putByValInternal(), which may create exception objects, or
1387                 call the generic JSValue::put() which may execute arbitrary code.
1388
1389             StringCharAt:
1390                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1391                 which can allocate a string.
1392
1393         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1394         to use the maxSingleCharacterString constant instead of a literal constant.
1395
1396         * dfg/DFGDoesGC.cpp:
1397         (JSC::DFG::doesGC):
1398         * dfg/DFGSpeculativeJIT.cpp:
1399         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1400         * dfg/DFGSpeculativeJIT64.cpp:
1401         (JSC::DFG::SpeculativeJIT::compile):
1402         * ftl/FTLLowerDFGToB3.cpp:
1403         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1404         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1405         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1406
1407 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1408
1409         [JSC] SourceProviderCacheItem should be small
1410         https://bugs.webkit.org/show_bug.cgi?id=194432
1411
1412         Reviewed by Saam Barati.
1413
1414         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1415         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1416         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1417
1418         * parser/Parser.cpp:
1419         (JSC::Parser<LexerType>::parseFunctionInfo):
1420         * parser/ParserModes.h:
1421         * parser/ParserTokens.h:
1422         * parser/SourceProviderCacheItem.h:
1423         (JSC::SourceProviderCacheItem::endFunctionToken const):
1424         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1425
1426 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1427
1428         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1429         https://bugs.webkit.org/show_bug.cgi?id=194420
1430
1431         Reviewed by Saam Barati.
1432
1433         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1434         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1435         This trivial patch fixes both.
1436
1437         * b3/B3ReduceStrength.cpp:
1438         * b3/testb3.cpp:
1439         (JSC::B3::testAbsNegArg):
1440
1441 2019-02-07  Keith Miller  <keith_miller@apple.com>
1442
1443         Better error messages for module loader SPI
1444         https://bugs.webkit.org/show_bug.cgi?id=194421
1445
1446         Reviewed by Saam Barati.
1447
1448         * API/JSAPIGlobalObject.mm:
1449         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1450
1451 2019-02-07  Mark Lam  <mark.lam@apple.com>
1452
1453         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1454         https://bugs.webkit.org/show_bug.cgi?id=194399
1455         <rdar://problem/47889777>
1456
1457         Reviewed by Yusuke Suzuki.
1458
1459         Fix doesGC() for the following nodes:
1460
1461             CheckTraps:
1462                 We normally will not emit this node because Options::usePollingTraps() is
1463                 false by default.  However, as it is implemented now, CheckTraps can GC
1464                 because it can allocate a TerminatedExecutionException.  If we make the
1465                 TerminatedExecutionException a singleton allocated at initialization time,
1466                 doesGC() can return false for CheckTraps.
1467                 https://bugs.webkit.org/show_bug.cgi?id=194323
1468
1469             GetMapBucket:
1470                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1471                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1472                 can resolve a rope.
1473
1474             Switch:
1475                 If switchData kind is SwitchChar, can call operationResolveRope().
1476                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1477                     can call operationSwitchString() which resolves ropes.
1478
1479             DirectTailCall:
1480             ForceOSRExit:
1481             Return:
1482             TailCallForwardVarargs:
1483             TailCallVarargs:
1484             Throw:
1485                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1486                 for them, but following our conservative practice, unless we have a good
1487                 reason for doesGC() to return false, we should just return true.
1488
1489         * dfg/DFGDoesGC.cpp:
1490         (JSC::DFG::doesGC):
1491
1492 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1493
1494         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1495         https://bugs.webkit.org/show_bug.cgi?id=194250
1496
1497         Reviewed by Saam Barati.
1498
1499         Adds the following optimizations for integers:
1500         - Sub(x, x) => 0
1501             Already covered by the test testSubArg
1502         - Sub(x1, Neg(x2)) => Add (x1, x2)
1503             Added test: testSubNeg
1504         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1505             Added test: testNegSub
1506         - Add(Neg(x1), x2) => Sub(x2, x1)
1507             Added test: testAddNeg1
1508         - Add(x1, Neg(x2)) => Sub(x1, x2)
1509             Added test: testAddNeg2
1510         Adds the following optimization for floating point values:
1511         - Abs(Neg(x)) => Abs(x)
1512             Added test: testAbsNegArg
1514
1515         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1516
1517         * b3/B3ReduceStrength.cpp:
1518         * b3/testb3.cpp:
1519         (JSC::B3::testAddNeg1):
1520         (JSC::B3::testAddNeg2):
1521         (JSC::B3::testSubNeg):
1522         (JSC::B3::testNegSub):
1523         (JSC::B3::testAbsAbsArg):
1524         (JSC::B3::testAbsNegArg):
1525         (JSC::B3::run):
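        The peephole rules from the two B3ReduceStrength entries above (the integer Neg/Sub rewrites and the
        floating-point Abs(Neg(x)) => Abs(x) rule from bug 194250, and the Abs correction from bug 194420),
        carried out on a toy expression tree as an added example. This is not B3's code: the Op/Node/reduce/dump
        names are constructed for the example, and the reproduceBug flag selects the faulty Abs(Neg(x)) => x
        rewrite so the semantic check shows why it was wrong.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

// Minimal expression IR standing in for B3 Values (constructed for this
// example; not JavaScriptCore's real B3 IR).
enum class Op { Arg, Const, Add, Sub, Neg, Abs };

struct Node {
    Op op;
    bool isInteger;                      // plays the role of m_value->isInteger()
    int index;                           // argument slot for Op::Arg
    int64_t constant;                    // value for Op::Const
    std::shared_ptr<const Node> a, b;    // Neg/Abs use a; Add/Sub use a and b
};
using NodePtr = std::shared_ptr<const Node>;

static NodePtr make(Op op, bool isInt, NodePtr a = nullptr, NodePtr b = nullptr,
                    int index = 0, int64_t c = 0) {
    return std::make_shared<Node>(Node{op, isInt, index, c, std::move(a), std::move(b)});
}
static NodePtr arg(int i, bool isInt = true) { return make(Op::Arg, isInt, nullptr, nullptr, i); }
static NodePtr constant(int64_t v) { return make(Op::Const, true, nullptr, nullptr, 0, v); }
static NodePtr neg(NodePtr x) { return make(Op::Neg, x->isInteger, x); }
static NodePtr absv(NodePtr x) { return make(Op::Abs, x->isInteger, x); }
static NodePtr add(NodePtr x, NodePtr y) { return make(Op::Add, x->isInteger, x, y); }
static NodePtr sub(NodePtr x, NodePtr y) { return make(Op::Sub, x->isInteger, x, y); }

// Printable shape, so a test can check which rewrite fired.
static std::string dump(const NodePtr& n) {
    switch (n->op) {
    case Op::Arg:   return "x" + std::to_string(n->index);
    case Op::Const: return std::to_string(n->constant);
    case Op::Neg:   return "Neg(" + dump(n->a) + ")";
    case Op::Abs:   return "Abs(" + dump(n->a) + ")";
    case Op::Add:   return "Add(" + dump(n->a) + ", " + dump(n->b) + ")";
    default:        return "Sub(" + dump(n->a) + ", " + dump(n->b) + ")";
    }
}

// Reference semantics for integer trees: two's-complement wrapping arithmetic,
// which is what makes Sub(x, x) => 0 and the Neg/Sub rewrites exact for integers.
static int64_t evalInt(const NodePtr& n, const int64_t* args) {
    auto u = [&](const NodePtr& c) { return static_cast<uint64_t>(evalInt(c, args)); };
    switch (n->op) {
    case Op::Arg:   return args[n->index];
    case Op::Const: return n->constant;
    case Op::Neg:   return static_cast<int64_t>(0 - u(n->a));
    case Op::Add:   return static_cast<int64_t>(u(n->a) + u(n->b));
    case Op::Sub:   return static_cast<int64_t>(u(n->a) - u(n->b));
    default:        return 0;            // B3 has no integer Abs
    }
}

// Reference semantics for floating-point trees.
static double evalDouble(const NodePtr& n, const double* args) {
    switch (n->op) {
    case Op::Arg:   return args[n->index];
    case Op::Const: return static_cast<double>(n->constant);
    case Op::Neg:   return -evalDouble(n->a, args);
    case Op::Abs:   return std::fabs(evalDouble(n->a, args));
    case Op::Add:   return evalDouble(n->a, args) + evalDouble(n->b, args);
    default:        return evalDouble(n->a, args) - evalDouble(n->b, args);
    }
}

// Bottom-up strength reduction with the rules listed in the ChangeLog entries.
// Every rewrite removes at least one node, so re-reducing the result (to reach a
// fixpoint, as B3ReduceStrength does) always terminates. `reproduceBug` selects
// the faulty Abs(Neg(x)) => x rewrite that bug 194420 replaced with Abs(Neg(x)) => Abs(x).
static NodePtr reduce(const NodePtr& n, bool reproduceBug = false) {
    NodePtr a = n->a ? reduce(n->a, reproduceBug) : nullptr;
    NodePtr b = n->b ? reduce(n->b, reproduceBug) : nullptr;
    const bool isInt = n->isInteger;
    auto again = [&](NodePtr r) { return reduce(r, reproduceBug); };

    if (n->op == Op::Sub && isInt) {
        if (a == b) return constant(0);                    // Sub(x, x) => 0 (pointer identity, like B3 Values)
        if (b->op == Op::Neg) return again(add(a, b->a));  // Sub(x1, Neg(x2)) => Add(x1, x2)
    }
    if (n->op == Op::Neg && isInt && a->op == Op::Sub)     // Neg(Sub(x1, x2)) => Sub(x2, x1)
        return again(sub(a->b, a->a));
    if (n->op == Op::Add && isInt) {
        if (a->op == Op::Neg) return again(sub(b, a->a));  // Add(Neg(x1), x2) => Sub(x2, x1)
        if (b->op == Op::Neg) return again(sub(a, b->a));  // Add(x1, Neg(x2)) => Sub(x1, x2)
    }
    if (n->op == Op::Abs && !isInt && a->op == Op::Neg)    // Abs(Neg(x)) => Abs(x), floating point only
        return reproduceBug ? a->a : again(absv(a->a));

    if (a == n->a && b == n->b)
        return n;                                          // nothing changed below; keep identity
    return make(n->op, isInt, a, b);
}
```

        The integer rules are checked with wrapping 64-bit arithmetic at INT64_MIN, where a non-wrapping
        evaluator would miss the equivalence; the Abs rule is applied only to floating-point trees, as in B3.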
1526
1527 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1528
1529         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1530         https://bugs.webkit.org/show_bug.cgi?id=194374
1531
1532         Reviewed by Geoffrey Garen.
1533
1534         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1535         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1536         is more memory efficient.
1537
1538         * runtime/SmallStrings.cpp:
1539         (JSC::SmallStringsStorage::SmallStringsStorage):
1540         (JSC::SmallStrings::SmallStrings):
1541         * runtime/SmallStrings.h:
1542
1543 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1544
1545         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1546         https://bugs.webkit.org/show_bug.cgi?id=194369
1547         <rdar://problem/47813087>
1548
1549         Reviewed by Saam Barati.
1550
1551         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1552         JSEmpty if it is TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1553         constant folding phase.
1554
1555         * dfg/DFGAbstractInterpreterInlines.h:
1556         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1557
1558 2019-02-06  Devin Rousso  <drousso@apple.com>
1559
1560         Web Inspector: DOM: don't send the entire function string with each event listener
1561         https://bugs.webkit.org/show_bug.cgi?id=194293
1562         <rdar://problem/47822809>
1563
1564         Reviewed by Joseph Pecoraro.
1565
1566         * inspector/protocol/DOM.json:
1567
1568         * runtime/JSFunction.h:
1569         Export `calculatedDisplayName`.
1570
1571 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1572
1573         [JSC] PrivateName to PublicName hash table is wasteful
1574         https://bugs.webkit.org/show_bug.cgi?id=194277
1575
1576         Reviewed by Michael Saboff.
1577
1578         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1579         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1580         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1581         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1582
1583         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1584
1585         1. PrivateName's content should be the same as PublicName's.
1586         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1587            the public name should be easily crafted from the given PrivateName.
1588
1589         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1590         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1591
1592         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1593         WebCore.
1594
1595         * builtins/BuiltinNames.cpp:
1596         (JSC::BuiltinNames::BuiltinNames):
1597         * builtins/BuiltinNames.h:
1598         (JSC::BuiltinNames::lookUpPrivateName const):
1599         (JSC::BuiltinNames::getPublicName const):
1600         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1601         (JSC::BuiltinNames::appendExternalName):
1602         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1603         * builtins/BuiltinUtils.h:
1604         * bytecode/BytecodeDumper.cpp:
1605         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1606         * bytecompiler/NodesCodegen.cpp:
1607         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1608         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1609         * parser/Lexer.cpp:
1610         (JSC::Lexer<LChar>::parseIdentifier):
1611         (JSC::Lexer<UChar>::parseIdentifier):
1612         * parser/Parser.cpp:
1613         (JSC::Parser<LexerType>::createGeneratorParameters):
1614         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1615         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1616         (JSC::Parser<LexerType>::parseClassDeclaration):
1617         (JSC::Parser<LexerType>::parseExportDeclaration):
1618         (JSC::Parser<LexerType>::parseMemberExpression):
1619         * parser/ParserArena.h:
1620         (JSC::IdentifierArena::makeIdentifier):
1621         * runtime/CachedTypes.cpp:
1622         (JSC::CachedUniquedStringImpl::encode):
1623         (JSC::CachedUniquedStringImpl::decode const):
1624         * runtime/CommonIdentifiers.cpp:
1625         (JSC::CommonIdentifiers::CommonIdentifiers):
1626         (JSC::CommonIdentifiers::lookUpPrivateName const):
1627         (JSC::CommonIdentifiers::getPublicName const):
1628         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1629         * runtime/CommonIdentifiers.h:
1630         * runtime/ExceptionHelpers.cpp:
1631         (JSC::createUndefinedVariableError):
1632         * runtime/Identifier.cpp:
1633         (JSC::Identifier::dump const):
1634         * runtime/Identifier.h:
1635         * runtime/IdentifierInlines.h:
1636         (JSC::Identifier::fromUid):
1637         * runtime/JSTypedArrayViewPrototype.cpp:
1638         (JSC::JSTypedArrayViewPrototype::finishCreation):
1639         * tools/JSDollarVM.cpp:
1640         (JSC::functionGetPrivateProperty):
1641
1642 2019-02-06  Keith Rollin  <krollin@apple.com>
1643
1644         Really enable the automatic checking and regenerations of .xcfilelists during builds
1645         https://bugs.webkit.org/show_bug.cgi?id=194357
1646         <rdar://problem/47861231>
1647
1648         Reviewed by Chris Dumez.
1649
1650         Bug 194124 was supposed to enable the automatic checking and
1651         regenerating of .xcfilelist files during the build. While related
1652         changes were included in that patch, the change to actually enable the
1653         operation somehow was omitted. This patch actually enables the
1654         operation. The check-xcfilelist.sh scripts now check
1655         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1656         of the checking.
1657
1658         * Scripts/check-xcfilelists.sh:
1659
1660 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1661
1662         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1663         https://bugs.webkit.org/show_bug.cgi?id=194339
1664
1665         Reviewed by Michael Saboff.
1666
1667         DirectEvalExecutable and IndirectEvalExecutable have completely the same memory layout.
1668         They even have the same structure. This patch unifies the subspaces for them.
1669
1670         * runtime/DirectEvalExecutable.h:
1671         * runtime/EvalExecutable.h:
1672         (JSC::EvalExecutable::subspaceFor):
1673         * runtime/IndirectEvalExecutable.h:
1674         * runtime/VM.cpp:
1675         * runtime/VM.h:
1676         (JSC::VM::forEachScriptExecutableSpace):
1677
1678 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1679
1680         [JSC] NativeExecutable should be smaller
1681         https://bugs.webkit.org/show_bug.cgi?id=194331
1682
1683         Reviewed by Michael Saboff.
1684
1685         NativeExecutable takes 88 bytes now. Since our GC rounds sizes up to multiples of 16, it actually takes 96 bytes in IsoSubspaces.
1686         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1687         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1688         only takes one MarkedBlock for NativeExecutable.
1689
1690         To make NativeExecutable smaller,
1691
1692         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1693            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1694
1695         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1696            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1697            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1698
1699         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding available, we can leverage this to put
1700            Intrinsic for NativeExecutable.
1701
1702         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1703
1704         * CMakeLists.txt:
1705         * JavaScriptCore.xcodeproj/project.pbxproj:
1706         * bytecode/CallVariant.h:
1707         * interpreter/Interpreter.cpp:
1708         * jit/JITCode.cpp:
1709         (JSC::DirectJITCode::DirectJITCode):
1710         (JSC::NativeJITCode::NativeJITCode):
1711         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1712         * jit/JITCode.h:
1713         (JSC::JITCode::signature const):
1714         (JSC::JITCode::intrinsic):
1715         * jit/JITOperations.cpp:
1716         * jit/JITThunks.cpp:
1717         (JSC::JITThunks::hostFunctionStub):
1718         * jit/Repatch.cpp:
1719         * llint/LLIntSlowPaths.cpp:
1720         * runtime/ExecutableBase.cpp:
1721         (JSC::ExecutableBase::dump const):
1722         (JSC::ExecutableBase::hashFor const):
1723         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1724         (JSC::ExecutableBase::clearCode): Deleted.
1725         * runtime/ExecutableBase.h:
1726         (JSC::ExecutableBase::ExecutableBase):
1727         (JSC::ExecutableBase::isModuleProgramExecutable):
1728         (JSC::ExecutableBase::isHostFunction const):
1729         (JSC::ExecutableBase::generatedJITCodeForCall const):
1730         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1731         (JSC::ExecutableBase::generatedJITCodeFor const):
1732         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1733         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1734         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1735         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1736         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1737         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1738         (JSC::ExecutableBase::intrinsic const): Deleted.
1739         * runtime/ExecutableBaseInlines.h: Added.
1740         (JSC::ExecutableBase::intrinsic const):
1741         (JSC::ExecutableBase::hasJITCodeForCall const):
1742         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1743         * runtime/JSBoundFunction.cpp:
1744         * runtime/JSType.cpp:
1745         (WTF::printInternal):
1746         * runtime/JSType.h:
1747         * runtime/NativeExecutable.cpp:
1748         (JSC::NativeExecutable::create):
1749         (JSC::NativeExecutable::createStructure):
1750         (JSC::NativeExecutable::NativeExecutable):
1751         (JSC::NativeExecutable::signatureFor const):
1752         (JSC::NativeExecutable::intrinsic const):
1753         * runtime/NativeExecutable.h:
1754         * runtime/ScriptExecutable.cpp:
1755         (JSC::ScriptExecutable::ScriptExecutable):
1756         (JSC::ScriptExecutable::clearCode):
1757         (JSC::ScriptExecutable::installCode):
1758         (JSC::ScriptExecutable::hasClearableCode const):
1759         * runtime/ScriptExecutable.h:
1760         (JSC::ScriptExecutable::intrinsic const):
1761         (JSC::ScriptExecutable::hasJITCodeForCall const):
1762         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1763         * runtime/VM.cpp:
1764         (JSC::VM::getHostFunction):
1765
1766 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1767
1768         Build failure after r240431
1769         https://bugs.webkit.org/show_bug.cgi?id=194330
1770
1771         Reviewed by Žan Doberšek.
1772
1773         * API/glib/JSCOptions.cpp:
1774
1775 2019-02-05  Mark Lam  <mark.lam@apple.com>
1776
1777         Fix DFG's doesGC() for a few more nodes.
1778         https://bugs.webkit.org/show_bug.cgi?id=194307
1779         <rdar://problem/47832956>
1780
1781         Reviewed by Yusuke Suzuki.
1782
1783         Fix doesGC() for the following nodes:
1784
1785             NumberToStringWithValidRadixConstant:
1786                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1787                 which can allocate a string.
1788                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1789                 which can allocate a string.
1790                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1791                 which can allocate a string.
1792
1793             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1794                 memory for all kinds of objects.
1795             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1796                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1797                 these allocate memory for the match result.
1798             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1799                 calls RegExpObject's collectMatches(), which allocates an array amongst
1800                 other objects.
1801
1802             StringFromCharCode:
1803                 If the uint32 code to convert is greater than maxSingleCharacterString,
1804                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1805                 which allocates a new string if the code is greater than maxSingleCharacterString.
1806
1807         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1808         to use maxSingleCharacterString instead of a literal constant.
1809
1810         * dfg/DFGDoesGC.cpp:
1811         (JSC::DFG::doesGC):
1812         * dfg/DFGSpeculativeJIT.cpp:
1813         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1814         * ftl/FTLLowerDFGToB3.cpp:
1815         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1816
1817 2019-02-05  Keith Rollin  <krollin@apple.com>
1818
1819         Enable the automatic checking and regenerations of .xcfilelists during builds
1820         https://bugs.webkit.org/show_bug.cgi?id=194124
1821         <rdar://problem/47721277>
1822
1823         Reviewed by Tim Horton.
1824
1825         Bug 193790 added a facility for checking -- during build time -- that
1826         any needed .xcfilelist files are up-to-date and for updating them if
1827         they are not. This facility was initially opt-in by setting
1828         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1829         the process seemed robust. It's now time to enable this facility and
1830         make it opt-out. If there is a need to disable this facility, set and
1831         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1832         running `make` or `build-webkit`, or before running Xcode from the
1833         command line.
1834
1835         Additionally, remove the step that generates a list of source files
1836         going into the UnifiedSources build step. It's only necessary to
1837         specify Sources.txt and SourcesCocoa.txt as inputs.
1838
1839         * JavaScriptCore.xcodeproj/project.pbxproj:
1840         * UnifiedSources-input.xcfilelist: Removed.
1841
1842 2019-02-05  Keith Rollin  <krollin@apple.com>
1843
1844         Update .xcfilelist files
1845         https://bugs.webkit.org/show_bug.cgi?id=194121
1846         <rdar://problem/47720863>
1847
1848         Reviewed by Tim Horton.
1849
1850         Preparatory to enabling the facility for automatically updating the
1851         .xcfilelist files, check in a freshly-updated set so that not everyone
1852         runs up against having to regenerate them themselves.
1853
1854         * DerivedSources-input.xcfilelist:
1855         * DerivedSources-output.xcfilelist:
1856
1857 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1858
1859         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1860         https://bugs.webkit.org/show_bug.cgi?id=185557
1861
1862         Reviewed by Mark Lam.
1863
1864         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1865         where n is the number of characters in the formatted string.
1866         It may be less memory efficient than the previous impl, since the intermediate Vector
1867         is the length of the string, instead of the count of the fields.
1868
1869         * runtime/IntlNumberFormat.cpp:
1870         (JSC::IntlNumberFormat::formatToParts):
1871         * runtime/IntlNumberFormat.h:
1872
1873 2019-02-05  Mark Lam  <mark.lam@apple.com>
1874
1875         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1876         https://bugs.webkit.org/show_bug.cgi?id=194298
1877         <rdar://problem/47827555>
1878
1879         Reviewed by Saam Barati.
1880
1881         We do this for 3 reasons:
1882         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1883         2. If things change in the future where clobberize() no longer reports these nodes
1884            as write(Heap), each node should be vetted first to make sure that it can never
1885            GC before being moved back to the doesGC() list that returns false.
1886         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1887            correct in its claims about the nodes' GCing possibility.
1888
1889         The list of nodes moved are:
1890
1891             ArrayPush
1892             ArrayPop
1893             Call
1894             CallEval
1895             CallForwardVarargs
1896             CallVarargs
1897             Construct
1898             ConstructForwardVarargs
1899             ConstructVarargs
1900             DefineDataProperty
1901             DefineAccessorProperty
1902             DeleteById
1903             DeleteByVal
1904             DirectCall
1905             DirectConstruct
1906             DirectTailCallInlinedCaller
1907             GetById
1908             GetByIdDirect
1909             GetByIdDirectFlush
1910             GetByIdFlush
1911             GetByIdWithThis
1912             GetByValWithThis
1913             GetDirectPname
1914             GetDynamicVar
1915             HasGenericProperty
1916             HasOwnProperty
1917             HasStructureProperty
1918             InById
1919             InByVal
1920             InstanceOf
1921             InstanceOfCustom
1922             LoadVarargs
1923             NumberToStringWithRadix
1924             PutById
1925             PutByIdDirect
1926             PutByIdFlush
1927             PutByIdWithThis
1928             PutByOffset
1929             PutByValWithThis
1930             PutDynamicVar
1931             PutGetterById
1932             PutGetterByVal
1933             PutGetterSetterById
1934             PutSetterById
1935             PutSetterByVal
1936             PutStack
1937             PutToArguments
1938             RegExpExec
1939             RegExpTest
1940             ResolveScope
1941             ResolveScopeForHoistingFuncDeclInEval
1942             TailCall
1943             TailCallForwardVarargsInlinedCaller
1944             TailCallInlinedCaller
1945             TailCallVarargsInlinedCaller
1946             ToNumber
1947             ToPrimitive
1948             ValueNegate
1949
1950         * dfg/DFGDoesGC.cpp:
1951         (JSC::DFG::doesGC):
1952
1953 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1954
1955         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1956         https://bugs.webkit.org/show_bug.cgi?id=194281
1957
1958         Reviewed by Michael Saboff.
1959
1960         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1961         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1962
1963         We still have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
1964         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1965         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, and we leave them as future work.
1966
1967         * bytecode/CodeBlock.cpp:
1968         (JSC::CodeBlock::finishCreation):
1969         * bytecode/CodeBlock.h:
1970         (JSC::CodeBlock::bitVectors const): Deleted.
1971         * bytecode/CodeType.h:
1972         * bytecode/UnlinkedCodeBlock.cpp:
1973         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1974         (JSC::UnlinkedCodeBlock::shrinkToFit):
1975         * bytecode/UnlinkedCodeBlock.h:
1976         (JSC::UnlinkedCodeBlock::bitVector):
1977         (JSC::UnlinkedCodeBlock::addBitVector):
1978         (JSC::UnlinkedCodeBlock::addSetConstant):
1979         (JSC::UnlinkedCodeBlock::constantRegisters):
1980         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1981         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1982         (JSC::UnlinkedCodeBlock::codeType const):
1983         (JSC::UnlinkedCodeBlock::didOptimize const):
1984         (JSC::UnlinkedCodeBlock::setDidOptimize):
1985         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1986         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1987         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1988         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1989         * bytecompiler/BytecodeGenerator.cpp:
1990         (JSC::BytecodeGenerator::emitLoad):
1991         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1992         * bytecompiler/BytecodeGenerator.h:
1993         * runtime/CachedTypes.cpp:
1994         (JSC::CachedCodeBlockRareData::encode):
1995         (JSC::CachedCodeBlockRareData::decode const):
1996         (JSC::CachedCodeBlock::scopeRegister const):
1997         (JSC::CachedCodeBlock::codeType const):
1998         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1999         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2000         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2001         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2002
2003 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2004
2005         Unreviewed, add missing exception checks after r240637
2006         https://bugs.webkit.org/show_bug.cgi?id=193546
2007
2008         * tools/JSDollarVM.cpp:
2009         (JSC::functionShadowChickenFunctionsOnStack):
2010
2011 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2012
2013         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2014         https://bugs.webkit.org/show_bug.cgi?id=193993
2015
2016         Reviewed by Keith Miller.
2017
2018         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2019         And some of them are rarely used. We should allocate them lazily.
2020
2021         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2022         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
2023         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2024         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2025         parameter which tells the function whether subspaceFor is called concurrently. If the IsoSubspace is
2026         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2027         by using WTF::storeStoreFence when lazily allocating it.
2028
2029         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2030         existence of the space before touching it. This is not racy because the main thread is stopped when
2031         the constraint solving is working.
2032
2033         This changes sizeof(VM) from 64736 to 56472.
2034
2035         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2036         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2037         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2038         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
2039         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2040         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2041         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2042
2043         * API/JSCallbackFunction.h:
2044         * API/ObjCCallbackFunction.h:
2045         (JSC::ObjCCallbackFunction::subspaceFor):
2046         * API/glib/JSCCallbackFunction.h:
2047         * CMakeLists.txt:
2048         * JavaScriptCore.xcodeproj/project.pbxproj:
2049         * bytecode/CodeBlock.cpp:
2050         (JSC::CodeBlock::visitChildren):
2051         (JSC::CodeBlock::finalizeUnconditionally):
2052         * bytecode/CodeBlock.h:
2053         * bytecode/EvalCodeBlock.h:
2054         * bytecode/ExecutableToCodeBlockEdge.h:
2055         * bytecode/FunctionCodeBlock.h:
2056         * bytecode/ModuleProgramCodeBlock.h:
2057         * bytecode/ProgramCodeBlock.h:
2058         * bytecode/UnlinkedFunctionExecutable.cpp:
2059         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2060         * bytecode/UnlinkedFunctionExecutable.h:
2061         * dfg/DFGSpeculativeJIT.cpp:
2062         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2063         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2064         (JSC::DFG::SpeculativeJIT::compileNewObject):
2065         * ftl/FTLLowerDFGToB3.cpp:
2066         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2067         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2068         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2069         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2070         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2071         * heap/Heap.cpp:
2072         (JSC::Heap::finalizeUnconditionalFinalizers):
2073         (JSC::Heap::deleteAllCodeBlocks):
2074         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2075         (JSC::Heap::addCoreConstraints):
2076         * heap/Subspace.cpp:
2077         (JSC::Subspace::initialize):
2078         * jit/AssemblyHelpers.h:
2079         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2080         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2081         * jit/JITOpcodes.cpp:
2082         (JSC::JIT::emit_op_new_object):
2083         * jit/JITOpcodes32_64.cpp:
2084         (JSC::JIT::emit_op_new_object):
2085         * runtime/DirectArguments.h:
2086         * runtime/DirectEvalExecutable.h:
2087         * runtime/ErrorInstance.h:
2088         (JSC::ErrorInstance::subspaceFor):
2089         * runtime/ExecutableBase.h:
2090         * runtime/FunctionExecutable.h:
2091         * runtime/IndirectEvalExecutable.h:
2092         * runtime/InferredValue.cpp:
2093         (JSC::InferredValue::visitChildren):
2094         * runtime/InferredValue.h:
2095         * runtime/InferredValueInlines.h:
2096         (JSC::InferredValue::finalizeUnconditionally):
2097         * runtime/InternalFunction.h:
2098         * runtime/JSAsyncFunction.h:
2099         * runtime/JSAsyncGeneratorFunction.h:
2100         * runtime/JSBoundFunction.h:
2101         * runtime/JSCell.h:
2102         (JSC::subspaceFor):
2103         (JSC::subspaceForConcurrently):
2104         * runtime/JSCellInlines.h:
2105         (JSC::allocatorForNonVirtualConcurrently):
2106         * runtime/JSCustomGetterSetterFunction.h:
2107         * runtime/JSDestructibleObject.h:
2108         * runtime/JSFunction.h:
2109         * runtime/JSGeneratorFunction.h:
2110         * runtime/JSImmutableButterfly.h:
2111         * runtime/JSLexicalEnvironment.h:
2112         (JSC::JSLexicalEnvironment::subspaceFor):
2113         * runtime/JSNativeStdFunction.h:
2114         * runtime/JSSegmentedVariableObject.h:
2115         * runtime/JSString.h:
2116         * runtime/ModuleProgramExecutable.h:
2117         * runtime/NativeExecutable.h:
2118         * runtime/ProgramExecutable.h:
2119         * runtime/PropertyMapHashTable.h:
2120         * runtime/ProxyRevoke.h:
2121         * runtime/ScopedArguments.h:
2122         * runtime/ScriptExecutable.cpp:
2123         (JSC::ScriptExecutable::clearCode):
2124         (JSC::ScriptExecutable::installCode):
2125         * runtime/Structure.h:
2126         * runtime/StructureRareData.h:
2127         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2128         * runtime/VM.cpp:
2129         (JSC::VM::VM):
2130         * runtime/VM.h:
2131         (JSC::VM::SpaceAndSet::SpaceAndSet):
2132         (JSC::VM::SpaceAndSet::setFor):
2133         (JSC::VM::forEachScriptExecutableSpace):
2134         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2135         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2136         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2137         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2138         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2139         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2140         * runtime/WeakMapImpl.h:
2141         (JSC::WeakMapImpl::subspaceFor):
2142         * wasm/js/JSWebAssemblyCodeBlock.h:
2143         * wasm/js/JSWebAssemblyMemory.h:
2144         * wasm/js/WebAssemblyFunction.h:
2145         * wasm/js/WebAssemblyWrapperFunction.h:
2146
2147 2019-02-04  Keith Miller  <keith_miller@apple.com>
2148
2149         Change llint operand macros to inline functions
2150         https://bugs.webkit.org/show_bug.cgi?id=194248
2151
2152         Reviewed by Mark Lam.
2153
2154         * llint/LLIntSlowPaths.cpp:
2155         (JSC::LLInt::getNonConstantOperand):
2156         (JSC::LLInt::getOperand):
2157         (JSC::LLInt::llint_trace_value):
2158         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2159         (JSC::LLInt::getByVal):
2160         (JSC::LLInt::genericCall):
2161         (JSC::LLInt::varargsSetup):
2162         (JSC::LLInt::commonCallEval):
2163
2164 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2165
2166         when lowering AssertNotEmpty, create the value before creating the patchpoint
2167         https://bugs.webkit.org/show_bug.cgi?id=194231
2168
2169         Reviewed by Saam Barati.
2170
2171         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2172         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2173
2174         * ftl/FTLLowerDFGToB3.cpp:
2175         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2176
2177 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2178
2179         [JSC] ExecutableToCodeBlockEdge should be smaller
2180         https://bugs.webkit.org/show_bug.cgi?id=194244
2181
2182         Reviewed by Michael Saboff.
2183
2184         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2185         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2186         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2187         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2188
2189         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2190         since it is a per-cell bit. We rename it to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2191         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2192
2193         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2194         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2195         does not touch it if it is called in non-main threads).
2196
2197         * bytecode/ExecutableToCodeBlockEdge.cpp:
2198         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2199         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2200         (JSC::ExecutableToCodeBlockEdge::activate):
2201         (JSC::ExecutableToCodeBlockEdge::deactivate):
2202         (JSC::ExecutableToCodeBlockEdge::isActive const):
2203         * bytecode/ExecutableToCodeBlockEdge.h:
2204         * runtime/JSCell.h:
2205         * runtime/JSCellInlines.h:
2206         (JSC::JSCell::perCellBit const):
2207         (JSC::JSCell::setPerCellBit):
2208         (JSC::JSCell::mayBePrototype const): Deleted.
2209         (JSC::JSCell::didBecomePrototype): Deleted.
2210         * runtime/JSObject.cpp:
2211         (JSC::JSObject::setPrototypeDirect):
2212         * runtime/JSObject.h:
2213         * runtime/JSObjectInlines.h:
2214         (JSC::JSObject::mayBePrototype const):
2215         (JSC::JSObject::didBecomePrototype):
2216         * runtime/JSTypeInfo.h:
2217         (JSC::TypeInfo::perCellBit):
2218         (JSC::TypeInfo::mergeInlineTypeFlags):
2219         (JSC::TypeInfo::mayBePrototype): Deleted.
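
        The padding arithmetic the entry above describes, as an added example that is not WebKit code: a constructed
        8-byte cell header with a flags byte, the pre-patch layout (pointer plus a separate bool, which pads to 24 bytes
        and rounds up to the 32-byte size class on LP64), and the post-patch layout where the flag is one bit of the
        header's flags byte. The header fields, the bit position and the 16-byte size-class rounding are assumptions
        chosen for illustration, not JSC's JSCell or JSTypeInfo definitions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of an 8-byte GC cell header with a flags byte, standing in
// for the inline TypeInfo flags the entry describes. Not JSC's JSCell.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingType;
    uint8_t cellType;
    uint8_t typeInfoFlags; // inline TypeInfo flags; one bit becomes the per-cell bit
    uint8_t cellState;
};

// Layout before the patch: header + pointer + a separate bool. On LP64 the
// bool is followed by 7 bytes of padding (sizeof == 24), and a 16-byte
// size-class allocator rounds the cell up to 32 bytes.
struct EdgeWithBoolFlag {
    CellHeader header;
    void* codeBlock;
    bool isActive;
};

// Layout after the patch: the flag is one bit of the header's flags byte, so
// the cell is header + pointer (sizeof == 16) and fits its size class exactly.
struct EdgeWithPackedFlag {
    CellHeader header;
    void* codeBlock;

    static constexpr uint8_t PerCellBit = 1u << 7; // constructed bit position

    bool isActive() const { return (header.typeInfoFlags & PerCellBit) != 0; }

    // Plain read-modify-write on a byte shared with other flags: not a CAS,
    // so, as the entry says, only the owning (main) thread may flip this bit.
    void setActive(bool active)
    {
        if (active)
            header.typeInfoFlags |= PerCellBit;
        else
            header.typeInfoFlags &= static_cast<uint8_t>(~PerCellBit);
    }
};

// Round a size up to the allocator's size class (16-byte granularity, as in the entry).
constexpr size_t sizeClassFor(size_t bytes, size_t granularity = 16)
{
    return (bytes + granularity - 1) / granularity * granularity;
}

constexpr size_t paddedCellBytes() { return sizeof(EdgeWithBoolFlag); }
constexpr size_t packedCellBytes() { return sizeof(EdgeWithPackedFlag); }

// Flipping the per-cell bit must leave the other flag bits untouched.
bool perCellBitIsIsolated()
{
    EdgeWithPackedFlag edge {};
    edge.header.typeInfoFlags = 0x55; // other flags set, per-cell bit clear
    edge.setActive(true);
    bool set = edge.isActive() && (edge.header.typeInfoFlags & 0x7f) == 0x55;
    edge.setActive(false);
    bool cleared = !edge.isActive() && edge.header.typeInfoFlags == 0x55;
    return set && cleared;
}

int main()
{
    std::printf("bool flag:  %zu bytes -> size class %zu\n", paddedCellBytes(), sizeClassFor(paddedCellBytes()));
    std::printf("packed bit: %zu bytes -> size class %zu\n", packedCellBytes(), sizeClassFor(packedCellBytes()));
    return perCellBitIsIsolated() ? 0 : 1;
}
```

        The sizes are compile-time constants, so the same check can be pinned with a static_assert in the real cell
        type to stop a later field addition from silently pushing the cell into the next size class.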
2220
2221 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2222
2223         [JSC] Shrink size of FunctionExecutable
2224         https://bugs.webkit.org/show_bug.cgi?id=194191
2225
2226         Reviewed by Michael Saboff.
2227
2228         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2229         improves the allocation efficiency.
2230
2231         1. ScriptExecutable (the base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2232            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2233
2234         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2235            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2236            the size of FunctionExecutable in the common case.
2237
2238         This patch changes the size of FunctionExecutable from 176 to 144.
2239
2240         * bytecode/CodeBlock.cpp:
2241         (JSC::CodeBlock::dumpSource):
2242         (JSC::CodeBlock::finishCreation):
2243         * dfg/DFGNode.h:
2244         (JSC::DFG::Node::OpInfoWrapper::as const):
2245         * interpreter/StackVisitor.cpp:
2246         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2247         * runtime/ExecutableBase.h:
2248         * runtime/FunctionExecutable.cpp:
2249         (JSC::FunctionExecutable::FunctionExecutable):
2250         (JSC::FunctionExecutable::ensureRareDataSlow):
2251         * runtime/FunctionExecutable.h:
2252         * runtime/Intrinsic.h:
2253         * runtime/ModuleProgramExecutable.cpp:
2254         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2255         * runtime/ProgramExecutable.cpp:
2256         (JSC::ProgramExecutable::ProgramExecutable):
2257         * runtime/ScriptExecutable.cpp:
2258         (JSC::ScriptExecutable::ScriptExecutable):
2259         (JSC::ScriptExecutable::overrideLineNumber const):
2260         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2261         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2262         * runtime/ScriptExecutable.h:
2263         (JSC::ScriptExecutable::firstLine const):
2264         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2265         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2266         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2267         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2268         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2269         * runtime/StackFrame.cpp:
2270         (JSC::StackFrame::computeLineAndColumn const):
2271         * tools/JSDollarVM.cpp:
2272         (JSC::functionReturnTypeFor):
2273
2274 2019-02-04  Mark Lam  <mark.lam@apple.com>
2275
2276         DFG's doesGC() is incorrect about the SameValue node's behavior.
2277         https://bugs.webkit.org/show_bug.cgi?id=194211
2278         <rdar://problem/47608913>
2279
2280         Reviewed by Saam Barati.
2281
2282         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2283         it calls operationSameValue() which may allocate memory for resolving ropes.
2284
2285         * dfg/DFGDoesGC.cpp:
2286         (JSC::DFG::doesGC):
2287
2288 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2289
2290         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2291         https://bugs.webkit.org/show_bug.cgi?id=194031
2292
2293         Reviewed by Saam Barati.
2294
2295         UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when the UnlinkedMetadataTable is destroyed.
2296         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since the GC's finalizer
2297         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2298         destroyed if the UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2299
2300         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2301         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2302
2303         * bytecode/MetadataTable.cpp:
2304         (JSC::MetadataTable::MetadataTable):
2305         (JSC::MetadataTable::~MetadataTable):
2306         * bytecode/UnlinkedCodeBlock.cpp:
2307         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2308         (JSC::UnlinkedCodeBlock::visitChildren):
2309         (JSC::UnlinkedCodeBlock::estimatedSize):
2310         (JSC::UnlinkedCodeBlock::setInstructions):
2311         * bytecode/UnlinkedCodeBlock.h:
2312         (JSC::UnlinkedCodeBlock::metadata):
2313         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2314         * bytecode/UnlinkedMetadataTable.h:
2315         (JSC::UnlinkedMetadataTable::create):
2316         * bytecode/UnlinkedMetadataTableInlines.h:
2317         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2318         * runtime/CachedTypes.cpp:
2319         (JSC::CachedMetadataTable::decode const):
2320         (JSC::CachedCodeBlock::metadata const):
2321         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2322         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2323         (JSC::CachedCodeBlock<CodeBlockType>::encode):
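
        The lifetime bug and its fix, as an added example that is not WebKit code. A constructed "unlinked" table and
        "linked" table stand in for UnlinkedMetadataTable and MetadataTable; a sweep that frees the parent first is
        simulated by dropping its handle before the child's. std::weak_ptr stands in for the raw pointer of the "before"
        version (so the example stays memory-safe instead of dereferencing freed memory), and std::shared_ptr stands in
        for the RefCounted strong reference of the fix. Class names and the destruction log are assumptions.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Each destructor appends its name here so the sweep order can be checked.
using DestructionLog = std::vector<std::string>;

// Constructed stand-in for UnlinkedMetadataTable. Not JSC's class.
struct UnlinkedTable {
    DestructionLog& log;
    unsigned linkedCount = 0; // linked tables still referring to this one
    explicit UnlinkedTable(DestructionLog& l) : log(l) { }
    ~UnlinkedTable() { log.push_back("unlinked"); }
};

// "Before": the linked table only observes its parent. A weak_ptr stands in
// for the raw pointer; with a raw pointer the destructor below would read
// freed memory when the parent was swept first.
struct LinkedTableWeakEdge {
    DestructionLog& log;
    std::weak_ptr<UnlinkedTable> unlinked;
    LinkedTableWeakEdge(DestructionLog& l, const std::shared_ptr<UnlinkedTable>& u)
        : log(l), unlinked(u) { ++u->linkedCount; }
    ~LinkedTableWeakEdge()
    {
        if (auto parent = unlinked.lock()) {
            --parent->linkedCount;
            log.push_back("linked:ok");
        } else
            log.push_back("linked:dangling"); // parent already swept
    }
};

// "After": the linked table holds a strong reference (shared_ptr models
// RefCounted), so the parent cannot be destroyed while a child is alive.
struct LinkedTableStrongEdge {
    DestructionLog& log;
    std::shared_ptr<UnlinkedTable> unlinked;
    LinkedTableStrongEdge(DestructionLog& l, std::shared_ptr<UnlinkedTable> u)
        : log(l), unlinked(std::move(u)) { ++unlinked->linkedCount; }
    ~LinkedTableStrongEdge()
    {
        --unlinked->linkedCount;
        log.push_back("linked:ok");
        // 'unlinked' is released after this body: if this was the last
        // reference, the parent is destroyed now, strictly after its child.
    }
};

// Simulate a GC sweep that happens to free the unlinked cell's handle before
// the linked cell's; the entry says neither order is guaranteed.
DestructionLog sweepWithWeakEdge()
{
    DestructionLog log;
    auto unlinked = std::make_shared<UnlinkedTable>(log);
    auto linked = std::make_unique<LinkedTableWeakEdge>(log, unlinked);
    unlinked.reset(); // parent swept first: destroyed immediately
    linked.reset();   // child swept second: finds its parent gone
    return log;
}

DestructionLog sweepWithStrongEdge()
{
    DestructionLog log;
    auto unlinked = std::make_shared<UnlinkedTable>(log);
    auto linked = std::make_unique<LinkedTableStrongEdge>(log, unlinked);
    unlinked.reset(); // parent's own handle dropped, but the child keeps it alive
    linked.reset();   // child destroyed first, then it releases the parent
    return log;
}

int main()
{
    for (const std::string& entry : sweepWithWeakEdge())
        std::printf("weak edge:   %s\n", entry.c_str());
    for (const std::string& entry : sweepWithStrongEdge())
        std::printf("strong edge: %s\n", entry.c_str());
    return 0;
}
```

        With the strong edge the parent's destructor can keep asserting that no linked table is alive, because the
        last linked table's destructor is what releases it.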
2324
2325 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2326
2327         [JSC] Decouple JIT related data from CodeBlock
2328         https://bugs.webkit.org/show_bug.cgi?id=194187
2329
2330         Reviewed by Saam Barati.
2331
2332         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2333         We have three types of data in CodeBlock.
2334
2335         1. The data which is always used. CodeBlock needs to hold it.
2336         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2337         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2338
2339         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2340         number of them get JIT compilation. Always allocating the (3) data enlarges the size of CodeBlock, leading to
2341         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2342         in both non-JIT and *JIT* modes.
2343
2344         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2345         by the lock of CodeBlock.
2346
2347         The size of CodeBlock is reduced from 512 to 352.
2348
2349         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2350
2351             Footprint geomean: 36696503 (34.997 MB)
2352             Peak Footprint geomean: 38595988 (36.808 MB)
2353             Score: 37634263 (35.891 MB)
2354
2355             Footprint geomean: 37172768 (35.451 MB)
2356             Peak Footprint geomean: 38978288 (37.173 MB)
2357             Score: 38064824 (36.301 MB)
2358
2359         * bytecode/CodeBlock.cpp:
2360         (JSC::CodeBlock::~CodeBlock):
2361         (JSC::CodeBlock::propagateTransitions):
2362         (JSC::CodeBlock::ensureJITDataSlow):
2363         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2364         (JSC::CodeBlock::getICStatusMap):
2365         (JSC::CodeBlock::addStubInfo):
2366         (JSC::CodeBlock::addJITAddIC):
2367         (JSC::CodeBlock::addJITMulIC):
2368         (JSC::CodeBlock::addJITSubIC):
2369         (JSC::CodeBlock::addJITNegIC):
2370         (JSC::CodeBlock::findStubInfo):
2371         (JSC::CodeBlock::addByValInfo):
2372         (JSC::CodeBlock::addCallLinkInfo):
2373         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2374         (JSC::CodeBlock::addRareCaseProfile):
2375         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2376         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2377         (JSC::CodeBlock::resetJITData):
2378         (JSC::CodeBlock::stronglyVisitStrongReferences):
2379         (JSC::CodeBlock::shrinkToFit):
2380         (JSC::CodeBlock::linkIncomingCall):
2381         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2382         (JSC::CodeBlock::unlinkIncomingCalls):
2383         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2384         (JSC::CodeBlock::dumpValueProfiles):
2385         (JSC::CodeBlock::setPCToCodeOriginMap):
2386         (JSC::CodeBlock::findPC):
2387         (JSC::CodeBlock::dumpMathICStats):
2388         * bytecode/CodeBlock.h:
2389         (JSC::CodeBlock::ensureJITData):
2390         (JSC::CodeBlock::setJITCodeMap):
2391         (JSC::CodeBlock::jitCodeMap):
2392         (JSC::CodeBlock::likelyToTakeSlowCase):
2393         (JSC::CodeBlock::couldTakeSlowCase):
2394         (JSC::CodeBlock::lazyOperandValueProfiles):
2395         (JSC::CodeBlock::stubInfoBegin): Deleted.
2396         (JSC::CodeBlock::stubInfoEnd): Deleted.
2397         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2398         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2399         (JSC::CodeBlock::jitCodeMap const): Deleted.
2400         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2401         * bytecode/MethodOfGettingAValueProfile.cpp:
2402         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2403         (JSC::MethodOfGettingAValueProfile::reportValue):
2404         * dfg/DFGByteCodeParser.cpp:
2405         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2406         * jit/JIT.h:
2407         * jit/JITOperations.cpp:
2408         (JSC::tryGetByValOptimize):
2409         * jit/JITPropertyAccess.cpp:
2410         (JSC::JIT::privateCompileGetByVal):
2411         (JSC::JIT::privateCompilePutByVal):
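
        The lazily created side structure that both this entry (CodeBlock::JITData, created under the CodeBlock lock)
        and the earlier "Make IsoSubspace lazily allocated" entry (ensureXXXSpace on the main thread, nullptr from
        subspaceForConcurrently<> until then) describe, as one added example that is not WebKit code. A std::mutex
        plus a release store on a std::atomic pointer stand in for the CodeBlock lock and WTF::storeStoreFence; the
        SideData payload, the Owner class and sumFromConcurrentTier are assumptions chosen for illustration.

```cpp
#include <atomic>
#include <cstdio>
#include <memory>
#include <mutex>
#include <numeric>
#include <vector>

// Constructed stand-in for a large, rarely needed side structure: an
// IsoSubspace in the VM entry, or CodeBlock::JITData in the entry above.
struct SideData {
    std::vector<int> payload;
    explicit SideData(int seed) : payload(16, seed) { }
};

class Owner {
public:
    // Owning-thread path (the ensureXXXSpace / ensureJITDataSlow shape):
    // double-checked, created under the lock, published last with a release
    // store. The release store plays the role of WTF::storeStoreFence: every
    // write that initialised SideData becomes visible before the pointer does.
    SideData& ensureSideData()
    {
        if (SideData* existing = m_published.load(std::memory_order_acquire))
            return *existing;
        std::lock_guard<std::mutex> locker(m_lock);
        if (SideData* existing = m_published.load(std::memory_order_relaxed)) // re-check under the lock
            return *existing;
        m_storage = std::make_unique<SideData>(42);
        ++m_allocations;
        m_published.store(m_storage.get(), std::memory_order_release); // publish last
        return *m_storage;
    }

    // Concurrent path (the subspaceForConcurrently<> shape): never allocates.
    // Callers observe either nullptr or a fully initialised object and must
    // handle the nullptr case themselves.
    SideData* sideDataConcurrently() const
    {
        return m_published.load(std::memory_order_acquire);
    }

    unsigned allocations() const { return m_allocations; }

private:
    std::mutex m_lock;
    std::unique_ptr<SideData> m_storage;            // ownership
    std::atomic<SideData*> m_published { nullptr }; // visibility to other threads
    unsigned m_allocations = 0;                     // written only under m_lock
};

// What a concurrent compiler tier does with that contract: bail out (-1) when
// the side data does not exist yet instead of creating it, otherwise use it.
int sumFromConcurrentTier(const Owner& owner)
{
    SideData* data = owner.sideDataConcurrently();
    if (!data)
        return -1;
    return std::accumulate(data->payload.begin(), data->payload.end(), 0);
}

// Exercises the contract end to end; returns true when every step holds.
bool lazyAllocationContractHolds()
{
    Owner owner;
    if (owner.sideDataConcurrently() || sumFromConcurrentTier(owner) != -1 || owner.allocations() != 0)
        return false;
    SideData& first = owner.ensureSideData();
    SideData& second = owner.ensureSideData(); // must not allocate again
    return &first == &second
        && owner.allocations() == 1
        && owner.sideDataConcurrently() == &first
        && sumFromConcurrentTier(owner) == 16 * 42;
}

int main()
{
    Owner owner;
    std::printf("before ensure: concurrent sum = %d\n", sumFromConcurrentTier(owner));
    owner.ensureSideData();
    std::printf("after ensure:  concurrent sum = %d, allocations = %u\n",
        sumFromConcurrentTier(owner), owner.allocations());
    return lazyAllocationContractHolds() ? 0 : 1;
}
```

        The GC constraint-solving case in the IsoSubspace entry is the same nullptr check taken from a point where the
        mutator is stopped, so the acquire load there cannot race with a concurrent ensure.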
2412
2413 2018-12-16  Darin Adler  <darin@apple.com>
2414
2415         Convert additional String::format clients to alternative approaches
2416         https://bugs.webkit.org/show_bug.cgi?id=192746
2417
2418         Reviewed by Alexey Proskuryakov.
2419
2420         * inspector/agents/InspectorConsoleAgent.cpp:
2421         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2422         and FormattedNumber::fixedWidth.
2423
2424 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2425
2426         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2427         https://bugs.webkit.org/show_bug.cgi?id=194177
2428
2429         Reviewed by Saam Barati.
2430
2431         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2432         We can share the IsoSubspace for JSFunction.
2433
2434         * runtime/JSAsyncFunction.h:
2435         * runtime/JSAsyncGeneratorFunction.h:
2436         * runtime/JSGeneratorFunction.h:
2437         * runtime/VM.cpp:
2438         (JSC::VM::VM):
2439         * runtime/VM.h:
2440
2441 2019-02-01  Mark Lam  <mark.lam@apple.com>
2442
2443         Remove invalid assertion in DFG's compileDoubleRep().
2444         https://bugs.webkit.org/show_bug.cgi?id=194130
2445         <rdar://problem/47699474>
2446
2447         Reviewed by Saam Barati.
2448
2449         * dfg/DFGSpeculativeJIT.cpp:
2450         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2451
2452 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2453
2454         [JSC] Unify CodeBlock IsoSubspaces
2455         https://bugs.webkit.org/show_bug.cgi?id=194167
2456
2457         Reviewed by Saam Barati.
2458
2459         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2460         But this is not necessary since,
2461
2462         1. They do not override the classInfo methods.
2463         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2464
2465         Creating an IsoSubspace for each subclass is costly in terms of memory. Especially the IsoSubspace for
2466         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, which means the rest of the
2467         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2468
2469         This patch unifies these IsoSubspaces into one.
2470
2471         * bytecode/CodeBlock.cpp:
2472         (JSC::CodeBlock::destroy):
2473         * bytecode/CodeBlock.h:
2474         * bytecode/EvalCodeBlock.cpp:
2475         (JSC::EvalCodeBlock::destroy): Deleted.
2476         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2477         * bytecode/FunctionCodeBlock.cpp:
2478         (JSC::FunctionCodeBlock::destroy): Deleted.
2479         * bytecode/FunctionCodeBlock.h:
2480         * bytecode/GlobalCodeBlock.h:
2481         * bytecode/ModuleProgramCodeBlock.cpp:
2482         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2483         * bytecode/ModuleProgramCodeBlock.h:
2484         * bytecode/ProgramCodeBlock.cpp:
2485         (JSC::ProgramCodeBlock::destroy): Deleted.
2486         * bytecode/ProgramCodeBlock.h:
2487         * interpreter/Interpreter.cpp:
2488         (JSC::Interpreter::execute):
2489         * runtime/VM.cpp:
2490         (JSC::VM::VM):
2491         * runtime/VM.h:
2492         (JSC::VM::forEachCodeBlockSpace):
2493
2494 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2495
2496         Unreviewed, follow-up after r240859
2497         https://bugs.webkit.org/show_bug.cgi?id=194145
2498
2499         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2500         And rename cellDangerousBitsSpace back to cellSpace.
2501
2502         * runtime/JSCellInlines.h:
2503         (JSC::JSCell::subspaceFor):
2504         * runtime/VM.cpp:
2505         (JSC::VM::VM):
2506         * runtime/VM.h:
2507
2508 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2509
2510         [JSC] Remove cellJSValueOOBSpace
2511         https://bugs.webkit.org/show_bug.cgi?id=194145
2512
2513         Reviewed by Mark Lam.
2514
2515         * runtime/JSObject.h:
2516         (JSC::JSObject::subspaceFor): Deleted.
2517         * runtime/VM.cpp:
2518         (JSC::VM::VM):
2519         * runtime/VM.h:
2520
2521 2019-01-31  Mark Lam  <mark.lam@apple.com>
2522
2523         Remove poisoning from CodeBlock and LLInt code.
2524         https://bugs.webkit.org/show_bug.cgi?id=194113
2525
2526         Reviewed by Yusuke Suzuki.
2527
2528         * bytecode/CodeBlock.cpp:
2529         (JSC::CodeBlock::CodeBlock):
2530         (JSC::CodeBlock::~CodeBlock):
2531         (JSC::CodeBlock::setConstantRegisters):
2532         (JSC::CodeBlock::propagateTransitions):
2533         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2534         (JSC::CodeBlock::jettison):
2535         (JSC::CodeBlock::predictedMachineCodeSize):
2536         * bytecode/CodeBlock.h:
2537         (JSC::CodeBlock::vm const):
2538         (JSC::CodeBlock::addConstant):
2539         (JSC::CodeBlock::heap const):
2540         (JSC::CodeBlock::replaceConstant):
2541         * llint/LLIntOfflineAsmConfig.h:
2542         * llint/LLIntSlowPaths.cpp:
2543         (JSC::LLInt::handleHostCall):
2544         (JSC::LLInt::setUpCall):
2545         * llint/LowLevelInterpreter.asm:
2546         * llint/LowLevelInterpreter32_64.asm:
2547         * llint/LowLevelInterpreter64.asm:
2548
2549 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2550
2551         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2552         https://bugs.webkit.org/show_bug.cgi?id=194107
2553
2554         Reviewed by Saam Barati.
2555
2556         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2557         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2558
2559         * CMakeLists.txt:
2560         * DerivedSources.make:
2561         * JavaScriptCore.xcodeproj/project.pbxproj:
2562         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2563         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2564         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2565         (JSC::AsyncFromSyncIteratorPrototype::create):
2566         * runtime/AsyncFromSyncIteratorPrototype.h:
2567
2568 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2569
2570         Fix `runJITThreadLimitTests` in testapi
2571         https://bugs.webkit.org/show_bug.cgi?id=194064
2572         <rdar://problem/46139147>
2573
2574         Reviewed by Mark Lam.
2575
2576         Fix typo where `targetNumberOfThreads` was not being used.
2577
2578         * API/tests/testapi.mm:
2579         (runJITThreadLimitTests):
2580
2581 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2582
2583         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2584         https://bugs.webkit.org/show_bug.cgi?id=194112
2585
2586         Reviewed by Mark Lam.
2587
2588         `testBytecodeCache` does not populate the bytecode cache for the global
2589         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2590
2591         * API/tests/testapi.mm:
2592         (testBytecodeCache):
2593
2594 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2595
2596         Unreviewed, follow-up after r240796
2597
2598         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2599         when allocating InferredValue in FunctionExecutable::finishCreation.
2600
2601         * runtime/FunctionExecutable.cpp:
2602         (JSC::FunctionExecutable::FunctionExecutable):
2603         (JSC::FunctionExecutable::finishCreation):
2604
2605 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2606
2607         [JSC] Do not use InferredValue in non-JIT configuration
2608         https://bugs.webkit.org/show_bug.cgi?id=194084
2609
2610         Reviewed by Saam Barati.
2611
2612         InferredValue is not meaningful if our VM is in the non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2613         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2614         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2615         Even in the non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2616         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2617         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2618         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2619         To summarize, since nobody uses the InferredValue feature in the non-JIT configuration, we should not create it.
2620
2621         * bytecode/ObjectAllocationProfileInlines.h:
2622         (JSC::ObjectAllocationProfile::initializeProfile):
2623         * runtime/FunctionExecutable.cpp:
2624         (JSC::FunctionExecutable::finishCreation):
2625         (JSC::FunctionExecutable::visitChildren):
2626         * runtime/FunctionExecutable.h:
2627         * runtime/InferredValue.cpp:
2628         (JSC::InferredValue::create):
2629         * runtime/JSAsyncFunction.cpp:
2630         (JSC::JSAsyncFunction::create):
2631         * runtime/JSAsyncGeneratorFunction.cpp:
2632         (JSC::JSAsyncGeneratorFunction::create):
2633         * runtime/JSFunction.cpp:
2634         (JSC::JSFunction::create):
2635         * runtime/JSFunctionInlines.h:
2636         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2637         * runtime/JSGeneratorFunction.cpp:
2638         (JSC::JSGeneratorFunction::create):
2639         * runtime/JSSymbolTableObject.h:
2640         (JSC::JSSymbolTableObject::setSymbolTable):
2641         * runtime/SymbolTable.cpp:
2642         (JSC::SymbolTable::finishCreation):
2643         * runtime/VM.cpp:
2644         (JSC::VM::VM):
2645
2646 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2647
2648         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2649         https://bugs.webkit.org/show_bug.cgi?id=194085
2650
2651         Reviewed by Yusuke Suzuki.
2652
2653         r240730 changed ud_itab.py and caused incremental build failures
2654         for Ninja builds.
2655
2656         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2657
2658 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2659
2660         [JSC] Symbol should be in destructibleCellSpace
2661         https://bugs.webkit.org/show_bug.cgi?id=194082
2662
2663         Reviewed by Saam Barati.
2664
2665         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2666         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2667         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2668         Symbol's space destructibleCellSpace to appropriately call the destructor.
2669
2670         * runtime/Symbol.h:
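
        The leak mechanism in the entry above, as an added example that is not WebKit code: a toy allocation space
        that, like a JSC subspace, either runs cell destructors at sweep time or assumes its cells need none. A
        constructed SymbolLike cell owning an Impl stands in for Symbol and SymbolImpl; sweeping it from the
        non-destructible space reclaims the cell memory but never releases the Impl. The canSkipDestructor trait
        is the compile-time guard a space that skips destructors could apply; all names are assumptions.

```cpp
#include <cstdio>
#include <new>
#include <type_traits>
#include <vector>

// Constructed stand-in for SymbolImpl: a resource that only a destructor releases.
struct Impl {
    static int liveCount;
    Impl() { ++liveCount; }
    ~Impl() { --liveCount; }
};
int Impl::liveCount = 0;

// Constructed stand-in for Symbol: its only cleanup is releasing its Impl.
struct SymbolLike {
    Impl* impl;
    SymbolLike() : impl(new Impl) { }
    ~SymbolLike() { delete impl; }
};

// Toy allocation space. Like a JSC subspace, it either runs cell destructors
// at sweep time (destructibleCellSpace) or assumes its cells need none.
template <typename T>
class Space {
public:
    explicit Space(bool runsDestructors) : m_runsDestructors(runsDestructors) { }

    T* allocate()
    {
        void* slot = ::operator new(sizeof(T));
        T* cell = new (slot) T();
        m_cells.push_back(cell);
        return cell;
    }

    // Memory is always reclaimed; destructors run only if the space is destructible.
    void sweepAll()
    {
        for (T* cell : m_cells) {
            if (m_runsDestructors)
                cell->~T();
            ::operator delete(cell);
        }
        m_cells.clear();
    }

private:
    bool m_runsDestructors;
    std::vector<T*> m_cells;
};

// The guard that would have caught the entry's bug at compile time: only a
// trivially destructible cell type may live in a space that skips destructors.
template <typename T>
constexpr bool canSkipDestructor = std::is_trivially_destructible<T>::value;

// Allocates `count` symbols in a space of the given kind, sweeps, and reports
// how many Impls are still alive afterwards (0 means nothing leaked).
int leakedImplsAfterSweep(bool destructibleSpace, int count)
{
    Impl::liveCount = 0;
    Space<SymbolLike> space(destructibleSpace);
    for (int i = 0; i < count; ++i)
        space.allocate();
    space.sweepAll();
    return Impl::liveCount;
}

int main()
{
    std::printf("non-destructible space: %d leaked impls\n", leakedImplsAfterSweep(false, 5));
    std::printf("destructible space:     %d leaked impls\n", leakedImplsAfterSweep(true, 5));
    std::printf("SymbolLike may skip destructor: %s\n", canSkipDestructor<SymbolLike> ? "yes" : "no");
    return 0;
}
```

        A static_assert on canSkipDestructor<T> at the point where a cell type picks its space turns this class of
        leak into a build failure rather than something found after the fact.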
2671
2672 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2673
2674         Unreviewed, rolling out r240755.
2675
2676         This was not correct
2677
2678         Reverted changeset:
2679
2680         "Unreviewed, fix GCC build after r240730"
2681         https://bugs.webkit.org/show_bug.cgi?id=194041
2682         https://trac.webkit.org/changeset/240755
2683
2684 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2685
2686         Unreviewed, fix GCC build after r240730
2687         https://bugs.webkit.org/show_bug.cgi?id=194041
2688         <rdar://problem/47680981>
2689
2690         * disassembler/udis86/ud_itab.py:
2691         (UdItabGenerator.genOpcodeTablesLookupIndex):
2692
2693 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2694
2695         testapi's `testBytecodeCache` does not need to run the code twice
2696         https://bugs.webkit.org/show_bug.cgi?id=194046
2697
2698         Reviewed by Mark Lam.
2699
2700         Since we populate the cache eagerly (unlike the stress tests) we don't
2701         need to run the code twice.
2702
2703         * API/tests/testapi.mm:
2704         (testBytecodeCache):
2705
2706 2019-01-30  Saam Barati  <sbarati@apple.com>
2707
2708         [WebAssembly] Change BBQ to generate Air IR
2709         https://bugs.webkit.org/show_bug.cgi?id=191802
2710         <rdar://problem/47651718>
2711
2712         Reviewed by Keith Miller.
2713
2714         This patch adds a new Wasm compiler for the BBQ tier. Instead
2715         of compiling using B3-O1, we now generate Air code directly.
2716         The goal of doing this was to speed up compile times for Wasm
2717         programs.
2718         
2719         This patch provides us with a 20-30% compile time speedup. However, I
2720         have ideas on how to improve compile times even further. For example,
2721         we should probably implement a faster running register allocator:
2722         https://bugs.webkit.org/show_bug.cgi?id=194036
2723         
2724         We can also improve on the code we generate.
2725         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2726         And we should do better instruction selection in various
2727         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2728
2729         * JavaScriptCore.xcodeproj/project.pbxproj:
2730         * Sources.txt:
2731         * b3/B3LowerToAir.cpp:
2732         * b3/B3StackmapSpecial.h:
2733         * b3/air/AirCode.cpp:
2734         (JSC::B3::Air::Code::emitDefaultPrologue):
2735         * b3/air/AirCode.h:
2736         * b3/air/AirTmp.h:
2737         (JSC::B3::Air::Tmp::Tmp):
2738         * runtime/Options.h:
2739         * wasm/WasmAirIRGenerator.cpp: Added.
2740         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2741         (JSC::Wasm::TypedTmp::TypedTmp):
2742         (JSC::Wasm::TypedTmp::operator== const):
2743         (JSC::Wasm::TypedTmp::operator!= const):
2744         (JSC::Wasm::TypedTmp::operator bool const):
2745         (JSC::Wasm::TypedTmp::operator Tmp const):
2746         (JSC::Wasm::TypedTmp::operator Arg const):
2747         (JSC::Wasm::TypedTmp::tmp const):
2748         (JSC::Wasm::TypedTmp::type const):
2749         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2750         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2751         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2752         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2753         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2754         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2755         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2756         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2757         (JSC::Wasm::AirIRGenerator::emptyExpression):
2758         (JSC::Wasm::AirIRGenerator::fail const):
2759         (JSC::Wasm::AirIRGenerator::setParser):
2760         (JSC::Wasm::AirIRGenerator::toTmpVector):
2761         (JSC::Wasm::AirIRGenerator::validateInst):
2762         (JSC::Wasm::AirIRGenerator::extractArg):
2763         (JSC::Wasm::AirIRGenerator::append):
2764         (JSC::Wasm::AirIRGenerator::appendEffectful):
2765         (JSC::Wasm::AirIRGenerator::newTmp):
2766         (JSC::Wasm::AirIRGenerator::g32):
2767         (JSC::Wasm::AirIRGenerator::g64):
2768         (JSC::Wasm::AirIRGenerator::f32):
2769         (JSC::Wasm::AirIRGenerator::f64):
2770         (JSC::Wasm::AirIRGenerator::tmpForType):
2771         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2772         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2773         (JSC::Wasm::AirIRGenerator::emitCheck):
2774         (JSC::Wasm::AirIRGenerator::emitCCall):
2775         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2776         (JSC::Wasm::AirIRGenerator::instanceValue):
2777         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2778         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2779         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2780         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2781         (JSC::Wasm::AirIRGenerator::emitThrowException):
2782         (JSC::Wasm::AirIRGenerator::addLocal):
2783         (JSC::Wasm::AirIRGenerator::addConstant):
2784         (JSC::Wasm::AirIRGenerator::addArguments):
2785         (JSC::Wasm::AirIRGenerator::getLocal):
2786         (JSC::Wasm::AirIRGenerator::addUnreachable):
2787         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2788         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2789         (JSC::Wasm::AirIRGenerator::setLocal):
2790         (JSC::Wasm::AirIRGenerator::getGlobal):
2791         (JSC::Wasm::AirIRGenerator::setGlobal):
2792         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2793         (JSC::Wasm::sizeOfLoadOp):
2794         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2795         (JSC::Wasm::AirIRGenerator::load):
2796         (JSC::Wasm::sizeOfStoreOp):
2797         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2798         (JSC::Wasm::AirIRGenerator::store):
2799         (JSC::Wasm::AirIRGenerator::addSelect):
2800         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2801         (JSC::Wasm::AirIRGenerator::addLoop):
2802         (JSC::Wasm::AirIRGenerator::addTopLevel):
2803         (JSC::Wasm::AirIRGenerator::addBlock):
2804         (JSC::Wasm::AirIRGenerator::addIf):
2805         (JSC::Wasm::AirIRGenerator::addElse):
2806         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2807         (JSC::Wasm::AirIRGenerator::addReturn):
2808         (JSC::Wasm::AirIRGenerator::addBranch):
2809         (JSC::Wasm::AirIRGenerator::addSwitch):
2810         (JSC::Wasm::AirIRGenerator::endBlock):
2811         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2812         (JSC::Wasm::AirIRGenerator::addCall):
2813         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2814         (JSC::Wasm::AirIRGenerator::unify):
2815         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2816         (JSC::Wasm::AirIRGenerator::dump):
2817         (JSC::Wasm::AirIRGenerator::origin):
2818         (JSC::Wasm::parseAndCompileAir):
2819         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2820         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2821         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2822         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2823         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2824         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2825         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2826         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2827         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2828         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2829         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2830         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2831         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2832         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2833         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2834         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2835         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2836         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2837         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2838         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2839         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2840         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2841         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2842         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2843         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2844         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2845         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2846         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2847         (JSC::Wasm::AirIRGenerator::addShift):
2848         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2849         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2850         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2851         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2852         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2853         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2854         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2855         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2856         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2857         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2858         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2859         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2860         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2861         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2862         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2863         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2864         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2865         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2866         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2867         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2868         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2869         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2870         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2871         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2872         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2873         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2874         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2875         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2876         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2877         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2878         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2879         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2880         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2881         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2882         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2883         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2884         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2885         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2886         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2887         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2888         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2889         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2890         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2891         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2892         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2893         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2894         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2895         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2896         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2897         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2898         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2899         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2900         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2901         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2902         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2903         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2904         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2905         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2906         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2907         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2908         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2909         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2910         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2911         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2912         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2913         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2914         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2915         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2916         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2917         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2918         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2919         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2920         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2921         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2922         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2923         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2924         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2925         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2926         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2927         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2928         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2929         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2930         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2931         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2932         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2933         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2934         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2935         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2936         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2937         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2941         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2942         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2943         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2944         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2948         * wasm/WasmAirIRGenerator.h: Added.
2949         * wasm/WasmB3IRGenerator.cpp:
2950         (JSC::Wasm::B3IRGenerator::emptyExpression):
2951         * wasm/WasmBBQPlan.cpp:
2952         (JSC::Wasm::BBQPlan::compileFunctions):
2953         * wasm/WasmCallingConvention.cpp:
2954         (JSC::Wasm::jscCallingConventionAir):
2955         (JSC::Wasm::wasmCallingConventionAir):
2956         * wasm/WasmCallingConvention.h:
2957         (JSC::Wasm::CallingConvention::CallingConvention):
2958         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2959         (JSC::Wasm::CallingConvention::marshallArgument const):
2960         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2961         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2962         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2963         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2964         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2965         (JSC::Wasm::CallingConventionAir::loadArguments const):
2966         (JSC::Wasm::CallingConventionAir::setupCall const):
2967         (JSC::Wasm::nextJSCOffset):
2968         * wasm/WasmFunctionParser.h:
2969         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2970         * wasm/WasmValidate.cpp:
2971         (JSC::Wasm::Validate::emptyExpression):
2972
2973 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2974
2975         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2976         https://bugs.webkit.org/show_bug.cgi?id=194050
2977         <rdar://problem/47595592>
2978
2979         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2980         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2981
2982         Reviewed by Yusuke Suzuki.
2983
2984         * ftl/FTLOperations.cpp:
2985         (JSC::FTL::operationMaterializeObjectInOSR):
2986
2987 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2988
2989         Remove assertion that CachedSymbolTables should have no RareData
2990         https://bugs.webkit.org/show_bug.cgi?id=194037
2991
2992         Reviewed by Mark Lam.
2993
2994         It turns out that we don't need to cache the SymbolTableRareData and
2995         we should not assert that it's empty.
2996
2997         * runtime/CachedTypes.cpp:
2998         (JSC::CachedSymbolTable::encode):
2999
3000 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3001
3002         CachedBytecode's move constructor should not call `freeDataIfOwned`
3003         https://bugs.webkit.org/show_bug.cgi?id=194045
3004
3005         Reviewed by Mark Lam.
3006
3007         That might result in freeing a garbage value.
3008
3009         * parser/SourceProvider.h:
3010         (JSC::CachedBytecode::CachedBytecode):
3011
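The entry above describes a move constructor that called `freeDataIfOwned` before the new object's members existed, so it could read an indeterminate owner flag and pointer and free garbage. The following is an added illustration of the pattern and its fix; it is not WebKit's CachedBytecode, and `OwnedBuffer`, `g_freeCount` and the sample bytes are assumptions constructed for this example. A move constructor has nothing to free because `*this` owns nothing yet; freeing the old buffer belongs in move assignment, where `*this` is fully initialized.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

// Hypothetical stand-in for a CachedBytecode-like owner of a byte buffer
// (added illustration, not WebKit's code). g_freeCount records real frees so
// a caller can verify that each buffer is released exactly once and that
// moving an object never frees anything.
static int g_freeCount = 0;

class OwnedBuffer {
public:
    OwnedBuffer() = default;

    // Takes ownership of `data` when `owned` is true; otherwise only borrows it.
    OwnedBuffer(const void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    // Move constructor. The members of *this are not initialized yet, so a call
    // to freeDataIfOwned() here would test an indeterminate m_owned and could
    // pass a garbage m_data to free(). The correct move simply steals the state
    // of `other` and leaves `other` owning nothing.
    OwnedBuffer(OwnedBuffer&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false))
    { }

    // Move assignment is where releasing the previous buffer is correct:
    // *this already holds a fully initialized, possibly owning, state.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = std::exchange(other.m_data, nullptr);
            m_size = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    OwnedBuffer(const OwnedBuffer&) = delete;
    OwnedBuffer& operator=(const OwnedBuffer&) = delete;

    ~OwnedBuffer() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    void freeDataIfOwned()
    {
        if (m_owned) {
            std::free(const_cast<void*>(m_data));
            ++g_freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    const void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Builds an owning buffer from constructed sample bytes, move-constructs and
// move-assigns it, and returns the number of frees observed once every object
// is gone (expected: exactly 1), or -1 if ownership or contents were lost.
int moveOwnedBufferRoundTrip()
{
    g_freeCount = 0;
    const char sample[] = "constructed sample bytecode";  // constructed input
    {
        void* heap = std::malloc(sizeof(sample));
        std::memcpy(heap, sample, sizeof(sample));
        OwnedBuffer a(heap, sizeof(sample), true);
        OwnedBuffer b(std::move(a));   // move-construct: must not free
        OwnedBuffer c;
        c = std::move(b);              // move-assign into an empty object: nothing to free
        if (a.owned() || b.owned() || !c.owned())
            return -1;
        if (std::memcmp(c.data(), sample, sizeof(sample)) != 0)
            return -1;
        if (g_freeCount != 0)
            return -1;
    }   // c's destructor releases the buffer exactly once
    return g_freeCount;
}

// A borrowed buffer must survive all moves and destructors untouched.
bool borrowedBufferIsNeverFreed()
{
    g_freeCount = 0;
    static const char borrowed[] = "borrowed bytes";  // constructed, not heap-owned
    {
        OwnedBuffer a(borrowed, sizeof(borrowed), false);
        OwnedBuffer b(std::move(a));
    }
    return g_freeCount == 0;
}
```

Running `moveOwnedBufferRoundTrip()` under AddressSanitizer is the cheapest way to catch the original bug class: a constructor that frees through uninitialized members shows up as a free of an invalid pointer on the first move.
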
3012 2019-01-30  Keith Miller  <keith_miller@apple.com>
3013
3014         mul32 should convert powers of 2 to an lshift
3015         https://bugs.webkit.org/show_bug.cgi?id=193957
3016
3017         Reviewed by Yusuke Suzuki.
3018
3019         * assembler/MacroAssembler.h:
3020         (JSC::MacroAssembler::mul32):
3021         * assembler/testmasm.cpp:
3022         (JSC::int32Operands):
3023         (JSC::testMul32WithImmediates):
3024         (JSC::run):
3025
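The strength reduction in the entry above replaces `x * imm` with `x << k` whenever `imm == 1 << k`. The following added example (not JSC's MacroAssembler code; `shiftForPowerOfTwo`, `mul32Lowered` and the operand sets are assumptions made for this illustration) shows the detection step and, more usefully, checks the lowering against plain wrapping multiplication on the operands that matter: zero and odd immediates (no shift), negative immediates (no shift, since their two's-complement pattern has many bits set) and `INT32_MIN`, whose bit pattern has exactly one bit set and lowers to a shift by 31.

```cpp
#include <cstdint>

// Added illustration of the mul32 strength reduction (not JSC's code).
// Returns k when the 32-bit pattern of imm has exactly one bit set
// (imm == 1 << k as an unsigned value), otherwise -1.
int shiftForPowerOfTwo(int32_t imm)
{
    uint32_t u = static_cast<uint32_t>(imm);
    if (u == 0 || (u & (u - 1)) != 0)
        return -1;              // zero, or more than one bit set
    int k = 0;
    while ((u >> k) != 1)
        ++k;
    return k;
}

// Two's-complement 32-bit multiply, as the hardware instruction computes it.
int32_t wrappingMul32(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

// What mul32(imm, src, dest) lowers to: a left shift when imm is a power of
// two, a real multiply otherwise. Shifting the unsigned pattern avoids
// signed-overflow undefined behaviour while keeping the same low 32 bits.
int32_t mul32Lowered(int32_t src, int32_t imm)
{
    int k = shiftForPowerOfTwo(imm);
    if (k >= 0)
        return static_cast<int32_t>(static_cast<uint32_t>(src) << k);
    return wrappingMul32(src, imm);
}

// Checks the lowering against wrapping multiplication over edge-case operands.
bool loweringMatchesMultiply()
{
    const int32_t sources[] = { 0, 1, -1, 7, -7, 123456789, INT32_MAX, INT32_MIN };
    const int32_t immediates[] = { 0, 1, 2, 3, 8, -2, -8, 1024, 1 << 30, INT32_MIN, INT32_MAX };
    for (int32_t s : sources)
        for (int32_t imm : immediates)
            if (mul32Lowered(s, imm) != wrappingMul32(s, imm))
                return false;
    return true;
}
```

The `INT32_MIN` case is the one worth keeping in a test: it is a power of two only when the immediate is viewed as an unsigned bit pattern, and the shift is still correct because `mul32` has wrapping semantics, but a check written as `imm > 0 && isPowerOfTwo(imm)` would quietly fall back to a multiply there.
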
3026 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3027
3028         [JSC] Make disassembler data structures constant read-only data
3029         https://bugs.webkit.org/show_bug.cgi?id=194041
3030
3031         Reviewed by Mark Lam.
3032
3033         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3034         This patch makes them "const".
3035
3036         * disassembler/ARM64/A64DOpcode.cpp:
3037         * disassembler/udis86/ud_itab.py:
3038         (UdItabGenerator.genOpcodeTablesLookupIndex):
3039         (UdItabGenerator.genInsnTable):
3040         (UdItabGenerator.genMnemonicsList):
3041         (genItabH):
3042         * disassembler/udis86/udis86_decode.h:
3043         * disassembler/udis86/udis86_syn.c:
3044         * disassembler/udis86/udis86_syn.h:
3045         * disassembler/udis86/udis86_types.h:
3046
3047 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3048
3049         Unreviewed, update the builtin test results
3050         https://bugs.webkit.org/show_bug.cgi?id=194015
3051
3052         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3053         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3054         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3055         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3056         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3057         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3058         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3059         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3060         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3061         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3062         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3063         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3064         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3065
3066 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3067
3068         [JSC] Make global static variables "const" as much as possible
3069         https://bugs.webkit.org/show_bug.cgi?id=194015
3070
3071         Reviewed by Mark Lam.
3072
3073         Some global static variables are not "const". For example, `static const char* name = ...`
3074         is not a constant variable. We should make it `static const char* const name = ...`.
3075
3076         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3077         (generate_externs_for_object):
3078         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3079         (generate_externs_for_object):
3080         * Scripts/wkbuiltins/builtins_generator.py:
3081         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3082         * assembler/MacroAssembler.h:
3083         (JSC::MacroAssembler::additionBlindedConstant):
3084         * b3/air/AirFormTable.h:
3085         * b3/air/opcode_generator.rb:
3086         * runtime/JSObject.cpp:
3087         (JSC::JSObject::visitButterfly):
3088         * tools/CodeProfile.cpp:
3089         * tools/CodeProfile.h:
3090
3091 2019-01-29  Keith Miller  <keith_miller@apple.com>
3092
3093         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3094         https://bugs.webkit.org/show_bug.cgi?id=194000
3095         <rdar://problem/47642894>
3096
3097         Reviewed by Mark Lam.
3098
3099         The default constructor is unused, and
3100         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3101         data member, which causes sadness.
3102
3103         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3104
3105 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3106
3107         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3108
3109         Rubber-stamped by Yusuke Suzuki.
3110
3111         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3112
3113         * parser/Parser.h:
3114         (JSC::Parser::declareHoistedVariable):
3115
3116 2019-01-29  Mark Lam  <mark.lam@apple.com>
3117
3118         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3119         https://bugs.webkit.org/show_bug.cgi?id=132333
3120
3121         Reviewed by Yusuke Suzuki.
3122
3123         * bytecode/InstructionStream.h:
3124         (JSC::InstructionStreamWriter::write):
3125         - The 32-bit write() function need not invert the order of the bytes written to
3126           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3127           be written is already in big endian order on CPU(BIG_ENDIAN) platforms.
3128
3129         * llint/LLIntOfflineAsmConfig.h:
3130         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3131
3132 2019-01-29  Mark Lam  <mark.lam@apple.com>
3133
3134         ValueRecovery::recover() should purify NaN values it recovers.
3135         https://bugs.webkit.org/show_bug.cgi?id=193978
3136         <rdar://problem/47625488>
3137
3138         Reviewed by Saam Barati.
3139
3140         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3141         recovered DoubleDisplacedInJSStack values need to be purified.
3142         ValueRecovery::recover() should do the same.
3143
3144         * bytecode/ValueRecovery.cpp:
3145         (JSC::ValueRecovery::recover const):
3146
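The entry above says that recovered DoubleDisplacedInJSStack values need to be purified, without spelling out what purification is. The following added example (modelled on the idea behind JSC's purifyNaN, but not JSC's code; `kPureNaNBits`, the helpers and the sample bit patterns are assumptions made here) shows the operation: every NaN, whatever sign bit and payload it carries, is collapsed to one canonical quiet NaN, while every non-NaN value, including -0.0, passes through bit-for-bit. In a value representation that packs non-double values into the NaN space of a 64-bit word, a NaN with arbitrary payload bits read back from memory could alias such an encoded value, which is why a recovery path must not let an impure NaN escape.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Added illustration of NaN purification (not JSC's code).
// The single canonical quiet NaN bit pattern that the runtime allows to escape.
constexpr uint64_t kPureNaNBits = 0x7ff8000000000000ull;

uint64_t bitsOf(double d)
{
    uint64_t b;
    std::memcpy(&b, &d, sizeof b);
    return b;
}

double doubleFromBits(uint64_t b)
{
    double d;
    std::memcpy(&d, &b, sizeof d);
    return d;
}

// Collapses any NaN to the canonical pattern; leaves every other value untouched.
double purifyNaN(double value)
{
    if (value != value)     // only NaN compares unequal to itself
        return doubleFromBits(kPureNaNBits);
    return value;
}

// Simulates a recovery path reading a raw 64-bit slot back as a double.
// For a NaN with arbitrary (here constructed) payload bits, returns true only
// if purification produced exactly the canonical pattern. Returns false for a
// non-NaN input, since there is nothing to purify in that case.
bool purifiedNaNIsCanonical(uint64_t rawBits)
{
    double recovered = doubleFromBits(rawBits);
    if (!std::isnan(recovered))
        return false;
    return bitsOf(purifyNaN(recovered)) == kPureNaNBits;
}

// Non-NaN values, -0.0 included, must survive purification bit-for-bit.
bool nonNaNPassesThrough(double value)
{
    return bitsOf(purifyNaN(value)) == bitsOf(value);
}
```

The two properties worth asserting in a test are the ones the entry relies on: a NaN with a non-zero payload (for instance `0x7ff8deadbeef1234`) comes out as `kPureNaNBits`, and a value such as `-0.0`, whose sign bit is observable in JavaScript, is not touched.
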
3147 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3148
3149         [JSC] FTL should handle LocalAllocator*
3150         https://bugs.webkit.org/show_bug.cgi?id=193980
3151
3152         Reviewed by Saam Barati.
3153
3154         At some point, Allocator began holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3155         because the FTL still uses the incoming value as a 32-bit integer there.
3156
3157         * ftl/FTLLowerDFGToB3.cpp:
3158         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3159
3160 2019-01-29  Keith Rollin  <krollin@apple.com>
3161
3162         Add .xcfilelists to Run Script build phases
3163         https://bugs.webkit.org/show_bug.cgi?id=193792
3164         <rdar://problem/47201785>
3165
3166         Reviewed by Alex Christensen.
3167
3168         As part of supporting XCBuild, update the necessary Run Script build
3169         phases in their Xcode projects to refer to their associated
3170         .xcfilelist files.
3171
3172         Note that the addition of these files bumps the Xcode project version
3173         number to something that's Xcode 10 compatible. This change means that
3174         older versions of the Xcode IDE can't read these projects. Nor can they
3175         fully load workspaces that refer to these projects (the updated
3176         projects are shown as non-expandable placeholders). `xcodebuild` can
3177         still build these projects; it's just that the IDE can't open them.
3178
3179         * JavaScriptCore.xcodeproj/project.pbxproj:
3180
3181 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3182
3183         [ARM] Check for negative zero instead of just zero
3184         https://bugs.webkit.org/show_bug.cgi?id=193689
3185
3186         Reviewed by Mark Lam.
3187
3188         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3189         of just bailing out for zero.
3190
3191         * assembler/MacroAssemblerARMv7.h:
3192         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3193
3194 2019-01-28  Devin Rousso  <drousso@apple.com>
3195
3196         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3197         https://bugs.webkit.org/show_bug.cgi?id=193863
3198         <rdar://problem/47572764>
3199
3200         Reviewed by Joseph Pecoraro.
3201
3202         * inspector/protocol/Page.json:
3203         Add more values to the `Setting` enum type:
3204          - `ICECandidateFilteringEnabled`
3205          - `MediaCaptureRequiresSecureConnection`
3206          - `MockCaptureDevicesEnabled`
3207
3208 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3209
3210         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3211         https://bugs.webkit.org/show_bug.cgi?id=193941
3212
3213         Reviewed by Alex Christensen.
3214
3215         * API/JSWeakObjectMapRefPrivate.cpp:
3216         * bytecompiler/NodesCodegen.cpp:
3217         * heap/MachineStackMarker.cpp:
3218         * jit/ExecutableAllocator.cpp:
3219         * jsc.cpp:
3220         * parser/Nodes.cpp:
3221         * runtime/DateConstructor.cpp:
3222         * runtime/DateConversion.cpp:
3223         * runtime/DateInstance.cpp:
3224         * runtime/DatePrototype.cpp:
3225         * runtime/InitializeThreading.cpp:
3226         * runtime/IteratorOperations.cpp:
3227         * runtime/JSDateMath.cpp:
3228         * runtime/JSGlobalObjectFunctions.cpp:
3229         * runtime/StringPrototype.cpp:
3230         * runtime/VM.cpp:
3231         * testRegExp.cpp:
3232         * tools/JSDollarVM.cpp:
3233         * yarr/YarrInterpreter.cpp:
3234         * yarr/YarrJIT.cpp:
3235         * yarr/YarrPattern.cpp:
3236         * yarr/YarrUnicodeProperties.cpp:
3237
3238 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3239
3240         [JSC] Reduce size of memory used for ShadowChicken
3241         https://bugs.webkit.org/show_bug.cgi?id=193546
3242
3243         Reviewed by Mark Lam.
3244
3245         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3246         The removal of ShadowChicken saves 55KB of memory.
3247
3248         * debugger/DebuggerCallFrame.cpp:
3249         (JSC::DebuggerCallFrame::create):
3250         * ftl/FTLLowerDFGToB3.cpp:
3251         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3252         * heap/Heap.cpp:
3253         (JSC::Heap::stopThePeriphery):
3254         (JSC::Heap::addCoreConstraints):
3255         * jit/CCallHelpers.cpp:
3256         (JSC::CCallHelpers::ensureShadowChickenPacket):
3257         * jit/JITExceptions.cpp:
3258         (JSC::genericUnwind):
3259         * jit/JITOpcodes.cpp:
3260         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3261         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3262         * jit/JITOpcodes32_64.cpp:
3263         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3264         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3265         * jit/JITOperations.cpp:
3266         * llint/LLIntSlowPaths.cpp:
3267         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3268         * runtime/JSGlobalObject.cpp:
3269         (JSC::JSGlobalObject::setDebugger):
3270         * runtime/JSGlobalObject.h:
3271         (JSC::JSGlobalObject::setDebugger): Deleted.
3272         * runtime/VM.cpp:
3273         (JSC::VM::VM):
3274         (JSC::VM::ensureShadowChicken):
3275         * runtime/VM.h:
3276         (JSC::VM::shadowChicken):
3277         * tools/JSDollarVM.cpp:
3278         (JSC::functionShadowChickenFunctionsOnStack):
3279         (JSC::changeDebuggerModeWhenIdle):
3280
3281 2019-01-28  Andy Estes  <aestes@apple.com>
3282
3283         [watchOS] Enable Parental Controls content filtering
3284         https://bugs.webkit.org/show_bug.cgi?id=193939
3285         <rdar://problem/46641912>
3286
3287         Reviewed by Ryosuke Niwa.
3288
3289         * Configurations/FeatureDefines.xcconfig:
3290
3291 2019-01-28  Mark Lam  <mark.lam@apple.com>
3292
3293         ToString node actually does GC.
3294         https://bugs.webkit.org/show_bug.cgi?id=193920
3295         <rdar://problem/46695900>
3296
3297         Reviewed by Yusuke Suzuki.
3298
3299         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3300         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3301
3302         * dfg/DFGDoesGC.cpp:
3303         (JSC::DFG::doesGC):
3304
3305 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3306
3307         [JSC] RegExpConstructor should not have own IsoSubspace
3308         https://bugs.webkit.org/show_bug.cgi?id=193801
3309
3310         Reviewed by Mark Lam.
3311
3312         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3313         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3314         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3315         it from RegExpConstructor's members.
3316
3317         We introduce RegExpGlobalData, which holds the per-global RegExp matching data, and we now perform `performMatch` etc. with
3318         JSGlobalObject instead of RegExpConstructor. This change requires small changes in the DFG / FTL RecordRegExpCachedResult
3319         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3320
3321         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3322
3323         * CMakeLists.txt:
3324         * JavaScriptCore.xcodeproj/project.pbxproj:
3325         * Sources.txt:
3326         * dfg/DFGOperations.cpp:
3327         * dfg/DFGSpeculativeJIT.cpp:
3328         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3329         * dfg/DFGStrengthReductionPhase.cpp:
3330         (JSC::DFG::StrengthReductionPhase::handleNode):
3331         * ftl/FTLAbstractHeapRepository.cpp:
3332         * ftl/FTLAbstractHeapRepository.h:
3333         * ftl/FTLLowerDFGToB3.cpp:
3334         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3335         * runtime/JSGlobalObject.cpp:
3336         (JSC::JSGlobalObject::init):
3337         (JSC::JSGlobalObject::visitChildren):
3338         * runtime/JSGlobalObject.h:
3339         (JSC::JSGlobalObject::regExpGlobalData):
3340         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3341         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3342         * runtime/RegExpCache.cpp:
3343         (JSC::RegExpCache::initialize):
3344         * runtime/RegExpCache.h:
3345         (JSC::RegExpCache::emptyRegExp const):
3346         * runtime/RegExpCachedResult.cpp:
3347         (JSC::RegExpCachedResult::visitAggregate):
3348         (JSC::RegExpCachedResult::visitChildren): Deleted.
3349         * runtime/RegExpCachedResult.h:
3350         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3351         * runtime/RegExpConstructor.cpp:
3352         (JSC::RegExpConstructor::RegExpConstructor):
3353         (JSC::regExpConstructorDollar):
3354         (JSC::regExpConstructorInput):
3355         (JSC::regExpConstructorMultiline):
3356         (JSC::regExpConstructorLastMatch):
3357         (JSC::regExpConstructorLastParen):
3358         (JSC::regExpConstructorLeftContext):
3359         (JSC::regExpConstructorRightContext):
3360         (JSC::setRegExpConstructorInput):
3361         (JSC::setRegExpConstructorMultiline):
3362         (JSC::RegExpConstructor::destroy): Deleted.
3363         (JSC::RegExpConstructor::visitChildren): Deleted.
3364         (JSC::RegExpConstructor::getBackref): Deleted.
3365         (JSC::RegExpConstructor::getLastParen): Deleted.
3366         (JSC::RegExpConstructor::getLeftContext): Deleted.
3367         (JSC::RegExpConstructor::getRightContext): Deleted.
3368         * runtime/RegExpConstructor.h:
3369         (JSC::RegExpConstructor::performMatch): Deleted.
3370         (JSC::RegExpConstructor::recordMatch): Deleted.
3371         * runtime/RegExpGlobalData.cpp: Added.
3372         (JSC::RegExpGlobalData::visitAggregate):
3373         (JSC::RegExpGlobalData::getBackref):
3374         (JSC::RegExpGlobalData::getLastParen):
3375         (JSC::RegExpGlobalData::getLeftContext):
3376         (JSC::RegExpGlobalData::getRightContext):
3377         * runtime/RegExpGlobalData.h: Added.
3378         (JSC::RegExpGlobalData::cachedResult):
3379         (JSC::RegExpGlobalData::setMultiline):
3380         (JSC::RegExpGlobalData::multiline const):
3381         (JSC::RegExpGlobalData::input):
3382         (JSC::RegExpGlobalData::offsetOfCachedResult):
3383         * runtime/RegExpGlobalDataInlines.h: Added.
3384         (JSC::RegExpGlobalData::setInput):
3385         (JSC::RegExpGlobalData::performMatch):
3386         (JSC::RegExpGlobalData::recordMatch):
3387         * runtime/RegExpObject.cpp:
3388         (JSC::RegExpObject::matchGlobal):
3389         * runtime/RegExpObjectInlines.h:
3390         (JSC::RegExpObject::execInline):
3391         (JSC::RegExpObject::matchInline):
3392         (JSC::collectMatches):
3393         * runtime/RegExpPrototype.cpp:
3394         (JSC::RegExpPrototype::finishCreation):
3395         (JSC::regExpProtoFuncSearchFast):
3396         (JSC::RegExpPrototype::visitChildren): Deleted.
3397         * runtime/RegExpPrototype.h:
3398         * runtime/StringPrototype.cpp:
3399         (JSC::removeUsingRegExpSearch):
3400         (JSC::replaceUsingRegExpSearch):
3401         * runtime/VM.cpp:
3402         (JSC::VM::VM):
3403         * runtime/VM.h:
3404
3405 2018-12-15  Darin Adler  <darin@apple.com>
3406
3407         Replace many uses of String::format with more type-safe alternatives
3408         https://bugs.webkit.org/show_bug.cgi?id=192742
3409
3410         Reviewed by Mark Lam.
3411
3412         * inspector/InjectedScriptBase.cpp:
3413         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3414         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3415         * inspector/InspectorBackendDispatcher.cpp:
3416         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3417         * inspector/agents/InspectorConsoleAgent.cpp:
3418         (Inspector::InspectorConsoleAgent::enable): Ditto.
3419         * jsc.cpp:
3420         (FunctionJSCStackFunctor::operator() const): Ditto.
3421
3422         * runtime/CodeCache.cpp:
3423         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3424         using String::number.
3425
3426         * runtime/IntlDateTimeFormat.cpp:
3427         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3428         * runtime/IntlObject.cpp:
3429         (JSC::canonicalizeLocaleList): Ditto.
3430
3431 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3432
3433         AX: Introduce a static accessibility tree
3434         https://bugs.webkit.org/show_bug.cgi?id=193348
3435         <rdar://problem/47203295>
3436
3437         Reviewed by Ryosuke Niwa.
3438
3439         * Configurations/FeatureDefines.xcconfig:
3440
3441 2019-01-26  Devin Rousso  <drousso@apple.com>
3442
3443         Web Inspector: provide a way to edit the user agent of a remote target
3444         https://bugs.webkit.org/show_bug.cgi?id=193862
3445         <rdar://problem/47359292>
3446
3447         Reviewed by Joseph Pecoraro.
3448
3449         * inspector/protocol/Page.json:
3450         Add `overrideUserAgent` command.
3451
3452 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3453
3454         [JSC] NativeErrorConstructor should not have own IsoSubspace
3455         https://bugs.webkit.org/show_bug.cgi?id=193713
3456
3457         Reviewed by Saam Barati.
3458
        This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
        We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
        threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
        offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes the
        IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
        referenced.
3465
3466         * CMakeLists.txt:
3467         * JavaScriptCore.xcodeproj/project.pbxproj:
3468         * Sources.txt:
3469         * builtins/BuiltinNames.h:
3470         * interpreter/Interpreter.h:
3471         * runtime/Error.cpp:
3472         (JSC::createEvalError):
3473         (JSC::createRangeError):
3474         (JSC::createReferenceError):
3475         (JSC::createSyntaxError):
3476         (JSC::createTypeError):
3477         (JSC::createURIError):
3478         (WTF::printInternal): Deleted.
3479         * runtime/Error.h:
3480         * runtime/ErrorPrototype.cpp:
3481         (JSC::ErrorPrototype::create):
3482         (JSC::ErrorPrototype::finishCreation):
3483         * runtime/ErrorPrototype.h:
3484         (JSC::ErrorPrototype::create): Deleted.
3485         * runtime/ErrorType.cpp: Added.
3486         (JSC::errorTypeName):
3487         (WTF::printInternal):
3488         * runtime/ErrorType.h: Added.
3489         * runtime/JSGlobalObject.cpp:
3490         (JSC::JSGlobalObject::initializeErrorConstructor):
3491         (JSC::JSGlobalObject::init):
3492         (JSC::JSGlobalObject::visitChildren):
3493         * runtime/JSGlobalObject.h:
3494         (JSC::JSGlobalObject::internalPromiseConstructor const):
3495         (JSC::JSGlobalObject::errorStructure const):
3496         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3497         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3498         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3499         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3500         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3501         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3502         * runtime/NativeErrorConstructor.cpp:
3503         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3504         (JSC::NativeErrorConstructorBase::finishCreation):
3505         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3506         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3507         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3508         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3509         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3510         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3511         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3512         * runtime/NativeErrorConstructor.h:
3513         (JSC::NativeErrorConstructorBase::createStructure):
3514         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3515         * runtime/NativeErrorPrototype.cpp:
3516         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3517         * runtime/NativeErrorPrototype.h:
3518         * runtime/VM.cpp:
3519         (JSC::VM::VM):
3520         * runtime/VM.h:
3521         * wasm/js/WasmToJS.cpp:
3522         (JSC::Wasm::handleBadI64Use):
3523
3524 2019-01-25  Devin Rousso  <drousso@apple.com>
3525
3526         Web Inspector: provide a way to edit page settings on a remote target
3527         https://bugs.webkit.org/show_bug.cgi?id=193813
3528         <rdar://problem/47359510>
3529
3530         Reviewed by Joseph Pecoraro.
3531
3532         * inspector/protocol/Page.json:
3533         Add `overrideSetting` command with supporting `Setting` enum type.
3534
3535 2019-01-25  Keith Rollin  <krollin@apple.com>
3536
3537         Update Xcode projects with "Check .xcfilelists" build phase
3538         https://bugs.webkit.org/show_bug.cgi?id=193790
3539         <rdar://problem/47201374>
3540
3541         Reviewed by Alex Christensen.
3542
3543         Support for XCBuild includes specifying inputs and outputs to various
3544         Run Script build phases. These inputs and outputs are specified as
3545         .xcfilelist files. Once created, these .xcfilelist files need to be
        kept up-to-date. In order to check whether they are up-to-date,
        add an Xcode build step that invokes an external script that performs
3548         the checking. If the .xcfilelists are found to be out-of-date, update
3549         them, halt the build, and instruct the developer to restart the build
3550         with up-to-date files.
3551
3552         At this time, the checking and regenerating is performed only if the
3553         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3554         who want to use this facility can set this variable and test out the
3555         checking/regenerating. Once it seems like there are no egregious
3556         issues that upset a developer's workflow, we'll unconditionally enable
3557         this facility.
3558
3559         * JavaScriptCore.xcodeproj/project.pbxproj:
3560         * Scripts/check-xcfilelists.sh: Added.
3561
3562 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3563
3564         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3565         https://bugs.webkit.org/show_bug.cgi?id=193796
3566         <rdar://problem/47532910>
3567
3568         Reviewed by Devin Rousso.
3569
3570         * runtime/SamplingProfiler.cpp:
3571         (JSC::SamplingProfiler::machThread):
3572         * runtime/SamplingProfiler.h:
3573         Expose the mach_port_t of the SamplingProfiler thread
3574         so it can be tested against later.
3575
3576 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3577
3578         Fix Windows build after r240511
3579
3580         * bytecode/UnlinkedFunctionExecutable.cpp:
3581         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3582
3583 2019-01-25  Keith Rollin  <krollin@apple.com>
3584
3585         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3586         https://bugs.webkit.org/show_bug.cgi?id=193781
3587         <rdar://problem/47201153>
3588
3589         Reviewed by Alex Christensen.
3590
3591         Part of generating the .xcfilelists used as part of adopting XCBuild
3592         includes running `make DerivedSources.make` from a standalone script.
3593         It’s important for this invocation to have the same environment as
3594         when the actual build invokes `make DerivedSources.make`. If the
3595         environments are different, then the two invocations will provide
3596         different results. In order to get the same environment in the
3597         standalone script, have the script launch xcodebuild targeting the
3598         "Apply Configuration to XCFileLists" build target, which will then
3599         re-invoke our standalone script. The script is now running again, this
3600         time in an environment with all workspace, project, target, xcconfig
3601         and other environment variables established.
3602
3603         The "Apply Configuration to XCFileLists" build target accomplishes
3604         this task via a small embedded shell script that consists only of:
3605
3606             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3607
3608         The process that invokes "Apply Configuration to XCFileLists" first
3609         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3610         evaluated and exports it into the shell environment. When xcodebuild
3611         is invoked, it inherits the value of this variable and can `eval` the
3612         contents of that variable. Our external standalone script can then set
3613         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3614         of command-line parameters needed to restart itself in the appropriate
3615         state.
3616
3617         * JavaScriptCore.xcodeproj/project.pbxproj:
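
        The two halves of the sublaunch pattern described in this entry, as an added
        example that is not WebKit's script: an outer script stores the command line it
        wants re-run in WK_SUBLAUNCH_SCRIPT_PARAMETERS and exports it, and a stand-in for
        the "Apply Configuration to XCFileLists" phase does nothing but eval that
        variable, so the inner script runs with the phase's environment. A single quoted
        string stands in for the bash array so the example runs under POSIX sh; the inner
        script, the shquote helper and WK_EXAMPLE_SETTING are constructed for the example.
        Because the phase evals whatever the variable holds, the outer side must quote
        each argument, which is what shquote does.

```shell
#!/bin/sh
# Added example (not WebKit's script): the two halves of the sublaunch
# pattern. The outer script puts the command line it wants re-run into
# WK_SUBLAUNCH_SCRIPT_PARAMETERS and exports it; the build phase does nothing
# but eval that variable, so the inner script runs with the build phase's
# environment. A single quoted string stands in for the bash array so this
# runs under POSIX sh.

# Stand-in for the "Apply Configuration to XCFileLists" build phase.
apply_configuration_phase() {
    eval "$WK_SUBLAUNCH_SCRIPT_PARAMETERS"
}

# Single-quote one argument so that eval reconstructs it verbatim (a literal
# ' becomes '\''). Without this, metacharacters in a path or argument would
# be executed by the eval on the other side.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Outer script: writes a throwaway inner script (constructed for the
# example), stores the command line in the variable, and runs the phase with
# a build setting in its environment. Prints what the inner script saw.
sublaunch_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/inner.sh" <<'EOF'
#!/bin/sh
# Inner script: the hypothetical generator, re-run from inside the phase.
printf '%s|%s|%s\n' "$1" "$2" "${WK_EXAMPLE_SETTING:-unset}"
EOF
    chmod +x "$tmp/inner.sh"

    WK_SUBLAUNCH_SCRIPT_PARAMETERS="$(shquote "$tmp/inner.sh") $(shquote --regenerate) $(shquote DerivedSources.make)"
    export WK_SUBLAUNCH_SCRIPT_PARAMETERS

    WK_EXAMPLE_SETTING=Release
    export WK_EXAMPLE_SETTING
    apply_configuration_phase
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

        Running sublaunch_demo prints "--regenerate|DerivedSources.make|Release": the
        inner script received its arguments intact and saw the setting that was only
        exported inside the phase.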
3618
3619 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3620
3621         Add API to generate and consume cached bytecode
3622         https://bugs.webkit.org/show_bug.cgi?id=193401
3623         <rdar://problem/47514099>
3624
3625         Reviewed by Keith Miller.
3626
3627         Add the `generateBytecode` and `generateModuleBytecode` functions to
3628         generate serialized bytecode for a given `SourceCode`. These functions
3629         will eagerly generate code for all the nested functions.
3630
3631         Additionally, update the API methods in JSScript to generate and use the
3632         bytecode when the bytecodeCache path is provided.
3633
3634         * API/JSAPIGlobalObject.mm:
3635         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3636         * API/JSContext.mm:
3637         (-[JSContext wrapperMap]):
3638         * API/JSContextInternal.h:
3639         * API/JSScript.mm:
3640         (+[JSScript scriptWithSource:inVirtualMachine:]):
3641         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3642         (-[JSScript dealloc]):
3643         (-[JSScript readCache]):
3644         (-[JSScript writeCache]):
3645         (-[JSScript hash]):
3646         (-[JSScript source]):
3647         (-[JSScript cachedBytecode]):
3648         (-[JSScript jsSourceCode:]):
3649         * API/JSScriptInternal.h:
3650         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3651         (JSScriptSourceProvider::create):
3652         (JSScriptSourceProvider::JSScriptSourceProvider):
3653         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3654         (JSScriptSourceProvider::hash const):
3655         (JSScriptSourceProvider::source const):
3656         (JSScriptSourceProvider::cachedBytecode const):
3657         * API/JSVirtualMachine.mm:
3658         (-[JSVirtualMachine vm]):
3659         * API/JSVirtualMachineInternal.h:
3660         * API/tests/testapi.mm:
3661         (testBytecodeCache):
3662         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3663         (testObjectiveCAPI):
3664         * JavaScriptCore.xcodeproj/project.pbxproj:
3665         * SourcesCocoa.txt:
3666         * bytecode/UnlinkedFunctionExecutable.cpp:
3667         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3668         * bytecode/UnlinkedFunctionExecutable.h:
3669         * parser/SourceCodeKey.h:
3670         (JSC::SourceCodeKey::source const):
3671         * parser/SourceProvider.h:
3672         (JSC::CachedBytecode::CachedBytecode):
3673         (JSC::CachedBytecode::operator=):
3674         (JSC::CachedBytecode::data const):
3675         (JSC::CachedBytecode::size const):
3676         (JSC::CachedBytecode::owned const):
3677         (JSC::CachedBytecode::~CachedBytecode):
3678         (JSC::CachedBytecode::freeDataIfOwned):
3679         (JSC::SourceProvider::cachedBytecode const):
3680         * parser/UnlinkedSourceCode.h:
3681         (JSC::UnlinkedSourceCode::provider const):
3682         * runtime/CodeCache.cpp:
3683         (JSC::generateUnlinkedCodeBlockForFunctions):
3684         (JSC::writeCodeBlock):
3685         (JSC::serializeBytecode):
3686         * runtime/CodeCache.h:
3687         (JSC::CodeCacheMap::fetchFromDiskImpl):
3688         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3689         (JSC::generateUnlinkedCodeBlockImpl):
3690         (JSC::generateUnlinkedCodeBlock):
3691         * runtime/Completion.cpp:
3692         (JSC::generateBytecode):
3693         (JSC::generateModuleBytecode):
3694         * runtime/Completion.h:
3695         * runtime/Options.cpp:
3696         (JSC::recomputeDependentOptions):
3697
3698 2019-01-25  Keith Rollin  <krollin@apple.com>
3699
3700         Update WebKitAdditions.xcconfig with correct order of variable definitions
3701         https://bugs.webkit.org/show_bug.cgi?id=193793
3702         <rdar://problem/47532439>
3703
3704         Reviewed by Alex Christensen.
3705
3706         XCBuild changes the way xcconfig variables are evaluated. In short,
3707         all config file assignments are now considered in part of the
3708         evaluation. When using the new build system and an .xcconfig file
3709         contains multiple assignments of the same build setting:
3710
3711         - Later assignments using $(inherited) will inherit from earlier
3712           assignments in the xcconfig file.
3713         - Later assignments not using $(inherited) will take precedence over
3714           earlier assignments. An assignment to a more general setting will
3715           mask an earlier assignment to a less general setting. For example,
3716           an assignment without a condition ('FOO = bar') will completely mask
3717           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3718
        This affects some of our .xcconfig files, in that sometimes platform-
        or sdk-specific definitions appear before the general definitions.
        Under the new evaluation rules, the general definitions always take
        effect because they always overwrite the more-specific definitions. The
        solution is to swap the order, so that the general definitions are
        established first, and then conditionally overwritten by the
        more-specific definitions.
3726
3727         * Configurations/Version.xcconfig:
3728
3729 2019-01-25  Keith Rollin  <krollin@apple.com>
3730
3731         Update existing .xcfilelists
3732         https://bugs.webkit.org/show_bug.cgi?id=193791
3733         <rdar://problem/47201706>
3734
3735         Reviewed by Alex Christensen.
3736
3737         Many .xcfilelist files were added in r238824 in order to support
3738         XCBuild. Update these with recent changes to the set of build files
3739         and with the current generate-xcfilelist script.
3740
3741         * DerivedSources-input.xcfilelist:
3742         * DerivedSources-output.xcfilelist:
3743         * UnifiedSources-input.xcfilelist:
3744         * UnifiedSources-output.xcfilelist:
3745
3746 2019-01-25  Jon Davis  <jond@apple.com>
3747
3748         Update JavaScriptCore feature status entries.
3749         https://bugs.webkit.org/show_bug.cgi?id=193797
3750
3751         Reviewed by Mark Lam.
3752         
3753         Updated feature status for Async Iteration, and Object rest/spread.
3754
3755         * features.json:
3756
3757 2019-01-24  Keith Miller  <keith_miller@apple.com>
3758
3759         Remove usage of internal macro from private header
3760         https://bugs.webkit.org/show_bug.cgi?id=193809
3761
3762         Reviewed by Saam Barati.
3763
3764         Also, add a new file to include all of our API headers to make sure
3765         they don't accidentally include C++ or internal values.
3766
3767         * API/JSScript.h:
3768         * API/tests/testIncludes.m: Added.
3769         * JavaScriptCore.xcodeproj/project.pbxproj:
3770
3771 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3772
3773         [JSC] ErrorConstructor should not have own IsoSubspace
3774         https://bugs.webkit.org/show_bug.cgi?id=193800
3775
3776         Reviewed by Saam Barati.
3777
        Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have the
        IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
        too costly to have an IsoSubspace which allocates 16KB. Since the stackTraceLimit information is per-
        JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
        ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
        into IsoSubspaces) described,
3784
3785             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3786             appear to just override methods, which are called dynamically via the structure or class of the object.
3787             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3788
        Then, putting ErrorConstructor in the InternalFunction IsoSubspace is fine since it meets the above condition.
        This patch removes m_stackTraceLimit in ErrorConstructor, and drops the IsoSubspace errorConstructorSpace.
        This reduces the memory usage.
3792
3793         * interpreter/Interpreter.h:
3794         * runtime/Error.cpp:
3795         (JSC::getStackTrace):
3796         * runtime/ErrorConstructor.cpp:
3797         (JSC::ErrorConstructor::ErrorConstructor):
3798         (JSC::ErrorConstructor::finishCreation):
3799         (JSC::constructErrorConstructor):
3800         (JSC::callErrorConstructor):
3801         (JSC::ErrorConstructor::put):
3802         (JSC::ErrorConstructor::deleteProperty):
3803         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3804         (JSC::Interpreter::callErrorConstructor): Deleted.
3805         * runtime/ErrorConstructor.h:
3806         * runtime/JSGlobalObject.cpp:
3807         (JSC::JSGlobalObject::JSGlobalObject):
3808         (JSC::JSGlobalObject::init):
3809         (JSC::JSGlobalObject::visitChildren):
3810         * runtime/JSGlobalObject.h:
3811         (JSC::JSGlobalObject::stackTraceLimit const):
3812         (JSC::JSGlobalObject::setStackTraceLimit):
3813         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3814         * runtime/VM.cpp:
3815         (JSC::VM::VM):
3816         * runtime/VM.h:
3817
3818 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3819
3820         Web Inspector: CPU Usage Timeline
3821         https://bugs.webkit.org/show_bug.cgi?id=193730
3822         <rdar://problem/46797201>
3823
3824         Reviewed by Devin Rousso.
3825
3826         * CMakeLists.txt:
3827         * DerivedSources-input.xcfilelist:
3828         * DerivedSources.make:
3829         New files.
3830
3831         * inspector/protocol/CPUProfiler.json: Added.
3832         New domain that follows the pattern of Memory/ScriptProfiler.
3833
3834         * inspector/protocol/Timeline.json:
3835         New enum to auto-start a CPU instrument in the backend.
3836
3837 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3838
3839         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3840         https://bugs.webkit.org/show_bug.cgi?id=193774
3841
3842         Reviewed by Mark Lam.
3843
        We put all the instances of InternalFunction and its subclasses in an IsoSubspace to make them safer from UAF.
        But since an IsoSubspace requires that the memory layout of its instances be the same, we created a different IsoSubspace
        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
        for these two constructor instances. There are only two instances per JSGlobalObject.
3849
3850         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3851         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3852         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3853         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3854         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3855         for ArrayBufferConstructors, and reduces the memory usage.
3856
3857         * runtime/JSArrayBufferConstructor.cpp:
3858         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3859         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3860         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3861         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3862         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3863         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3864         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3865         (JSC::JSArrayBufferConstructor::create): Deleted.
3866         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3867         (JSC::constructArrayBuffer): Deleted.
3868         * runtime/JSArrayBufferConstructor.h:
3869         * runtime/JSGlobalObject.cpp:
3870         (JSC::JSGlobalObject::init):
3871         * runtime/JSGlobalObject.h:
3872         * runtime/VM.cpp:
3873         (JSC::VM::VM):
3874         * runtime/VM.h:
3875
3876 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3877
3878         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3879         https://bugs.webkit.org/show_bug.cgi?id=190693
3880
3881         Reviewed by Michael Saboff.
3882
        JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
        This becomes true when we find the executable address in our conservative roots, which
        means that we could be executing it right now. This means that object liveness in
        JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
        constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
        be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
        executing JITStubRoutine because "Conservative Scan" finds it later.
        When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
        "Conservative Scan" has already finished, we do not delete some JITStubRoutines which did not
        mark their dependent objects. Then, in the next cycle, we find these JITStubRoutines still live,
        attempt to mark the dependent objects, and encounter dead objects which were collected
        in the previous cycles.
3895
        This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
        "Conservative Scan" and "JIT Stub Routines" need to be executed only when execution
        happens (ensured by GreyedByExecution and the CollectionPhase check), this change is OK for
        GC stop time.
3900
3901         * heap/ConservativeRoots.h:
3902         (JSC::ConservativeRoots::roots const):
3903         (JSC::ConservativeRoots::roots): Deleted.
3904         * heap/Heap.cpp:
3905         (JSC::Heap::addCoreConstraints):
3906         * heap/SlotVisitor.cpp:
3907         (JSC::SlotVisitor::append):
3908         * heap/SlotVisitor.h:
3909         * jit/GCAwareJITStubRoutine.cpp:
3910         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3911         * jit/GCAwareJITStubRoutine.h:
3912
3913 2019-01-24  Saam Barati  <sbarati@apple.com>
3914
3915         Update ARM64EHash
3916         https://bugs.webkit.org/show_bug.cgi?id=193776
3917         <rdar://problem/47526457>
3918