[JSC] Lazily create empty RegExp
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
2
3         [JSC] Lazily create empty RegExp
4         https://bugs.webkit.org/show_bug.cgi?id=194735
5
6         Reviewed by Keith Miller.
7
8         Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
9         Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drops
10         one MarkedBlock.
11
12         * runtime/JSGlobalObject.cpp:
13         (JSC::JSGlobalObject::init):
14         * runtime/RegExpCache.cpp:
15         (JSC::RegExpCache::ensureEmptyRegExpSlow):
16         (JSC::RegExpCache::initialize): Deleted.
17         * runtime/RegExpCache.h:
18         (JSC::RegExpCache::ensureEmptyRegExp):
19         (JSC::RegExpCache::emptyRegExp const): Deleted.
20         * runtime/RegExpCachedResult.cpp:
21         (JSC::RegExpCachedResult::lastResult):
22         * runtime/RegExpCachedResult.h:
23         * runtime/VM.cpp:
24         (JSC::VM::VM):
25
26 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
27
28         [JSC] Make builtin objects more lazily initialized under non-JIT mode
29         https://bugs.webkit.org/show_bug.cgi?id=194727
30
31         Reviewed by Saam Barati.
32
33         Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
34         because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
35         means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
36         accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
37         is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
38         drops some @Number references to avoid eager initialization. This removes some object allocations and 1
39         MarkedBlock allocation just for Symbols.
40
41         * runtime/JSGlobalObject.cpp:
42         (JSC::JSGlobalObject::init):
43         (JSC::JSGlobalObject::visitChildren):
44         * runtime/JSGlobalObject.h:
45         (JSC::JSGlobalObject::numberToStringWatchpoint):
46         (JSC::JSGlobalObject::booleanPrototype const):
47         (JSC::JSGlobalObject::numberPrototype const):
48         (JSC::JSGlobalObject::symbolPrototype const):
49         (JSC::JSGlobalObject::booleanObjectStructure const):
50         (JSC::JSGlobalObject::symbolObjectStructure const):
51         (JSC::JSGlobalObject::numberObjectStructure const):
52         (JSC::JSGlobalObject::stringObjectStructure const):
53
54 2019-02-15  Michael Saboff  <msaboff@apple.com>
55
56         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
57         https://bugs.webkit.org/show_bug.cgi?id=194558
58
59         Reviewed by Saam Barati.
60
61         Added an in-bounds check before the read of the next character for Unicode regular expressions
62         for pattern generation that didn't already have such checks.
63
64         * yarr/YarrJIT.cpp:
65         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
66         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
67         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
68         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
69
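The check described in the entry above, as an added example that is not part of the ChangeLog or of YarrJIT itself: a UTF-16 code point reader and a fixed-character matcher in the shape a Unicode-mode regexp term has. The function names, the serialized subjects and the pattern are constructed for this example; the only point taken from the entry is that the trail surrogate must not be read unless `index + 1` is still inside the subject.

```cpp
#include <cstddef>
#include <cstdint>

// Decodes one code point from a UTF-16 subject starting at `index`, which
// must be < `length`. Returns the number of code units consumed (1 or 2).
// The `index + 1 < length` test is the in-bounds check the commit adds: a
// lead surrogate as the last unit must not cause a read of s[length].
size_t readCodePoint(const char16_t* s, size_t length, size_t index, uint32_t& out)
{
    char16_t lead = s[index];
    bool isLeadSurrogate = lead >= 0xD800 && lead <= 0xDBFF;
    if (isLeadSurrogate && index + 1 < length) {
        char16_t trail = s[index + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            out = 0x10000 + ((static_cast<uint32_t>(lead) - 0xD800) << 10)
                + (static_cast<uint32_t>(trail) - 0xDC00);
            return 2;
        }
    }
    out = lead; // BMP unit, or an unpaired surrogate matched as itself
    return 1;
}

// Compares the subject at `index` against one pattern code point, the way a
// Unicode-mode term for a fixed character does. Returns units consumed on a
// match and 0 on a mismatch or when `index` is already at the end.
size_t matchCodePointAt(const char16_t* s, size_t length, size_t index, uint32_t pattern)
{
    if (index >= length)
        return 0;
    uint32_t cp = 0;
    size_t consumed = readCodePoint(s, length, index, cp);
    return cp == pattern ? consumed : 0;
}

// Matches a whole pattern of code points at `index`. Returns the total units
// consumed, or 0 if any character fails to match.
size_t matchSequenceAt(const char16_t* s, size_t length, size_t index,
    const uint32_t* pattern, size_t patternLength)
{
    size_t pos = index;
    for (size_t i = 0; i < patternLength; ++i) {
        size_t consumed = matchCodePointAt(s, length, pos, pattern[i]);
        if (!consumed)
            return 0;
        pos += consumed;
    }
    return pos - index;
}

// Constructed subjects. The second one ends in a lone lead surrogate, the
// shape of input that reads past the end when the check is missing.
const char16_t kSubject[] = u"a\U0001F600b"; // 'a', U+1F600 (two units), 'b'
const size_t kSubjectLength = 4;
const char16_t kTruncatedSubject[] = { u'a', 0xD83D };
const size_t kTruncatedLength = 2;
const uint32_t kPattern[] = { 'a', 0x1F600, 'b' };

uint32_t codePointAt(const char16_t* s, size_t length, size_t index)
{
    uint32_t cp = 0;
    readCodePoint(s, length, index, cp);
    return cp;
}

size_t unitsConsumedAt(const char16_t* s, size_t length, size_t index)
{
    uint32_t cp = 0;
    return readCodePoint(s, length, index, cp);
}
```

Without the `index + 1 < length` condition, `readCodePoint(kTruncatedSubject, 2, 1, cp)` would read `s[2]`, one unit past the subject; in JIT-generated matching code that is an out-of-bounds read of whatever follows the string's buffer.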
70 2019-02-15  Dean Jackson  <dino@apple.com>
71
72         Allow emulation of user gestures from Web Inspector console
73         https://bugs.webkit.org/show_bug.cgi?id=194725
74         <rdar://problem/48126604>
75
76         Reviewed by Joseph Pecoraro and Devin Rousso.
77
78         * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
79         to the evaluate function, and mark the function as override so that PageRuntimeAgent
80         can change the behaviour.
81         (Inspector::InspectorRuntimeAgent::evaluate):
82         * inspector/agents/InspectorRuntimeAgent.h:
83         * inspector/protocol/Runtime.json:
84
85 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
86
87         [JSC] Do not initialize Wasm related data if Wasm is not enabled
88         https://bugs.webkit.org/show_bug.cgi?id=194728
89
90         Reviewed by Mark Lam.
91
92         Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.
93
94         * runtime/InitializeThreading.cpp:
95         (JSC::initializeThreading):
96         * runtime/JSLock.cpp:
97         (JSC::JSLock::didAcquireLock):
98
99 2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>
100
101         [WTF] Add environment variable helpers
102         https://bugs.webkit.org/show_bug.cgi?id=192405
103
104         Reviewed by Michael Catanzaro.
105
106         * inspector/remote/glib/RemoteInspectorGlib.cpp:
107         (Inspector::RemoteInspector::RemoteInspector):
108         (Inspector::RemoteInspector::start):
109         * jsc.cpp:
110         (startTimeoutThreadIfNeeded):
111         * runtime/Options.cpp:
112         (JSC::overrideOptionWithHeuristic):
113         (JSC::Options::overrideAliasedOptionWithHeuristic):
114         (JSC::Options::initialize):
115         * runtime/VM.cpp:
116         (JSC::enableAssembler):
117         (JSC::VM::VM):
118         * tools/CodeProfiling.cpp:
119         (JSC::CodeProfiling::notifyAllocator):
120         Utilize WTF::Environment where possible.
121
122 2019-02-15  Mark Lam  <mark.lam@apple.com>
123
124         SamplingProfiler::stackTracesAsJSON() should escape strings.
125         https://bugs.webkit.org/show_bug.cgi?id=194649
126         <rdar://problem/48072386>
127
128         Reviewed by Saam Barati.
129
130         Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().
131
132         * runtime/SamplingProfiler.cpp:
133         (JSC::SamplingProfiler::stackTracesAsJSON):
134         * runtime/TypeSet.cpp:
135         (JSC::TypeSet::toJSONString const):
136         (JSC::StructureShape::toJSONString const):
137
138 2019-02-15  Robin Morisset  <rmorisset@apple.com>
139
140         CodeBlock::jettison should clear related watchpoints
141         https://bugs.webkit.org/show_bug.cgi?id=194544
142
143         Reviewed by Mark Lam.
144
145         * bytecode/CodeBlock.cpp:
146         (JSC::CodeBlock::jettison):
147         * dfg/DFGCommonData.h:
148         (JSC::DFG::CommonData::clearWatchpoints): Added.
149         * dfg/CommonData.cpp:
150         (JSC::DFG::CommonData::clearWatchpoints): Added.
151
152 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
153
154         Move bytecode cache-related filesystem code out of CodeCache
155         https://bugs.webkit.org/show_bug.cgi?id=194675
156
157         Reviewed by Saam Barati.
158
159         That code is only used for the bytecode-cache tests, so it should live in
160         jsc.cpp rather than in the CodeCache.
161
162         * jsc.cpp:
163         (CliSourceProvider::create):
164         (CliSourceProvider::~CliSourceProvider):
165         (CliSourceProvider::cachePath const):
166         (CliSourceProvider::loadBytecode):
167         (CliSourceProvider::CliSourceProvider):
168         (jscSource):
169         (GlobalObject::moduleLoaderFetch):
170         (functionDollarEvalScript):
171         (runWithOptions):
172         * parser/SourceProvider.h:
173         (JSC::SourceProvider::cacheBytecode const):
174         * runtime/CodeCache.cpp:
175         (JSC::writeCodeBlock):
176         * runtime/CodeCache.h:
177         (JSC::CodeCacheMap::fetchFromDiskImpl):
178
179 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
180
181         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
182         https://bugs.webkit.org/show_bug.cgi?id=194714
183
184         Reviewed by Mark Lam.
185
186         Let's consider the following extreme case.
187
188         1. VM (A) is created.
189         2. Another VM (B) is created on a different thread.
190         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
191         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
192         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
193         6. (A) sees the half-baked worklist, which may be in the middle of creation.
194
195         This patch puts a store-store fence just before storing the pointer to a global variable.
196         This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.
197
198         * dfg/DFGWorklist.cpp:
199         (JSC::DFG::ensureGlobalDFGWorklist):
200         (JSC::DFG::ensureGlobalFTLWorklist):
201         * wasm/WasmWorklist.cpp:
202         (JSC::Wasm::ensureWorklist):
203
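The publication pattern the entry above describes, as an added example rather than code from WebKit: a lazily created global read by one path that may create it (`ensureGlobalWorklist`) and by another that must not (`existingGlobalWorklistOrNull`, the destructor-side read in step 3). The `Worklist` type, the globals and the function names are assumed for this example; the slow path uses a mutex where the commit uses `call_once`, because the ordering point is the same: the object is fully constructed before its pointer is published with release semantics, and readers load it with acquire semantics.

```cpp
#include <atomic>
#include <cstdio>
#include <mutex>

// Stand-in for a JIT worklist. The constructor writes a field that a reader
// would see as garbage if it observed the object before construction finished.
struct Worklist {
    Worklist() : capacity(64), initialized(true) { }
    unsigned capacity;
    bool initialized;
};

namespace {
// Assumed globals for this example: the published pointer is atomic so the
// store can carry release semantics; a mutex serializes the slow path (the
// commit uses call_once there; a mutex shows the same ordering requirement).
std::atomic<Worklist*> g_worklist { nullptr };
std::mutex g_worklistCreationLock;
}

// For callers that must not trigger creation, such as a VM being destroyed.
// The acquire load pairs with the release store in ensureGlobalWorklist():
// if a non-null pointer is observed, every write the constructor made is
// visible as well, so a "half-baked" worklist can never be seen.
Worklist* existingGlobalWorklistOrNull()
{
    return g_worklist.load(std::memory_order_acquire);
}

// Lazily constructs the singleton. The release store is the fence the commit
// adds "just before putting a pointer to a global variable": construction is
// complete before the pointer becomes visible to other threads.
Worklist* ensureGlobalWorklist()
{
    if (Worklist* existing = g_worklist.load(std::memory_order_acquire))
        return existing;

    std::lock_guard<std::mutex> lock(g_worklistCreationLock);
    if (Worklist* existing = g_worklist.load(std::memory_order_relaxed))
        return existing; // another thread finished creation while we waited

    Worklist* created = new Worklist;                     // construct first...
    g_worklist.store(created, std::memory_order_release); // ...publish last
    return created;
}

// The invariant the fence protects: the pointer is either absent or refers to
// a fully constructed object. A plain store of a freshly new'ed pointer with
// no release ordering would allow a reader to observe `initialized == false`.
bool publishedStateIsConsistent()
{
    Worklist* w = existingGlobalWorklistOrNull();
    return !w || w->initialized;
}

int main()
{
    std::printf("before: %p\n", static_cast<void*>(existingGlobalWorklistOrNull()));
    Worklist* w = ensureGlobalWorklist();
    std::printf("after:  %p consistent=%d same=%d\n", static_cast<void*>(w),
        publishedStateIsConsistent(), ensureGlobalWorklist() == w);
    return 0;
}
```

A single-threaded run cannot show the race itself; the point of the example is the ordering: the only store that makes the object visible is the release store, and every reader that does not hold the creation lock goes through the acquire load.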
204 2019-02-15  Commit Queue  <commit-queue@webkit.org>
205
206         Unreviewed, rolling out r241559 and r241566.
207         https://bugs.webkit.org/show_bug.cgi?id=194710
208
209         Causes layout test crashes under GuardMalloc (Requested by
210         ryanhaddad on #webkit).
211
212         Reverted changesets:
213
214         "[WTF] Add environment variable helpers"
215         https://bugs.webkit.org/show_bug.cgi?id=192405
216         https://trac.webkit.org/changeset/241559
217
218         "Unreviewed build fix for WinCairo Debug after r241559."
219         https://trac.webkit.org/changeset/241566
220
221 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
222
223         [JSC] Do not even allocate JIT worklists in non-JIT mode
224         https://bugs.webkit.org/show_bug.cgi?id=194693
225
226         Reviewed by Mark Lam.
227
228         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
229         And we do not perform any GC operations that are only meaningful in JIT environment.
230
231         1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
232         2. We remove DFG marking constraint in non-JIT mode.
233         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, # of scratch buffers is always zero in non-JIT mode)
234         4. We do not visit JITStubRoutineSet.
235         5. Align JITWorklist function names to the other worklists.
236
237         * dfg/DFGOSRExitPreparation.cpp:
238         (JSC::DFG::prepareCodeOriginForOSRExit):
239         * dfg/DFGPlan.h:
240         * dfg/DFGWorklist.cpp:
241         (JSC::DFG::markCodeBlocks): Deleted.
242         * dfg/DFGWorklist.h:
243         * heap/Heap.cpp:
244         (JSC::Heap::completeAllJITPlans):
245         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
246         (JSC::Heap::gatherScratchBufferRoots):
247         (JSC::Heap::removeDeadCompilerWorklistEntries):
248         (JSC::Heap::stopThePeriphery):
249         (JSC::Heap::suspendCompilerThreads):
250         (JSC::Heap::resumeCompilerThreads):
251         (JSC::Heap::addCoreConstraints):
252         * jit/JITWorklist.cpp:
253         (JSC::JITWorklist::existingGlobalWorklistOrNull):
254         (JSC::JITWorklist::ensureGlobalWorklist):
255         (JSC::JITWorklist::instance): Deleted.
256         * jit/JITWorklist.h:
257         * llint/LLIntSlowPaths.cpp:
258         (JSC::LLInt::jitCompileAndSetHeuristics):
259         * runtime/VM.cpp:
260         (JSC::VM::~VM):
261         (JSC::VM::gatherScratchBufferRoots):
262         (JSC::VM::gatherConservativeRoots): Deleted.
263         * runtime/VM.h:
264
265 2019-02-15  Saam barati  <sbarati@apple.com>
266
267         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
268         https://bugs.webkit.org/show_bug.cgi?id=194036
269
270         Reviewed by Yusuke Suzuki.
271
272         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
273         use linear scan for register allocation. Instead of linear scan, Air-O0 does
274         mostly block-local register allocation, and it does this as it's emitting
275         code directly. The register allocator uses liveness analysis to reduce
276         the number of spills. Doing register allocation as we're emitting code
277         allows us to skip editing the IR to insert spills, which saves a non-trivial
278         amount of compile time. For stack allocation, we give each Tmp its own slot.
279         This is less than ideal. We probably want to do some trivial live range analysis
280         in the future. The reason this isn't a deal breaker for Wasm is that this patch
281         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
282         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
283
284         This patch is another 25% Wasm startup time speedup. It seems to be worth
285         another 1% on JetStream2.
286
287         * JavaScriptCore.xcodeproj/project.pbxproj:
288         * Sources.txt:
289         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
290         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
291         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
292         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
293         (JSC::B3::Air::callFrameAddr):
294         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
295         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
296         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
297         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
298         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
299         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
300         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
301         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
302         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
303         * b3/air/AirCode.cpp:
304         * b3/air/AirCode.h:
305         * b3/air/AirGenerate.cpp:
306         (JSC::B3::Air::prepareForGeneration):
307         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
308         (JSC::B3::Air::generate):
309         * b3/air/AirHandleCalleeSaves.cpp:
310         (JSC::B3::Air::handleCalleeSaves):
311         * b3/air/AirHandleCalleeSaves.h:
312         * b3/air/AirTmpMap.h:
313         * runtime/Options.h:
314         * wasm/WasmAirIRGenerator.cpp:
315         (JSC::Wasm::AirIRGenerator::didKill):
316         (JSC::Wasm::AirIRGenerator::newTmp):
317         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
318         (JSC::Wasm::parseAndCompileAir):
319         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
320         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
321         * wasm/WasmAirIRGenerator.h:
322         * wasm/WasmB3IRGenerator.cpp:
323         (JSC::Wasm::B3IRGenerator::didKill):
324         * wasm/WasmBBQPlan.cpp:
325         (JSC::Wasm::BBQPlan::compileFunctions):
326         * wasm/WasmFunctionParser.h:
327         (JSC::Wasm::FunctionParser<Context>::parseBody):
328         (JSC::Wasm::FunctionParser<Context>::parseExpression):
329         * wasm/WasmValidate.cpp:
330         (JSC::Wasm::Validate::didKill):
331
332 2019-02-14  Saam barati  <sbarati@apple.com>
333
334         lowerStackArgs should lower Lea32/64 on ARM64 to Add
335         https://bugs.webkit.org/show_bug.cgi?id=194656
336
337         Reviewed by Yusuke Suzuki.
338
339         On arm64, Lea is just implemented as an add. However, Air treats it as an
340         address with a given width. Because of this width, we were incorrectly
341         computing whether or not this immediate could fit into the instruction itself
342         or it needed to be explicitly put into a register. This patch makes
343         AirLowerStackArgs lower Lea to Add on arm64.
344
345         * b3/air/AirLowerStackArgs.cpp:
346         (JSC::B3::Air::lowerStackArgs):
347         * b3/air/AirOpcode.opcodes:
348         * b3/air/testair.cpp:
349
350 2019-02-14  Saam Barati  <sbarati@apple.com>
351
352         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
353         https://bugs.webkit.org/show_bug.cgi?id=194583
354         <rdar://problem/48028140>
355
356         Reviewed by Yusuke Suzuki.
357
358         This patch makes it so that getVariablesUnderTDZ caches a result of
359         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
360         it's called in an environment where there are a lot of variables.
361         This patch makes it so we cache its results. This is profitable when
362         getVariablesUnderTDZ is called repeatedly with the same environment
363         state. This is common since we call this every time we encounter a
364         function definition/expression node.
365
366         * builtins/BuiltinExecutables.cpp:
367         (JSC::BuiltinExecutables::createExecutable):
368         * bytecode/UnlinkedFunctionExecutable.cpp:
369         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
370         * bytecode/UnlinkedFunctionExecutable.h:
371         * bytecompiler/BytecodeGenerator.cpp:
372         (JSC::BytecodeGenerator::popLexicalScopeInternal):
373         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
374         (JSC::BytecodeGenerator::pushTDZVariables):
375         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
376         (JSC::BytecodeGenerator::restoreTDZStack):
377         * bytecompiler/BytecodeGenerator.h:
378         (JSC::BytecodeGenerator::makeFunction):
379         * parser/VariableEnvironment.cpp:
380         (JSC::CompactVariableMap::Handle::Handle):
381         (JSC::CompactVariableMap::Handle::operator=):
382         * parser/VariableEnvironment.h:
383         (JSC::CompactVariableMap::Handle::operator bool const):
384         * runtime/CodeCache.cpp:
385         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
386
387 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
388
389         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
390         https://bugs.webkit.org/show_bug.cgi?id=194659
391
392         Reviewed by Mark Lam.
393
394         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since the entry point code is identical.
395         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
396         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
397
398         * dfg/DFGJITCode.h:
399         * dfg/DFGJITFinalizer.cpp:
400         (JSC::DFG::JITFinalizer::finalize):
401         (JSC::DFG::JITFinalizer::finalizeFunction):
402         * jit/JITCode.cpp:
403         (JSC::DirectJITCode::initializeCodeRefForDFG):
404         (JSC::DirectJITCode::initializeCodeRef): Deleted.
405         (JSC::NativeJITCode::initializeCodeRef): Deleted.
406         * jit/JITCode.h:
407         * llint/LLIntEntrypoint.cpp:
408         (JSC::LLInt::setFunctionEntrypoint):
409         (JSC::LLInt::setEvalEntrypoint):
410         (JSC::LLInt::setProgramEntrypoint):
411         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
412
413 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
414
415         [WTF] Add environment variable helpers
416         https://bugs.webkit.org/show_bug.cgi?id=192405
417
418         Reviewed by Michael Catanzaro.
419
420         * inspector/remote/glib/RemoteInspectorGlib.cpp:
421         (Inspector::RemoteInspector::RemoteInspector):
422         (Inspector::RemoteInspector::start):
423         * jsc.cpp:
424         (startTimeoutThreadIfNeeded):
425         * runtime/Options.cpp:
426         (JSC::overrideOptionWithHeuristic):
427         (JSC::Options::overrideAliasedOptionWithHeuristic):
428         (JSC::Options::initialize):
429         * runtime/VM.cpp:
430         (JSC::enableAssembler):
431         (JSC::VM::VM):
432         * tools/CodeProfiling.cpp:
433         (JSC::CodeProfiling::notifyAllocator):
434         Utilize WTF::Environment where possible.
435
436 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
437
438         [JSC] Should have default NativeJITCode
439         https://bugs.webkit.org/show_bug.cgi?id=194634
440
441         Reviewed by Mark Lam.
442
443         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
444         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
445         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
446         allocations, which takes 14KB.
447
448         * runtime/VM.cpp:
449         (JSC::jitCodeForCallTrampoline):
450         (JSC::jitCodeForConstructTrampoline):
451         (JSC::VM::getHostFunction):
452
453 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
454
455         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
456         https://bugs.webkit.org/show_bug.cgi?id=194576
457
458         Reviewed by Saam Barati.
459
460         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
461         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
462
463         * bytecode/UnlinkedFunctionExecutable.cpp:
464         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
465         (JSC::UnlinkedFunctionExecutable::link):
466         * bytecode/UnlinkedFunctionExecutable.h:
467         * runtime/CodeCache.cpp:
468         (JSC::generateUnlinkedCodeBlockForFunctions):
469
470 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
471
472         CachedBitVector's size must be converted from bits to bytes
473         https://bugs.webkit.org/show_bug.cgi?id=194441
474
475         Reviewed by Saam Barati.
476
477         CachedBitVector used its size in bits for memcpy. That didn't cause any
478         issues when encoding, since the size in bits was also used in the allocation,
479         but would overflow the actual BitVector buffer when decoding.
480
481         * runtime/CachedTypes.cpp:
482         (JSC::CachedBitVector::encode):
483         (JSC::CachedBitVector::decode const):
484
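The size mix-up described in the entry above, as an added example that is not JSC's CachedTypes code: a small packed bit vector with an encoder and decoder, the bit-count and byte-count sizes named side by side, and a length check on the serialized blob before any `memcpy`. The serialized layout (a 4-byte host-order bit count followed by the payload bytes) and all function names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal bit vector: `numBits` logical bits packed LSB-first into bytes.
struct BitVector {
    static size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }

    explicit BitVector(size_t bits = 0) : numBits(bits), bytes(bytesForBits(bits), 0) { }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1; }
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }

    size_t numBits;
    std::vector<uint8_t> bytes; // always bytesForBits(numBits) long
};

// The two candidate memcpy sizes side by side: the bit count (the bug) and the
// byte count (the fix). The encoder happened to allocate with the bit count
// too, so the mismatch only overflowed the real BitVector buffer on decode.
size_t wrongCopySize(size_t numBits) { return numBits; }
size_t correctCopySize(size_t numBits) { return BitVector::bytesForBits(numBits); }

// Serialized layout assumed for this example: a 4-byte host-order bit count
// followed by exactly bytesForBits(numBits) payload bytes.
std::vector<uint8_t> encodeBitVector(const BitVector& bv)
{
    uint32_t n = static_cast<uint32_t>(bv.numBits);
    std::vector<uint8_t> out(4 + correctCopySize(n));
    std::memcpy(out.data(), &n, 4);
    if (correctCopySize(n))
        std::memcpy(out.data() + 4, bv.bytes.data(), correctCopySize(n));
    return out;
}

// Decode is where a bits-for-bytes mix-up overflows: the destination holds
// bytesForBits(numBits) bytes, so copying numBits bytes writes past its end.
// Because a bytecode cache is untrusted input, the blob length is also checked
// against the declared bit count before anything is copied.
bool decodeBitVector(const std::vector<uint8_t>& blob, BitVector& out)
{
    if (blob.size() < 4)
        return false;
    uint32_t n = 0;
    std::memcpy(&n, blob.data(), 4);
    size_t payloadBytes = correctCopySize(n);
    if (blob.size() != 4 + payloadBytes)
        return false; // truncated or oversized payload
    out = BitVector(n);
    if (payloadBytes)
        std::memcpy(out.bytes.data(), blob.data() + 4, payloadBytes);
    return true;
}

// Constructed input: `numBits` bits with every third bit set, round-tripped
// through encode/decode. Returns true when every bit survives.
bool roundTripPreservesBits(size_t numBits)
{
    BitVector original(numBits);
    for (size_t i = 0; i < numBits; i += 3)
        original.set(i);
    BitVector decoded;
    if (!decodeBitVector(encodeBitVector(original), decoded) || decoded.numBits != numBits)
        return false;
    for (size_t i = 0; i < numBits; ++i) {
        if (decoded.get(i) != original.get(i))
            return false;
    }
    return true;
}

// Encoded size for a given bit count, and whether a blob cut short is rejected
// rather than read past its end.
size_t encodedSize(size_t numBits) { return encodeBitVector(BitVector(numBits)).size(); }
bool rejectsTruncatedBlob(size_t numBits)
{
    std::vector<uint8_t> blob = encodeBitVector(BitVector(numBits));
    blob.pop_back();
    BitVector unused;
    return !decodeBitVector(blob, unused);
}
```

For 70 bits the correct copy is 9 bytes; copying 70 bytes into that 9-byte buffer is the overflow the entry describes, and on the decode side the source is attacker-controllable cache data, which is why the length check matters as much as the unit conversion.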
485 2019-02-13  Brian Burg  <bburg@apple.com>
486
487         Web Inspector: don't include accessibility role in DOM.Node object payloads
488         https://bugs.webkit.org/show_bug.cgi?id=194623
489         <rdar://problem/36384037>
490
491         Reviewed by Devin Rousso.
492
493         Remove property of DOM.Node that is no longer being sent.
494
495         * inspector/protocol/DOM.json:
496
497 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
498
499         We should only make rope strings when concatenating strings long enough.
500         https://bugs.webkit.org/show_bug.cgi?id=194465
501
502         Reviewed by Mark Lam.
503
504         This patch stops us from allocating a rope string if the resulting
505         rope would be smaller than the size of the JSRopeString object we
506         would need to allocate.
507
508         This patch also adds paths so that we don't unnecessarily allocate
509         JSString cells for primitives we are going to concatenate with a
510         string anyway.
511
512         The important change from the previous one is that we do not apply
513         the above rule to JSRopeStrings generated by JSStrings. If we convert
514         it to JSString, comparison of memory consumption becomes the following,
515         because JSRopeString does not have StringImpl until it is resolved.
516
517             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
518
519         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
520         resolving eagerly increases memory footprint. The point is that we need to
521         account for the newly created JSString and JSRopeString from the operands. This is the
522         reason why this patch adds different thresholds for each jsString function.
523
524         This patch also avoids concatenation for ropes conservatively. Many ropes are
525         temporary cells. So we do not resolve eagerly if one of operands is already a
526         rope.
527
528         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).
529
530             Before: 159.3778
531             After:  160.72340000000003
532
533         * dfg/DFGOperations.cpp:
534         * runtime/CommonSlowPaths.cpp:
535         (JSC::SLOW_PATH_DECL):
536         * runtime/JSString.h:
537         (JSC::JSString::isRope const):
538         * runtime/Operations.cpp:
539         (JSC::jsAddSlowCase):
540         * runtime/Operations.h:
541         (JSC::jsString):
542         (JSC::jsAddNonNumber):
543         (JSC::jsAdd):
544
545 2019-02-13  Saam Barati  <sbarati@apple.com>
546
547         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
548         https://bugs.webkit.org/show_bug.cgi?id=194610
549
550         Reviewed by Michael Saboff.
551
552         BinarySwitch might use the scratch register. We must model the
553         effects of that properly. This is already caught by our br-table
554         tests on arm64.
555
556         * wasm/WasmAirIRGenerator.cpp:
557         (JSC::Wasm::AirIRGenerator::addSwitch):
558
559 2019-02-13  Mark Lam  <mark.lam@apple.com>
560
561         Create a randomized free list for new StructureIDs on StructureIDTable resize.
562         https://bugs.webkit.org/show_bug.cgi?id=194566
563         <rdar://problem/47975502>
564
565         Reviewed by Michael Saboff.
566
567         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
568         implementation is a little easier to read.
569
570         This patch appears to be perf neutral on JetStream2 (as run from the command line).
571
572         * runtime/StructureIDTable.cpp:
573         (JSC::StructureIDTable::StructureIDTable):
574         (JSC::StructureIDTable::makeFreeListFromRange):
575         (JSC::StructureIDTable::resize):
576         (JSC::StructureIDTable::allocateID):
577         (JSC::StructureIDTable::deallocateID):
578         * runtime/StructureIDTable.h:
579         (JSC::StructureIDTable::get):
580         (JSC::StructureIDTable::deallocateID):
581         (JSC::StructureIDTable::allocateID):
582         (JSC::StructureIDTable::flushOldTables):
583
584 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
585
586         VariableLengthObject::allocate<T> should initialize objects
587         https://bugs.webkit.org/show_bug.cgi?id=194534
588
589         Reviewed by Michael Saboff.
590
591         `buffer()` should not be called for empty VariableLengthObjects, but
592         these cases were not being caught due to the objects not being properly
593         initialized. Fix it so that allocate calls the constructor and fix the
594         assertion failures.
595
596         * runtime/CachedTypes.cpp:
597         (JSC::CachedObject::operator new):
598         (JSC::VariableLengthObject::allocate):
599         (JSC::CachedVector::encode):
600         (JSC::CachedVector::decode const):
601         (JSC::CachedUniquedStringImpl::decode const):
602         (JSC::CachedBitVector::encode):
603         (JSC::CachedBitVector::decode const):
604         (JSC::CachedArray::encode):
605         (JSC::CachedArray::decode const):
606         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
607         (JSC::CachedBigInt::decode const):
608
609 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
610
611         CodeBlocks read from disk should not be re-written
612         https://bugs.webkit.org/show_bug.cgi?id=194535
613
614         Reviewed by Michael Saboff.
615
616         Keep track of which CodeBlocks have been read from disk or have already
617         been serialized in CodeCache.
618
619         * runtime/CodeCache.cpp:
620         (JSC::CodeCache::write):
621         * runtime/CodeCache.h:
622         (JSC::SourceCodeValue::SourceCodeValue):
623         (JSC::CodeCacheMap::fetchFromDiskImpl):
624
625 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
626
627         SourceCode should be copied when generating bytecode for functions
628         https://bugs.webkit.org/show_bug.cgi?id=194536
629
630         Reviewed by Saam Barati.
631
632         The FunctionExecutable might be collected while generating the bytecode
633         for nested functions, in which case the SourceCode reference would no
634         longer be valid.
635
636         * runtime/CodeCache.cpp:
637         (JSC::generateUnlinkedCodeBlockForFunctions):
638
639 2019-02-12  Saam barati  <sbarati@apple.com>
640
641         JSScript needs to retain its cache path NSURL*
642         https://bugs.webkit.org/show_bug.cgi?id=194577
643
644         Reviewed by Tim Horton.
645
646         * API/JSScript.mm:
647         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
648         (-[JSScript dealloc]):
649
650 2019-02-12  Robin Morisset  <rmorisset@apple.com>
651
652         Make B3Value::returnsBool() more precise
653         https://bugs.webkit.org/show_bug.cgi?id=194457
654
655         Reviewed by Saam Barati.
656
657         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
658         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
659         No new tests added as this should be indirectly tested by the already existing tests.
660
661         * b3/B3Value.cpp:
662         (JSC::B3::Value::returnsBool const):
663
664 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
665
666         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
667         https://bugs.webkit.org/show_bug.cgi?id=194399
668         <rdar://problem/47889777>
669
670         * dfg/DFGDoesGC.cpp:
671         (JSC::DFG::doesGC):
672
673 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
674
675         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
676         https://bugs.webkit.org/show_bug.cgi?id=194370
677
678         Reviewed by Darin Adler.
679
680         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
681         necessary, but it will make errors more visible.
682
683         * inspector/remote/glib/RemoteInspectorGlib.cpp:
684         (Inspector::RemoteInspector::start):
685         (Inspector::dbusConnectionCallAsyncReadyCallback):
686         * inspector/remote/glib/RemoteInspectorServer.cpp:
687         (Inspector::RemoteInspectorServer::start):
688
689 2019-02-12  Andy Estes  <aestes@apple.com>
690
691         [iOSMac] Enable Parental Controls Content Filtering
692         https://bugs.webkit.org/show_bug.cgi?id=194521
693         <rdar://39732376>
694
695         Reviewed by Tim Horton.
696
697         * Configurations/FeatureDefines.xcconfig:
698
699 2019-02-11  Mark Lam  <mark.lam@apple.com>
700
701         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
702         https://bugs.webkit.org/show_bug.cgi?id=194512
703         <rdar://problem/47975465>
704
705         Reviewed by Yusuke Suzuki.
706
707         * runtime/StructureIDTable.cpp:
708         (JSC::StructureIDTable::StructureIDTable):
709         (JSC::StructureIDTable::allocateID):
710         (JSC::StructureIDTable::deallocateID):
711         * runtime/StructureIDTable.h:
712
713 2019-02-10  Mark Lam  <mark.lam@apple.com>
714
715         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
716         https://bugs.webkit.org/show_bug.cgi?id=194493
717         <rdar://problem/36380852>
718
719         Reviewed by Yusuke Suzuki.
720
721         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
722         however not good for performance and memory usage.  As such, a debug ASSERT will
723         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
724         possible to be instantiated with duplicate cases in
725         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
726
727         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
728         see duplicate cases.
729
730         * jit/BinarySwitch.cpp:
731         (JSC::BinarySwitch::BinarySwitch):
732
733 2019-02-10  Darin Adler  <darin@apple.com>
734
735         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
736         https://bugs.webkit.org/show_bug.cgi?id=194485
737
738         Reviewed by Daniel Bates.
739
740         * heap/HeapSnapshotBuilder.cpp:
741         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
742         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
743
744         * runtime/JSGlobalObjectFunctions.cpp:
745         (JSC::encode): Removed some unneeded casts in StringBuilder code,
746         including one in a call to appendByteAsHex.
747         (JSC::globalFuncEscape): Ditto.
748
749 2019-02-10  Commit Queue  <commit-queue@webkit.org>
750
751         Unreviewed, rolling out r241230.
752         https://bugs.webkit.org/show_bug.cgi?id=194488
753
754         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
755         #webkit).
756
757         Reverted changeset:
758
759         "We should only make rope strings when concatenating strings
760         long enough."
761         https://bugs.webkit.org/show_bug.cgi?id=194465
762         https://trac.webkit.org/changeset/241230
763
764 2019-02-10  Saam barati  <sbarati@apple.com>
765
766         BBQ-Air: Emit better code for switch
767         https://bugs.webkit.org/show_bug.cgi?id=194053
768
769         Reviewed by Yusuke Suzuki.
770
771         Instead of emitting a linear set of jumps for Switch, this patch
772         makes the BBQ-Air backend emit a binary switch.
773
774         * wasm/WasmAirIRGenerator.cpp:
775         (JSC::Wasm::AirIRGenerator::addSwitch):
776
777 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
778
779         Unreviewed, Lexer should use isLatin1 implementation in WTF
780         https://bugs.webkit.org/show_bug.cgi?id=194466
781
782         Follow-up after r241233 pointed by Darin.
783
784         * parser/Lexer.cpp:
785         (JSC::isLatin1): Deleted.
786
787 2019-02-09  Darin Adler  <darin@apple.com>
788
789         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
790         https://bugs.webkit.org/show_bug.cgi?id=194021
791
792         Reviewed by Geoffrey Garen.
793
794         * inspector/agents/InspectorConsoleAgent.cpp:
795         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
796         makeString do the conversion without allocating/destroying a String.
797         * inspector/agents/InspectorDebuggerAgent.cpp:
798         (Inspector::objectGroupForBreakpointAction): Ditto.
799         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
800         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
801         * runtime/JSGenericTypedArrayViewInlines.h:
802         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
803         * runtime/NumberPrototype.cpp:
804         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
805         of calling numberToFixedWidthString to do the same thing.
806         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
807         numberToFixedPrecisionString to do the same thing.
808         * runtime/SamplingProfiler.cpp:
809         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
810
811 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
812
813         Unreviewed, rolling in r241237 again
814         https://bugs.webkit.org/show_bug.cgi?id=194469
815
816         * runtime/JSString.h:
817         (JSC::jsSubstring):
818
819 2019-02-09  Commit Queue  <commit-queue@webkit.org>
820
821         Unreviewed, rolling out r241237.
822         https://bugs.webkit.org/show_bug.cgi?id=194474
823
824         Shows significant memory increase in WSL (Requested by
825         yusukesuzuki on #webkit).
826
827         Reverted changeset:
828
829         "[WTF] Use BufferInternal StringImpl if substring StringImpl
830         takes more memory"
831         https://bugs.webkit.org/show_bug.cgi?id=194469
832         https://trac.webkit.org/changeset/241237
833
834 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
835
836         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
837         https://bugs.webkit.org/show_bug.cgi?id=194469
838
839         Reviewed by Geoffrey Garen.
840
841         * runtime/JSString.h:
842         (JSC::jsSubstring):
843
844 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
845
846         [JSC] CachedTypes should use jsString instead of JSString::create
847         https://bugs.webkit.org/show_bug.cgi?id=194471
848
849         Reviewed by Mark Lam.
850
851         Use jsString() here because JSString::create is a bit low-level API and it requires some invariants like "length is not zero".
852
853         * runtime/CachedTypes.cpp:
854         (JSC::CachedJSValue::decode const):
855
856 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
857
858         [JSC] Increase StructureIDTable initial capacity
859         https://bugs.webkit.org/show_bug.cgi?id=194468
860
861         Reviewed by Mark Lam.
862
863         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
864         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
865         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
866         more memory dirty. We also remove some structures that are no longer used.
867
868         * runtime/JSGlobalObject.h:
869         (JSC::JSGlobalObject::callbackObjectStructure const):
870         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
871         * runtime/StructureIDTable.h:
872         * runtime/VM.h:
873
874 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
875
876         [JSC] String.fromCharCode's slow path always generates 16bit string
877         https://bugs.webkit.org/show_bug.cgi?id=194466
878
879         Reviewed by Keith Miller.
880
881         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
882         goes to the slow path. However, in the slow path, we always create a 16-bit string. A 16-bit string takes 2x memory,
883         and even worse, taints ropes 16-bit if a 16-bit string is included in the given rope. We find that acorn-wtb
884         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
885         a 16-bit string. However, only a few strings are actually 16-bit strings. This patch attempts to make 8-bit strings
886         as much as possible.
887
888         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
889
890         * runtime/StringConstructor.cpp:
891         (JSC::stringFromCharCode):
892
893 2019-02-08  Keith Miller  <keith_miller@apple.com>
894
895         We should only make rope strings when concatenating strings long enough.
896         https://bugs.webkit.org/show_bug.cgi?id=194465
897
898         Reviewed by Saam Barati.
899
900         This patch stops us from allocating a rope string if the resulting
901         rope would be smaller than the size of the JSRopeString object we
902         would need to allocate.
903
904         This patch also adds paths so that we don't unnecessarily allocate
905         JSString cells for primitives we are going to concatenate with a
906         string anyway.
907
908         * dfg/DFGOperations.cpp:
909         * runtime/CommonSlowPaths.cpp:
910         (JSC::SLOW_PATH_DECL):
911         * runtime/JSString.h:
912         * runtime/Operations.cpp:
913         (JSC::jsAddSlowCase):
914         * runtime/Operations.h:
915         (JSC::jsString):
916         (JSC::jsAdd):
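
        The two decisions described in this entry and in the String.fromCharCode entry just above it, as an added C++ illustration that is not JSC's JSString code: picking 8-bit or 16-bit storage after ToUint16 truncation, and copying eagerly instead of allocating a rope when the result would be smaller than the rope cell. StrCell, makeFlat, fromCharCodes, collectUnits, concatenate and kRopeCellSize are names assumed for this sketch; kRopeCellSize stands in for sizeof(JSRopeString), and the rope's 8-bit flag is the AND of its fibers' flags, which is the "taint" the fromCharCode entry refers to.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical string cell for this illustration; not JSC's JSString or JSRopeString.
struct StrCell;
using StrPtr = std::shared_ptr<StrCell>;

struct StrCell {
    bool is8Bit = true;           // one byte per character when true, two otherwise
    size_t length = 0;            // in code units
    std::vector<uint8_t> latin1;  // flat 8-bit storage
    std::vector<uint16_t> utf16;  // flat 16-bit storage
    StrPtr fiber0, fiber1;        // set only for ropes, which own no character data yet
    bool isRope() const { return fiber0 != nullptr; }
    // Bytes of character data this cell owns: this is where a 16-bit string costs 2x.
    size_t characterBytes() const { return isRope() ? 0 : (is8Bit ? latin1.size() : utf16.size() * 2); }
};

// Stand-in for sizeof(JSRopeString): below this many bytes a rope is not worth allocating.
constexpr size_t kRopeCellSize = sizeof(StrCell);

// Builds a flat cell from code units. The width is supplied by the caller because a 16-bit
// string is never rescanned to see whether it could have been 8-bit.
StrPtr makeFlat(const std::vector<uint16_t>& units, bool is8Bit) {
    auto s = std::make_shared<StrCell>();
    s->is8Bit = is8Bit;
    s->length = units.size();
    if (is8Bit) {
        for (uint16_t u : units)
            s->latin1.push_back(static_cast<uint8_t>(u));
    } else {
        s->utf16 = units;
    }
    return s;
}

// String.fromCharCode(a1, a2, ...): every argument goes through ToUint16, then the narrowest
// representation that holds all units is chosen, so Latin-1-only input yields an 8-bit string.
StrPtr fromCharCodes(const std::vector<uint32_t>& codes) {
    std::vector<uint16_t> units;
    bool all8Bit = true;
    for (uint32_t c : codes) {
        uint16_t unit = static_cast<uint16_t>(c & 0xFFFF);
        if (unit > 0xFF)
            all8Bit = false;
        units.push_back(unit);
    }
    return makeFlat(units, all8Bit);
}

// Appends a cell's code units, walking the fibers of a rope (this is what resolving a rope does).
void collectUnits(const StrCell& s, std::vector<uint16_t>& out) {
    if (s.isRope()) {
        collectUnits(*s.fiber0, out);
        collectUnits(*s.fiber1, out);
    } else if (s.is8Bit) {
        out.insert(out.end(), s.latin1.begin(), s.latin1.end());
    } else {
        out.insert(out.end(), s.utf16.begin(), s.utf16.end());
    }
}

// a + b: a rope is only worth making when the flat character data would be at least as large as
// the rope cell itself; shorter results are copied eagerly. The rope is 8-bit only if both fibers
// are, so a single 16-bit fiber taints the whole rope.
StrPtr concatenate(const StrPtr& a, const StrPtr& b) {
    if (a->length == 0) return b;
    if (b->length == 0) return a;
    bool is8Bit = a->is8Bit && b->is8Bit;
    size_t flatBytes = (a->length + b->length) * (is8Bit ? 1 : 2);
    if (flatBytes < kRopeCellSize) {
        std::vector<uint16_t> units;
        collectUnits(*a, units);
        collectUnits(*b, units);
        return makeFlat(units, is8Bit);
    }
    auto rope = std::make_shared<StrCell>();
    rope->is8Bit = is8Bit;
    rope->length = a->length + b->length;
    rope->fiber0 = a;
    rope->fiber1 = b;
    return rope;
}
```

        The threshold comparison uses the size of the character data, not the number of characters, so a short 16-bit result crosses it twice as early as an 8-bit one; that is the interaction between the two patches.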
917
918 2019-02-08  Saam barati  <sbarati@apple.com>
919
920         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
921         https://bugs.webkit.org/show_bug.cgi?id=194334
922         <rdar://problem/47844327>
923
924         Reviewed by Mark Lam.
925
926         * dfg/DFGAbstractInterpreterInlines.h:
927         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
928         * dfg/DFGArgumentsEliminationPhase.cpp:
929         * dfg/DFGByteCodeParser.cpp:
930         (JSC::DFG::ByteCodeParser::parseBlock):
931         * dfg/DFGClobberize.h:
932         (JSC::DFG::clobberize):
933         * dfg/DFGConstantFoldingPhase.cpp:
934         (JSC::DFG::ConstantFoldingPhase::foldConstants):
935         * dfg/DFGFixupPhase.cpp:
936         (JSC::DFG::FixupPhase::fixupNode):
937         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
938         * dfg/DFGIntegerCheckCombiningPhase.cpp:
939         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
940         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
941         * dfg/DFGNodeType.h:
942         * dfg/DFGSSALoweringPhase.cpp:
943         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
944         * dfg/DFGSpeculativeJIT.cpp:
945         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
946         * ftl/FTLLowerDFGToB3.cpp:
947         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
948         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
949
950 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
951
952         [JSC] Shrink sizeof(CodeBlock) more
953         https://bugs.webkit.org/show_bug.cgi?id=194419
954
955         Reviewed by Mark Lam.
956
957         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
958
959         1. CodeBlock copies so many data from ScriptExecutable even if ScriptExecutable
960         has the same information. This data is not touched in CodeBlock::~CodeBlock,
961         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
962
963         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
964         And we do not touch it in CodeBlock::~CodeBlock.
965
966         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
967         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
968         singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
969
970         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
971
972         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
973
974         * bytecode/CodeBlock.cpp:
975         (JSC::CodeBlock::hash const):
976         (JSC::CodeBlock::sourceCodeForTools const):
977         (JSC::CodeBlock::dumpAssumingJITType const):
978         (JSC::CodeBlock::dumpSource):
979         (JSC::CodeBlock::CodeBlock):
980         (JSC::CodeBlock::finishCreation):
981         (JSC::CodeBlock::propagateTransitions):
982         (JSC::CodeBlock::finalizeLLIntInlineCaches):
983         (JSC::CodeBlock::setCalleeSaveRegisters):
984         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
985         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
986         (JSC::CodeBlock::lineNumberForBytecodeOffset):
987         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
988         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
989         (JSC::CodeBlock::newReplacement):
990         (JSC::CodeBlock::replacement):
991         (JSC::CodeBlock::computeCapabilityLevel):
992         (JSC::CodeBlock::jettison):
993         (JSC::CodeBlock::calleeSaveRegisters const):
994         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
995         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
996         (JSC::CodeBlock::getArrayProfile):
997         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
998         (JSC::CodeBlock::notifyLexicalBindingUpdate):
999         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1000         (JSC::CodeBlock::validate):
1001         (JSC::CodeBlock::outOfLineJumpTarget):
1002         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1003         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1004         * bytecode/CodeBlock.h:
1005         (JSC::CodeBlock::specializationKind const):
1006         (JSC::CodeBlock::isStrictMode const):
1007         (JSC::CodeBlock::isConstructor const):
1008         (JSC::CodeBlock::codeType const):
1009         (JSC::CodeBlock::isKnownNotImmediate):
1010         (JSC::CodeBlock::instructions const):
1011         (JSC::CodeBlock::ownerExecutable const):
1012         (JSC::CodeBlock::thisRegister const):
1013         (JSC::CodeBlock::source const):
1014         (JSC::CodeBlock::sourceOffset const):
1015         (JSC::CodeBlock::firstLineColumnOffset const):
1016         (JSC::CodeBlock::createRareDataIfNecessary):
1017         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1018         (JSC::CodeBlock::setThisRegister): Deleted.
1019         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1020         * bytecode/EvalCodeBlock.h:
1021         * bytecode/FunctionCodeBlock.h:
1022         * bytecode/GlobalCodeBlock.h:
1023         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1024         * bytecode/ModuleProgramCodeBlock.h:
1025         * bytecode/ProgramCodeBlock.h:
1026         * debugger/Debugger.cpp:
1027         (JSC::Debugger::toggleBreakpoint):
1028         * debugger/DebuggerCallFrame.cpp:
1029         (JSC::DebuggerCallFrame::sourceID const):
1030         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1031         * debugger/DebuggerScope.cpp:
1032         (JSC::DebuggerScope::location const):
1033         * dfg/DFGByteCodeParser.cpp:
1034         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1035         (JSC::DFG::ByteCodeParser::inliningCost):
1036         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1037         * dfg/DFGCapabilities.cpp:
1038         (JSC::DFG::isSupportedForInlining):
1039         (JSC::DFG::mightCompileEval):
1040         (JSC::DFG::mightCompileProgram):
1041         (JSC::DFG::mightCompileFunctionForCall):
1042         (JSC::DFG::mightCompileFunctionForConstruct):
1043         (JSC::DFG::canUseOSRExitFuzzing):
1044         * dfg/DFGGraph.h:
1045         (JSC::DFG::Graph::executableFor):
1046         * dfg/DFGJITCompiler.cpp:
1047         (JSC::DFG::JITCompiler::compileFunction):
1048         * dfg/DFGOSREntry.cpp:
1049         (JSC::DFG::prepareOSREntry):
1050         * dfg/DFGOSRExit.cpp:
1051         (JSC::DFG::restoreCalleeSavesFor):
1052         (JSC::DFG::saveCalleeSavesFor):
1053         (JSC::DFG::saveOrCopyCalleeSavesFor):
1054         * dfg/DFGOSRExitCompilerCommon.cpp:
1055         (JSC::DFG::handleExitCounts):
1056         * dfg/DFGOperations.cpp:
1057         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1058         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1059         * ftl/FTLCapabilities.cpp:
1060         (JSC::FTL::canCompile):
1061         * ftl/FTLLink.cpp:
1062         (JSC::FTL::link):
1063         * ftl/FTLOSRExitCompiler.cpp:
1064         (JSC::FTL::compileStub):
1065         * interpreter/CallFrame.cpp:
1066         (JSC::CallFrame::callerSourceOrigin):
1067         * interpreter/Interpreter.cpp:
1068         (JSC::eval):
1069         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1070         * interpreter/StackVisitor.cpp:
1071         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1072         (JSC::StackVisitor::Frame::sourceURL const):
1073         (JSC::StackVisitor::Frame::sourceID):
1074         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1075         * interpreter/StackVisitor.h:
1076         * jit/AssemblyHelpers.h:
1077         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1078         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1079         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1080         * jit/CallFrameShuffleData.cpp:
1081         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1082         * jit/JIT.cpp:
1083         (JSC::JIT::compileWithoutLinking):
1084         * jit/JITToDFGDeferredCompilationCallback.cpp:
1085         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1086         * jit/JITWorklist.cpp:
1087         (JSC::JITWorklist::Plan::finalize):
1088         (JSC::JITWorklist::compileNow):
1089         * jit/RegisterAtOffsetList.cpp:
1090         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1091         * jit/RegisterAtOffsetList.h:
1092         (JSC::RegisterAtOffsetList::at const):
1093         * runtime/ErrorInstance.cpp:
1094         (JSC::appendSourceToError):
1095         * runtime/ScriptExecutable.cpp:
1096         (JSC::ScriptExecutable::newCodeBlockFor):
1097         * runtime/StackFrame.cpp:
1098         (JSC::StackFrame::sourceID const):
1099         (JSC::StackFrame::sourceURL const):
1100         (JSC::StackFrame::computeLineAndColumn const):
1101
1102 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1103
1104         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1105         https://bugs.webkit.org/show_bug.cgi?id=194460
1106
1107         Reviewed by Mark Lam.
1108
1109         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1110
1111         * b3/B3LowerMacros.cpp:
1112
1113 2019-02-08  Mark Lam  <mark.lam@apple.com>
1114
1115         Use maxSingleCharacterString in comparisons instead of literal constants.
1116         https://bugs.webkit.org/show_bug.cgi?id=194452
1117
1118         Reviewed by Yusuke Suzuki.
1119
1120         This way, if we ever change maxSingleCharacterString, it won't break all this code
1121         that relies on it being 0xff implicitly.
1122
1123         * dfg/DFGSpeculativeJIT.cpp:
1124         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1125         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1126         * ftl/FTLLowerDFGToB3.cpp:
1127         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1128         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1129         * jit/ThunkGenerators.cpp:
1130         (JSC::stringGetByValGenerator):
1131         (JSC::charToString):
1132
1133 2019-02-08  Mark Lam  <mark.lam@apple.com>
1134
1135         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1136         https://bugs.webkit.org/show_bug.cgi?id=194446
1137         <rdar://problem/47926792>
1138
1139         Reviewed by Saam Barati.
1140
1141         Fix doesGC() for the following nodes:
1142
1143             CheckTierUpAtReturn:
1144                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1145                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1146
1147             CheckTierUpInLoop:
1148                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1149                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1150
1151             CheckTierUpAndOSREnter:
1152                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1153                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1154
1155             GetByVal:
1156                 case Array::String calls operationSingleCharacterString(), which calls
1157                 jsSingleCharacterString(), which can allocate a string.
1158
1159             PutByValDirect:
1160             PutByVal:
1161             PutByValAlias:
1162                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1163                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1164                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1165                 slow paths call putByValInternal(), which may create exception objects, or
1166                 call the generic JSValue::put() which may execute arbitrary code.
1167
1168             StringCharAt:
1169                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1170                 which can allocate a string.
1171
1172         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1173         to use the maxSingleCharacterString constant instead of a literal constant.
1174
1175         * dfg/DFGDoesGC.cpp:
1176         (JSC::DFG::doesGC):
1177         * dfg/DFGSpeculativeJIT.cpp:
1178         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1179         * dfg/DFGSpeculativeJIT64.cpp:
1180         (JSC::DFG::SpeculativeJIT::compile):
1181         * ftl/FTLLowerDFGToB3.cpp:
1182         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1183         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1184         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1185
1186 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1187
1188         [JSC] SourceProviderCacheItem should be small
1189         https://bugs.webkit.org/show_bug.cgi?id=194432
1190
1191         Reviewed by Saam Barati.
1192
1193         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1194         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1195         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1196
1197         * parser/Parser.cpp:
1198         (JSC::Parser<LexerType>::parseFunctionInfo):
1199         * parser/ParserModes.h:
1200         * parser/ParserTokens.h:
1201         * parser/SourceProviderCacheItem.h:
1202         (JSC::SourceProviderCacheItem::endFunctionToken const):
1203         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1204
1205 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1206
1207         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1208         https://bugs.webkit.org/show_bug.cgi?id=194420
1209
1210         Reviewed by Saam Barati.
1211
1212         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1213         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1214         This trivial patch fixes both.
1215
1216         * b3/B3ReduceStrength.cpp:
1217         * b3/testb3.cpp:
1218         (JSC::B3::testAbsNegArg):
1219
1220 2019-02-07  Keith Miller  <keith_miller@apple.com>
1221
1222         Better error messages for module loader SPI
1223         https://bugs.webkit.org/show_bug.cgi?id=194421
1224
1225         Reviewed by Saam Barati.
1226
1227         * API/JSAPIGlobalObject.mm:
1228         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1229
1230 2019-02-07  Mark Lam  <mark.lam@apple.com>
1231
1232         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1233         https://bugs.webkit.org/show_bug.cgi?id=194399
1234         <rdar://problem/47889777>
1235
1236         Reviewed by Yusuke Suzuki.
1237
1238         Fix doesGC() for the following nodes:
1239
1240             CheckTraps:
1241                 We normally will not emit this node because Options::usePollingTraps() is
1242                 false by default.  However, as it is implemented now, CheckTraps can GC
1243                 because it can allocate a TerminatedExecutionException.  If we make the
1244                 TerminatedExecutionException a singleton allocated at initialization time,
1245                 doesGC() can return false for CheckTraps.
1246                 https://bugs.webkit.org/show_bug.cgi?id=194323
1247
1248             GetMapBucket:
1249                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1250                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1251                 can resolve a rope.
1252
1253             Switch:
1254                 If switchData kind is SwitchChar, can call operationResolveRope().
1255                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1256                     can call operationSwitchString() which resolves ropes.
1257
1258             DirectTailCall:
1259             ForceOSRExit:
1260             Return:
1261             TailCallForwardVarargs:
1262             TailCallVarargs:
1263             Throw:
1264                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1265                 for them, but following our conservative practice, unless we have a good
1266                 reason for doesGC() to return false, we should just return true.
1267
1268         * dfg/DFGDoesGC.cpp:
1269         (JSC::DFG::doesGC):
1270
1271 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1272
1273         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1274         https://bugs.webkit.org/show_bug.cgi?id=194250
1275
1276         Reviewed by Saam Barati.
1277
1278         Adds the following optimizations for integers:
1279         - Sub(x, x) => 0
1280             Already covered by the test testSubArg
1281         - Sub(x1, Neg(x2)) => Add (x1, x2)
1282             Added test: testSubNeg
1283         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1284             Added test: testNegSub
1285         - Add(Neg(x1), x2) => Sub(x2, x1)
1286             Added test: testAddNeg1
1287         - Add(x1, Neg(x2)) => Sub(x1, x2)
1288             Added test: testAddNeg2
1289         Adds the following optimization for floating point values:
1290         - Abs(Neg(x)) => Abs(x)
1291             Added test: testAbsNegArg
1292             Adds the following optimization:
1293
1294         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1295
1296         * b3/B3ReduceStrength.cpp:
1297         * b3/testb3.cpp:
1298         (JSC::B3::testAddNeg1):
1299         (JSC::B3::testAddNeg2):
1300         (JSC::B3::testSubNeg):
1301         (JSC::B3::testNegSub):
1302         (JSC::B3::testAbsAbsArg):
1303         (JSC::B3::testAbsNegArg):
1304         (JSC::B3::run):
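
        The rewrites listed in this entry, together with the Abs(Neg(x)) correction from the 2019-02-07 entry above (bug 194420), as an added C++ sketch that is not B3ReduceStrength's code: a miniature value graph with assumed names (Value, Op, Type, reduce, evalInt, evalDouble, intReductionIsSound), a bottom-up reducer that applies the peepholes, and evaluators so the rewritten tree can be compared against the original the way the testb3 tests do. It also shows why the Sub and Neg rules are stated for integers only: on doubles NaN and signed zero break them.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>
#include <vector>

// Miniature of a B3-style value graph; names are assumptions for this sketch, not B3's API.
enum class Op { Const, Arg, Neg, Abs, Add, Sub };
enum class Type { Int64, Double };

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    Op op = Op::Const;
    Type type = Type::Int64;
    ValuePtr child0, child1;
    int64_t intConst = 0;   // payload for an Int64 Const
    double doubleConst = 0; // payload for a Double Const
    int argIndex = 0;       // payload for Arg
};

ValuePtr make(Op op, Type type, ValuePtr a = nullptr, ValuePtr b = nullptr) {
    auto p = std::make_shared<Value>();
    p->op = op; p->type = type; p->child0 = std::move(a); p->child1 = std::move(b);
    return p;
}
ValuePtr constInt(int64_t v) { auto p = make(Op::Const, Type::Int64); p->intConst = v; return p; }
ValuePtr arg(int index, Type type) { auto p = make(Op::Arg, type); p->argIndex = index; return p; }
ValuePtr unary(Op op, ValuePtr a) { Type t = a->type; return make(op, t, std::move(a)); }
ValuePtr binary(Op op, ValuePtr a, ValuePtr b) { Type t = a->type; return make(op, t, std::move(a), std::move(b)); }

// One bottom-up pass applying the rewrites listed in the ChangeLog. It builds new nodes instead of
// mutating, so a caller can evaluate the tree before and after and compare the results.
ValuePtr reduce(const ValuePtr& v) {
    if (v->op == Op::Const || v->op == Op::Arg)
        return v;
    ValuePtr a = reduce(v->child0);
    ValuePtr b;
    if (v->child1)
        b = reduce(v->child1);
    bool isInt = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        // Sub(x, x) => 0 is integer-only: for doubles NaN - NaN and inf - inf are NaN, not 0.
        if (isInt && a == b) return constInt(0);
        // Sub(x1, Neg(x2)) => Add(x1, x2)
        if (isInt && b->op == Op::Neg) return binary(Op::Add, a, b->child0);
        break;
    case Op::Neg:
        // Neg(Sub(x1, x2)) => Sub(x2, x1) is integer-only: for doubles -(0 - 0) is -0 but 0 - 0 is +0.
        if (isInt && a->op == Op::Sub) return binary(Op::Sub, a->child1, a->child0);
        break;
    case Op::Add:
        // Add(Neg(x1), x2) => Sub(x2, x1) and Add(x1, Neg(x2)) => Sub(x1, x2)
        if (isInt && a->op == Op::Neg) return binary(Op::Sub, b, a->child0);
        if (isInt && b->op == Op::Neg) return binary(Op::Sub, a, b->child0);
        break;
    case Op::Abs:
        // Abs(Neg(x)) => Abs(x). The first version of this rule returned x itself, which is wrong
        // for every negative x; the follow-up fix keeps the Abs, as done here.
        if (a->op == Op::Neg) return unary(Op::Abs, a->child0);
        break;
    default:
        break;
    }
    return b ? binary(v->op, a, b) : unary(v->op, a);
}

// Evaluators: Int64 arithmetic wraps via unsigned math; Abs is treated as a double-only opcode.
int64_t evalInt(const Value& v, const std::vector<int64_t>& args) {
    auto u = [&](const ValuePtr& c) { return static_cast<uint64_t>(evalInt(*c, args)); };
    switch (v.op) {
    case Op::Const: return v.intConst;
    case Op::Arg: return args.at(v.argIndex);
    case Op::Neg: return static_cast<int64_t>(uint64_t{0} - u(v.child0));
    case Op::Add: return static_cast<int64_t>(u(v.child0) + u(v.child1));
    case Op::Sub: return static_cast<int64_t>(u(v.child0) - u(v.child1));
    case Op::Abs: break;
    }
    return 0;
}

double evalDouble(const Value& v, const std::vector<double>& args) {
    switch (v.op) {
    case Op::Const: return v.doubleConst;
    case Op::Arg: return args.at(v.argIndex);
    case Op::Neg: return -evalDouble(*v.child0, args);
    case Op::Abs: return std::fabs(evalDouble(*v.child0, args));
    case Op::Add: return evalDouble(*v.child0, args) + evalDouble(*v.child1, args);
    case Op::Sub: return evalDouble(*v.child0, args) - evalDouble(*v.child1, args);
    }
    return 0;
}

// The soundness property every peephole must keep, checked the way a testb3 test would:
// the reduced tree computes the same value as the original on the given arguments.
bool intReductionIsSound(const ValuePtr& tree, const std::vector<int64_t>& args) {
    return evalInt(*tree, args) == evalInt(*reduce(tree), args);
}
```

        Sharing the same Arg node for both operands is what makes Sub(x, x) recognisable by pointer identity; a structurally equal but distinct node would not fold, which matches how a value-identity check behaves and is why the eager copy-paste bug in the Abs rule was only caught once the test looked at the right expression.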
1305
1306 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1307
1308         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1309         https://bugs.webkit.org/show_bug.cgi?id=194374
1310
1311         Reviewed by Geoffrey Garen.
1312
1313         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1314         But a pointer is larger than a single character. BufferInternal StringImpl with a single character
1315         is more memory efficient.
1316
1317         * runtime/SmallStrings.cpp:
1318         (JSC::SmallStringsStorage::SmallStringsStorage):
1319         (JSC::SmallStrings::SmallStrings):
1320         * runtime/SmallStrings.h:
1321
1322 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1323
1324         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1325         https://bugs.webkit.org/show_bug.cgi?id=194369
1326         <rdar://problem/47813087>
1327
1328         Reviewed by Saam Barati.
1329
1330         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1331         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1332         constant folding phase.
1333
1334         * dfg/DFGAbstractInterpreterInlines.h:
1335         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1336
1337 2019-02-06  Devin Rousso  <drousso@apple.com>
1338
1339         Web Inspector: DOM: don't send the entire function string with each event listener
1340         https://bugs.webkit.org/show_bug.cgi?id=194293
1341         <rdar://problem/47822809>
1342
1343         Reviewed by Joseph Pecoraro.
1344
1345         * inspector/protocol/DOM.json:
1346
1347         * runtime/JSFunction.h:
1348         Export `calculatedDisplayName`.
1349
1350 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1351
1352         [JSC] PrivateName to PublicName hash table is wasteful
1353         https://bugs.webkit.org/show_bug.cgi?id=194277
1354
1355         Reviewed by Michael Saboff.
1356
1357         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
1358         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1359         each of which takes 16KB of memory. While "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1360         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1361
1362         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1363
1364         1. PrivateName's content should be the same as PublicName.
1365         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1366            the public name should be easily crafted from the given PrivateName.
1367
1368         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1369         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1370
1371         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1372         WebCore.
1373
1374         * builtins/BuiltinNames.cpp:
1375         (JSC::BuiltinNames::BuiltinNames):
1376         * builtins/BuiltinNames.h:
1377         (JSC::BuiltinNames::lookUpPrivateName const):
1378         (JSC::BuiltinNames::getPublicName const):
1379         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1380         (JSC::BuiltinNames::appendExternalName):
1381         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1382         * builtins/BuiltinUtils.h:
1383         * bytecode/BytecodeDumper.cpp:
1384         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1385         * bytecompiler/NodesCodegen.cpp:
1386         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1387         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1388         * parser/Lexer.cpp:
1389         (JSC::Lexer<LChar>::parseIdentifier):
1390         (JSC::Lexer<UChar>::parseIdentifier):
1391         * parser/Parser.cpp:
1392         (JSC::Parser<LexerType>::createGeneratorParameters):
1393         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1394         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1395         (JSC::Parser<LexerType>::parseClassDeclaration):
1396         (JSC::Parser<LexerType>::parseExportDeclaration):
1397         (JSC::Parser<LexerType>::parseMemberExpression):
1398         * parser/ParserArena.h:
1399         (JSC::IdentifierArena::makeIdentifier):
1400         * runtime/CachedTypes.cpp:
1401         (JSC::CachedUniquedStringImpl::encode):
1402         (JSC::CachedUniquedStringImpl::decode const):
1403         * runtime/CommonIdentifiers.cpp:
1404         (JSC::CommonIdentifiers::CommonIdentifiers):
1405         (JSC::CommonIdentifiers::lookUpPrivateName const):
1406         (JSC::CommonIdentifiers::getPublicName const):
1407         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1408         * runtime/CommonIdentifiers.h:
1409         * runtime/ExceptionHelpers.cpp:
1410         (JSC::createUndefinedVariableError):
1411         * runtime/Identifier.cpp:
1412         (JSC::Identifier::dump const):
1413         * runtime/Identifier.h:
1414         * runtime/IdentifierInlines.h:
1415         (JSC::Identifier::fromUid):
1416         * runtime/JSTypedArrayViewPrototype.cpp:
1417         (JSC::JSTypedArrayViewPrototype::finishCreation):
1418         * tools/JSDollarVM.cpp:
1419         (JSC::functionGetPrivateProperty):
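
The two rules in the entry above are enough to craft a public name from a private one without a reverse table. The following is an added illustration, not JSC's BuiltinNames or CommonIdentifiers code; the function names, the "@exampleHelper" sample name and the table shape are assumptions made for the example:

```cpp
// Added illustration (not JSC's code): derive a public name from a private "@name"
// without a "PrivateName to PublicName" hash table, using the two rules from the entry.
#include <optional>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Rule 1: a private name is spelled exactly like its public counterpart plus an "@"
// prefix. Rule 2: the pseudo-private spelling "@xxxSymbol" maps to "Symbol.xxx".
// Function name and signature are assumptions for this example.
static std::optional<std::string> publicNameForPrivateName(std::string_view privateName)
{
    if (privateName.size() < 2 || privateName.front() != '@')
        return std::nullopt; // not a private name at all
    std::string_view body = privateName.substr(1);
    constexpr std::string_view suffix = "Symbol";
    bool looksLikeWellKnownSymbol = body.size() > suffix.size()
        && body.substr(body.size() - suffix.size()) == suffix;
    if (looksLikeWellKnownSymbol)
        return "Symbol." + std::string(body.substr(0, body.size() - suffix.size()));
    return std::string(body);
}

// Consistency check in the spirit of checkPublicToPrivateMapConsistency: every entry of
// the remaining public->private table must round-trip through the crafting rule, which
// is what makes dropping the reverse table safe. Table type is an assumption.
static bool privateToPublicIsConsistent(const std::vector<std::pair<std::string, std::string>>& publicToPrivate)
{
    for (const auto& [publicName, privateName] : publicToPrivate) {
        auto crafted = publicNameForPrivateName(privateName);
        if (!crafted || *crafted != publicName)
            return false;
    }
    return true;
}
```

The check is the interesting part: once the reverse table is gone, any new "@xxxSymbol"-style alias whose public spelling does not follow rule 2 would silently produce a wrong public name, so the forward table should be validated against the crafting rule at startup (as the entry's checkPublicToPrivateMapConsistency does) rather than trusted.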
1420
1421 2019-02-06  Keith Rollin  <krollin@apple.com>
1422
1423         Really enable the automatic checking and regenerations of .xcfilelists during builds
1424         https://bugs.webkit.org/show_bug.cgi?id=194357
1425         <rdar://problem/47861231>
1426
1427         Reviewed by Chris Dumez.
1428
1429         Bug 194124 was supposed to enable the automatic checking and
1430         regenerating of .xcfilelist files during the build. While related
1431         changes were included in that patch, the change to actually enable the
1432         operation somehow was omitted. This patch actually enables the
1433         operation. The check-xcfilelist.sh scripts now check
1434         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts the developer
1435         out of the checking.
1436
1437         * Scripts/check-xcfilelists.sh:
1438
1439 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1440
1441         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1442         https://bugs.webkit.org/show_bug.cgi?id=194339
1443
1444         Reviewed by Michael Saboff.
1445
1446         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1447         They have even the same structure. This patch unifies the subspaces for them.
1448
1449         * runtime/DirectEvalExecutable.h:
1450         * runtime/EvalExecutable.h:
1451         (JSC::EvalExecutable::subspaceFor):
1452         * runtime/IndirectEvalExecutable.h:
1453         * runtime/VM.cpp:
1454         * runtime/VM.h:
1455         (JSC::VM::forEachScriptExecutableSpace):
1456
1457 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1458
1459         [JSC] NativeExecutable should be smaller
1460         https://bugs.webkit.org/show_bug.cgi?id=194331
1461
1462         Reviewed by Michael Saboff.
1463
1464         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1465         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1466         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1467         only takes one MarkedBlock for NativeExecutable.
1468
1469         To make NativeExecutable smaller,
1470
1471         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1472            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1473
1474         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1475            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1476            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1477
1478         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things, we can leverage this to put
1479            Intrinsic for NativeExecutable.
1480
1481         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1482
1483         * CMakeLists.txt:
1484         * JavaScriptCore.xcodeproj/project.pbxproj:
1485         * bytecode/CallVariant.h:
1486         * interpreter/Interpreter.cpp:
1487         * jit/JITCode.cpp:
1488         (JSC::DirectJITCode::DirectJITCode):
1489         (JSC::NativeJITCode::NativeJITCode):
1490         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1491         * jit/JITCode.h:
1492         (JSC::JITCode::signature const):
1493         (JSC::JITCode::intrinsic):
1494         * jit/JITOperations.cpp:
1495         * jit/JITThunks.cpp:
1496         (JSC::JITThunks::hostFunctionStub):
1497         * jit/Repatch.cpp:
1498         * llint/LLIntSlowPaths.cpp:
1499         * runtime/ExecutableBase.cpp:
1500         (JSC::ExecutableBase::dump const):
1501         (JSC::ExecutableBase::hashFor const):
1502         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1503         (JSC::ExecutableBase::clearCode): Deleted.
1504         * runtime/ExecutableBase.h:
1505         (JSC::ExecutableBase::ExecutableBase):
1506         (JSC::ExecutableBase::isModuleProgramExecutable):
1507         (JSC::ExecutableBase::isHostFunction const):
1508         (JSC::ExecutableBase::generatedJITCodeForCall const):
1509         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1510         (JSC::ExecutableBase::generatedJITCodeFor const):
1511         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1512         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1513         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1514         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1515         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1516         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1517         (JSC::ExecutableBase::intrinsic const): Deleted.
1518         * runtime/ExecutableBaseInlines.h: Added.
1519         (JSC::ExecutableBase::intrinsic const):
1520         (JSC::ExecutableBase::hasJITCodeForCall const):
1521         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1522         * runtime/JSBoundFunction.cpp:
1523         * runtime/JSType.cpp:
1524         (WTF::printInternal):
1525         * runtime/JSType.h:
1526         * runtime/NativeExecutable.cpp:
1527         (JSC::NativeExecutable::create):
1528         (JSC::NativeExecutable::createStructure):
1529         (JSC::NativeExecutable::NativeExecutable):
1530         (JSC::NativeExecutable::signatureFor const):
1531         (JSC::NativeExecutable::intrinsic const):
1532         * runtime/NativeExecutable.h:
1533         * runtime/ScriptExecutable.cpp:
1534         (JSC::ScriptExecutable::ScriptExecutable):
1535         (JSC::ScriptExecutable::clearCode):
1536         (JSC::ScriptExecutable::installCode):
1537         (JSC::ScriptExecutable::hasClearableCode const):
1538         * runtime/ScriptExecutable.h:
1539         (JSC::ScriptExecutable::intrinsic const):
1540         (JSC::ScriptExecutable::hasJITCodeForCall const):
1541         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1542         * runtime/VM.cpp:
1543         (JSC::VM::getHostFunction):
1544
1545 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1546
1547         Build failure after r240431
1548         https://bugs.webkit.org/show_bug.cgi?id=194330
1549
1550         Reviewed by Žan Doberšek.
1551
1552         * API/glib/JSCOptions.cpp:
1553
1554 2019-02-05  Mark Lam  <mark.lam@apple.com>
1555
1556         Fix DFG's doesGC() for a few more nodes.
1557         https://bugs.webkit.org/show_bug.cgi?id=194307
1558         <rdar://problem/47832956>
1559
1560         Reviewed by Yusuke Suzuki.
1561
1562         Fix doesGC() for the following nodes:
1563
1564             NumberToStringWithValidRadixConstant:
1565                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1566                 which can allocate a string.
1567                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1568                 which can allocate a string.
1569                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1570                 which can allocate a string.
1571
1572             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1573                 memory for all kinds of objects.
1574             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1575                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1576                 these allocate memory for the match result.
1577             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1578                 calls RegExpObject's collectMatches(), which allocates an array amongst
1579                 other objects.
1580
1581             StringFromCharCode:
1582                 If the uint32 code to convert is greater than maxSingleCharacterString,
1583                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1584                 which allocates a new string if the code is greater than maxSingleCharacterString.
1585
1586         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1587         to use maxSingleCharacterString instead of a literal constant.
1588
1589         * dfg/DFGDoesGC.cpp:
1590         (JSC::DFG::doesGC):
1591         * dfg/DFGSpeculativeJIT.cpp:
1592         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1593         * ftl/FTLLowerDFGToB3.cpp:
1594         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1595
1596 2019-02-05  Keith Rollin  <krollin@apple.com>
1597
1598         Enable the automatic checking and regenerations of .xcfilelists during builds
1599         https://bugs.webkit.org/show_bug.cgi?id=194124
1600         <rdar://problem/47721277>
1601
1602         Reviewed by Tim Horton.
1603
1604         Bug 193790 added a facility for checking -- during build time -- that
1605         any needed .xcfilelist files are up-to-date and for updating them if
1606         they are not. This facility was initially opt-in by setting
1607         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1608         the process seemed robust. It's now time to enable this facility and
1609         make it opt-out. If there is a need to disable this facility, set and
1610         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1611         running `make` or `build-webkit`, or before running Xcode from the
1612         command line.
1613
1614         Additionally, remove the step that generates a list of source files
1615         going into the UnifiedSources build step. It's only necessary to
1616         specify Sources.txt and SourcesCocoa.txt as inputs.
1617
1618         * JavaScriptCore.xcodeproj/project.pbxproj:
1619         * UnifiedSources-input.xcfilelist: Removed.
1620
1621 2019-02-05  Keith Rollin  <krollin@apple.com>
1622
1623         Update .xcfilelist files
1624         https://bugs.webkit.org/show_bug.cgi?id=194121
1625         <rdar://problem/47720863>
1626
1627         Reviewed by Tim Horton.
1628
1629         Preparatory to enabling the facility for automatically updating the
1630         .xcfilelist files, check in a freshly-updated set so that not everyone
1631         runs up against having to regenerate them themselves.
1632
1633         * DerivedSources-input.xcfilelist:
1634         * DerivedSources-output.xcfilelist:
1635
1636 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1637
1638         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1639         https://bugs.webkit.org/show_bug.cgi?id=185557
1640
1641         Reviewed by Mark Lam.
1642
1643         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1644         where n is the number of characters in the formatted string.
1645         It may be less memory efficient than the previous impl, since the intermediate Vector
1646         is the length of the string, instead of the count of the fields.
1647
1648         * runtime/IntlNumberFormat.cpp:
1649         (JSC::IntlNumberFormat::formatToParts):
1650         * runtime/IntlNumberFormat.h:
1651
1652 2019-02-05  Mark Lam  <mark.lam@apple.com>
1653
1654         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1655         https://bugs.webkit.org/show_bug.cgi?id=194298
1656         <rdar://problem/47827555>
1657
1658         Reviewed by Saam Barati.
1659
1660         We do this for 3 reasons:
1661         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1662         2. If things change in the future where clobberize() no longer reports these nodes
1663            as write(Heap), each node should be vetted first to make sure that it can never
1664            GC before being moved back to the doesGC() list that returns false.
1665         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1666            correct in its claims about the nodes' GCing possibility.
1667
1668         The list of nodes moved are:
1669
1670             ArrayPush
1671             ArrayPop
1672             Call
1673             CallEval
1674             CallForwardVarargs
1675             CallVarargs
1676             Construct
1677             ConstructForwardVarargs
1678             ConstructVarargs
1679             DefineDataProperty
1680             DefineAccessorProperty
1681             DeleteById
1682             DeleteByVal
1683             DirectCall
1684             DirectConstruct
1685             DirectTailCallInlinedCaller
1686             GetById
1687             GetByIdDirect
1688             GetByIdDirectFlush
1689             GetByIdFlush
1690             GetByIdWithThis
1691             GetByValWithThis
1692             GetDirectPname
1693             GetDynamicVar
1694             HasGenericProperty
1695             HasOwnProperty
1696             HasStructureProperty
1697             InById
1698             InByVal
1699             InstanceOf
1700             InstanceOfCustom
1701             LoadVarargs
1702             NumberToStringWithRadix
1703             PutById
1704             PutByIdDirect
1705             PutByIdFlush
1706             PutByIdWithThis
1707             PutByOffset
1708             PutByValWithThis
1709             PutDynamicVar
1710             PutGetterById
1711             PutGetterByVal
1712             PutGetterSetterById
1713             PutSetterById
1714             PutSetterByVal
1715             PutStack
1716             PutToArguments
1717             RegExpExec
1718             RegExpTest
1719             ResolveScope
1720             ResolveScopeForHoistingFuncDeclInEval
1721             TailCall
1722             TailCallForwardVarargsInlinedCaller
1723             TailCallInlinedCaller
1724             TailCallVarargsInlinedCaller
1725             ToNumber
1726             ToPrimitive
1727             ValueNegate
1728
1729         * dfg/DFGDoesGC.cpp:
1730         (JSC::DFG::doesGC):
1731
1732 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1733
1734         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1735         https://bugs.webkit.org/show_bug.cgi?id=194281
1736
1737         Reviewed by Michael Saboff.
1738
1739         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1740         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1741
1742         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
1743         of generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1744         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we make them as a future work.
1745
1746         * bytecode/CodeBlock.cpp:
1747         (JSC::CodeBlock::finishCreation):
1748         * bytecode/CodeBlock.h:
1749         (JSC::CodeBlock::bitVectors const): Deleted.
1750         * bytecode/CodeType.h:
1751         * bytecode/UnlinkedCodeBlock.cpp:
1752         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1753         (JSC::UnlinkedCodeBlock::shrinkToFit):
1754         * bytecode/UnlinkedCodeBlock.h:
1755         (JSC::UnlinkedCodeBlock::bitVector):
1756         (JSC::UnlinkedCodeBlock::addBitVector):
1757         (JSC::UnlinkedCodeBlock::addSetConstant):
1758         (JSC::UnlinkedCodeBlock::constantRegisters):
1759         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1760         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1761         (JSC::UnlinkedCodeBlock::codeType const):
1762         (JSC::UnlinkedCodeBlock::didOptimize const):
1763         (JSC::UnlinkedCodeBlock::setDidOptimize):
1764         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1765         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1766         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1767         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1768         * bytecompiler/BytecodeGenerator.cpp:
1769         (JSC::BytecodeGenerator::emitLoad):
1770         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1771         * bytecompiler/BytecodeGenerator.h:
1772         * runtime/CachedTypes.cpp:
1773         (JSC::CachedCodeBlockRareData::encode):
1774         (JSC::CachedCodeBlockRareData::decode const):
1775         (JSC::CachedCodeBlock::scopeRegister const):
1776         (JSC::CachedCodeBlock::codeType const):
1777         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1778         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1779         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1780         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1781
1782 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1783
1784         Unreviewed, add missing exception checks after r240637
1785         https://bugs.webkit.org/show_bug.cgi?id=193546
1786
1787         * tools/JSDollarVM.cpp:
1788         (JSC::functionShadowChickenFunctionsOnStack):
1789
1790 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1791
1792         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1793         https://bugs.webkit.org/show_bug.cgi?id=193993
1794
1795         Reviewed by Keith Miller.
1796
1797         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
1798         And some of them are rarely used. We should allocate them lazily.
1799
1800         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1801         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1802         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1803         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1804         parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
1805         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1806         by using WTF::storeStoreFence when lazily allocating it.
1807
1808         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1809         existence of the space before touching it. This is not racy because the main thread is stopped when
1810         the constraint solving is working.
1811
1812         This changes sizeof(VM) from 64736 to 56472.
1813
1814         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1815         `Subspace::initialize`. This is a really dangerous API since it easily causes dead-lock between the
1816         collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
1817         dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
1818         of IsoSubspace adoption because IsoSubspace is large. Registered Subspace is only touched in the
1819         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1820         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1821
1822         * API/JSCallbackFunction.h:
1823         * API/ObjCCallbackFunction.h:
1824         (JSC::ObjCCallbackFunction::subspaceFor):
1825         * API/glib/JSCCallbackFunction.h:
1826         * CMakeLists.txt:
1827         * JavaScriptCore.xcodeproj/project.pbxproj:
1828         * bytecode/CodeBlock.cpp:
1829         (JSC::CodeBlock::visitChildren):
1830         (JSC::CodeBlock::finalizeUnconditionally):
1831         * bytecode/CodeBlock.h:
1832         * bytecode/EvalCodeBlock.h:
1833         * bytecode/ExecutableToCodeBlockEdge.h:
1834         * bytecode/FunctionCodeBlock.h:
1835         * bytecode/ModuleProgramCodeBlock.h:
1836         * bytecode/ProgramCodeBlock.h:
1837         * bytecode/UnlinkedFunctionExecutable.cpp:
1838         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1839         * bytecode/UnlinkedFunctionExecutable.h:
1840         * dfg/DFGSpeculativeJIT.cpp:
1841         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1842         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1843         (JSC::DFG::SpeculativeJIT::compileNewObject):
1844         * ftl/FTLLowerDFGToB3.cpp:
1845         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1846         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1847         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1848         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1849         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1850         * heap/Heap.cpp:
1851         (JSC::Heap::finalizeUnconditionalFinalizers):
1852         (JSC::Heap::deleteAllCodeBlocks):
1853         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1854         (JSC::Heap::addCoreConstraints):
1855         * heap/Subspace.cpp:
1856         (JSC::Subspace::initialize):
1857         * jit/AssemblyHelpers.h:
1858         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1859         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1860         * jit/JITOpcodes.cpp:
1861         (JSC::JIT::emit_op_new_object):
1862         * jit/JITOpcodes32_64.cpp:
1863         (JSC::JIT::emit_op_new_object):
1864         * runtime/DirectArguments.h:
1865         * runtime/DirectEvalExecutable.h:
1866         * runtime/ErrorInstance.h:
1867         (JSC::ErrorInstance::subspaceFor):
1868         * runtime/ExecutableBase.h:
1869         * runtime/FunctionExecutable.h:
1870         * runtime/IndirectEvalExecutable.h:
1871         * runtime/InferredValue.cpp:
1872         (JSC::InferredValue::visitChildren):
1873         * runtime/InferredValue.h:
1874         * runtime/InferredValueInlines.h:
1875         (JSC::InferredValue::finalizeUnconditionally):
1876         * runtime/InternalFunction.h:
1877         * runtime/JSAsyncFunction.h:
1878         * runtime/JSAsyncGeneratorFunction.h:
1879         * runtime/JSBoundFunction.h:
1880         * runtime/JSCell.h:
1881         (JSC::subspaceFor):
1882         (JSC::subspaceForConcurrently):
1883         * runtime/JSCellInlines.h:
1884         (JSC::allocatorForNonVirtualConcurrently):
1885         * runtime/JSCustomGetterSetterFunction.h:
1886         * runtime/JSDestructibleObject.h:
1887         * runtime/JSFunction.h:
1888         * runtime/JSGeneratorFunction.h:
1889         * runtime/JSImmutableButterfly.h:
1890         * runtime/JSLexicalEnvironment.h:
1891         (JSC::JSLexicalEnvironment::subspaceFor):
1892         * runtime/JSNativeStdFunction.h:
1893         * runtime/JSSegmentedVariableObject.h:
1894         * runtime/JSString.h:
1895         * runtime/ModuleProgramExecutable.h:
1896         * runtime/NativeExecutable.h:
1897         * runtime/ProgramExecutable.h:
1898         * runtime/PropertyMapHashTable.h:
1899         * runtime/ProxyRevoke.h:
1900         * runtime/ScopedArguments.h:
1901         * runtime/ScriptExecutable.cpp:
1902         (JSC::ScriptExecutable::clearCode):
1903         (JSC::ScriptExecutable::installCode):
1904         * runtime/Structure.h:
1905         * runtime/StructureRareData.h:
1906         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1907         * runtime/VM.cpp:
1908         (JSC::VM::VM):
1909         * runtime/VM.h:
1910         (JSC::VM::SpaceAndSet::SpaceAndSet):
1911         (JSC::VM::SpaceAndSet::setFor):
1912         (JSC::VM::forEachScriptExecutableSpace):
1913         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1914         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1915         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1916         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1917         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1918         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1919         * runtime/WeakMapImpl.h:
1920         (JSC::WeakMapImpl::subspaceFor):
1921         * wasm/js/JSWebAssemblyCodeBlock.h:
1922         * wasm/js/JSWebAssemblyMemory.h:
1923         * wasm/js/WebAssemblyFunction.h:
1924         * wasm/js/WebAssemblyWrapperFunction.h:
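
The lazy-space protocol described in the entry above (main thread creates on demand and publishes with a store fence; concurrent tiers may observe nullptr and must not allocate) as an added, self-contained illustration. This is not JSC's VM or IsoSubspace code: the `Subspace` stand-in, the `ensureFooSpace`/`fooSpaceConcurrently` names and the use of a C++ release/acquire pair in place of WTF::storeStoreFence are assumptions made for the example:

```cpp
// Added illustration (not JSC's code) of lazily creating a heap space that one owning
// thread creates on first use while concurrent readers tolerate "not created yet".
#include <atomic>
#include <cstddef>
#include <string>
#include <utility>

struct Subspace {                       // stand-in for IsoSubspace (assumption)
    explicit Subspace(std::string name) : name(std::move(name)) { }
    std::string name;
};

class VM {
public:
    ~VM() { delete m_fooSpace.load(std::memory_order_relaxed); }

    // Main-thread only: create the space on first use. The entry uses
    // WTF::storeStoreFence before publishing; a release store is the portable
    // equivalent used here (assumption). The object is fully constructed before
    // the pointer becomes visible, so a reader that sees non-null sees a valid space.
    Subspace* ensureFooSpace()
    {
        if (Subspace* space = m_fooSpace.load(std::memory_order_acquire))
            return space;
        auto* space = new Subspace("foo");
        m_fooSpace.store(space, std::memory_order_release);
        return space;
    }

    // Concurrent tiers: never allocate; nullptr means "not created yet".
    Subspace* fooSpaceConcurrently() const
    {
        return m_fooSpace.load(std::memory_order_acquire);
    }

private:
    // A pointer slot instead of an inline IsoSubspace is what shrinks sizeof(VM):
    // the slot is pointer-sized regardless of how large the space object is.
    std::atomic<Subspace*> m_fooSpace { nullptr };
};

// Models the decision a concurrent compiler has to make: with no space yet, it must
// take the slow path (or bail out) instead of racing the main thread to create one.
static bool canAllocateInlineConcurrently(const VM& vm)
{
    return vm.fooSpaceConcurrently() != nullptr;
}

// The slot is pointer-sized; the full object is only paid for once it is created.
static constexpr size_t lazySlotSize() { return sizeof(std::atomic<Subspace*>); }
```

The invariant worth checking in review of such code is the one the entry states for constraint solving: readers that are not the owning thread must only ever test the pointer and use what they find, never create, and the owning thread must be stopped whenever the collector walks the registered spaces.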
1925
1926 2019-02-04  Keith Miller  <keith_miller@apple.com>
1927
1928         Change llint operand macros to inline functions
1929         https://bugs.webkit.org/show_bug.cgi?id=194248
1930
1931         Reviewed by Mark Lam.
1932
1933         * llint/LLIntSlowPaths.cpp:
1934         (JSC::LLInt::getNonConstantOperand):
1935         (JSC::LLInt::getOperand):
1936         (JSC::LLInt::llint_trace_value):
1937         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1938         (JSC::LLInt::getByVal):
1939         (JSC::LLInt::genericCall):
1940         (JSC::LLInt::varargsSetup):
1941         (JSC::LLInt::commonCallEval):
1942
1943 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1944
1945         when lowering AssertNotEmpty, create the value before creating the patchpoint
1946         https://bugs.webkit.org/show_bug.cgi?id=194231
1947
1948         Reviewed by Saam Barati.
1949
1950         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1951         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1952
1953         * ftl/FTLLowerDFGToB3.cpp:
1954         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1955
1956 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1957
1958         [JSC] ExecutableToCodeBlockEdge should be smaller
1959         https://bugs.webkit.org/show_bug.cgi?id=194244
1960
1961         Reviewed by Michael Saboff.
1962
1963         ExecutableToCodeBlockEdge is allocated so many times. However its memory layout is not efficient.
1964         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
1965         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
1966         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
1967
1968         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
1969         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
1970         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as MayBePrototype flag.
1971
1972         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
1973         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
1974         does not touch it if it is called in non-main threads).
1975
1976         * bytecode/ExecutableToCodeBlockEdge.cpp:
1977         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1978         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1979         (JSC::ExecutableToCodeBlockEdge::activate):
1980         (JSC::ExecutableToCodeBlockEdge::deactivate):
1981         (JSC::ExecutableToCodeBlockEdge::isActive const):
1982         * bytecode/ExecutableToCodeBlockEdge.h:
1983         * runtime/JSCell.h:
1984         * runtime/JSCellInlines.h:
1985         (JSC::JSCell::perCellBit const):
1986         (JSC::JSCell::setPerCellBit):
1987         (JSC::JSCell::mayBePrototype const): Deleted.
1988         (JSC::JSCell::didBecomePrototype): Deleted.
1989         * runtime/JSObject.cpp:
1990         (JSC::JSObject::setPrototypeDirect):
1991         * runtime/JSObject.h:
1992         * runtime/JSObjectInlines.h:
1993         (JSC::JSObject::mayBePrototype const):
1994         (JSC::JSObject::didBecomePrototype):
1995         * runtime/JSTypeInfo.h:
1996         (JSC::TypeInfo::perCellBit):
1997         (JSC::TypeInfo::mergeInlineTypeFlags):
1998         (JSC::TypeInfo::mayBePrototype): Deleted.
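
The layout arithmetic in the entry above (an 8-byte cell header, a pointer, and a lone bool padding out to 24 bytes, which a 16-byte size class rounds to 32; folding the flag into a spare header bit brings the cell to 16) as an added, self-contained illustration. This is not JSC's JSCell or ExecutableToCodeBlockEdge code: the `CellHeader` stand-in, the `EdgeBefore`/`EdgeAfter` names, the chosen bit position and the LP64 assumption (8-byte pointers) are assumptions made for the example:

```cpp
// Added illustration (not JSC's code): why one bool after a header and a pointer costs a
// full 8 bytes plus a larger size class, and how moving it into a header bit fixes that.
#include <cstddef>
#include <cstdint>

// Assumed 8-byte header modelled on JSCell's: a 4-byte structure id plus four 1-byte
// fields, one of which (inlineTypeFlags) carries type-info bits.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingType;
    uint8_t type;
    uint8_t inlineTypeFlags;
    uint8_t cellState;
};

// "Before": 8 (header) + 8 (pointer) + 1 (bool) = 17 bytes of payload, padded to 24.
struct EdgeBefore {
    CellHeader header;
    void* codeBlock;
    bool isActive;
};

// "After": the flag lives in a reserved bit of inlineTypeFlags (the entry renames
// TypeInfoMayBePrototype to TypeInfoPerCellBit for this purpose). Bit position assumed.
constexpr uint8_t PerCellBit = 1u << 7;

struct EdgeAfter {
    CellHeader header;
    void* codeBlock;

    bool isActive() const { return (header.inlineTypeFlags & PerCellBit) != 0; }

    // Non-atomic read-modify-write of a shared byte: as the entry notes, this must only
    // ever happen on the main thread, because a concurrent writer to any other bit in
    // the same byte would race with it.
    void setActive(bool active)
    {
        if (active)
            header.inlineTypeFlags = static_cast<uint8_t>(header.inlineTypeFlags | PerCellBit);
        else
            header.inlineTypeFlags = static_cast<uint8_t>(header.inlineTypeFlags & ~PerCellBit);
    }
};

// Allocator size classes rounded up to a multiple of 16 bytes, as the entry describes.
constexpr size_t sizeClassFor(size_t bytes) { return (bytes + 15) & ~static_cast<size_t>(15); }

constexpr size_t edgeBeforeSize() { return sizeof(EdgeBefore); }
constexpr size_t edgeAfterSize() { return sizeof(EdgeAfter); }

// Bytes of each allocation that carry no data: padding plus size-class slack.
constexpr size_t wastedBytes(size_t payloadBytes, size_t objectSize)
{
    return sizeClassFor(objectSize) - payloadBytes;
}
```

With 8-byte pointers this gives 24 and 16 bytes for the two layouts, so the "before" cell lands in the 32-byte class and carries 15 bytes of padding and slack per allocation, while the "after" cell fits the 16-byte class exactly. The same reasoning applies to the other size reductions in this log (NativeExecutable, UnlinkedCodeBlock, FunctionExecutable): the number that matters is the size class the object lands in, not sizeof alone.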
1999
2000 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2001
2002         [JSC] Shrink size of FunctionExecutable
2003         https://bugs.webkit.org/show_bug.cgi?id=194191
2004
2005         Reviewed by Michael Saboff.
2006
2007         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2008         improves the allocation efficiency.
2009
2010         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
2011            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2012
2013         2. FunctionExecutable has several pieces of data that are rarely used. One is for the FunctionOverrides functionality, which is typically
2014            used for JSC debugging purpose, and another is TypeSet and offsets for type profiler. We move them to RareData and reduce
2015            the size of FunctionExecutable in the common case.
2016
2017         This patch changes the size of FunctionExecutable from 176 to 144.
2018
2019         * bytecode/CodeBlock.cpp:
2020         (JSC::CodeBlock::dumpSource):
2021         (JSC::CodeBlock::finishCreation):
2022         * dfg/DFGNode.h:
2023         (JSC::DFG::Node::OpInfoWrapper::as const):
2024         * interpreter/StackVisitor.cpp:
2025         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2026         * runtime/ExecutableBase.h:
2027         * runtime/FunctionExecutable.cpp:
2028         (JSC::FunctionExecutable::FunctionExecutable):
2029         (JSC::FunctionExecutable::ensureRareDataSlow):
2030         * runtime/FunctionExecutable.h:
2031         * runtime/Intrinsic.h:
2032         * runtime/ModuleProgramExecutable.cpp:
2033         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2034         * runtime/ProgramExecutable.cpp:
2035         (JSC::ProgramExecutable::ProgramExecutable):
2036         * runtime/ScriptExecutable.cpp:
2037         (JSC::ScriptExecutable::ScriptExecutable):
2038         (JSC::ScriptExecutable::overrideLineNumber const):
2039         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2040         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2041         * runtime/ScriptExecutable.h:
2042         (JSC::ScriptExecutable::firstLine const):
2043         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2044         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2045         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2046         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2047         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2048         * runtime/StackFrame.cpp:
2049         (JSC::StackFrame::computeLineAndColumn const):
2050         * tools/JSDollarVM.cpp:
2051         (JSC::functionReturnTypeFor):
2052
2053 2019-02-04  Mark Lam  <mark.lam@apple.com>
2054
2055         DFG's doesGC() is incorrect about the SameValue node's behavior.
2056         https://bugs.webkit.org/show_bug.cgi?id=194211
2057         <rdar://problem/47608913>
2058
2059         Reviewed by Saam Barati.
2060
2061         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2062         it calls operationSameValue() which may allocate memory for resolving ropes.
2063
2064         * dfg/DFGDoesGC.cpp:
2065         (JSC::DFG::doesGC):
2066
2067 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2068
2069         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2070         https://bugs.webkit.org/show_bug.cgi?id=194031
2071
2072         Reviewed by Saam Barati.
2073
2074         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2075         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2076         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2077         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2078
2079         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2080         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2081
2082         * bytecode/MetadataTable.cpp:
2083         (JSC::MetadataTable::MetadataTable):
2084         (JSC::MetadataTable::~MetadataTable):
2085         * bytecode/UnlinkedCodeBlock.cpp:
2086         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2087         (JSC::UnlinkedCodeBlock::visitChildren):
2088         (JSC::UnlinkedCodeBlock::estimatedSize):
2089         (JSC::UnlinkedCodeBlock::setInstructions):
2090         * bytecode/UnlinkedCodeBlock.h:
2091         (JSC::UnlinkedCodeBlock::metadata):
2092         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2093         * bytecode/UnlinkedMetadataTable.h:
2094         (JSC::UnlinkedMetadataTable::create):
2095         * bytecode/UnlinkedMetadataTableInlines.h:
2096         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2097         * runtime/CachedTypes.cpp:
2098         (JSC::CachedMetadataTable::decode const):
2099         (JSC::CachedCodeBlock::metadata const):
2100         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2101         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2102         (JSC::CachedCodeBlock<CodeBlockType>::encode):
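The destruction-order problem described in this entry, as an added example (not JSC code): a linked table whose destructor reaches back into its unlinked table must hold a strong reference to it, since the sweeper finalizes cells in no particular order. UnlinkedTable and LinkedTable are hypothetical names, and std::shared_ptr stands in for the RefCounted/RefPtr pair used by the real fix.

```cpp
// Added example, not JSC code: a linked table must hold a strong reference
// to the unlinked table it points back into, because the GC sweeps cells in
// no particular order. Names UnlinkedTable/LinkedTable are hypothetical;
// std::shared_ptr stands in for WTF's RefCounted/RefPtr used in the real fix.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct UnlinkedTable {
    size_t entryCount;
    int linkedCount = 0;          // linked tables currently pointing at us
    static int liveCount;         // UnlinkedTables currently alive
    explicit UnlinkedTable(size_t n) : entryCount(n) { ++liveCount; }
    ~UnlinkedTable() { --liveCount; }
};
int UnlinkedTable::liveCount = 0;

struct LinkedTable {
    // Strong reference: keeps the unlinked table alive at least as long as
    // this linked table, whatever order the sweeper finalizes cells in.
    std::shared_ptr<UnlinkedTable> unlinked;
    std::vector<int> storage;

    explicit LinkedTable(std::shared_ptr<UnlinkedTable> u)
        : unlinked(std::move(u)), storage(unlinked->entryCount)
    {
        ++unlinked->linkedCount;
    }
    ~LinkedTable()
    {
        // The destructor touches the unlinked table. With a raw back-pointer,
        // this is a use-after-free when the unlinked table was swept first.
        --unlinked->linkedCount;
    }
};

// Simulate the sweep order the entry above says is not guaranteed: the owner
// of the unlinked table (the UnlinkedCodeBlock) is finalized before the
// linked tables. Returns how many UnlinkedTables are alive right after the
// owner drops its reference; 1 means the linked tables kept it alive.
int sweepOwnerFirst()
{
    auto unlinked = std::make_shared<UnlinkedTable>(8);
    std::vector<std::unique_ptr<LinkedTable>> linked;
    linked.push_back(std::make_unique<LinkedTable>(unlinked));
    linked.push_back(std::make_unique<LinkedTable>(unlinked));

    unlinked.reset();                                   // owner swept first
    int aliveAfterOwnerDrop = UnlinkedTable::liveCount; // still 1

    linked.clear();   // each destructor safely reaches the unlinked table
    return aliveAfterOwnerDrop;
}

// Once every linked table is gone the unlinked table is freed too: no leak.
int aliveAfterFullSweep()
{
    sweepOwnerFirst();
    return UnlinkedTable::liveCount;                    // 0
}

int main()
{
    printf("alive after owner dropped: %d\n", sweepOwnerFirst());
    printf("alive after full sweep:    %d\n", aliveAfterFullSweep());
    return 0;
}
```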
2103
2104 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2105
2106         [JSC] Decouple JIT related data from CodeBlock
2107         https://bugs.webkit.org/show_bug.cgi?id=194187
2108
2109         Reviewed by Saam Barati.
2110
2111         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2112         We have three types of data in CodeBlock.
2113
2114         1. The data which is always used. CodeBlock needs to hold it.
2115         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2116         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2117
2118         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2119         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2120         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2121         in both non-JIT and *JIT* modes.
2122
2123         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2124         by the lock of CodeBlock.
2125
2126         The size of CodeBlock is reduced from 512 to 352.
2127
2128         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2129
2130             Footprint geomean: 36696503 (34.997 MB)
2131             Peak Footprint geomean: 38595988 (36.808 MB)
2132             Score: 37634263 (35.891 MB)
2133
2134             Footprint geomean: 37172768 (35.451 MB)
2135             Peak Footprint geomean: 38978288 (37.173 MB)
2136             Score: 38064824 (36.301 MB)
2137
2138         * bytecode/CodeBlock.cpp:
2139         (JSC::CodeBlock::~CodeBlock):
2140         (JSC::CodeBlock::propagateTransitions):
2141         (JSC::CodeBlock::ensureJITDataSlow):
2142         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2143         (JSC::CodeBlock::getICStatusMap):
2144         (JSC::CodeBlock::addStubInfo):
2145         (JSC::CodeBlock::addJITAddIC):
2146         (JSC::CodeBlock::addJITMulIC):
2147         (JSC::CodeBlock::addJITSubIC):
2148         (JSC::CodeBlock::addJITNegIC):
2149         (JSC::CodeBlock::findStubInfo):
2150         (JSC::CodeBlock::addByValInfo):
2151         (JSC::CodeBlock::addCallLinkInfo):
2152         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2153         (JSC::CodeBlock::addRareCaseProfile):
2154         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2155         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2156         (JSC::CodeBlock::resetJITData):
2157         (JSC::CodeBlock::stronglyVisitStrongReferences):
2158         (JSC::CodeBlock::shrinkToFit):
2159         (JSC::CodeBlock::linkIncomingCall):
2160         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2161         (JSC::CodeBlock::unlinkIncomingCalls):
2162         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2163         (JSC::CodeBlock::dumpValueProfiles):
2164         (JSC::CodeBlock::setPCToCodeOriginMap):
2165         (JSC::CodeBlock::findPC):
2166         (JSC::CodeBlock::dumpMathICStats):
2167         * bytecode/CodeBlock.h:
2168         (JSC::CodeBlock::ensureJITData):
2169         (JSC::CodeBlock::setJITCodeMap):
2170         (JSC::CodeBlock::jitCodeMap):
2171         (JSC::CodeBlock::likelyToTakeSlowCase):
2172         (JSC::CodeBlock::couldTakeSlowCase):
2173         (JSC::CodeBlock::lazyOperandValueProfiles):
2174         (JSC::CodeBlock::stubInfoBegin): Deleted.
2175         (JSC::CodeBlock::stubInfoEnd): Deleted.
2176         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2177         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2178         (JSC::CodeBlock::jitCodeMap const): Deleted.
2179         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2180         * bytecode/MethodOfGettingAValueProfile.cpp:
2181         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2182         (JSC::MethodOfGettingAValueProfile::reportValue):
2183         * dfg/DFGByteCodeParser.cpp:
2184         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2185         * jit/JIT.h:
2186         * jit/JITOperations.cpp:
2187         (JSC::tryGetByValOptimize):
2188         * jit/JITPropertyAccess.cpp:
2189         (JSC::JIT::privateCompileGetByVal):
2190         (JSC::JIT::privateCompilePutByVal):
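The out-of-line lazy side data pattern used by both the FunctionExecutable entry (RareData, ensureRareDataSlow) and this CodeBlock entry (JITData, ensureJITDataSlow), as an added example that is not JSC code. Eager, Lazy, SideData, TinyLock and the field lists are hypothetical; the lock-token parameter mirrors the "guarded by the lock of CodeBlock" design, and a one-byte lock is used so the size comparison is not dominated by a std::mutex.

```cpp
// Added example, not JSC code: the "move rarely used fields out of line and
// allocate them on first use" pattern behind FunctionExecutable::RareData
// (ensureRareDataSlow) and CodeBlock::JITData (ensureJITDataSlow).
// Eager, Lazy, SideData, TinyLock and the field lists are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>
#include <vector>

// Data only needed once the JIT (or a debugging feature) touches the object.
struct SideData {
    std::vector<uint32_t> stubInfos;
    std::vector<uint32_t> callLinkInfos;
    std::vector<uint32_t> rareCaseProfiles;
    int overrideLineNumber = -1;
};

// Before: every instance carries the rarely used fields inline.
struct Eager {
    uint32_t instructionCount = 0;
    uint32_t numParameters = 0;
    SideData side;
};

// One-byte lock standing in for ConcurrentJSLock; a std::mutex member would
// undo much of the size win we are measuring.
class TinyLock {
public:
    void lock() { while (m_held.exchange(true, std::memory_order_acquire)) { } }
    void unlock() { m_held.store(false, std::memory_order_release); }
private:
    std::atomic<bool> m_held { false };
};

// After: one pointer, filled in by the slow path on first use.
class Lazy {
public:
    using Locker = std::lock_guard<TinyLock>;

    uint32_t instructionCount = 0;
    uint32_t numParameters = 0;

    TinyLock& lock() { return m_lock; }

    // Caller passes the Locker to prove it holds lock(): creation and use can
    // happen on the main thread and a concurrent compiler thread.
    SideData& ensureSideData(const Locker& locker)
    {
        if (m_side)
            return *m_side;
        return ensureSideDataSlow(locker);
    }

    bool hasSideData() const { return m_side != nullptr; }
    int slowPathCalls() const { return m_slowPathCalls; }

private:
    SideData& ensureSideDataSlow(const Locker&)
    {
        ++m_slowPathCalls;
        m_side = std::make_unique<SideData>();
        return *m_side;
    }

    std::unique_ptr<SideData> m_side;
    TinyLock m_lock;
    int m_slowPathCalls = 0;
};

// Bytes saved per instance in the common case (no side data ever needed).
size_t bytesSavedPerInstance() { return sizeof(Eager) - sizeof(Lazy); }

// The side data is created exactly once, and only once asked for.
// Returns the slow-path count (1) or a negative code on a broken invariant.
int allocationsAfterTwoCalls()
{
    Lazy block;
    if (block.hasSideData())
        return -1;                        // nothing allocated up front
    Lazy::Locker locker(block.lock());
    SideData& a = block.ensureSideData(locker);
    SideData& b = block.ensureSideData(locker);   // fast path, no allocation
    if (&a != &b)
        return -2;
    return block.slowPathCalls();
}

int main()
{
    printf("sizeof(Eager)=%zu sizeof(Lazy)=%zu saved=%zu\n",
        sizeof(Eager), sizeof(Lazy), bytesSavedPerInstance());
    printf("slow path calls after two ensure() calls: %d\n", allocationsAfterTwoCalls());
    return 0;
}
```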
2191
2192 2018-12-16  Darin Adler  <darin@apple.com>
2193
2194         Convert additional String::format clients to alternative approaches
2195         https://bugs.webkit.org/show_bug.cgi?id=192746
2196
2197         Reviewed by Alexey Proskuryakov.
2198
2199         * inspector/agents/InspectorConsoleAgent.cpp:
2200         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2201         and FormattedNumber::fixedWidth.
2202
2203 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2204
2205         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2206         https://bugs.webkit.org/show_bug.cgi?id=194177
2207
2208         Reviewed by Saam Barati.
2209
2210         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2211         We can share the IsoSubspace for JSFunction.
2212
2213         * runtime/JSAsyncFunction.h:
2214         * runtime/JSAsyncGeneratorFunction.h:
2215         * runtime/JSGeneratorFunction.h:
2216         * runtime/VM.cpp:
2217         (JSC::VM::VM):
2218         * runtime/VM.h:
2219
2220 2019-02-01  Mark Lam  <mark.lam@apple.com>
2221
2222         Remove invalid assertion in DFG's compileDoubleRep().
2223         https://bugs.webkit.org/show_bug.cgi?id=194130
2224         <rdar://problem/47699474>
2225
2226         Reviewed by Saam Barati.
2227
2228         * dfg/DFGSpeculativeJIT.cpp:
2229         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2230
2231 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2232
2233         [JSC] Unify CodeBlock IsoSubspaces
2234         https://bugs.webkit.org/show_bug.cgi?id=194167
2235
2236         Reviewed by Saam Barati.
2237
2238         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2239         But this is not necessary since,
2240
2241         1. They do not override the classInfo methods.
2242         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2243
2244         Creating an IsoSubspace for each subclass is costly in terms of memory. Especially the IsoSubspace for
2245         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2246         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2247
2248         This patch unifies these IsoSubspaces into one.
2249
2250         * bytecode/CodeBlock.cpp:
2251         (JSC::CodeBlock::destroy):
2252         * bytecode/CodeBlock.h:
2253         * bytecode/EvalCodeBlock.cpp:
2254         (JSC::EvalCodeBlock::destroy): Deleted.
2255         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2256         * bytecode/FunctionCodeBlock.cpp:
2257         (JSC::FunctionCodeBlock::destroy): Deleted.
2258         * bytecode/FunctionCodeBlock.h:
2259         * bytecode/GlobalCodeBlock.h:
2260         * bytecode/ModuleProgramCodeBlock.cpp:
2261         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2262         * bytecode/ModuleProgramCodeBlock.h:
2263         * bytecode/ProgramCodeBlock.cpp:
2264         (JSC::ProgramCodeBlock::destroy): Deleted.
2265         * bytecode/ProgramCodeBlock.h:
2266         * interpreter/Interpreter.cpp:
2267         (JSC::Interpreter::execute):
2268         * runtime/VM.cpp:
2269         (JSC::VM::VM):
2270         * runtime/VM.h:
2271         (JSC::VM::forEachCodeBlockSpace):
2272
2273 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2274
2275         Unreviewed, follow-up after r240859
2276         https://bugs.webkit.org/show_bug.cgi?id=194145
2277
2278         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2279         And rename cellDangerousBitsSpace back to cellSpace.
2280
2281         * runtime/JSCellInlines.h:
2282         (JSC::JSCell::subspaceFor):
2283         * runtime/VM.cpp:
2284         (JSC::VM::VM):
2285         * runtime/VM.h:
2286
2287 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2288
2289         [JSC] Remove cellJSValueOOBSpace
2290         https://bugs.webkit.org/show_bug.cgi?id=194145
2291
2292         Reviewed by Mark Lam.
2293
2294         * runtime/JSObject.h:
2295         (JSC::JSObject::subspaceFor): Deleted.
2296         * runtime/VM.cpp:
2297         (JSC::VM::VM):
2298         * runtime/VM.h:
2299
2300 2019-01-31  Mark Lam  <mark.lam@apple.com>
2301
2302         Remove poisoning from CodeBlock and LLInt code.
2303         https://bugs.webkit.org/show_bug.cgi?id=194113
2304
2305         Reviewed by Yusuke Suzuki.
2306
2307         * bytecode/CodeBlock.cpp:
2308         (JSC::CodeBlock::CodeBlock):
2309         (JSC::CodeBlock::~CodeBlock):
2310         (JSC::CodeBlock::setConstantRegisters):
2311         (JSC::CodeBlock::propagateTransitions):
2312         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2313         (JSC::CodeBlock::jettison):
2314         (JSC::CodeBlock::predictedMachineCodeSize):
2315         * bytecode/CodeBlock.h:
2316         (JSC::CodeBlock::vm const):
2317         (JSC::CodeBlock::addConstant):
2318         (JSC::CodeBlock::heap const):
2319         (JSC::CodeBlock::replaceConstant):
2320         * llint/LLIntOfflineAsmConfig.h:
2321         * llint/LLIntSlowPaths.cpp:
2322         (JSC::LLInt::handleHostCall):
2323         (JSC::LLInt::setUpCall):
2324         * llint/LowLevelInterpreter.asm:
2325         * llint/LowLevelInterpreter32_64.asm:
2326         * llint/LowLevelInterpreter64.asm:
2327
2328 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2329
2330         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2331         https://bugs.webkit.org/show_bug.cgi?id=194107
2332
2333         Reviewed by Saam Barati.
2334
2335         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2336         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2337
2338         * CMakeLists.txt:
2339         * DerivedSources.make:
2340         * JavaScriptCore.xcodeproj/project.pbxproj:
2341         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2342         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2343         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2344         (JSC::AsyncFromSyncIteratorPrototype::create):
2345         * runtime/AsyncFromSyncIteratorPrototype.h:
2346
2347 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2348
2349         Fix `runJITThreadLimitTests` in testapi
2350         https://bugs.webkit.org/show_bug.cgi?id=194064
2351         <rdar://problem/46139147>
2352
2353         Reviewed by Mark Lam.
2354
2355         Fix typo where `targetNumberOfThreads` was not being used.
2356
2357         * API/tests/testapi.mm:
2358         (runJITThreadLimitTests):
2359
2360 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2361
2362         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2363         https://bugs.webkit.org/show_bug.cgi?id=194112
2364
2365         Reviewed by Mark Lam.
2366
2367         `testBytecodeCache` does not populate the bytecode cache for the global
2368         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2369
2370         * API/tests/testapi.mm:
2371         (testBytecodeCache):
2372
2373 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2374
2375         Unreviewed, follow-up after r240796
2376
2377         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2378         when allocating InferredValue in FunctionExecutable::finishCreation.
2379
2380         * runtime/FunctionExecutable.cpp:
2381         (JSC::FunctionExecutable::FunctionExecutable):
2382         (JSC::FunctionExecutable::finishCreation):
2383
2384 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2385
2386         [JSC] Do not use InferredValue in non-JIT configuration
2387         https://bugs.webkit.org/show_bug.cgi?id=194084
2388
2389         Reviewed by Saam Barati.
2390
2391         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2392         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2393         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2394         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2395         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2396         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2397         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2398         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2399
2400         * bytecode/ObjectAllocationProfileInlines.h:
2401         (JSC::ObjectAllocationProfile::initializeProfile):
2402         * runtime/FunctionExecutable.cpp:
2403         (JSC::FunctionExecutable::finishCreation):
2404         (JSC::FunctionExecutable::visitChildren):
2405         * runtime/FunctionExecutable.h:
2406         * runtime/InferredValue.cpp:
2407         (JSC::InferredValue::create):
2408         * runtime/JSAsyncFunction.cpp:
2409         (JSC::JSAsyncFunction::create):
2410         * runtime/JSAsyncGeneratorFunction.cpp:
2411         (JSC::JSAsyncGeneratorFunction::create):
2412         * runtime/JSFunction.cpp:
2413         (JSC::JSFunction::create):
2414         * runtime/JSFunctionInlines.h:
2415         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2416         * runtime/JSGeneratorFunction.cpp:
2417         (JSC::JSGeneratorFunction::create):
2418         * runtime/JSSymbolTableObject.h:
2419         (JSC::JSSymbolTableObject::setSymbolTable):
2420         * runtime/SymbolTable.cpp:
2421         (JSC::SymbolTable::finishCreation):
2422         * runtime/VM.cpp:
2423         (JSC::VM::VM):
2424
2425 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2426
2427         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2428         https://bugs.webkit.org/show_bug.cgi?id=194085
2429
2430         Reviewed by Yusuke Suzuki.
2431
2432         r240730 changed ud_itab.py and caused incremental build failures
2433         for Ninja builds.
2434
2435         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2436
2437 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2438
2439         [JSC] Symbol should be in destructibleCellSpace
2440         https://bugs.webkit.org/show_bug.cgi?id=194082
2441
2442         Reviewed by Saam Barati.
2443
2444         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2445         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2446         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2447         Symbol's space destructibleCellSpace to appropriately call the destructor.
2448
2449         * runtime/Symbol.h:
2450
2451 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2452
2453         Unreviewed, rolling out r240755.
2454
2455         This was not correct
2456
2457         Reverted changeset:
2458
2459         "Unreviewed, fix GCC build after r240730"
2460         https://bugs.webkit.org/show_bug.cgi?id=194041
2461         https://trac.webkit.org/changeset/240755
2462
2463 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2464
2465         Unreviewed, fix GCC build after r240730
2466         https://bugs.webkit.org/show_bug.cgi?id=194041
2467         <rdar://problem/47680981>
2468
2469         * disassembler/udis86/ud_itab.py:
2470         (UdItabGenerator.genOpcodeTablesLookupIndex):
2471
2472 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2473
2474         testapi's `testBytecodeCache` does not need to run the code twice
2475         https://bugs.webkit.org/show_bug.cgi?id=194046
2476
2477         Reviewed by Mark Lam.
2478
2479         Since we populate the cache eagerly (unlike the stress tests) we don't
2480         need to run the code twice.
2481
2482         * API/tests/testapi.mm:
2483         (testBytecodeCache):
2484
2485 2019-01-30  Saam barati  <sbarati@apple.com>
2486
2487         [WebAssembly] Change BBQ to generate Air IR
2488         https://bugs.webkit.org/show_bug.cgi?id=191802
2489         <rdar://problem/47651718>
2490
2491         Reviewed by Keith Miller.
2492
2493         This patch adds a new Wasm compiler for the BBQ tier. Instead
2494         of compiling using B3-O1, we now generate Air code directly.
2495         The goal of doing this was to speed up compile times for Wasm
2496         programs.
2497         
2498         This patch provides us with a 20-30% compile time speedup. However, I
2499         have ideas on how to improve compile times even further. For example,
2500         we should probably implement a faster running register allocator:
2501         https://bugs.webkit.org/show_bug.cgi?id=194036
2502         
2503         We can also improve on the code we generate.
2504         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2505         And we should do better instruction selection in various
2506         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2507
2508         * JavaScriptCore.xcodeproj/project.pbxproj:
2509         * Sources.txt:
2510         * b3/B3LowerToAir.cpp:
2511         * b3/B3StackmapSpecial.h:
2512         * b3/air/AirCode.cpp:
2513         (JSC::B3::Air::Code::emitDefaultPrologue):
2514         * b3/air/AirCode.h:
2515         * b3/air/AirTmp.h:
2516         (JSC::B3::Air::Tmp::Tmp):
2517         * runtime/Options.h:
2518         * wasm/WasmAirIRGenerator.cpp: Added.
2519         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2520         (JSC::Wasm::TypedTmp::TypedTmp):
2521         (JSC::Wasm::TypedTmp::operator== const):
2522         (JSC::Wasm::TypedTmp::operator!= const):
2523         (JSC::Wasm::TypedTmp::operator bool const):
2524         (JSC::Wasm::TypedTmp::operator Tmp const):
2525         (JSC::Wasm::TypedTmp::operator Arg const):
2526         (JSC::Wasm::TypedTmp::tmp const):
2527         (JSC::Wasm::TypedTmp::type const):
2528         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2529         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2530         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2531         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2532         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2533         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2534         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2535         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2536         (JSC::Wasm::AirIRGenerator::emptyExpression):
2537         (JSC::Wasm::AirIRGenerator::fail const):
2538         (JSC::Wasm::AirIRGenerator::setParser):
2539         (JSC::Wasm::AirIRGenerator::toTmpVector):
2540         (JSC::Wasm::AirIRGenerator::validateInst):
2541         (JSC::Wasm::AirIRGenerator::extractArg):
2542         (JSC::Wasm::AirIRGenerator::append):
2543         (JSC::Wasm::AirIRGenerator::appendEffectful):
2544         (JSC::Wasm::AirIRGenerator::newTmp):
2545         (JSC::Wasm::AirIRGenerator::g32):
2546         (JSC::Wasm::AirIRGenerator::g64):
2547         (JSC::Wasm::AirIRGenerator::f32):
2548         (JSC::Wasm::AirIRGenerator::f64):
2549         (JSC::Wasm::AirIRGenerator::tmpForType):
2550         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2551         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2552         (JSC::Wasm::AirIRGenerator::emitCheck):
2553         (JSC::Wasm::AirIRGenerator::emitCCall):
2554         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2555         (JSC::Wasm::AirIRGenerator::instanceValue):
2556         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2557         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2558         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2559         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2560         (JSC::Wasm::AirIRGenerator::emitThrowException):
2561         (JSC::Wasm::AirIRGenerator::addLocal):
2562         (JSC::Wasm::AirIRGenerator::addConstant):
2563         (JSC::Wasm::AirIRGenerator::addArguments):
2564         (JSC::Wasm::AirIRGenerator::getLocal):
2565         (JSC::Wasm::AirIRGenerator::addUnreachable):
2566         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2567         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2568         (JSC::Wasm::AirIRGenerator::setLocal):
2569         (JSC::Wasm::AirIRGenerator::getGlobal):
2570         (JSC::Wasm::AirIRGenerator::setGlobal):
2571         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2572         (JSC::Wasm::sizeOfLoadOp):
2573         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2574         (JSC::Wasm::AirIRGenerator::load):
2575         (JSC::Wasm::sizeOfStoreOp):
2576         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2577         (JSC::Wasm::AirIRGenerator::store):
2578         (JSC::Wasm::AirIRGenerator::addSelect):
2579         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2580         (JSC::Wasm::AirIRGenerator::addLoop):
2581         (JSC::Wasm::AirIRGenerator::addTopLevel):
2582         (JSC::Wasm::AirIRGenerator::addBlock):
2583         (JSC::Wasm::AirIRGenerator::addIf):
2584         (JSC::Wasm::AirIRGenerator::addElse):
2585         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2586         (JSC::Wasm::AirIRGenerator::addReturn):
2587         (JSC::Wasm::AirIRGenerator::addBranch):
2588         (JSC::Wasm::AirIRGenerator::addSwitch):
2589         (JSC::Wasm::AirIRGenerator::endBlock):
2590         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2591         (JSC::Wasm::AirIRGenerator::addCall):
2592         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2593         (JSC::Wasm::AirIRGenerator::unify):
2594         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2595         (JSC::Wasm::AirIRGenerator::dump):
2596         (JSC::Wasm::AirIRGenerator::origin):
2597         (JSC::Wasm::parseAndCompileAir):
2598         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2599         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2600         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2601         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2602         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2603         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2604         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2605         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2606         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2607         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2608         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2609         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2610         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2611         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2612         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2613         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2614         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2615         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2616         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2617         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2618         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2619         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2620         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2621         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2622         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2623         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2624         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2625         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2626         (JSC::Wasm::AirIRGenerator::addShift):
2627         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2628         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2629         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2630         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2631         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2632         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2633         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2634         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2635         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2636         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2637         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2638         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2639         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2640         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2641         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2642         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2643         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2644         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2645         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2646         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2647         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2648         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2649         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2650         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2651         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2652         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2653         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2654         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2655         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2656         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2657         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2658         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2659         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2660         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2661         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2662         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2663         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2664         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2665         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2666         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2667         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2668         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2669         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2670         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2671         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2672         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2673         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2674         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2675         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2676         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2677         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2678         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2679         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2680         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2681         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2682         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2683         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2684         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2685         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2686         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2687         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2688         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2689         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2690         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2691         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2692         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2693         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2694         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2695         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2696         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2697         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2698         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2699         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2700         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2701         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2702         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2703         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2704         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2705         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2706         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2707         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2708         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2709         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2710         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2711         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2712         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2713         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2714         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2715         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2716         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2717         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2718         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2719         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2720         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2721         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2722         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2723         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2724         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2725         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2726         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2727         * wasm/WasmAirIRGenerator.h: Added.
2728         * wasm/WasmB3IRGenerator.cpp:
2729         (JSC::Wasm::B3IRGenerator::emptyExpression):
2730         * wasm/WasmBBQPlan.cpp:
2731         (JSC::Wasm::BBQPlan::compileFunctions):
2732         * wasm/WasmCallingConvention.cpp:
2733         (JSC::Wasm::jscCallingConventionAir):
2734         (JSC::Wasm::wasmCallingConventionAir):
2735         * wasm/WasmCallingConvention.h:
2736         (JSC::Wasm::CallingConvention::CallingConvention):
2737         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2738         (JSC::Wasm::CallingConvention::marshallArgument const):
2739         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2740         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2741         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2742         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2743         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2744         (JSC::Wasm::CallingConventionAir::loadArguments const):
2745         (JSC::Wasm::CallingConventionAir::setupCall const):
2746         (JSC::Wasm::nextJSCOffset):
2747         * wasm/WasmFunctionParser.h:
2748         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2749         * wasm/WasmValidate.cpp:
2750         (JSC::Wasm::Validate::emptyExpression):
2751
2752 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2753
2754         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2755         https://bugs.webkit.org/show_bug.cgi?id=194050
2756         <rdar://problem/47595592>
2757
2758         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2759         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2760
2761         Reviewed by Yusuke Suzuki.
2762
2763         * ftl/FTLOperations.cpp:
2764         (JSC::FTL::operationMaterializeObjectInOSR):
2765
2766 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2767
2768         Remove assertion that CachedSymbolTables should have no RareData
2769         https://bugs.webkit.org/show_bug.cgi?id=194037
2770
2771         Reviewed by Mark Lam.
2772
2773         It turns out that we don't need to cache the SymbolTableRareData and
2774         we should not assert that it's empty.
2775
2776         * runtime/CachedTypes.cpp:
2777         (JSC::CachedSymbolTable::encode):
2778
2779 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2780
2781         CachedBytecode's move constructor should not call `freeDataIfOwned`
2782         https://bugs.webkit.org/show_bug.cgi?id=194045
2783
2784         Reviewed by Mark Lam.
2785
2786         That might result in freeing a garbage value.
2787
2788         * parser/SourceProvider.h:
2789         (JSC::CachedBytecode::CachedBytecode):
2790
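The hazard behind the entry above (a move constructor that releases "its" buffer before its own members exist) is easy to reproduce outside JSC. The following is an added example, not JSC's CachedBytecode; the class, its members and the free counter are invented for illustration, and only the shape of the mistake is taken from the entry: inside a move constructor the members of *this are still indeterminate, so a call such as freeDataIfOwned() there reads whatever happens to be in memory and can free a garbage pointer. Releasing the current buffer is only correct in move assignment, where *this is already constructed.

```cpp
#include <cstdlib>
#include <cstring>
#include <cstdio>
#include <utility>

// Hypothetical stand-in for a bytecode cache object (example code, not JSC's):
// holds a buffer that it either owns (malloc'd) or merely views.
class OwnedBuffer {
public:
    OwnedBuffer() = default;
    OwnedBuffer(const void* src, size_t size)
        : m_data(std::malloc(size)), m_size(size), m_owned(true)
    { std::memcpy(m_data, src, size); }

    // Non-owning view over caller-managed memory.
    static OwnedBuffer view(void* data, size_t size) {
        OwnedBuffer b; b.m_data = data; b.m_size = size; b.m_owned = false; return b;
    }

    // Move constructor: *this has no valid state yet, so it must NOT call
    // freeDataIfOwned() here (m_owned / m_data would be garbage). It only
    // steals the source's state and leaves the source empty and non-owning.
    OwnedBuffer(OwnedBuffer&& other) noexcept
        : m_data(other.m_data), m_size(other.m_size), m_owned(other.m_owned)
    { other.m_data = nullptr; other.m_size = 0; other.m_owned = false; }

    // Move assignment: *this is fully constructed, so releasing the current
    // buffer before taking over the other one is correct here.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept {
        if (this != &other) {
            freeDataIfOwned();
            m_data = other.m_data; m_size = other.m_size; m_owned = other.m_owned;
            other.m_data = nullptr; other.m_size = 0; other.m_owned = false;
        }
        return *this;
    }
    ~OwnedBuffer() { freeDataIfOwned(); }

    OwnedBuffer(const OwnedBuffer&) = delete;
    OwnedBuffer& operator=(const OwnedBuffer&) = delete;

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }
    static int freeCount() { return s_freeCount; }   // instrumentation for the checks below

private:
    void freeDataIfOwned() {
        if (m_owned && m_data) { std::free(m_data); ++s_freeCount; }
        m_data = nullptr; m_size = 0; m_owned = false;
    }
    void* m_data = nullptr;
    size_t m_size = 0;
    bool m_owned = false;
    static int s_freeCount;
};
int OwnedBuffer::s_freeCount = 0;

// Construct an owning buffer, move it, let both go out of scope: exactly one
// free must happen, and the moved-from object must be empty and non-owning.
int moveAndCountFrees() {
    int before = OwnedBuffer::freeCount();
    {
        OwnedBuffer a("abc", 3);                 // constructed input
        OwnedBuffer b(std::move(a));
        if (a.data() != nullptr || a.owned() || !b.owned() || b.size() != 3) return -1;
    }
    return OwnedBuffer::freeCount() - before;    // expect 1
}

// A view over stack memory, moved and destroyed: nothing may be freed.
int viewMoveDoesNotFree() {
    int before = OwnedBuffer::freeCount();
    {
        char stackBytes[4] = { 'x', 'y', 'z', 'w' };
        OwnedBuffer v = OwnedBuffer::view(stackBytes, sizeof stackBytes);
        OwnedBuffer w(std::move(v));
        if (w.owned() || w.size() != 4) return -1;
    }
    return OwnedBuffer::freeCount() - before;    // expect 0
}

int main() {
    std::printf("frees after moving an owned buffer: %d\n", moveAndCountFrees());
    std::printf("frees after moving a view: %d\n", viewMoveDoesNotFree());
    return 0;
}
```

Running it under AddressSanitizer is the quickest way to see the difference: with the release call moved into the constructor's body before the initialiser list runs, the sanitizer reports a free of an uninitialised pointer on the first move.
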
2791 2019-01-30  Keith Miller  <keith_miller@apple.com>
2792
2793         mul32 should convert powers of 2 to an lshift
2794         https://bugs.webkit.org/show_bug.cgi?id=193957
2795
2796         Reviewed by Yusuke Suzuki.
2797
2798         * assembler/MacroAssembler.h:
2799         (JSC::MacroAssembler::mul32):
2800         * assembler/testmasm.cpp:
2801         (JSC::int32Operands):
2802         (JSC::testMul32WithImmediates):
2803         (JSC::run):
2804
2805 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2806
2807         [JSC] Make disassembler data structures constant read-only data
2808         https://bugs.webkit.org/show_bug.cgi?id=194041
2809
2810         Reviewed by Mark Lam.
2811
2812         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2813         This patch makes them "const".
2814
2815         * disassembler/ARM64/A64DOpcode.cpp:
2816         * disassembler/udis86/ud_itab.py:
2817         (UdItabGenerator.genOpcodeTablesLookupIndex):
2818         (UdItabGenerator.genInsnTable):
2819         (UdItabGenerator.genMnemonicsList):
2820         (genItabH):
2821         * disassembler/udis86/udis86_decode.h:
2822         * disassembler/udis86/udis86_syn.c:
2823         * disassembler/udis86/udis86_syn.h:
2824         * disassembler/udis86/udis86_types.h:
2825
2826 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2827
2828         Unreviewed, update the builtin test results
2829         https://bugs.webkit.org/show_bug.cgi?id=194015
2830
2831         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2832         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2833         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2834         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2835         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2836         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2837         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2838         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2839         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2840         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2841         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2842         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2843         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2844
2845 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2846
2847         [JSC] Make global static variables "const" as much as possible
2848         https://bugs.webkit.org/show_bug.cgi?id=194015
2849
2850         Reviewed by Mark Lam.
2851
2852         Some global static variables are not "const". For example, `static const char* name = ...`
2853         is not a constant variable. We should make it `static const char* const name = ...`.
2854
2855         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2856         (generate_externs_for_object):
2857         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2858         (generate_externs_for_object):
2859         * Scripts/wkbuiltins/builtins_generator.py:
2860         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2861         * assembler/MacroAssembler.h:
2862         (JSC::MacroAssembler::additionBlindedConstant):
2863         * b3/air/AirFormTable.h:
2864         * b3/air/opcode_generator.rb:
2865         * runtime/JSObject.cpp:
2866         (JSC::JSObject::visitButterfly):
2867         * tools/CodeProfile.cpp:
2868         * tools/CodeProfile.h:
2869
2870 2019-01-29  Keith Miller  <keith_miller@apple.com>
2871
2872         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2873         https://bugs.webkit.org/show_bug.cgi?id=194000
2874         <rdar://problem/47642894>
2875
2876         Reviewed by Mark Lam.
2877
2878         The default constructor is unused and
2879         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2880         data member, which causes sadness.
2881
2882         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2883
2884 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2885
2886         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2887
2888         Rubber-stamped by Yusuke Suzuki.
2889
2890         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2891
2892         * parser/Parser.h:
2893         (JSC::Parser::declareHoistedVariable):
2894
2895 2019-01-29  Mark Lam  <mark.lam@apple.com>
2896
2897         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2898         https://bugs.webkit.org/show_bug.cgi?id=132333
2899
2900         Reviewed by Yusuke Suzuki.
2901
2902         * bytecode/InstructionStream.h:
2903         (JSC::InstructionStreamWriter::write):
2904         - The 32-bit write() function need not invert the order of the bytes written to
2905           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
2906           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
2907
2908         * llint/LLIntOfflineAsmConfig.h:
2909         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2910
2911 2019-01-29  Mark Lam  <mark.lam@apple.com>
2912
2913         ValueRecovery::recover() should purify NaN values it recovers.
2914         https://bugs.webkit.org/show_bug.cgi?id=193978
2915         <rdar://problem/47625488>
2916
2917         Reviewed by Saam Barati.
2918
2919         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
2920         recovered DoubleDisplacedInJSStack values need to be purified.
2921         ValueRecovery::recover() should do the same.
2922
2923         * bytecode/ValueRecovery.cpp:
2924         (JSC::ValueRecovery::recover const):
2925
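Why a recovered double must be purified before it is boxed: in a NaN-boxed value representation, non-double values live in the payload bits of NaN patterns, so a double NaN whose payload came from memory the program did not control can be mistaken for a pointer-typed value. The following is an added example, not JSC's code and not JSC's JSValue encoding; the tag layout, constants and function names are invented for illustration, and the crafted bit pattern is constructed input. It shows the collision with an unpurified NaN and how canonicalising every NaN to one bit pattern removes it.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical NaN-boxing layout used only for this example (NOT JSC's real
// encoding): a 64-bit word whose top 13 bits are all set is treated as an
// encoded pointer; any other pattern is a raw IEEE-754 double.
static const uint64_t kTagMask          = 0xFFF8000000000000ULL;
static const uint64_t kPointerTag       = 0xFFF8000000000000ULL;
static const uint64_t kPayloadMask      = 0x0007FFFFFFFFFFFFULL;
// The single canonical quiet NaN every "pure" double NaN is folded into.
static const uint64_t kCanonicalNaNBits = 0x7FF8000000000000ULL;

static uint64_t bitsOf(double d)   { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double   doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// purifyNaN: collapse any NaN, whatever sign or payload it carries, to the
// canonical NaN. Non-NaN values (including -0.0) pass through untouched.
double purifyNaN(double value) {
    if (value != value)                      // true only for NaN
        return doubleOf(kCanonicalNaNBits);
    return value;
}

uint64_t  boxPointer(uintptr_t p)  { return kPointerTag | (static_cast<uint64_t>(p) & kPayloadMask); }
uint64_t  boxDouble(double d)      { return bitsOf(d); }
bool      isBoxedPointer(uint64_t v) { return (v & kTagMask) == kPointerTag; }
uintptr_t unboxPointer(uint64_t v) { return static_cast<uintptr_t>(v & kPayloadMask); }

// A double recovered with an arbitrary bit pattern (for instance bytes written
// into a Float64Array) and boxed without purification: does the engine now
// believe it holds a pointer?
bool rawDoubleReadsAsPointer(uint64_t rawBits) {
    return isBoxedPointer(boxDouble(doubleOf(rawBits)));
}

// The same value boxed after purifyNaN(): the payload is gone, so it can no
// longer collide with the pointer tag.
bool purifiedDoubleReadsAsPointer(uint64_t rawBits) {
    return isBoxedPointer(boxDouble(purifyNaN(doubleOf(rawBits))));
}

int main() {
    const uint64_t craftedNaN = 0xFFF8000000001234ULL;   // constructed: NaN with a chosen payload
    std::printf("raw NaN boxed as pointer?      %d\n", rawDoubleReadsAsPointer(craftedNaN));
    std::printf("purified NaN boxed as pointer? %d\n", purifiedDoubleReadsAsPointer(craftedNaN));
    std::printf("payload an unboxer would trust: 0x%llx\n",
                static_cast<unsigned long long>(unboxPointer(craftedNaN)));
    return 0;
}
```

The point generalises to any value-recovery path (OSR exit, deoptimisation, deserialisation) that rebuilds a boxed value from raw double bits: purify first, box second.
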
2926 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
2927
2928         [JSC] FTL should handle LocalAllocator*
2929         https://bugs.webkit.org/show_bug.cgi?id=193980
2930
2931         Reviewed by Saam Barati.
2932
2933         At some point, Allocator holds LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
2934         because the FTL still uses the incoming value as a 32-bit integer there.
2935
2936         * ftl/FTLLowerDFGToB3.cpp:
2937         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2938
2939 2019-01-29  Keith Rollin  <krollin@apple.com>
2940
2941         Add .xcfilelists to Run Script build phases
2942         https://bugs.webkit.org/show_bug.cgi?id=193792
2943         <rdar://problem/47201785>
2944
2945         Reviewed by Alex Christensen.
2946
2947         As part of supporting XCBuild, update the necessary Run Script build
2948         phases in their Xcode projects to refer to their associated
2949         .xcfilelist files.
2950
2951         Note that the addition of these files bumps the Xcode project version
2952         number to something that's Xcode 10 compatible. This change means that
2953         older versions of the Xcode IDE can't read these projects. Nor can they
2954         fully load workspaces that refer to these projects (the updated
2955         projects are shown as non-expandable placeholders). `xcodebuild` can
2956         still build these projects; it's just that the IDE can't open them.
2957
2958         * JavaScriptCore.xcodeproj/project.pbxproj:
2959
2960 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
2961
2962         [ARM] Check for negative zero instead of just zero
2963         https://bugs.webkit.org/show_bug.cgi?id=193689
2964
2965         Reviewed by Mark Lam.
2966
2967         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
2968         of just bailing out for zero.
2969
2970         * assembler/MacroAssemblerARMv7.h:
2971         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
2972
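The edge case in the entry above is that an int32 cannot represent -0.0, so an exact double-to-int32 conversion must bail out for negative zero, but bailing out for every zero sends a very common value down the slow path for no reason. The following is an added example, not JSC's MacroAssemblerARMv7 code: both functions are invented reconstructions of the two behaviours described (old: reject any zero; new: reject only negative zero), written in plain C++ rather than emitted machine code.

```cpp
#include <cstdint>
#include <cmath>
#include <cstdio>

// Shared part of an exact double -> int32 conversion: reject NaN, out-of-range
// values (which also covers +/-infinity) and anything with a fractional part.
static bool exactInt32(double value, int32_t& out) {
    if (value != value) return false;                                   // NaN
    if (value < -2147483648.0 || value > 2147483647.0) return false;    // out of int32 range
    int32_t truncated = static_cast<int32_t>(value);
    if (static_cast<double>(truncated) != value) return false;          // fractional part
    out = truncated;
    return true;
}

// Old behaviour (reconstruction): any zero result goes to the slow path,
// because once it is an int it is impossible to tell +0.0 from -0.0.
bool convertBailOnAnyZero(double value, int32_t& out) {
    int32_t r;
    if (!exactInt32(value, r) || r == 0) return false;
    out = r;
    return true;
}

// New behaviour: only -0.0 is rejected; +0.0 converts on the fast path.
bool convertBailOnNegativeZero(double value, int32_t& out) {
    int32_t r;
    if (!exactInt32(value, r)) return false;
    if (r == 0 && std::signbit(value)) return false;                   // -0.0 only
    out = r;
    return true;
}

// Sentinel outside the int32 range, returned when the fast path bails.
const long long kBail = 0x7FFFFFFFFFLL;
long long tryOld(double v) { int32_t out; return convertBailOnAnyZero(v, out) ? out : kBail; }
long long tryNew(double v) { int32_t out; return convertBailOnNegativeZero(v, out) ? out : kBail; }

int main() {
    const double samples[] = { 0.0, -0.0, 42.0, -7.0, 1.5, -2147483648.0, 2147483648.0 };
    for (double s : samples)
        std::printf("%22.1f  old: %lld  new: %lld  (%lld = bail)\n", s, tryOld(s), tryNew(s), kBail);
    return 0;
}
```

The check has to look at the sign bit of the original double, not at the integer result, which is why `std::signbit(value)` is consulted only after the integer came out as zero.
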
2973 2019-01-28  Devin Rousso  <drousso@apple.com>
2974
2975         Web Inspector: provide a way to edit page WebRTC settings on a remote target
2976         https://bugs.webkit.org/show_bug.cgi?id=193863
2977         <rdar://problem/47572764>
2978
2979         Reviewed by Joseph Pecoraro.
2980
2981         * inspector/protocol/Page.json:
2982         Add more values to the `Setting` enum type:
2983          - `ICECandidateFilteringEnabled`
2984          - `MediaCaptureRequiresSecureConnection`
2985          - `MockCaptureDevicesEnabled`
2986
2987 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
2988
2989         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
2990         https://bugs.webkit.org/show_bug.cgi?id=193941
2991
2992         Reviewed by Alex Christensen.
2993
2994         * API/JSWeakObjectMapRefPrivate.cpp:
2995         * bytecompiler/NodesCodegen.cpp:
2996         * heap/MachineStackMarker.cpp:
2997         * jit/ExecutableAllocator.cpp:
2998         * jsc.cpp:
2999         * parser/Nodes.cpp:
3000         * runtime/DateConstructor.cpp:
3001         * runtime/DateConversion.cpp:
3002         * runtime/DateInstance.cpp:
3003         * runtime/DatePrototype.cpp:
3004         * runtime/InitializeThreading.cpp:
3005         * runtime/IteratorOperations.cpp:
3006         * runtime/JSDateMath.cpp:
3007         * runtime/JSGlobalObjectFunctions.cpp:
3008         * runtime/StringPrototype.cpp:
3009         * runtime/VM.cpp:
3010         * testRegExp.cpp:
3011         * tools/JSDollarVM.cpp:
3012         * yarr/YarrInterpreter.cpp:
3013         * yarr/YarrJIT.cpp:
3014         * yarr/YarrPattern.cpp:
3015         * yarr/YarrUnicodeProperties.cpp:
3016
3017 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3018
3019         [JSC] Reduce size of memory used for ShadowChicken
3020         https://bugs.webkit.org/show_bug.cgi?id=193546
3021
3022         Reviewed by Mark Lam.
3023
3024         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3025         The removal of ShadowChicken saves 55KB memory.
3026
3027         * debugger/DebuggerCallFrame.cpp:
3028         (JSC::DebuggerCallFrame::create):
3029         * ftl/FTLLowerDFGToB3.cpp:
3030         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3031         * heap/Heap.cpp:
3032         (JSC::Heap::stopThePeriphery):
3033         (JSC::Heap::addCoreConstraints):
3034         * jit/CCallHelpers.cpp:
3035         (JSC::CCallHelpers::ensureShadowChickenPacket):
3036         * jit/JITExceptions.cpp:
3037         (JSC::genericUnwind):
3038         * jit/JITOpcodes.cpp:
3039         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3040         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3041         * jit/JITOpcodes32_64.cpp:
3042         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3043         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3044         * jit/JITOperations.cpp:
3045         * llint/LLIntSlowPaths.cpp:
3046         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3047         * runtime/JSGlobalObject.cpp:
3048         (JSC::JSGlobalObject::setDebugger):
3049         * runtime/JSGlobalObject.h:
3050         (JSC::JSGlobalObject::setDebugger): Deleted.
3051         * runtime/VM.cpp:
3052         (JSC::VM::VM):
3053         (JSC::VM::ensureShadowChicken):
3054         * runtime/VM.h:
3055         (JSC::VM::shadowChicken):
3056         * tools/JSDollarVM.cpp:
3057         (JSC::functionShadowChickenFunctionsOnStack):
3058         (JSC::changeDebuggerModeWhenIdle):
3059
3060 2019-01-28  Andy Estes  <aestes@apple.com>
3061
3062         [watchOS] Enable Parental Controls content filtering
3063         https://bugs.webkit.org/show_bug.cgi?id=193939
3064         <rdar://problem/46641912>
3065
3066         Reviewed by Ryosuke Niwa.
3067
3068         * Configurations/FeatureDefines.xcconfig:
3069
3070 2019-01-28  Mark Lam  <mark.lam@apple.com>
3071
3072         ToString node actually does GC.
3073         https://bugs.webkit.org/show_bug.cgi?id=193920
3074         <rdar://problem/46695900>
3075
3076         Reviewed by Yusuke Suzuki.
3077
3078         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3079         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3080
3081         * dfg/DFGDoesGC.cpp:
3082         (JSC::DFG::doesGC):
3083
3084 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3085
3086         [JSC] RegExpConstructor should not have own IsoSubspace
3087         https://bugs.webkit.org/show_bug.cgi?id=193801
3088
3089         Reviewed by Mark Lam.
3090
3091         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3092         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3093         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
3094         it from RegExpConstructor's members.
3095
3096         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3097         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3098         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3099
3100         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3101
3102         * CMakeLists.txt:
3103         * JavaScriptCore.xcodeproj/project.pbxproj:
3104         * Sources.txt:
3105         * dfg/DFGOperations.cpp:
3106         * dfg/DFGSpeculativeJIT.cpp:
3107         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3108         * dfg/DFGStrengthReductionPhase.cpp:
3109         (JSC::DFG::StrengthReductionPhase::handleNode):
3110         * ftl/FTLAbstractHeapRepository.cpp:
3111         * ftl/FTLAbstractHeapRepository.h:
3112         * ftl/FTLLowerDFGToB3.cpp:
3113         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3114         * runtime/JSGlobalObject.cpp:
3115         (JSC::JSGlobalObject::init):
3116         (JSC::JSGlobalObject::visitChildren):
3117         * runtime/JSGlobalObject.h:
3118         (JSC::JSGlobalObject::regExpGlobalData):
3119         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3120         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3121         * runtime/RegExpCache.cpp:
3122         (JSC::RegExpCache::initialize):
3123         * runtime/RegExpCache.h:
3124         (JSC::RegExpCache::emptyRegExp const):
3125         * runtime/RegExpCachedResult.cpp:
3126         (JSC::RegExpCachedResult::visitAggregate):
3127         (JSC::RegExpCachedResult::visitChildren): Deleted.
3128         * runtime/RegExpCachedResult.h:
3129         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3130         * runtime/RegExpConstructor.cpp:
3131         (JSC::RegExpConstructor::RegExpConstructor):
3132         (JSC::regExpConstructorDollar):
3133         (JSC::regExpConstructorInput):
3134         (JSC::regExpConstructorMultiline):
3135         (JSC::regExpConstructorLastMatch):
3136         (JSC::regExpConstructorLastParen):
3137         (JSC::regExpConstructorLeftContext):
3138         (JSC::regExpConstructorRightContext):
3139         (JSC::setRegExpConstructorInput):
3140         (JSC::setRegExpConstructorMultiline):
3141         (JSC::RegExpConstructor::destroy): Deleted.
3142         (JSC::RegExpConstructor::visitChildren): Deleted.
3143         (JSC::RegExpConstructor::getBackref): Deleted.
3144         (JSC::RegExpConstructor::getLastParen): Deleted.
3145         (JSC::RegExpConstructor::getLeftContext): Deleted.
3146         (JSC::RegExpConstructor::getRightContext): Deleted.
3147         * runtime/RegExpConstructor.h:
3148         (JSC::RegExpConstructor::performMatch): Deleted.
3149         (JSC::RegExpConstructor::recordMatch): Deleted.
3150         * runtime/RegExpGlobalData.cpp: Added.
3151         (JSC::RegExpGlobalData::visitAggregate):
3152         (JSC::RegExpGlobalData::getBackref):
3153         (JSC::RegExpGlobalData::getLastParen):
3154         (JSC::RegExpGlobalData::getLeftContext):
3155         (JSC::RegExpGlobalData::getRightContext):
3156         * runtime/RegExpGlobalData.h: Added.
3157         (JSC::RegExpGlobalData::cachedResult):
3158         (JSC::RegExpGlobalData::setMultiline):
3159         (JSC::RegExpGlobalData::multiline const):
3160         (JSC::RegExpGlobalData::input):
3161         (JSC::RegExpGlobalData::offsetOfCachedResult):
3162         * runtime/RegExpGlobalDataInlines.h: Added.
3163         (JSC::RegExpGlobalData::setInput):
3164         (JSC::RegExpGlobalData::performMatch):
3165         (JSC::RegExpGlobalData::recordMatch):
3166         * runtime/RegExpObject.cpp:
3167         (JSC::RegExpObject::matchGlobal):
3168         * runtime/RegExpObjectInlines.h:
3169         (JSC::RegExpObject::execInline):
3170         (JSC::RegExpObject::matchInline):
3171         (JSC::collectMatches):
3172         * runtime/RegExpPrototype.cpp:
3173         (JSC::RegExpPrototype::finishCreation):
3174         (JSC::regExpProtoFuncSearchFast):
3175         (JSC::RegExpPrototype::visitChildren): Deleted.
3176         * runtime/RegExpPrototype.h:
3177         * runtime/StringPrototype.cpp:
3178         (JSC::removeUsingRegExpSearch):
3179         (JSC::replaceUsingRegExpSearch):
3180         * runtime/VM.cpp:
3181         (JSC::VM::VM):
3182         * runtime/VM.h:
3183
3184 2018-12-15  Darin Adler  <darin@apple.com>
3185
3186         Replace many uses of String::format with more type-safe alternatives
3187         https://bugs.webkit.org/show_bug.cgi?id=192742
3188
3189         Reviewed by Mark Lam.
3190
3191         * inspector/InjectedScriptBase.cpp:
3192         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3193         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3194         * inspector/InspectorBackendDispatcher.cpp:
3195         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3196         * inspector/agents/InspectorConsoleAgent.cpp:
3197         (Inspector::InspectorConsoleAgent::enable): Ditto.
3198         * jsc.cpp:
3199         (FunctionJSCStackFunctor::operator() const): Ditto.
3200
3201         * runtime/CodeCache.cpp:
3202         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3203         using String::number.
3204
3205         * runtime/IntlDateTimeFormat.cpp:
3206         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3207         * runtime/IntlObject.cpp:
3208         (JSC::canonicalizeLocaleList): Ditto.
3209
3210 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3211
3212         AX: Introduce a static accessibility tree
3213         https://bugs.webkit.org/show_bug.cgi?id=193348
3214         <rdar://problem/47203295>
3215
3216         Reviewed by Ryosuke Niwa.
3217
3218         * Configurations/FeatureDefines.xcconfig:
3219
3220 2019-01-26  Devin Rousso  <drousso@apple.com>
3221
3222         Web Inspector: provide a way to edit the user agent of a remote target
3223         https://bugs.webkit.org/show_bug.cgi?id=193862
3224         <rdar://problem/47359292>
3225
3226         Reviewed by Joseph Pecoraro.
3227
3228         * inspector/protocol/Page.json:
3229         Add `overrideUserAgent` command.
3230
3231 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3232
3233         [JSC] NativeErrorConstructor should not have own IsoSubspace
3234         https://bugs.webkit.org/show_bug.cgi?id=193713
3235
3236         Reviewed by Saam Barati.
3237
3238         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3239         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3240         threads, this is OK. While TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3241         offer some function instead of exposing TypeError constructor in the future, and remove this @TypeError reference. This change removes
3242         IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
3243         referenced.
3244
3245         * CMakeLists.txt:
3246         * JavaScriptCore.xcodeproj/project.pbxproj:
3247         * Sources.txt:
3248         * builtins/BuiltinNames.h:
3249         * interpreter/Interpreter.h:
3250         * runtime/Error.cpp:
3251         (JSC::createEvalError):
3252         (JSC::createRangeError):
3253         (JSC::createReferenceError):
3254         (JSC::createSyntaxError):
3255         (JSC::createTypeError):
3256         (JSC::createURIError):
3257         (WTF::printInternal): Deleted.
3258         * runtime/Error.h:
3259         * runtime/ErrorPrototype.cpp:
3260         (JSC::ErrorPrototype::create):
3261         (JSC::ErrorPrototype::finishCreation):
3262         * runtime/ErrorPrototype.h:
3263         (JSC::ErrorPrototype::create): Deleted.
3264         * runtime/ErrorType.cpp: Added.
3265         (JSC::errorTypeName):
3266         (WTF::printInternal):
3267         * runtime/ErrorType.h: Added.
3268         * runtime/JSGlobalObject.cpp:
3269         (JSC::JSGlobalObject::initializeErrorConstructor):
3270         (JSC::JSGlobalObject::init):
3271         (JSC::JSGlobalObject::visitChildren):
3272         * runtime/JSGlobalObject.h:
3273         (JSC::JSGlobalObject::internalPromiseConstructor const):
3274         (JSC::JSGlobalObject::errorStructure const):
3275         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3276         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3277         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3278         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3279         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3280         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3281         * runtime/NativeErrorConstructor.cpp:
3282         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3283         (JSC::NativeErrorConstructorBase::finishCreation):
3284         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3285         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3286         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3287         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3288         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3289         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3290         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3291         * runtime/NativeErrorConstructor.h:
3292         (JSC::NativeErrorConstructorBase::createStructure):
3293         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3294         * runtime/NativeErrorPrototype.cpp:
3295         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3296         * runtime/NativeErrorPrototype.h:
3297         * runtime/VM.cpp:
3298         (JSC::VM::VM):
3299         * runtime/VM.h:
3300         * wasm/js/WasmToJS.cpp:
3301         (JSC::Wasm::handleBadI64Use):
3302
3303 2019-01-25  Devin Rousso  <drousso@apple.com>
3304
3305         Web Inspector: provide a way to edit page settings on a remote target
3306         https://bugs.webkit.org/show_bug.cgi?id=193813
3307         <rdar://problem/47359510>
3308
3309         Reviewed by Joseph Pecoraro.
3310
3311         * inspector/protocol/Page.json:
3312         Add `overrideSetting` command with supporting `Setting` enum type.
3313
3314 2019-01-25  Keith Rollin  <krollin@apple.com>
3315
3316         Update Xcode projects with "Check .xcfilelists" build phase
3317         https://bugs.webkit.org/show_bug.cgi?id=193790
3318         <rdar://problem/47201374>
3319
3320         Reviewed by Alex Christensen.
3321
3322         Support for XCBuild includes specifying inputs and outputs to various
3323         Run Script build phases. These inputs and outputs are specified as
3324         .xcfilelist files. Once created, these .xcfilelist files need to be
3325         kept up-to-date. In order to check that they are up-to-date or not,
3326         add an Xcode build step that invokes an external script that performs
3327         the checking. If the .xcfilelists are found to be out-of-date, update
3328         them, halt the build, and instruct the developer to restart the build
3329         with up-to-date files.
3330
3331         At this time, the checking and regenerating is performed only if the
3332         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3333         who want to use this facility can set this variable and test out the
3334         checking/regenerating. Once it seems like there are no egregious
3335         issues that upset a developer's workflow, we'll unconditionally enable
3336         this facility.
3337
3338         * JavaScriptCore.xcodeproj/project.pbxproj:
3339         * Scripts/check-xcfilelists.sh: Added.
3340
3341 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3342
3343         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3344         https://bugs.webkit.org/show_bug.cgi?id=193796
3345         <rdar://problem/47532910>
3346
3347         Reviewed by Devin Rousso.
3348
3349         * runtime/SamplingProfiler.cpp:
3350         (JSC::SamplingProfiler::machThread):
3351         * runtime/SamplingProfiler.h:
3352         Expose the mach_port_t of the SamplingProfiler thread
3353         so it can be tested against later.
3354
3355 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3356
3357         Fix Windows build after r240511
3358
3359         * bytecode/UnlinkedFunctionExecutable.cpp:
3360         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3361
3362 2019-01-25  Keith Rollin  <krollin@apple.com>
3363
3364         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3365         https://bugs.webkit.org/show_bug.cgi?id=193781
3366         <rdar://problem/47201153>
3367
3368         Reviewed by Alex Christensen.
3369
3370         Part of generating the .xcfilelists used as part of adopting XCBuild
3371         includes running `make DerivedSources.make` from a standalone script.
3372         It’s important for this invocation to have the same environment as
3373         when the actual build invokes `make DerivedSources.make`. If the
3374         environments are different, then the two invocations will provide
3375         different results. In order to get the same environment in the
3376         standalone script, have the script launch xcodebuild targeting the
3377         "Apply Configuration to XCFileLists" build target, which will then
3378         re-invoke our standalone script. The script is now running again, this
3379         time in an environment with all workspace, project, target, xcconfig
3380         and other environment variables established.
3381
3382         The "Apply Configuration to XCFileLists" build target accomplishes
3383         this task via a small embedded shell script that consists only of:
3384
3385             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3386
3387         The process that invokes "Apply Configuration to XCFileLists" first
3388         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3389         evaluated and exports it into the shell environment. When xcodebuild
3390         is invoked, it inherits the value of this variable and can `eval` the
3391         contents of that variable. Our external standalone script can then set
3392         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3393         of command-line parameters needed to restart itself in the appropriate
3394         state.
3395
3396         * JavaScriptCore.xcodeproj/project.pbxproj:
3397
3398 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3399
3400         Add API to generate and consume cached bytecode
3401         https://bugs.webkit.org/show_bug.cgi?id=193401
3402         <rdar://problem/47514099>
3403
3404         Reviewed by Keith Miller.
3405
3406         Add the `generateBytecode` and `generateModuleBytecode` functions to
3407         generate serialized bytecode for a given `SourceCode`. These functions
3408         will eagerly generate code for all the nested functions.
3409
3410         Additionally, update the API methods in JSScript to generate and use the
3411         bytecode when the bytecodeCache path is provided.
3412
3413         * API/JSAPIGlobalObject.mm:
3414         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3415         * API/JSContext.mm:
3416         (-[JSContext wrapperMap]):
3417         * API/JSContextInternal.h:
3418         * API/JSScript.mm:
3419         (+[JSScript scriptWithSource:inVirtualMachine:]):
3420         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3421         (-[JSScript dealloc]):
3422         (-[JSScript readCache]):
3423         (-[JSScript writeCache]):
3424         (-[JSScript hash]):
3425         (-[JSScript source]):
3426         (-[JSScript cachedBytecode]):
3427         (-[JSScript jsSourceCode:]):
3428         * API/JSScriptInternal.h:
3429         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3430         (JSScriptSourceProvider::create):
3431         (JSScriptSourceProvider::JSScriptSourceProvider):
3432         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3433         (JSScriptSourceProvider::hash const):
3434         (JSScriptSourceProvider::source const):
3435         (JSScriptSourceProvider::cachedBytecode const):
3436         * API/JSVirtualMachine.mm:
3437         (-[JSVirtualMachine vm]):
3438         * API/JSVirtualMachineInternal.h:
3439         * API/tests/testapi.mm:
3440         (testBytecodeCache):
3441         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3442         (testObjectiveCAPI):
3443         * JavaScriptCore.xcodeproj/project.pbxproj:
3444         * SourcesCocoa.txt:
3445         * bytecode/UnlinkedFunctionExecutable.cpp:
3446         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3447         * bytecode/UnlinkedFunctionExecutable.h:
3448         * parser/SourceCodeKey.h:
3449         (JSC::SourceCodeKey::source const):
3450         * parser/SourceProvider.h:
3451         (JSC::CachedBytecode::CachedBytecode):
3452         (JSC::CachedBytecode::operator=):
3453         (JSC::CachedBytecode::data const):
3454         (JSC::CachedBytecode::size const):
3455         (JSC::CachedBytecode::owned const):
3456         (JSC::CachedBytecode::~CachedBytecode):
3457         (JSC::CachedBytecode::freeDataIfOwned):
3458         (JSC::SourceProvider::cachedBytecode const):
3459         * parser/UnlinkedSourceCode.h:
3460         (JSC::UnlinkedSourceCode::provider const):
3461         * runtime/CodeCache.cpp:
3462         (JSC::generateUnlinkedCodeBlockForFunctions):
3463         (JSC::writeCodeBlock):
3464         (JSC::serializeBytecode):
3465         * runtime/CodeCache.h:
3466         (JSC::CodeCacheMap::fetchFromDiskImpl):
3467         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3468         (JSC::generateUnlinkedCodeBlockImpl):
3469         (JSC::generateUnlinkedCodeBlock):
3470         * runtime/Completion.cpp:
3471         (JSC::generateBytecode):
3472         (JSC::generateModuleBytecode):
3473         * runtime/Completion.h:
3474         * runtime/Options.cpp:
3475         (JSC::recomputeDependentOptions):
3476
3477 2019-01-25  Keith Rollin  <krollin@apple.com>
3478
3479         Update WebKitAdditions.xcconfig with correct order of variable definitions
3480         https://bugs.webkit.org/show_bug.cgi?id=193793
3481         <rdar://problem/47532439>
3482
3483         Reviewed by Alex Christensen.
3484
3485         XCBuild changes the way xcconfig variables are evaluated. In short,
3486         all config file assignments are now considered as part of the
3487         evaluation. When using the new build system and an .xcconfig file
3488         contains multiple assignments of the same build setting:
3489
3490         - Later assignments using $(inherited) will inherit from earlier
3491           assignments in the xcconfig file.
3492         - Later assignments not using $(inherited) will take precedence over
3493           earlier assignments. An assignment to a more general setting will
3494           mask an earlier assignment to a less general setting. For example,
3495           an assignment without a condition ('FOO = bar') will completely mask
3496           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3497
3498         This affects some of our .xcconfig files, in that sometimes platform-
3499         or sdk-specific definitions appear before the general definitions.
3500         Under the new evaluation rules, the general definitions always take
3501         effect because they always overwrite the more-specific definitions. The
3502         solution is to swap the order, so that the general definitions are
3503         established first, and then conditionally overwritten by the
3504         more-specific definitions.
3505
3506         * Configurations/Version.xcconfig:
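
The ordering rules described above, worked through as an added example (not WebKit code): a small parser for xcconfig assignments and an evaluator that applies "later assignment wins" with $(inherited) and [sdk=...] conditions. The FOO/bar/quux fragments and the SDK names are constructed; only the rules come from the entry.

```python
"""Model of how XCBuild evaluates repeated assignments in an .xcconfig file.

Added example for this ChangeLog entry, not WebKit code. Rules modelled, as the
entry states them: assignments are processed in file order, a later assignment
takes precedence, $(inherited) expands to the value accumulated so far, and a
conditional assignment such as FOO[sdk=macos*] applies only when every
condition matches the build context.
"""
import fnmatch
import re

# name, zero or more [key=pattern] groups, '=', value
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)((?:\[[^\]]*\])*)\s*=\s*(.*?)\s*$")


def parse_xcconfig(text):
    """Return a list of (setting, conditions, value) in file order.

    conditions is a dict such as {"sdk": "macos*"}; it is empty for an
    unconditional assignment. Blank lines and // comments are skipped.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("//"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError("unsupported xcconfig line: %r" % line)
        name, cond_str, value = m.groups()
        conditions = {}
        for cond in re.findall(r"\[([^\]]*)\]", cond_str):
            key, pattern = cond.split("=", 1)
            conditions[key.strip()] = pattern.strip()
        entries.append((name, conditions, value))
    return entries


def evaluate(text, setting, context):
    """Evaluate `setting` for a build `context` (e.g. {"sdk": "macosx10.14"})."""
    current = ""
    for name, conditions, value in parse_xcconfig(text):
        if name != setting:
            continue
        # A conditional assignment only applies when every condition matches.
        if not all(key in context and fnmatch.fnmatch(context[key], pattern)
                   for key, pattern in conditions.items()):
            continue
        # Later assignment wins; $(inherited) picks up the earlier value.
        current = value.replace("$(inherited)", current)
    return current.strip()


# Constructed fragments in the shape the entry describes (not the real Version.xcconfig).
BROKEN = """
FOO[sdk=macos*] = quux
FOO = bar
"""
FIXED = """
FOO = bar
FOO[sdk=macos*] = quux
"""
INHERITED = """
FOO = bar
FOO = $(inherited) baz
"""

if __name__ == "__main__":
    mac = {"sdk": "macosx10.14"}
    print("broken order on macOS :", evaluate(BROKEN, "FOO", mac))      # bar
    print("fixed order on macOS  :", evaluate(FIXED, "FOO", mac))       # quux
    print("fixed order on iOS    :", evaluate(FIXED, "FOO", {"sdk": "iphoneos12.1"}))  # bar
```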
3507
3508 2019-01-25  Keith Rollin  <krollin@apple.com>
3509
3510         Update existing .xcfilelists
3511         https://bugs.webkit.org/show_bug.cgi?id=193791
3512         <rdar://problem/47201706>
3513
3514         Reviewed by Alex Christensen.
3515
3516         Many .xcfilelist files were added in r238824 in order to support
3517         XCBuild. Update these with recent changes to the set of build files
3518         and with the current generate-xcfilelist script.
3519
3520         * DerivedSources-input.xcfilelist:
3521         * DerivedSources-output.xcfilelist:
3522         * UnifiedSources-input.xcfilelist:
3523         * UnifiedSources-output.xcfilelist:
3524
3525 2019-01-25  Jon Davis  <jond@apple.com>
3526
3527         Update JavaScriptCore feature status entries.
3528         https://bugs.webkit.org/show_bug.cgi?id=193797
3529
3530         Reviewed by Mark Lam.
3531         
3532         Updated feature status for Async Iteration, and Object rest/spread.
3533
3534         * features.json:
3535
3536 2019-01-24  Keith Miller  <keith_miller@apple.com>
3537
3538         Remove usage of internal macro from private header
3539         https://bugs.webkit.org/show_bug.cgi?id=193809
3540
3541         Reviewed by Saam Barati.
3542
3543         Also, add a new file to include all of our API headers to make sure
3544         they don't accidentally include C++ or internal values.
3545
3546         * API/JSScript.h:
3547         * API/tests/testIncludes.m: Added.
3548         * JavaScriptCore.xcodeproj/project.pbxproj:
3549
3550 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3551
3552         [JSC] ErrorConstructor should not have own IsoSubspace
3553         https://bugs.webkit.org/show_bug.cgi?id=193800
3554
3555         Reviewed by Saam Barati.
3556
3557         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3558         IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
3559         too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
3560         JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3561         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3562         into IsoSubspaces) described,
3563
3564             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3565             appear to just override methods, which are called dynamically via the structure or class of the object.
3566             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3567
3568         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3569         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3570         This reduces the memory usage.
3571
3572         * interpreter/Interpreter.h:
3573         * runtime/Error.cpp:
3574         (JSC::getStackTrace):
3575         * runtime/ErrorConstructor.cpp:
3576         (JSC::ErrorConstructor::ErrorConstructor):
3577         (JSC::ErrorConstructor::finishCreation):
3578         (JSC::constructErrorConstructor):
3579         (JSC::callErrorConstructor):
3580         (JSC::ErrorConstructor::put):
3581         (JSC::ErrorConstructor::deleteProperty):
3582         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3583         (JSC::Interpreter::callErrorConstructor): Deleted.
3584         * runtime/ErrorConstructor.h:
3585         * runtime/JSGlobalObject.cpp:
3586         (JSC::JSGlobalObject::JSGlobalObject):
3587         (JSC::JSGlobalObject::init):
3588         (JSC::JSGlobalObject::visitChildren):
3589         * runtime/JSGlobalObject.h:
3590         (JSC::JSGlobalObject::stackTraceLimit const):
3591         (JSC::JSGlobalObject::setStackTraceLimit):
3592         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3593         * runtime/VM.cpp:
3594         (JSC::VM::VM):
3595         * runtime/VM.h:
3596
3597 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3598
3599         Web Inspector: CPU Usage Timeline
3600         https://bugs.webkit.org/show_bug.cgi?id=193730
3601         <rdar://problem/46797201>
3602
3603         Reviewed by Devin Rousso.
3604
3605         * CMakeLists.txt:
3606         * DerivedSources-input.xcfilelist:
3607         * DerivedSources.make:
3608         New files.
3609
3610         * inspector/protocol/CPUProfiler.json: Added.
3611         New domain that follows the pattern of Memory/ScriptProfiler.
3612
3613         * inspector/protocol/Timeline.json:
3614         New enum to auto-start a CPU instrument in the backend.
3615
3616 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3617
3618         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3619         https://bugs.webkit.org/show_bug.cgi?id=193774
3620
3621         Reviewed by Mark Lam.
3622
3623         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3624         But since IsoSubspace requires that the memory layout of instances be the same, we created different IsoSubspaces
3625         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3626         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
3627         for these two constructor instances. They are only two instances per JSGlobalObject.
3628
3629         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3630         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3631         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3632         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3633         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3634         for ArrayBufferConstructors, and reduces the memory usage.
3635
3636         * runtime/JSArrayBufferConstructor.cpp:
3637         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3638         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3639         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3640         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3641         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3642         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3643         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3644         (JSC::JSArrayBufferConstructor::create): Deleted.
3645         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3646         (JSC::constructArrayBuffer): Deleted.
3647         * runtime/JSArrayBufferConstructor.h:
3648         * runtime/JSGlobalObject.cpp:
3649         (JSC::JSGlobalObject::init):
3650         * runtime/JSGlobalObject.h:
3651         * runtime/VM.cpp:
3652         (JSC::VM::VM):
3653         * runtime/VM.h:
3654
3655 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3656
3657         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3658         https://bugs.webkit.org/show_bug.cgi?id=190693
3659
3660         Reviewed by Michael Saboff.
3661
3662         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3663         This becomes true when we find the executable address in our conservative roots, which
3664         means that we could be executing it right now. This means that object liveness in
3665         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3666         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3667         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3668         executing JITStubRoutine because "Conservative Scan" finds it later.
3669         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3670         "Conservative Scan" has already finished, we do not delete some JITStubRoutines which did not
3671         mark the objects they depend on. Then, in the next cycle, we find those JITStubRoutines still live,
3672         attempt to mark the objects they depend on, and encounter the dead objects which were collected
3673         in the previous cycles.
3674
3675         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3676         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
3677         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3678         GC stop time.
3679
3680         * heap/ConservativeRoots.h:
3681         (JSC::ConservativeRoots::roots const):
3682         (JSC::ConservativeRoots::roots): Deleted.
3683         * heap/Heap.cpp:
3684         (JSC::Heap::addCoreConstraints):
3685         * heap/SlotVisitor.cpp:
3686         (JSC::SlotVisitor::append):
3687         * heap/SlotVisitor.h:
3688         * jit/GCAwareJITStubRoutine.cpp:
3689         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3690         * jit/GCAwareJITStubRoutine.h:
3691
3692 2019-01-24  Saam Barati  <sbarati@apple.com>
3693
3694         Update ARM64EHash
3695         https://bugs.webkit.org/show_bug.cgi?id=193776
3696         <rdar://problem/47526457>
3697
3698         Reviewed by Mark Lam.
3699
3700         See radar for details.
3701
3702         * assembler/AssemblerBuffer.h:
3703         (JSC::ARM64EHash::update):
3704         (JSC::ARM64EHash::finalHash const):
3705
3706 2019-01-24  Saam Barati  <sbarati@apple.com>
3707
3708         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3709         https://bugs.webkit.org/show_bug.cgi?id=193751
3710         <rdar://problem/47280215>
3711
3712         Reviewed by Michael Saboff.
3713
3714         The Object Allocation Sinking phase may move allocations around inside
3715         of the program. However, it was not ensuring that it's still possible 
3716         to walk the stack at the point in the program that it moved the allocation to.
3717         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3718         All allocation sites can do a stack walk (we do a stack walk when we GC).
3719         Conservatively, this patch says we're ok to move this allocation if we are
3720         moving within the same InlineCallFrame. We could be more precise and do an
3721         analysis of stack writes. However, this scenario is so rare that we just
3722         take the conservative-and-straight-forward approach of checking that the place
3723         we're moving to is the same InlineCallFrame as the allocation site.
3724         
3725         In general, this issue arises anytime we do any kind of code motion.
3726         Interestingly, LICM gets this right. It gets it right because the only
3727         InlineCallFrames we can't move out of are the InlineCallFrames that
3728         have metadata stored on the stack (callee for closure calls and argument
3729         count for varargs calls). LICM doesn't have this issue because it relies
3730         on Clobberize for doing its effects analysis. In clobberize, we model every
3731         node within an InlineCallFrame that meets the above criteria as reading
3732         from those stack fields. Consequently, LICM won't hoist any node in that
3733         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3734         we generate to set up such an InlineCallFrame contains writes to that
3735         stack location.
3736
3737         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3738
3739 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3740
3741         [JSC] Reenable baseline JIT on mips
3742         https://bugs.webkit.org/show_bug.cgi?id=192983
3743
3744         Reviewed by Mark Lam.
3745
3746         Use $s0 as metadata register and make sure it's properly saved and
3747         restored.
3748
3749         * jit/GPRInfo.h:
3750         * jit/RegisterSet.cpp:
3751         (JSC::RegisterSet::vmCalleeSaveRegisters):
3752         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3753         * llint/LowLevelInterpreter.asm:
3754         * offlineasm/mips.rb:
3755
3756 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
3757
3758         [GLIB] Expose JavaScriptCore options in GLib public API
3759         https://bugs.webkit.org/show_bug.cgi?id=188742
3760
3761         Reviewed by Michael Catanzaro.
3762
3763         Add new API to set, get and iterate JSC options.
3764
3765         * API/glib/JSCOptions.cpp: Added.
3766         (valueFromGValue):
3767         (valueToGValue):
3768         (jscOptionsSetValue):
3769         (jscOptionsGetValue):
3770         (jsc_options_set_boolean):
3771         (jsc_options_get_boolean):
3772         (jsc_options_set_int):
3773         (jsc_options_get_int):
3774         (jsc_options_set_uint):
3775         (jsc_options_get_uint):
3776         (jsc_options_set_size):
3777         (jsc_options_get_size):
3778         (jsc_options_set_double):
3779         (jsc_options_get_double):
3780         (jsc_options_set_string):
3781         (jsc_options_get_string):
3782         (jsc_options_set_range_string):
3783         (jsc_options_get_range_string):
3784         (jscOptionsType):
3785         (jsc_options_foreach):
3786         (setOptionEntry):
3787         (jsc_options_get_option_group):
3788         * API/glib/JSCOptions.h: Added.
3789         * API/glib/docs/jsc-glib-4.0-sections.txt:
3790         * API/glib/docs/jsc-glib-docs.sgml:
3791         * API/glib/jsc.h:
3792         * GLib.cmake:
3793
3794 2019-01-23  Mark Lam  <mark.lam@apple.com>
3795
3796         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
3797         https://bugs.webkit.org/show_bug.cgi?id=193744
3798         <rdar://problem/46262952>
3799
3800         Reviewed by Saam Barati.
3801
3802         * assembler/LinkBuffer.cpp:
3803         (JSC::LinkBuffer::copyCompactAndLinkCode):
3804
3805 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3806
3807         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3808         https://bugs.webkit.org/show_bug.cgi?id=193711
3809         <rdar://problem/47250262>
3810
3811         Reviewed by Saam Barati.
3812
3813         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
3814         making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
3815         We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block to
3816         ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
3817         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability at the head
3818         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
3819         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
3820         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
3821         as follows.
3822
3823             BB0 -> BB1 -> BB2 -> BB4
3824              |        \        ^
3825              v          > BB3 /
3826             BB5
3827
3828         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
3829
3830             BB0 does nothing
3831                 head: loc1 is dead
3832                 tail: loc1 is dead
3833
3834             BB1 has MovHint @1, loc1
3835                 head: loc1 is dead
3836                 tail: loc1 is live
3837
3838             BB2 does nothing
3839                 head: loc1 is live
3840                 tail: loc1 is live
3841
3842             BB3 has PutStack @1, loc1
3843                 head: loc1 is live
3844                 tail: loc1 is live
3845
3846             BB4 has OSR exit using loc1
3847                 head: loc1 is live
3848                 tail: loc1 is live (in bytecode)
3849
3850             BB5 does nothing
3851                 head: loc1 is dead
3852                 tail: loc1 is dead
3853
3854         In our OSR Availability analysis, we always prune loc1's result at BB1's head since its head says "loc1 is dead".
3855         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
3856
3857         So, the flush format of loc1 at each tail of BB is like this.
3858
3859             BB0
3860                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
3861             BB1
3862                 DeadFlush+@1 (pruning clears it)
3863             BB2
3864                 DeadFlush+@1 (since it is propagated from BB1)
3865             BB3
3866                 FlushedJSValue+@1 with loc1 (since it has PutStack)
3867             BB4
3868                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
3869             BB5
3870                 DeadFlush (pruning clears it)
3871
3872         Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
3873         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
3874
3875         * dfg/DFGAvailabilityMap.cpp:
3876         (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
3877         and copy the calculated value from the current availability map.
3878         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3879         (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging for debugging.
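
The six-block example above, run as an added model (not JSC code) of the forward availability analysis: the CFG, the liveness of loc1 at each head and the MovHint/PutStack ops are the ones listed in the entry, while the lattice merge is a simplified stand-in for JSC's Availability::merge. Running it once with the buggy pruning and once with the fix shows BB4 ending as FlushedJSValue+@1 versus ConflictingFlush+@1.

```python
"""Forward OSR-availability analysis over the six-block CFG from the entry above.

Added example for this ChangeLog entry, not JSC code. Flush formats form a lattice
with DeadFlush = BOTTOM and ConflictingFlush = TOP; FlushedJSValue sits in between.
Availability is modelled as a (flush format, node) pair. The merge rule is a
simplification of JSC's Availability::merge (an assumption of this model).
"""
DEAD, FLUSHED, CONFLICT = "DeadFlush", "FlushedJSValue", "ConflictingFlush"
BOTTOM = (DEAD, None)                  # Availability(): what the buggy pruning wrote
UNAVAILABLE = (CONFLICT, "unavailable")  # Availability::unavailable(): what the fix writes


def merge_flush(a, b):
    """Join on flush formats: DeadFlush is the identity, disagreement is TOP."""
    if a == b:
        return a
    if a == DEAD:
        return b
    if b == DEAD:
        return a
    return CONFLICT


def merge_node(a, b):
    """Join on nodes: no node is the identity, two different nodes conflict."""
    if a is None:
        return b
    if b is None:
        return a
    return a if a == b else "unavailable"


def merge(a, b):
    return (merge_flush(a[0], b[0]), merge_node(a[1], b[1]))


# Constructed from the entry: successor edges, liveness of loc1 at each head, and
# the one op each block performs on loc1.
SUCC = {"BB0": ["BB1", "BB5"], "BB1": ["BB2", "BB3"], "BB2": ["BB4"],
        "BB3": ["BB4"], "BB4": [], "BB5": []}
LIVE_AT_HEAD = {"BB0": False, "BB1": False, "BB2": True, "BB3": True,
                "BB4": True, "BB5": False}
OPS = {"BB1": "MovHint", "BB3": "PutStack"}
ROOT = "BB0"
PRED = {bb: [p for p in SUCC if bb in SUCC[p]] for bb in SUCC}


def analyze(prune_value):
    """Iterate to a fixed point; return loc1's availability at every block tail.

    prune_value is what pruneByLiveness writes for a non-live operand:
    BOTTOM reproduces the bug, UNAVAILABLE is the fix.
    """
    tail = {bb: BOTTOM for bb in SUCC}
    changed = True
    while changed:
        changed = False
        for bb in SUCC:
            if bb == ROOT:
                avail = UNAVAILABLE           # root block: every local ConflictingFlush
            else:
                avail = BOTTOM
                for p in PRED[bb]:
                    avail = merge(avail, tail[p])
                if not LIVE_AT_HEAD[bb]:
                    avail = prune_value       # pruneByLiveness at the block head
            op = OPS.get(bb)
            if op == "MovHint":
                avail = (avail[0], "@1")      # value is now available in node @1
            elif op == "PutStack":
                avail = (FLUSHED, avail[1])   # and has been stored to the stack slot
            if avail != tail[bb]:
                tail[bb] = avail
                changed = True
    return tail


def exit_reads_stack(avail):
    """An OSR exit recovers loc1 from the stack only if the format says it was flushed."""
    return avail[0] == FLUSHED


if __name__ == "__main__":
    for label, prune_value in (("buggy", BOTTOM), ("fixed", UNAVAILABLE)):
        tails = analyze(prune_value)
        print(label, "BB4:", tails["BB4"], "exit reads stack:", exit_reads_stack(tails["BB4"]))
```

With the buggy pruning the BB0->BB1->BB2->BB4 path never executed the PutStack, yet BB4 claims FlushedJSValue; with the fix BB4 is ConflictingFlush with node @1 available, so the exit recovers from the node.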
3880
3881 2019-01-23  David Kilzer  <ddkilzer@apple.com>
3882
3883         [JSC] Duplicate global variables: JSC::opcodeLengths
3884         <https://webkit.org/b/193714>
3885         <rdar://problem/47340200>
3886
3887         Reviewed by Mark Lam.
3888
3889         * bytecode/Opcode.cpp:
3890         (JSC::opcodeLengths): Move array implementation here and mark
3891         const.