Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        The LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for the booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits because it requires that these functions be
        called from non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time, and this function lazily initializes the value. This is useful for making some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when the actual initialization happens on compiler threads. We do not merge them since `get` is still useful for finding accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
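
        The two bytecode-cache entries above (boot UUID, and this per-build version number) both add header fields that must match before a cached entry is trusted. The following is an added example that models that check in C++; it is not WebKit's CachedTypes.cpp code, and the version value and UUID bytes are constructed placeholders for what a real build and OS would supply. Every header check runs before any payload byte is deserialized.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-ins (assumption): a real build bakes in its own version number
// and reads the boot UUID from the operating system at startup.
using BootUUID = std::array<uint8_t, 16>;
constexpr uint32_t kBuildVersion = 0x00000007;
constexpr BootUUID kThisBoot = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33,
                                 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };

// Header layout, little-endian: version(4) | bootUUID(16) | payloadLength(4) | payload
constexpr std::size_t kHeaderSize = 4 + 16 + 4;

enum class DecodeStatus { Ok, Truncated, VersionMismatch, BootMismatch, LengthMismatch };

static void putU32(std::vector<uint8_t>& out, uint32_t value) {
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>(value >> (8 * i)));
}

static uint32_t getU32(const uint8_t* p) {
    uint32_t value = 0;
    for (int i = 0; i < 4; ++i)
        value |= static_cast<uint32_t>(p[i]) << (8 * i);
    return value;
}

// Write the header, then the (opaque) serialized bytecode.
std::vector<uint8_t> encodeCacheEntry(const std::vector<uint8_t>& payload, uint32_t version, const BootUUID& boot) {
    std::vector<uint8_t> out;
    putU32(out, version);
    out.insert(out.end(), boot.begin(), boot.end());
    putU32(out, static_cast<uint32_t>(payload.size()));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Reject entries from another build or another boot, and truncated or padded files,
// before interpreting a single payload byte.
DecodeStatus decodeCacheEntry(const std::vector<uint8_t>& bytes, uint32_t expectedVersion,
                              const BootUUID& expectedBoot, std::vector<uint8_t>& payloadOut) {
    if (bytes.size() < kHeaderSize)
        return DecodeStatus::Truncated;
    const uint8_t* p = bytes.data();
    if (getU32(p) != expectedVersion)
        return DecodeStatus::VersionMismatch;   // produced by a different build
    if (std::memcmp(p + 4, expectedBoot.data(), expectedBoot.size()) != 0)
        return DecodeStatus::BootMismatch;      // written before a reboot
    uint32_t length = getU32(p + 20);
    if (bytes.size() - kHeaderSize != length)
        return DecodeStatus::LengthMismatch;    // file does not match its own header
    payloadOut.assign(p + kHeaderSize, p + kHeaderSize + length);
    return DecodeStatus::Ok;
}

int main() {
    std::vector<uint8_t> payload = { 1, 2, 3, 4, 5 };  // constructed "bytecode"
    std::vector<uint8_t> blob = encodeCacheEntry(payload, kBuildVersion, kThisBoot);
    std::vector<uint8_t> decoded;
    std::printf("same build/boot: %s\n",
                decodeCacheEntry(blob, kBuildVersion, kThisBoot, decoded) == DecodeStatus::Ok ? "accepted" : "rejected");
    BootUUID otherBoot = kThisBoot;
    otherBoot[0] ^= 0xff;
    std::printf("after reboot: %s\n",
                decodeCacheEntry(blob, kBuildVersion, otherBoot, decoded) == DecodeStatus::Ok ? "accepted" : "rejected");
    return 0;
}
```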
141
2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):
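
        The six-step scenario above, modeled as an added example in C++ (not WebKit's Heap or Structure code): the model lock reports a reentrant acquisition instead of blocking, so step 5 shows up as a result rather than a hang, and the `deferWhileLocked` flag illustrates one mitigation pattern, postponing marking increments until the structure lock is released. That mitigation is an illustration chosen for this example, not a description of the fix the patch landed.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for the Structure lock. A real non-recursive mutex would block forever at
// step 5; this one reports the reentrant attempt so the deadlock can be observed.
class DetectingLock {
public:
    bool tryLock() { if (held_) return false; held_ = true; return true; }
    void unlock() { held_ = false; }
private:
    bool held_ = false;
};

// Toy Structure: the transition table is written by addNewPropertyTransition and read
// by the GC visitor, so both take the same lock.
struct Structure {
    DetectingLock lock;
    std::vector<std::string> transitions;
    bool marked = false;   // set when the collector pops it off the mark stack (step 4)
    bool visited = false;  // set when visitChildren completed

    // Step 5: visitChildren needs the lock to read the transitions consistently.
    bool visitChildren() {
        if (!lock.tryLock())
            return false;  // the mutator already holds it: this is the deadlock
        visited = true;
        lock.unlock();
        return true;
    }
};

struct Heap {
    enum class Outcome { Ok, WouldDeadlock };
    std::vector<Structure*> markStack;
    unsigned deferDepth = 0;        // >0 while a structure lock is held (mitigation)
    bool incrementPending = false;  // an increment was requested while deferred

    // Steps 3-5: an incremental marking step over whatever is on the mark stack.
    Outcome performIncrement() {
        if (deferDepth) {
            incrementPending = true;  // postpone until the lock is released
            return Outcome::Ok;
        }
        while (!markStack.empty()) {
            Structure* s = markStack.back();
            markStack.pop_back();
            s->marked = true;
            if (!s->visitChildren())
                return Outcome::WouldDeadlock;
        }
        return Outcome::Ok;
    }
};

// Steps 1-2, plus the marking step the mutator triggers while still holding the lock.
// With deferWhileLocked the lock scope counts as a deferral scope and the postponed
// increment runs only after unlock.
Heap::Outcome addNewPropertyTransition(Heap& heap, Structure& s, const std::string& name, bool deferWhileLocked) {
    if (!s.lock.tryLock())
        return Heap::Outcome::WouldDeadlock;
    if (deferWhileLocked)
        ++heap.deferDepth;
    s.transitions.push_back(name);
    Heap::Outcome outcome = heap.performIncrement();  // step 3: allocation wants an increment
    if (deferWhileLocked)
        --heap.deferDepth;
    s.lock.unlock();
    if (outcome == Heap::Outcome::Ok && heap.incrementPending) {
        heap.incrementPending = false;
        outcome = heap.performIncrement();  // lock released: visitChildren can proceed
    }
    return outcome;
}

// Run the scenario with S already on the mark stack; report what happened to S.
Heap::Outcome runScenario(bool deferWhileLocked, bool& markedOut, bool& visitedOut) {
    Heap heap;
    Structure s;
    heap.markStack.push_back(&s);
    Heap::Outcome outcome = addNewPropertyTransition(heap, s, "newProperty", deferWhileLocked);
    markedOut = s.marked;
    visitedOut = s.visited;
    return outcome;
}

int main() {
    bool marked = false, visited = false;
    Heap::Outcome plain = runScenario(false, marked, visited);
    std::printf("no deferral: %s\n", plain == Heap::Outcome::WouldDeadlock ? "would deadlock" : "ok");
    Heap::Outcome deferred = runScenario(true, marked, visited);
    std::printf("deferral: %s, visited=%d\n", deferred == Heap::Outcome::Ok ? "ok" : "would deadlock", visited ? 1 : 0);
    return 0;
}
```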
183
2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue; thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, and Global function from the function constructor etc.), and the tricky thing is that
        the SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using the CodeCache. These fields are effective only if (1) the
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has a sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a very frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from an IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):
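
        An added example of the escaping the entry above asks for, written in C++ and not taken from WebKit's SamplingProfiler code: function names and URLs originate in script, so every one of them passes through the escaper before it is placed inside a JSON string literal. The frame struct and its sample values are constructed; bytes at or above 0x80 are assumed to be valid UTF-8 and are passed through unchanged.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// A sampled stack frame as a profiler might report it (constructed for the example).
struct StackFrame {
    std::string functionName;
    std::string url;
    unsigned line;
};

// Escape one string for use inside a JSON string literal (RFC 8259): the quote, the
// backslash and every control character U+0000..U+001F must be escaped. Without this,
// a quote inside a function name would end the literal early and corrupt the document.
std::string escapeJSONString(const std::string& input) {
    std::string out;
    out.reserve(input.size() + 2);
    for (unsigned char c : input) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;  // remaining control characters as \u00XX
            } else {
                out += static_cast<char>(c);  // printable ASCII and UTF-8 bytes pass through
            }
        }
    }
    return out;
}

// Emit a stack trace as a JSON array of frame objects; only the escaped forms of the
// script-controlled strings are concatenated into the output.
std::string stackTraceAsJSON(const std::vector<StackFrame>& frames) {
    std::string json = "[";
    for (size_t i = 0; i < frames.size(); ++i) {
        if (i)
            json += ",";
        json += "{\"name\":\"" + escapeJSONString(frames[i].functionName)
              + "\",\"url\":\"" + escapeJSONString(frames[i].url)
              + "\",\"line\":" + std::to_string(frames[i].line) + "}";
    }
    return json + "]";
}

int main() {
    // Constructed sample: a function name containing a quote and a newline.
    std::vector<StackFrame> frames = {
        { "outer", "http://example.test/app.js", 10 },
        { "say\"hi\"\n", "http://example.test/lib.js", 42 },
    };
    std::printf("%s\n", stackTraceAsJSON(frames).c_str());
    return 0;
}
```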
475
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer to a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, the Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode).
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

688 2019-02-14  Saam Barati  <sbarati@apple.com>
689
690         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
691         https://bugs.webkit.org/show_bug.cgi?id=194583
692         <rdar://problem/48028140>
693
694         Reviewed by Yusuke Suzuki.
695
696         This patch makes it so that getVariablesUnderTDZ caches a result of
697         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
698         it's called in an environment where there are a lot of variables.
699         This patch makes it so we cache its results. This is profitable when
700         getVariablesUnderTDZ is called repeatedly with the same environment
701         state. This is common since we call this every time we encounter a
702         function definition/expression node.
703
704         * builtins/BuiltinExecutables.cpp:
705         (JSC::BuiltinExecutables::createExecutable):
706         * bytecode/UnlinkedFunctionExecutable.cpp:
707         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
708         * bytecode/UnlinkedFunctionExecutable.h:
709         * bytecompiler/BytecodeGenerator.cpp:
710         (JSC::BytecodeGenerator::popLexicalScopeInternal):
711         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
712         (JSC::BytecodeGenerator::pushTDZVariables):
713         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
714         (JSC::BytecodeGenerator::restoreTDZStack):
715         * bytecompiler/BytecodeGenerator.h:
716         (JSC::BytecodeGenerator::makeFunction):
717         * parser/VariableEnvironment.cpp:
718         (JSC::CompactVariableMap::Handle::Handle):
719         (JSC::CompactVariableMap::Handle::operator=):
720         * parser/VariableEnvironment.h:
721         (JSC::CompactVariableMap::Handle::operator bool const):
722         * runtime/CodeCache.cpp:
723         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
724
725 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
726
727         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
728         https://bugs.webkit.org/show_bug.cgi?id=194659
729
730         Reviewed by Mark Lam.
731
732         Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since these entry point codes are identical.
733         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
734         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
735
736         * dfg/DFGJITCode.h:
737         * dfg/DFGJITFinalizer.cpp:
738         (JSC::DFG::JITFinalizer::finalize):
739         (JSC::DFG::JITFinalizer::finalizeFunction):
740         * jit/JITCode.cpp:
741         (JSC::DirectJITCode::initializeCodeRefForDFG):
742         (JSC::DirectJITCode::initializeCodeRef): Deleted.
743         (JSC::NativeJITCode::initializeCodeRef): Deleted.
744         * jit/JITCode.h:
745         * llint/LLIntEntrypoint.cpp:
746         (JSC::LLInt::setFunctionEntrypoint):
747         (JSC::LLInt::setEvalEntrypoint):
748         (JSC::LLInt::setProgramEntrypoint):
749         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
750
751 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
752
753         [WTF] Add environment variable helpers
754         https://bugs.webkit.org/show_bug.cgi?id=192405
755
756         Reviewed by Michael Catanzaro.
757
758         * inspector/remote/glib/RemoteInspectorGlib.cpp:
759         (Inspector::RemoteInspector::RemoteInspector):
760         (Inspector::RemoteInspector::start):
761         * jsc.cpp:
762         (startTimeoutThreadIfNeeded):
763         * runtime/Options.cpp:
764         (JSC::overrideOptionWithHeuristic):
765         (JSC::Options::overrideAliasedOptionWithHeuristic):
766         (JSC::Options::initialize):
767         * runtime/VM.cpp:
768         (JSC::enableAssembler):
769         (JSC::VM::VM):
770         * tools/CodeProfiling.cpp:
771         (JSC::CodeProfiling::notifyAllocator):
772         Utilize WTF::Environment where possible.
773
774 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
775
776         [JSC] Should have default NativeJITCode
777         https://bugs.webkit.org/show_bug.cgi?id=194634
778
779         Reviewed by Mark Lam.
780
781         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
782         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
783         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
784         allocations, which takes 14KB.
785
786         * runtime/VM.cpp:
787         (JSC::jitCodeForCallTrampoline):
788         (JSC::jitCodeForConstructTrampoline):
789         (JSC::VM::getHostFunction):
790
791 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
792
793         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
794         https://bugs.webkit.org/show_bug.cgi?id=194576
795
796         Reviewed by Saam Barati.
797
798         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
799         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
800
801         * bytecode/UnlinkedFunctionExecutable.cpp:
802         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
803         (JSC::UnlinkedFunctionExecutable::link):
804         * bytecode/UnlinkedFunctionExecutable.h:
805         * runtime/CodeCache.cpp:
806         (JSC::generateUnlinkedCodeBlockForFunctions):
807
808 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
809
810         CachedBitVector's size must be converted from bits to bytes
811         https://bugs.webkit.org/show_bug.cgi?id=194441
812
813         Reviewed by Saam Barati.
814
815         CachedBitVector used its size in bits for memcpy. That didn't cause any
816         issues when encoding, since the size in bits was also used in the allocation,
817         but would overflow the actual BitVector buffer when decoding.
818
819         * runtime/CachedTypes.cpp:
820         (JSC::CachedBitVector::encode):
821         (JSC::CachedBitVector::decode const):
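
        The bits-versus-bytes defect described above, as an added example that is not WebKit's code: a toy bit vector (standing in for BitVector) is encoded and decoded, the length the original decode would have handed to memcpy is exposed beside the corrected byte count, and the fixed decode also rejects a truncated payload, since a cache file is untrusted input.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Bytes needed to hold numBits bits, rounded up to whole bytes.
inline size_t bytesForBits(size_t numBits) { return (numBits + 7) / 8; }

// Toy bit vector (constructed stand-in for WTF::BitVector): the backing
// buffer is sized for the bit count, so copying numBits *bytes* into it
// writes past its end.
struct ToyBitVector {
    size_t numBits;
    std::vector<uint8_t> bytes;
    explicit ToyBitVector(size_t n) : numBits(n), bytes(bytesForBits(n), 0) {}
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
};

// Constructed serialized form: the bit count followed by the packed bytes.
struct EncodedBitVector {
    size_t numBits;
    std::vector<uint8_t> payload;
};

// Encode with the correct byte count.
inline EncodedBitVector encode(const ToyBitVector& bv) {
    EncodedBitVector out;
    out.numBits = bv.numBits;
    out.payload.assign(bv.bytes.begin(), bv.bytes.end());
    return out;
}

// The length the defective decode passed to memcpy: the size in bits.
// Anything above bytesForBits(numBits) overflows the destination buffer.
inline size_t buggyDecodeCopyLength(const EncodedBitVector& e) { return e.numBits; }

// Corrected decode: copy exactly bytesForBits(numBits) bytes, and refuse a
// payload shorter than that instead of reading past the source.
inline bool decode(const EncodedBitVector& e, ToyBitVector& out) {
    const size_t n = bytesForBits(e.numBits);
    if (e.payload.size() < n)
        return false; // truncated input
    out = ToyBitVector(e.numBits);
    if (n)
        std::memcpy(out.bytes.data(), e.payload.data(), n);
    return true;
}
```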
822
823 2019-02-13  Brian Burg  <bburg@apple.com>
824
825         Web Inspector: don't include accessibility role in DOM.Node object payloads
826         https://bugs.webkit.org/show_bug.cgi?id=194623
827         <rdar://problem/36384037>
828
829         Reviewed by Devin Rousso.
830
831         Remove property of DOM.Node that is no longer being sent.
832
833         * inspector/protocol/DOM.json:
834
835 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
836
837         We should only make rope strings when concatenating strings long enough.
838         https://bugs.webkit.org/show_bug.cgi?id=194465
839
840         Reviewed by Mark Lam.
841
842         This patch stops us from allocating a rope string if the resulting
843         rope would be smaller than the size of the JSRopeString object we
844         would need to allocate.
845
846         This patch also adds paths so that we don't unnecessarily allocate
847         JSString cells for primitives we are going to concatenate with a
848         string anyway.
849
850         The important change from the previous one is that we do not apply
851         the above rule to JSRopeStrings generated by JSStrings. If we convert
852         it to JSString, the comparison of memory consumption becomes the following,
853         because JSRopeString does not have a StringImpl until it is resolved.
854
855             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
856
857         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
858         resolving eagerly increases memory footprint. The point is that we need to
859         account for the newly created JSString and JSRopeString from the operands. This is the
860         reason why this patch adds different thresholds for each jsString function.
861
862         This patch also avoids concatenation for ropes conservatively. Many ropes are
863         temporary cells. So we do not resolve eagerly if one of the operands is already a
864         rope.
865
866         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).
867
868             Before: 159.3778
869             After:  160.72340000000003
870
871         * dfg/DFGOperations.cpp:
872         * runtime/CommonSlowPaths.cpp:
873         (JSC::SLOW_PATH_DECL):
874         * runtime/JSString.h:
875         (JSC::JSString::isRope const):
876         * runtime/Operations.cpp:
877         (JSC::jsAddSlowCase):
878         * runtime/Operations.h:
879         (JSC::jsString):
880         (JSC::jsAddNonNumber):
881         (JSC::jsAdd):
882
883 2019-02-13  Saam Barati  <sbarati@apple.com>
884
885         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
886         https://bugs.webkit.org/show_bug.cgi?id=194610
887
888         Reviewed by Michael Saboff.
889
890         BinarySwitch might use the scratch register. We must model the
891         effects of that properly. This is already caught by our br-table
892         tests on arm64.
893
894         * wasm/WasmAirIRGenerator.cpp:
895         (JSC::Wasm::AirIRGenerator::addSwitch):
896
897 2019-02-13  Mark Lam  <mark.lam@apple.com>
898
899         Create a randomized free list for new StructureIDs on StructureIDTable resize.
900         https://bugs.webkit.org/show_bug.cgi?id=194566
901         <rdar://problem/47975502>
902
903         Reviewed by Michael Saboff.
904
905         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
906         implementation is a little easier to read.
907
908         This patch appears to be perf neutral on JetStream2 (as run from the command line).
909
910         * runtime/StructureIDTable.cpp:
911         (JSC::StructureIDTable::StructureIDTable):
912         (JSC::StructureIDTable::makeFreeListFromRange):
913         (JSC::StructureIDTable::resize):
914         (JSC::StructureIDTable::allocateID):
915         (JSC::StructureIDTable::deallocateID):
916         * runtime/StructureIDTable.h:
917         (JSC::StructureIDTable::get):
918         (JSC::StructureIDTable::deallocateID):
919         (JSC::StructureIDTable::allocateID):
920         (JSC::StructureIDTable::flushOldTables):
921
922 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
923
924         VariableLengthObject::allocate<T> should initialize objects
925         https://bugs.webkit.org/show_bug.cgi?id=194534
926
927         Reviewed by Michael Saboff.
928
929         `buffer()` should not be called for empty VariableLengthObjects, but
930         these cases were not being caught due to the objects not being properly
931         initialized. Fix it so that allocate calls the constructor and fix the
932         assertion failures.
933
934         * runtime/CachedTypes.cpp:
935         (JSC::CachedObject::operator new):
936         (JSC::VariableLengthObject::allocate):
937         (JSC::CachedVector::encode):
938         (JSC::CachedVector::decode const):
939         (JSC::CachedUniquedStringImpl::decode const):
940         (JSC::CachedBitVector::encode):
941         (JSC::CachedBitVector::decode const):
942         (JSC::CachedArray::encode):
943         (JSC::CachedArray::decode const):
944         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
945         (JSC::CachedBigInt::decode const):
946
947 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
948
949         CodeBlocks read from disk should not be re-written
950         https://bugs.webkit.org/show_bug.cgi?id=194535
951
952         Reviewed by Michael Saboff.
953
954         Keep track of which CodeBlocks have been read from disk or have already
955         been serialized in CodeCache.
956
957         * runtime/CodeCache.cpp:
958         (JSC::CodeCache::write):
959         * runtime/CodeCache.h:
960         (JSC::SourceCodeValue::SourceCodeValue):
961         (JSC::CodeCacheMap::fetchFromDiskImpl):
962
963 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
964
965         SourceCode should be copied when generating bytecode for functions
966         https://bugs.webkit.org/show_bug.cgi?id=194536
967
968         Reviewed by Saam Barati.
969
970         The FunctionExecutable might be collected while generating the bytecode
971         for nested functions, in which case the SourceCode reference would no
972         longer be valid.
973
974         * runtime/CodeCache.cpp:
975         (JSC::generateUnlinkedCodeBlockForFunctions):
976
977 2019-02-12  Saam barati  <sbarati@apple.com>
978
979         JSScript needs to retain its cache path NSURL*
980         https://bugs.webkit.org/show_bug.cgi?id=194577
981
982         Reviewed by Tim Horton.
983
984         * API/JSScript.mm:
985         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
986         (-[JSScript dealloc]):
987
988 2019-02-12  Robin Morisset  <rmorisset@apple.com>
989
990         Make B3Value::returnsBool() more precise
991         https://bugs.webkit.org/show_bug.cgi?id=194457
992
993         Reviewed by Saam Barati.
994
995         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
996         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
997         No new tests added as this should be indirectly tested by the already existing tests.
998
999         * b3/B3Value.cpp:
1000         (JSC::B3::Value::returnsBool const):
1001
1002 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1003
1004         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1005         https://bugs.webkit.org/show_bug.cgi?id=194399
1006         <rdar://problem/47889777>
1007
1008         * dfg/DFGDoesGC.cpp:
1009         (JSC::DFG::doesGC):
1010
1011 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1012
1013         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1014         https://bugs.webkit.org/show_bug.cgi?id=194370
1015
1016         Reviewed by Darin Adler.
1017
1018         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
1019         necessary, but it will make errors more visible.
1020
1021         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1022         (Inspector::RemoteInspector::start):
1023         (Inspector::dbusConnectionCallAsyncReadyCallback):
1024         * inspector/remote/glib/RemoteInspectorServer.cpp:
1025         (Inspector::RemoteInspectorServer::start):
1026
1027 2019-02-12  Andy Estes  <aestes@apple.com>
1028
1029         [iOSMac] Enable Parental Controls Content Filtering
1030         https://bugs.webkit.org/show_bug.cgi?id=194521
1031         <rdar://39732376>
1032
1033         Reviewed by Tim Horton.
1034
1035         * Configurations/FeatureDefines.xcconfig:
1036
1037 2019-02-11  Mark Lam  <mark.lam@apple.com>
1038
1039         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1040         https://bugs.webkit.org/show_bug.cgi?id=194512
1041         <rdar://problem/47975465>
1042
1043         Reviewed by Yusuke Suzuki.
1044
1045         * runtime/StructureIDTable.cpp:
1046         (JSC::StructureIDTable::StructureIDTable):
1047         (JSC::StructureIDTable::allocateID):
1048         (JSC::StructureIDTable::deallocateID):
1049         * runtime/StructureIDTable.h:
1050
1051 2019-02-10  Mark Lam  <mark.lam@apple.com>
1052
1053         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1054         https://bugs.webkit.org/show_bug.cgi?id=194493
1055         <rdar://problem/36380852>
1056
1057         Reviewed by Yusuke Suzuki.
1058
1059         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1060         however not good for performance and memory usage.  As such, a debug ASSERT will
1061         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1062         possible to be instantiated with duplicate cases in
1063         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1064
1065         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1066         see duplicate cases.
1067
1068         * jit/BinarySwitch.cpp:
1069         (JSC::BinarySwitch::BinarySwitch):
1070
1071 2019-02-10  Darin Adler  <darin@apple.com>
1072
1073         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1074         https://bugs.webkit.org/show_bug.cgi?id=194485
1075
1076         Reviewed by Daniel Bates.
1077
1078         * heap/HeapSnapshotBuilder.cpp:
1079         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1080         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1081
1082         * runtime/JSGlobalObjectFunctions.cpp:
1083         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1084         including one in a call to appendByteAsHex.
1085         (JSC::globalFuncEscape): Ditto.
1086
1087 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1088
1089         Unreviewed, rolling out r241230.
1090         https://bugs.webkit.org/show_bug.cgi?id=194488
1091
1092         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1093         #webkit).
1094
1095         Reverted changeset:
1096
1097         "We should only make rope strings when concatenating strings
1098         long enough."
1099         https://bugs.webkit.org/show_bug.cgi?id=194465
1100         https://trac.webkit.org/changeset/241230
1101
1102 2019-02-10  Saam barati  <sbarati@apple.com>
1103
1104         BBQ-Air: Emit better code for switch
1105         https://bugs.webkit.org/show_bug.cgi?id=194053
1106
1107         Reviewed by Yusuke Suzuki.
1108
1109         Instead of emitting a linear set of jumps for Switch, this patch
1110         makes the BBQ-Air backend emit a binary switch.
1111
1112         * wasm/WasmAirIRGenerator.cpp:
1113         (JSC::Wasm::AirIRGenerator::addSwitch):
1114
1115 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1116
1117         Unreviewed, Lexer should use isLatin1 implementation in WTF
1118         https://bugs.webkit.org/show_bug.cgi?id=194466
1119
1120         Follow-up after r241233, pointed out by Darin.
1121
1122         * parser/Lexer.cpp:
1123         (JSC::isLatin1): Deleted.
1124
1125 2019-02-09  Darin Adler  <darin@apple.com>
1126
1127         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1128         https://bugs.webkit.org/show_bug.cgi?id=194021
1129
1130         Reviewed by Geoffrey Garen.
1131
1132         * inspector/agents/InspectorConsoleAgent.cpp:
1133         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1134         makeString do the conversion without allocating/destroying a String.
1135         * inspector/agents/InspectorDebuggerAgent.cpp:
1136         (Inspector::objectGroupForBreakpointAction): Ditto.
1137         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1138         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1139         * runtime/JSGenericTypedArrayViewInlines.h:
1140         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1141         * runtime/NumberPrototype.cpp:
1142         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1143         of calling numberToFixedWidthString to do the same thing.
1144         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1145         numberToFixedPrecisionString to do the same thing.
1146         * runtime/SamplingProfiler.cpp:
1147         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1148
1149 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1150
1151         Unreviewed, rolling in r241237 again
1152         https://bugs.webkit.org/show_bug.cgi?id=194469
1153
1154         * runtime/JSString.h:
1155         (JSC::jsSubstring):
1156
1157 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1158
1159         Unreviewed, rolling out r241237.
1160         https://bugs.webkit.org/show_bug.cgi?id=194474
1161
1162         Shows significant memory increase in WSL (Requested by
1163         yusukesuzuki on #webkit).
1164
1165         Reverted changeset:
1166
1167         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1168         takes more memory"
1169         https://bugs.webkit.org/show_bug.cgi?id=194469
1170         https://trac.webkit.org/changeset/241237
1171
1172 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1173
1174         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1175         https://bugs.webkit.org/show_bug.cgi?id=194469
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         * runtime/JSString.h:
1180         (JSC::jsSubstring):
1181
1182 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1183
1184         [JSC] CachedTypes should use jsString instead of JSString::create
1185         https://bugs.webkit.org/show_bug.cgi?id=194471
1186
1187         Reviewed by Mark Lam.
1188
1189         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1190
1191         * runtime/CachedTypes.cpp:
1192         (JSC::CachedJSValue::decode const):
1193
1194 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1195
1196         [JSC] Increase StructureIDTable initial capacity
1197         https://bugs.webkit.org/show_bug.cgi?id=194468
1198
1199         Reviewed by Mark Lam.
1200
1201         Currently, the # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1202         the JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1203         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1204         more memory dirty. We also remove some structures that are no longer used.
1205
1206         * runtime/JSGlobalObject.h:
1207         (JSC::JSGlobalObject::callbackObjectStructure const):
1208         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1209         * runtime/StructureIDTable.h:
1210         * runtime/VM.h:
1211
1212 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1213
1214         [JSC] String.fromCharCode's slow path always generates 16bit string
1215         https://bugs.webkit.org/show_bug.cgi?id=194466
1216
1217         Reviewed by Keith Miller.
1218
1219         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1220         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1221         and even worse, taints ropes as 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1222         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1223         a 16bit string. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1224         as much as possible.
1225
1226         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1227
1228         * runtime/StringConstructor.cpp:
1229         (JSC::stringFromCharCode):
1230
1231 2019-02-08  Keith Miller  <keith_miller@apple.com>
1232
1233         We should only make rope strings when concatenating strings long enough.
1234         https://bugs.webkit.org/show_bug.cgi?id=194465
1235
1236         Reviewed by Saam Barati.
1237
1238         This patch stops us from allocating a rope string if the resulting
1239         rope would be smaller than the size of the JSRopeString object we
1240         would need to allocate.
1241
1242         This patch also adds paths so that we don't unnecessarily allocate
1243         JSString cells for primitives we are going to concatenate with a
1244         string anyway.
1245
1246         * dfg/DFGOperations.cpp:
1247         * runtime/CommonSlowPaths.cpp:
1248         (JSC::SLOW_PATH_DECL):
1249         * runtime/JSString.h:
1250         * runtime/Operations.cpp:
1251         (JSC::jsAddSlowCase):
1252         * runtime/Operations.h:
1253         (JSC::jsString):
1254         (JSC::jsAdd):
1255
1256 2019-02-08  Saam barati  <sbarati@apple.com>
1257
1258         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1259         https://bugs.webkit.org/show_bug.cgi?id=194334
1260         <rdar://problem/47844327>
1261
1262         Reviewed by Mark Lam.
1263
1264         * dfg/DFGAbstractInterpreterInlines.h:
1265         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1266         * dfg/DFGArgumentsEliminationPhase.cpp:
1267         * dfg/DFGByteCodeParser.cpp:
1268         (JSC::DFG::ByteCodeParser::parseBlock):
1269         * dfg/DFGClobberize.h:
1270         (JSC::DFG::clobberize):
1271         * dfg/DFGConstantFoldingPhase.cpp:
1272         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1273         * dfg/DFGFixupPhase.cpp:
1274         (JSC::DFG::FixupPhase::fixupNode):
1275         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1276         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1277         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1278         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1279         * dfg/DFGNodeType.h:
1280         * dfg/DFGSSALoweringPhase.cpp:
1281         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1282         * dfg/DFGSpeculativeJIT.cpp:
1283         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1284         * ftl/FTLLowerDFGToB3.cpp:
1285         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1286         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1287
1288 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1289
1290         [JSC] Shrink sizeof(CodeBlock) more
1291         https://bugs.webkit.org/show_bug.cgi?id=194419
1292
1293         Reviewed by Mark Lam.
1294
1295         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1296
1297         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
1298         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1299         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1300
1301         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1302         And we do not touch it in CodeBlock::~CodeBlock.
1303
1304         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1305         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1306         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1307
1308         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1309
1310         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1311
1312         * bytecode/CodeBlock.cpp:
1313         (JSC::CodeBlock::hash const):
1314         (JSC::CodeBlock::sourceCodeForTools const):
1315         (JSC::CodeBlock::dumpAssumingJITType const):
1316         (JSC::CodeBlock::dumpSource):
1317         (JSC::CodeBlock::CodeBlock):
1318         (JSC::CodeBlock::finishCreation):
1319         (JSC::CodeBlock::propagateTransitions):
1320         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1321         (JSC::CodeBlock::setCalleeSaveRegisters):
1322         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1323         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1324         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1325         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1326         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1327         (JSC::CodeBlock::newReplacement):
1328         (JSC::CodeBlock::replacement):
1329         (JSC::CodeBlock::computeCapabilityLevel):
1330         (JSC::CodeBlock::jettison):
1331         (JSC::CodeBlock::calleeSaveRegisters const):
1332         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1333         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1334         (JSC::CodeBlock::getArrayProfile):
1335         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1336         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1337         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1338         (JSC::CodeBlock::validate):
1339         (JSC::CodeBlock::outOfLineJumpTarget):
1340         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1341         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1342         * bytecode/CodeBlock.h:
1343         (JSC::CodeBlock::specializationKind const):
1344         (JSC::CodeBlock::isStrictMode const):
1345         (JSC::CodeBlock::isConstructor const):
1346         (JSC::CodeBlock::codeType const):
1347         (JSC::CodeBlock::isKnownNotImmediate):
1348         (JSC::CodeBlock::instructions const):
1349         (JSC::CodeBlock::ownerExecutable const):
1350         (JSC::CodeBlock::thisRegister const):
1351         (JSC::CodeBlock::source const):
1352         (JSC::CodeBlock::sourceOffset const):
1353         (JSC::CodeBlock::firstLineColumnOffset const):
1354         (JSC::CodeBlock::createRareDataIfNecessary):
1355         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1356         (JSC::CodeBlock::setThisRegister): Deleted.
1357         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1358         * bytecode/EvalCodeBlock.h:
1359         * bytecode/FunctionCodeBlock.h:
1360         * bytecode/GlobalCodeBlock.h:
1361         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1362         * bytecode/ModuleProgramCodeBlock.h:
1363         * bytecode/ProgramCodeBlock.h:
1364         * debugger/Debugger.cpp:
1365         (JSC::Debugger::toggleBreakpoint):
1366         * debugger/DebuggerCallFrame.cpp:
1367         (JSC::DebuggerCallFrame::sourceID const):
1368         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1369         * debugger/DebuggerScope.cpp:
1370         (JSC::DebuggerScope::location const):
1371         * dfg/DFGByteCodeParser.cpp:
1372         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1373         (JSC::DFG::ByteCodeParser::inliningCost):
1374         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1375         * dfg/DFGCapabilities.cpp:
1376         (JSC::DFG::isSupportedForInlining):
1377         (JSC::DFG::mightCompileEval):
1378         (JSC::DFG::mightCompileProgram):
1379         (JSC::DFG::mightCompileFunctionForCall):
1380         (JSC::DFG::mightCompileFunctionForConstruct):
1381         (JSC::DFG::canUseOSRExitFuzzing):
1382         * dfg/DFGGraph.h:
1383         (JSC::DFG::Graph::executableFor):
1384         * dfg/DFGJITCompiler.cpp:
1385         (JSC::DFG::JITCompiler::compileFunction):
1386         * dfg/DFGOSREntry.cpp:
1387         (JSC::DFG::prepareOSREntry):
1388         * dfg/DFGOSRExit.cpp:
1389         (JSC::DFG::restoreCalleeSavesFor):
1390         (JSC::DFG::saveCalleeSavesFor):
1391         (JSC::DFG::saveOrCopyCalleeSavesFor):
1392         * dfg/DFGOSRExitCompilerCommon.cpp:
1393         (JSC::DFG::handleExitCounts):
1394         * dfg/DFGOperations.cpp:
1395         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1396         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1397         * ftl/FTLCapabilities.cpp:
1398         (JSC::FTL::canCompile):
1399         * ftl/FTLLink.cpp:
1400         (JSC::FTL::link):
1401         * ftl/FTLOSRExitCompiler.cpp:
1402         (JSC::FTL::compileStub):
1403         * interpreter/CallFrame.cpp:
1404         (JSC::CallFrame::callerSourceOrigin):
1405         * interpreter/Interpreter.cpp:
1406         (JSC::eval):
1407         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1408         * interpreter/StackVisitor.cpp:
1409         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1410         (JSC::StackVisitor::Frame::sourceURL const):
1411         (JSC::StackVisitor::Frame::sourceID):
1412         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1413         * interpreter/StackVisitor.h:
1414         * jit/AssemblyHelpers.h:
1415         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1416         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1417         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1418         * jit/CallFrameShuffleData.cpp:
1419         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1420         * jit/JIT.cpp:
1421         (JSC::JIT::compileWithoutLinking):
1422         * jit/JITToDFGDeferredCompilationCallback.cpp:
1423         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1424         * jit/JITWorklist.cpp:
1425         (JSC::JITWorklist::Plan::finalize):
1426         (JSC::JITWorklist::compileNow):
1427         * jit/RegisterAtOffsetList.cpp:
1428         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1429         * jit/RegisterAtOffsetList.h:
1430         (JSC::RegisterAtOffsetList::at const):
1431         * runtime/ErrorInstance.cpp:
1432         (JSC::appendSourceToError):
1433         * runtime/ScriptExecutable.cpp:
1434         (JSC::ScriptExecutable::newCodeBlockFor):
1435         * runtime/StackFrame.cpp:
1436         (JSC::StackFrame::sourceID const):
1437         (JSC::StackFrame::sourceURL const):
1438         (JSC::StackFrame::computeLineAndColumn const):
1439
1440 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1441
1442         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1443         https://bugs.webkit.org/show_bug.cgi?id=194460
1444
1445         Reviewed by Mark Lam.
1446
1447         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1448
1449         * b3/B3LowerMacros.cpp:
1450
1451 2019-02-08  Mark Lam  <mark.lam@apple.com>
1452
1453         Use maxSingleCharacterString in comparisons instead of literal constants.
1454         https://bugs.webkit.org/show_bug.cgi?id=194452
1455
1456         Reviewed by Yusuke Suzuki.
1457
1458         This way, if we ever change maxSingleCharacterString, it won't break all this code
1459         that relies on it being 0xff implicitly.
1460
1461         * dfg/DFGSpeculativeJIT.cpp:
1462         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1463         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1464         * ftl/FTLLowerDFGToB3.cpp:
1465         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1466         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1467         * jit/ThunkGenerators.cpp:
1468         (JSC::stringGetByValGenerator):
1469         (JSC::charToString):
1470
1471 2019-02-08  Mark Lam  <mark.lam@apple.com>
1472
1473         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1474         https://bugs.webkit.org/show_bug.cgi?id=194446
1475         <rdar://problem/47926792>
1476
1477         Reviewed by Saam Barati.
1478
1479         Fix doesGC() for the following nodes:
1480
1481             CheckTierUpAtReturn:
1482                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1483                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1484
1485             CheckTierUpInLoop:
1486                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1487                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1488
1489             CheckTierUpAndOSREnter:
1490                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1491                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1492
1493             GetByVal:
1494                 case Array::String calls operationSingleCharacterString(), which calls
1495                 jsSingleCharacterString(), which can allocate a string.
1496
1497             PutByValDirect:
1498             PutByVal:
1499             PutByValAlias:
1500         For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1501                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1502                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1503                 slow paths call putByValInternal(), which may create exception objects, or
1504                 call the generic JSValue::put() which may execute arbitrary code.
1505
1506             StringCharAt:
1507                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1508                 which can allocate a string.
1509
1510         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1511         to use the maxSingleCharacterString constant instead of a literal constant.
1512
1513         * dfg/DFGDoesGC.cpp:
1514         (JSC::DFG::doesGC):
1515         * dfg/DFGSpeculativeJIT.cpp:
1516         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1517         * dfg/DFGSpeculativeJIT64.cpp:
1518         (JSC::DFG::SpeculativeJIT::compile):
1519         * ftl/FTLLowerDFGToB3.cpp:
1520         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1521         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1522         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1523
1524 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1525
1526         [JSC] SourceProviderCacheItem should be small
1527         https://bugs.webkit.org/show_bug.cgi?id=194432
1528
1529         Reviewed by Saam Barati.
1530
1531         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1532         While they are removed when a full GC happens, they significantly increase the peak memory usage.
1533         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1534
1535         * parser/Parser.cpp:
1536         (JSC::Parser<LexerType>::parseFunctionInfo):
1537         * parser/ParserModes.h:
1538         * parser/ParserTokens.h:
1539         * parser/SourceProviderCacheItem.h:
1540         (JSC::SourceProviderCacheItem::endFunctionToken const):
1541         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1542
1543 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1544
1545         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1546         https://bugs.webkit.org/show_bug.cgi?id=194420
1547
1548         Reviewed by Saam Barati.
1549
1550         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1551         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1552         This trivial patch fixes both.
1553
1554         * b3/B3ReduceStrength.cpp:
1555         * b3/testb3.cpp:
1556         (JSC::B3::testAbsNegArg):
1557
1558 2019-02-07  Keith Miller  <keith_miller@apple.com>
1559
1560         Better error messages for module loader SPI
1561         https://bugs.webkit.org/show_bug.cgi?id=194421
1562
1563         Reviewed by Saam Barati.
1564
1565         * API/JSAPIGlobalObject.mm:
1566         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1567
1568 2019-02-07  Mark Lam  <mark.lam@apple.com>
1569
1570         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1571         https://bugs.webkit.org/show_bug.cgi?id=194399
1572         <rdar://problem/47889777>
1573
1574         Reviewed by Yusuke Suzuki.
1575
1576         Fix doesGC() for the following nodes:
1577
1578             CheckTraps:
1579                 We normally will not emit this node because Options::usePollingTraps() is
1580                 false by default.  However, as it is implemented now, CheckTraps can GC
1581                 because it can allocate a TerminatedExecutionException.  If we make the
1582                 TerminatedExecutionException a singleton allocated at initialization time,
1583                 doesGC() can return false for CheckTraps.
1584                 https://bugs.webkit.org/show_bug.cgi?id=194323
1585
1586             GetMapBucket:
1587                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1588                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1589                 can resolve a rope.
1590
1591             Switch:
1592                 If switchData kind is SwitchChar, can call operationResolveRope().
1593                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1594                     can call operationSwitchString() which resolves ropes.
1595
1596             DirectTailCall:
1597             ForceOSRExit:
1598             Return:
1599             TailCallForwardVarargs:
1600             TailCallVarargs:
1601             Throw:
1602                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1603                 for them, but following our conservative practice, unless we have a good
1604                 reason for doesGC() to return false, we should just return true.
1605
1606         * dfg/DFGDoesGC.cpp:
1607         (JSC::DFG::doesGC):
1608
1609 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1610
1611         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1612         https://bugs.webkit.org/show_bug.cgi?id=194250
1613
1614         Reviewed by Saam Barati.
1615
1616         Adds the following optimizations for integers:
1617         - Sub(x, x) => 0
1618             Already covered by the test testSubArg
1619         - Sub(x1, Neg(x2)) => Add (x1, x2)
1620             Added test: testSubNeg
1621         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1622             Added test: testNegSub
1623         - Add(Neg(x1), x2) => Sub(x2, x1)
1624             Added test: testAddNeg1
1625         - Add(x1, Neg(x2)) => Sub(x1, x2)
1626             Added test: testAddNeg2
1627         Adds the following optimization for floating point values:
1628         - Abs(Neg(x)) => Abs(x)
1629             Added test: testAbsNegArg
1630             Adds the following optimization:
1631
1632         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value(..))
1633
1634         * b3/B3ReduceStrength.cpp:
1635         * b3/testb3.cpp:
1636         (JSC::B3::testAddNeg1):
1637         (JSC::B3::testAddNeg2):
1638         (JSC::B3::testSubNeg):
1639         (JSC::B3::testNegSub):
1640         (JSC::B3::testAbsAbsArg):
1641         (JSC::B3::testAbsNegArg):
1642         (JSC::B3::run):
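
The rewrites listed in this entry, together with the Abs(Neg(x)) -> Abs(x) mistake described in the r194420 entry above (the rule was implemented as Abs(Neg(x)) -> x), as an added C++ example that is not part of WebKit or of B3: a toy expression tree with one bottom-up peephole pass, plus an evaluator that checks a rewritten tree against the original at a concrete argument value, which is the check a test like testAbsNegArg needs in order to catch that bug. The tree type, `reduce`, `eval`, `reductionPreservesValue` and `absNeg` are invented for the example; B3's real IR and ReduceStrength API are different.

```cpp
#include <cassert>
#include <cmath>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Illustrative expression tree standing in for B3 values (assumption: this is
// not B3's IR or API; all names here are invented for the example).
enum class Op { Const, Arg, Neg, Sub, Add, Abs };
enum class Type { Int64, Double };

struct Value;
using V = std::shared_ptr<Value>;

struct Value {
    Op op;
    Type type;
    double constant = 0;  // payload for Const
    std::string name;     // payload for Arg
    V a, b;               // children
};

static V mk(Op op, Type t, V a = nullptr, V b = nullptr) {
    auto v = std::make_shared<Value>();
    v->op = op; v->type = t; v->a = a; v->b = b;
    return v;
}
static V constant(Type t, double c) { V v = mk(Op::Const, t); v->constant = c; return v; }
static V arg(Type t, const std::string& n) { V v = mk(Op::Arg, t); v->name = n; return v; }

// Evaluate a tree for the given argument values; used to check that a rewrite
// preserved meaning.
static double eval(const V& v, const std::map<std::string, double>& env) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg:   return env.at(v->name);
    case Op::Neg:   return -eval(v->a, env);
    case Op::Sub:   return eval(v->a, env) - eval(v->b, env);
    case Op::Add:   return eval(v->a, env) + eval(v->b, env);
    case Op::Abs:   return std::fabs(eval(v->a, env));
    }
    return 0;
}

// One bottom-up pass over the peepholes listed in the r194250 entry. The
// integer rules are gated on Int64 and the Abs rule on Double, as the entry
// describes. buggyAbsNeg reproduces the mistake fixed in r194420: Abs(Neg(x)) -> x.
static V reduce(V v, bool& changed, bool buggyAbsNeg = false) {
    if (v->a) v->a = reduce(v->a, changed, buggyAbsNeg);
    if (v->b) v->b = reduce(v->b, changed, buggyAbsNeg);
    const bool isInt = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        if (isInt && v->a == v->b) { changed = true; return constant(v->type, 0); }                       // Sub(x, x) => 0
        if (isInt && v->b->op == Op::Neg) { changed = true; return mk(Op::Add, v->type, v->a, v->b->a); }  // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInt && v->a->op == Op::Sub) { changed = true; return mk(Op::Sub, v->type, v->a->b, v->a->a); } // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInt && v->a->op == Op::Neg) { changed = true; return mk(Op::Sub, v->type, v->b, v->a->a); }  // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && v->b->op == Op::Neg) { changed = true; return mk(Op::Sub, v->type, v->a, v->b->a); }  // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (!isInt && v->a->op == Op::Neg) {
            changed = true;
            return buggyAbsNeg ? v->a->a : mk(Op::Abs, v->type, v->a->a);                                  // Abs(Neg(x)) => Abs(x)
        }
        break;
    default:
        break;
    }
    return v;
}

// True when the pass fired on `v` and the rewritten tree evaluates to the same
// value as the original at `env`. With x = -3, Abs(Neg(x)) is 3, but the buggy
// rewrite yields x itself, i.e. -3, so this check exposes it.
static bool reductionPreservesValue(V v, const std::map<std::string, double>& env, bool buggyAbsNeg) {
    const double before = eval(v, env);
    bool changed = false;
    V after = reduce(v, changed, buggyAbsNeg);
    return changed && eval(after, env) == before;
}

static V absNeg(V x) { return mk(Op::Abs, Type::Double, mk(Op::Neg, Type::Double, x)); }

int main() {
    std::map<std::string, double> env{{"x", -3.0}};
    std::printf("correct Abs(Neg(x)) rewrite preserves value: %d\n",
                reductionPreservesValue(absNeg(arg(Type::Double, "x")), env, false));
    std::printf("buggy   Abs(Neg(x)) rewrite preserves value: %d\n",
                reductionPreservesValue(absNeg(arg(Type::Double, "x")), env, true));
    return 0;
}
```

Sub(x, x) is matched by identity of the two children, as B3 compares values by identity rather than structurally; a fresh tree is built for each check because the pass rewrites children in place.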
1643
1644 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1645
1646         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1647         https://bugs.webkit.org/show_bug.cgi?id=194374
1648
1649         Reviewed by Geoffrey Garen.
1650
1651         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1652         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1653         is more memory efficient.
1654
1655         * runtime/SmallStrings.cpp:
1656         (JSC::SmallStringsStorage::SmallStringsStorage):
1657         (JSC::SmallStrings::SmallStrings):
1658         * runtime/SmallStrings.h:
1659
1660 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1661
1662         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1663         https://bugs.webkit.org/show_bug.cgi?id=194369
1664         <rdar://problem/47813087>
1665
1666         Reviewed by Saam Barati.
1667
1668         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But the value can actually be
1669         JSEmpty if it is in the TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1670         constant folding phase.
1671
1672         * dfg/DFGAbstractInterpreterInlines.h:
1673         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1674
1675 2019-02-06  Devin Rousso  <drousso@apple.com>
1676
1677         Web Inspector: DOM: don't send the entire function string with each event listener
1678         https://bugs.webkit.org/show_bug.cgi?id=194293
1679         <rdar://problem/47822809>
1680
1681         Reviewed by Joseph Pecoraro.
1682
1683         * inspector/protocol/DOM.json:
1684
1685         * runtime/JSFunction.h:
1686         Export `calculatedDisplayName`.
1687
1688 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1689
1690         [JSC] PrivateName to PublicName hash table is wasteful
1691         https://bugs.webkit.org/show_bug.cgi?id=194277
1692
1693         Reviewed by Michael Saboff.
1694
1695         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames has Identifier fields corresponding to these PrivateNames,
1696         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1697         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1698         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1699
1700         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1701
1702         1. A PrivateName's content should be the same as its PublicName.
1703         2. If a PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1704            the public name should be easily crafted from the given PrivateName.
1705
1706         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1707         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1708
1709         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1710         WebCore.
1711
1712         * builtins/BuiltinNames.cpp:
1713         (JSC::BuiltinNames::BuiltinNames):
1714         * builtins/BuiltinNames.h:
1715         (JSC::BuiltinNames::lookUpPrivateName const):
1716         (JSC::BuiltinNames::getPublicName const):
1717         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1718         (JSC::BuiltinNames::appendExternalName):
1719         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1720         * builtins/BuiltinUtils.h:
1721         * bytecode/BytecodeDumper.cpp:
1722         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1723         * bytecompiler/NodesCodegen.cpp:
1724         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1725         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1726         * parser/Lexer.cpp:
1727         (JSC::Lexer<LChar>::parseIdentifier):
1728         (JSC::Lexer<UChar>::parseIdentifier):
1729         * parser/Parser.cpp:
1730         (JSC::Parser<LexerType>::createGeneratorParameters):
1731         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1732         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1733         (JSC::Parser<LexerType>::parseClassDeclaration):
1734         (JSC::Parser<LexerType>::parseExportDeclaration):
1735         (JSC::Parser<LexerType>::parseMemberExpression):
1736         * parser/ParserArena.h:
1737         (JSC::IdentifierArena::makeIdentifier):
1738         * runtime/CachedTypes.cpp:
1739         (JSC::CachedUniquedStringImpl::encode):
1740         (JSC::CachedUniquedStringImpl::decode const):
1741         * runtime/CommonIdentifiers.cpp:
1742         (JSC::CommonIdentifiers::CommonIdentifiers):
1743         (JSC::CommonIdentifiers::lookUpPrivateName const):
1744         (JSC::CommonIdentifiers::getPublicName const):
1745         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1746         * runtime/CommonIdentifiers.h:
1747         * runtime/ExceptionHelpers.cpp:
1748         (JSC::createUndefinedVariableError):
1749         * runtime/Identifier.cpp:
1750         (JSC::Identifier::dump const):
1751         * runtime/Identifier.h:
1752         * runtime/IdentifierInlines.h:
1753         (JSC::Identifier::fromUid):
1754         * runtime/JSTypedArrayViewPrototype.cpp:
1755         (JSC::JSTypedArrayViewPrototype::finishCreation):
1756         * tools/JSDollarVM.cpp:
1757         (JSC::functionGetPrivateProperty):
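
An added C++ example (not JSC's BuiltinNames or CommonIdentifiers code) modelling rules (1) and (2) from this entry: the retained forward table maps the key lexed after '@' to its private name, and the public spelling is derived from that key by the "xxxSymbol" -> "Symbol.xxx" rule alone, with no reverse table. A consistency check in the spirit of checkPublicToPrivateMapConsistency shows the caveat the rule implies: an ordinary private name whose key ends in "Symbol" would be mis-derived, so the check rejects it. `PrivateName`, `BuiltinNameTable` and `publicNameFor` are names assumed for this illustration.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <unordered_map>

// Hypothetical model of a private name (assumption: not JSC's Identifier/Symbol types).
struct PrivateName {
    std::string content;     // rule (1): equals the public name for ordinary private names
    bool isWellKnownSymbol;  // "@xxxSymbol" entries stand for the well-known symbol Symbol.xxx
};

// Rule (2): derive the public spelling from the lookup key without a reverse
// hash table. "xxxSymbol" becomes "Symbol.xxx"; any other key is its own public name.
static std::string publicNameFor(const std::string& key) {
    static const std::string suffix = "Symbol";
    if (key.size() > suffix.size()
        && key.compare(key.size() - suffix.size(), suffix.size(), suffix) == 0)
        return "Symbol." + key.substr(0, key.size() - suffix.size());
    return key;
}

// The one table that is kept: "PublicName to PrivateName", keyed by what the
// lexer sees after '@' in builtin JS.
class BuiltinNameTable {
public:
    void addPrivateName(const std::string& key) {
        m_publicToPrivate[key] = PrivateName{key, false};            // content == public name, rule (1)
    }
    void addWellKnownSymbol(const std::string& name) {
        m_publicToPrivate[name + "Symbol"] = PrivateName{"Symbol." + name, true};
    }
    const PrivateName* lookUpPrivateName(const std::string& key) const {
        auto it = m_publicToPrivate.find(key);
        return it == m_publicToPrivate.end() ? nullptr : &it->second;
    }
    // Every entry's public spelling must be recoverable from its key by
    // rule (2) alone; otherwise dropping the reverse table would lose information.
    bool checkConsistency() const {
        for (const auto& entry : m_publicToPrivate) {
            if (publicNameFor(entry.first) != entry.second.content)
                return false;
        }
        return true;
    }
private:
    std::unordered_map<std::string, PrivateName> m_publicToPrivate;
};

int main() {
    BuiltinNameTable table;
    table.addPrivateName("xxx");           // constructed sample key
    table.addWellKnownSymbol("iterator");  // "@iteratorSymbol" => Symbol.iterator
    std::printf("%s -> %s\n", "iteratorSymbol", publicNameFor("iteratorSymbol").c_str());
    std::printf("consistent: %d\n", table.checkConsistency());
    return 0;
}
```

The check is the safeguard for the convention: as long as every key added to the table satisfies it, getPublicName needs only the string rule, which is why the 16KB reverse table can go.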
1758
1759 2019-02-06  Keith Rollin  <krollin@apple.com>
1760
1761         Really enable the automatic checking and regenerations of .xcfilelists during builds
1762         https://bugs.webkit.org/show_bug.cgi?id=194357
1763         <rdar://problem/47861231>
1764
1765         Reviewed by Chris Dumez.
1766
1767         Bug 194124 was supposed to enable the automatic checking and
1768         regenerating of .xcfilelist files during the build. While related
1769         changes were included in that patch, the change to actually enable the
1770         operation somehow was omitted. This patch actually enables the
1771         operation. The check-xcfilelist.sh scripts now check
1772         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts the developer out
1773         of the checking.
1774
1775         * Scripts/check-xcfilelists.sh:
1776
1777 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1778
1779         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1780         https://bugs.webkit.org/show_bug.cgi?id=194339
1781
1782         Reviewed by Michael Saboff.
1783
1784         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1785         They even have the same structure. This patch unifies the subspaces for them.
1786
1787         * runtime/DirectEvalExecutable.h:
1788         * runtime/EvalExecutable.h:
1789         (JSC::EvalExecutable::subspaceFor):
1790         * runtime/IndirectEvalExecutable.h:
1791         * runtime/VM.cpp:
1792         * runtime/VM.h:
1793         (JSC::VM::forEachScriptExecutableSpace):
1794
1795 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1796
1797         [JSC] NativeExecutable should be smaller
1798         https://bugs.webkit.org/show_bug.cgi?id=194331
1799
1800         Reviewed by Michael Saboff.
1801
1802         NativeExecutable takes 88 bytes now. Since our GC rounds sizes up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1803         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1804         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1805         only takes one MarkedBlock for NativeExecutable.
1806
1807         To make NativeExecutable smaller,
1808
1809         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1810            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1811
1812         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1813            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1814            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1815
1816         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding where we can put things, we can leverage this to put the
1817            Intrinsic for NativeExecutable.
1818
1819         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1820
1821         * CMakeLists.txt:
1822         * JavaScriptCore.xcodeproj/project.pbxproj:
1823         * bytecode/CallVariant.h:
1824         * interpreter/Interpreter.cpp:
1825         * jit/JITCode.cpp:
1826         (JSC::DirectJITCode::DirectJITCode):
1827         (JSC::NativeJITCode::NativeJITCode):
1828         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1829         * jit/JITCode.h:
1830         (JSC::JITCode::signature const):
1831         (JSC::JITCode::intrinsic):
1832         * jit/JITOperations.cpp:
1833         * jit/JITThunks.cpp:
1834         (JSC::JITThunks::hostFunctionStub):
1835         * jit/Repatch.cpp:
1836         * llint/LLIntSlowPaths.cpp:
1837         * runtime/ExecutableBase.cpp:
1838         (JSC::ExecutableBase::dump const):
1839         (JSC::ExecutableBase::hashFor const):
1840         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1841         (JSC::ExecutableBase::clearCode): Deleted.
1842         * runtime/ExecutableBase.h:
1843         (JSC::ExecutableBase::ExecutableBase):
1844         (JSC::ExecutableBase::isModuleProgramExecutable):
1845         (JSC::ExecutableBase::isHostFunction const):
1846         (JSC::ExecutableBase::generatedJITCodeForCall const):
1847         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1848         (JSC::ExecutableBase::generatedJITCodeFor const):
1849         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1850         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1851         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1852         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1853         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1854         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1855         (JSC::ExecutableBase::intrinsic const): Deleted.
1856         * runtime/ExecutableBaseInlines.h: Added.
1857         (JSC::ExecutableBase::intrinsic const):
1858         (JSC::ExecutableBase::hasJITCodeForCall const):
1859         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1860         * runtime/JSBoundFunction.cpp:
1861         * runtime/JSType.cpp:
1862         (WTF::printInternal):
1863         * runtime/JSType.h:
1864         * runtime/NativeExecutable.cpp:
1865         (JSC::NativeExecutable::create):
1866         (JSC::NativeExecutable::createStructure):
1867         (JSC::NativeExecutable::NativeExecutable):
1868         (JSC::NativeExecutable::signatureFor const):
1869         (JSC::NativeExecutable::intrinsic const):
1870         * runtime/NativeExecutable.h:
1871         * runtime/ScriptExecutable.cpp:
1872         (JSC::ScriptExecutable::ScriptExecutable):
1873         (JSC::ScriptExecutable::clearCode):
1874         (JSC::ScriptExecutable::installCode):
1875         (JSC::ScriptExecutable::hasClearableCode const):
1876         * runtime/ScriptExecutable.h:
1877         (JSC::ScriptExecutable::intrinsic const):
1878         (JSC::ScriptExecutable::hasJITCodeForCall const):
1879         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1880         * runtime/VM.cpp:
1881         (JSC::VM::getHostFunction):
1882
1883 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1884
1885         Build failure after r240431
1886         https://bugs.webkit.org/show_bug.cgi?id=194330
1887
1888         Reviewed by Žan Doberšek.
1889
1890         * API/glib/JSCOptions.cpp:
1891
1892 2019-02-05  Mark Lam  <mark.lam@apple.com>
1893
1894         Fix DFG's doesGC() for a few more nodes.
1895         https://bugs.webkit.org/show_bug.cgi?id=194307
1896         <rdar://problem/47832956>
1897
1898         Reviewed by Yusuke Suzuki.
1899
1900         Fix doesGC() for the following nodes:
1901
1902             NumberToStringWithValidRadixConstant:
1903                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1904                 which can allocate a string.
1905                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1906                 which can allocate a string.
1907                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1908                 which can allocate a string.
1909
1910             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1911                 memory for all kinds of objects.
1912             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1913                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1914                 these allocate memory for the match result.
1915             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1916                 calls RegExpObject's collectMatches(), which allocates an array amongst
1917                 other objects.
1918
1919             StringFromCharCode:
1920                 If the uint32 code to convert is greater than maxSingleCharacterString,
1921                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1922                 which allocates a new string if the code is greater than maxSingleCharacterString.
1923
1924         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1925         to use maxSingleCharacterString instead of a literal constant.
1926
1927         * dfg/DFGDoesGC.cpp:
1928         (JSC::DFG::doesGC):
1929         * dfg/DFGSpeculativeJIT.cpp:
1930         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1931         * ftl/FTLLowerDFGToB3.cpp:
1932         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1933
1934 2019-02-05  Keith Rollin  <krollin@apple.com>
1935
1936         Enable the automatic checking and regenerations of .xcfilelists during builds
1937         https://bugs.webkit.org/show_bug.cgi?id=194124
1938         <rdar://problem/47721277>
1939
1940         Reviewed by Tim Horton.
1941
1942         Bug 193790 added a facility for checking -- during build time -- that
1943         any needed .xcfilelist files are up-to-date and for updating them if
1944         they are not. This facility was initially opt-in by setting
1945         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1946         the process seemed robust. It's now time to enable this facility and
1947         make it opt-out. If there is a need to disable this facility, set and
1948         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1949         running `make` or `build-webkit`, or before running Xcode from the
1950         command line.
1951
1952         Additionally, remove the step that generates a list of source files
1953         going into the UnifiedSources build step. It's only necessary to
1954         specify Sources.txt and SourcesCocoa.txt as inputs.
1955
1956         * JavaScriptCore.xcodeproj/project.pbxproj:
1957         * UnifiedSources-input.xcfilelist: Removed.
1958
1959 2019-02-05  Keith Rollin  <krollin@apple.com>
1960
1961         Update .xcfilelist files
1962         https://bugs.webkit.org/show_bug.cgi?id=194121
1963         <rdar://problem/47720863>
1964
1965         Reviewed by Tim Horton.
1966
1967         Preparatory to enabling the facility for automatically updating the
1968         .xcfilelist files, check in a freshly-updated set so that not everyone
1969         runs up against having to regenerate them themselves.
1970
1971         * DerivedSources-input.xcfilelist:
1972         * DerivedSources-output.xcfilelist:
1973
1974 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1975
1976         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1977         https://bugs.webkit.org/show_bug.cgi?id=185557
1978
1979         Reviewed by Mark Lam.
1980
1981         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1982         where n is the number of characters in the formatted string.
1983         It may be less memory efficient than the previous impl, since the intermediate Vector
1984         is the length of the string, instead of the count of the fields.
1985
1986         * runtime/IntlNumberFormat.cpp:
1987         (JSC::IntlNumberFormat::formatToParts):
1988         * runtime/IntlNumberFormat.h:
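
The linear-pass shape this entry describes, as an added C++ example that is not the IntlNumberFormat implementation: a per-character marks vector the length of the formatted string is filled from the (begin, end, type) fields, then runs of equal marks are coalesced into parts. The `Field`/`Part` types are assumed for the example and the sample fields for "1,234.5" are constructed by hand; in JSC the fields come from ICU.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// A field reported by the number formatter over the formatted string, as a
// half-open range [begin, end) with its part type (assumption: illustrative
// types, not JSC's or ICU's).
struct Field { std::string type; size_t begin; size_t end; };
struct Part  { std::string type; std::string value; };

// Mark every character with the narrowest field covering it, then coalesce
// runs of equal marks into parts. The marks vector is the length of the
// string (the memory cost the entry mentions); with shallow field nesting the
// marking loop touches each character only a few times, so the pass is
// effectively O(n) in the string length.
static std::vector<Part> formatToParts(const std::string& formatted, const std::vector<Field>& fields) {
    std::vector<const Field*> marks(formatted.size(), nullptr);  // nullptr == literal text
    for (const Field& f : fields) {
        for (size_t i = f.begin; i < f.end && i < formatted.size(); ++i) {
            const Field* cur = marks[i];
            // A narrower field nested inside a wider one (e.g. "group" inside
            // "integer") wins, so "1,234" splits into integer/group/integer.
            if (!cur || (f.end - f.begin) < (cur->end - cur->begin))
                marks[i] = &f;
        }
    }
    std::vector<Part> parts;
    for (size_t i = 0; i < formatted.size();) {
        const Field* f = marks[i];
        size_t j = i + 1;
        while (j < formatted.size() && marks[j] == f) ++j;  // extend the run of one field
        parts.push_back({f ? f->type : "literal", formatted.substr(i, j - i)});
        i = j;
    }
    return parts;
}

int main() {
    // Constructed sample: "1,234.5" with the integer field spanning the whole
    // "1,234" and the group separator nested inside it.
    const std::vector<Field> fields = {
        {"integer", 0, 5}, {"group", 1, 2}, {"decimal", 5, 6}, {"fraction", 6, 7}};
    for (const Part& p : formatToParts("1,234.5", fields))
        std::printf("%-8s \"%s\"\n", p.type.c_str(), p.value.c_str());
    return 0;
}
```

Characters no field claims come out as "literal" parts, and a run is broken only when the covering field changes, so an integer split by a group separator yields two integer parts rather than one.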
1989
1990 2019-02-05  Mark Lam  <mark.lam@apple.com>
1991
1992         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1993         https://bugs.webkit.org/show_bug.cgi?id=194298
1994         <rdar://problem/47827555>
1995
1996         Reviewed by Saam Barati.
1997
1998         We do this for 3 reasons:
1999         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2000         2. If things change in the future where clobberize() no longer reports these nodes
2001            as write(Heap), each node should be vetted first to make sure that it can never
2002            GC before being moved back to the doesGC() list that returns false.
2003         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2004            correct in its claims about the nodes' GCing possibility.
2005
2006         The list of nodes moved are:
2007
2008             ArrayPush
2009             ArrayPop
2010             Call
2011             CallEval
2012             CallForwardVarargs
2013             CallVarargs
2014             Construct
2015             ConstructForwardVarargs
2016             ConstructVarargs
2017             DefineDataProperty
2018             DefineAccessorProperty
2019             DeleteById
2020             DeleteByVal
2021             DirectCall
2022             DirectConstruct
2023             DirectTailCallInlinedCaller
2024             GetById
2025             GetByIdDirect
2026             GetByIdDirectFlush
2027             GetByIdFlush
2028             GetByIdWithThis
2029             GetByValWithThis
2030             GetDirectPname
2031             GetDynamicVar
2032             HasGenericProperty
2033             HasOwnProperty
2034             HasStructureProperty
2035             InById
2036             InByVal
2037             InstanceOf
2038             InstanceOfCustom
2039             LoadVarargs
2040             NumberToStringWithRadix
2041             PutById
2042             PutByIdDirect
2043             PutByIdFlush
2044             PutByIdWithThis
2045             PutByOffset
2046             PutByValWithThis
2047             PutDynamicVar
2048             PutGetterById
2049             PutGetterByVal
2050             PutGetterSetterById
2051             PutSetterById
2052             PutSetterByVal
2053             PutStack
2054             PutToArguments
2055             RegExpExec
2056             RegExpTest
2057             ResolveScope
2058             ResolveScopeForHoistingFuncDeclInEval
2059             TailCall
2060             TailCallForwardVarargsInlinedCaller
2061             TailCallInlinedCaller
2062             TailCallVarargsInlinedCaller
2063             ToNumber
2064             ToPrimitive
2065             ValueNegate
2066
2067         * dfg/DFGDoesGC.cpp:
2068         (JSC::DFG::doesGC):
2069
2070 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2071
2072         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2073         https://bugs.webkit.org/show_bug.cgi?id=194281
2074
2075         Reviewed by Michael Saboff.
2076
2077         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2078         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2079
2080         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2081         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2082         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
2083
2084         * bytecode/CodeBlock.cpp:
2085         (JSC::CodeBlock::finishCreation):
2086         * bytecode/CodeBlock.h:
2087         (JSC::CodeBlock::bitVectors const): Deleted.
2088         * bytecode/CodeType.h:
2089         * bytecode/UnlinkedCodeBlock.cpp:
2090         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2091         (JSC::UnlinkedCodeBlock::shrinkToFit):
2092         * bytecode/UnlinkedCodeBlock.h:
2093         (JSC::UnlinkedCodeBlock::bitVector):
2094         (JSC::UnlinkedCodeBlock::addBitVector):
2095         (JSC::UnlinkedCodeBlock::addSetConstant):
2096         (JSC::UnlinkedCodeBlock::constantRegisters):
2097         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2098         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2099         (JSC::UnlinkedCodeBlock::codeType const):
2100         (JSC::UnlinkedCodeBlock::didOptimize const):
2101         (JSC::UnlinkedCodeBlock::setDidOptimize):
2102         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2103         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2104         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2105         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2106         * bytecompiler/BytecodeGenerator.cpp:
2107         (JSC::BytecodeGenerator::emitLoad):
2108         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2109         * bytecompiler/BytecodeGenerator.h:
2110         * runtime/CachedTypes.cpp:
2111         (JSC::CachedCodeBlockRareData::encode):
2112         (JSC::CachedCodeBlockRareData::decode const):
2113         (JSC::CachedCodeBlock::scopeRegister const):
2114         (JSC::CachedCodeBlock::codeType const):
2115         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2116         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2117         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2118         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2119
2120 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2121
2122         Unreviewed, add missing exception checks after r240637
2123         https://bugs.webkit.org/show_bug.cgi?id=193546
2124
2125         * tools/JSDollarVM.cpp:
2126         (JSC::functionShadowChickenFunctionsOnStack):
2127
2128 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2129
2130         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2131         https://bugs.webkit.org/show_bug.cgi?id=193993
2132
2133         Reviewed by Keith Miller.
2134
2135         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2136         And some of them are rarely used. We should allocate them lazily.
2137
2138         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2139         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2140         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2141         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2142         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2143         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2144         by using WTF::storeStoreFence when lazily allocating it.
2145
2146         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2147         existence of the space before touching it. This is not racy because the main thread is stopped when
2148         the constraint solving is working.
2149
2150         This changes sizeof(VM) from 64736 to 56472.
2151
2152         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2153         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2154         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2155         dynamically created ones, since the requirement of pre-allocation poses a scalability problem
2156         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2157         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2158         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2159
2160         * API/JSCallbackFunction.h:
2161         * API/ObjCCallbackFunction.h:
2162         (JSC::ObjCCallbackFunction::subspaceFor):
2163         * API/glib/JSCCallbackFunction.h:
2164         * CMakeLists.txt:
2165         * JavaScriptCore.xcodeproj/project.pbxproj:
2166         * bytecode/CodeBlock.cpp:
2167         (JSC::CodeBlock::visitChildren):
2168         (JSC::CodeBlock::finalizeUnconditionally):
2169         * bytecode/CodeBlock.h:
2170         * bytecode/EvalCodeBlock.h:
2171         * bytecode/ExecutableToCodeBlockEdge.h:
2172         * bytecode/FunctionCodeBlock.h:
2173         * bytecode/ModuleProgramCodeBlock.h:
2174         * bytecode/ProgramCodeBlock.h:
2175         * bytecode/UnlinkedFunctionExecutable.cpp:
2176         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2177         * bytecode/UnlinkedFunctionExecutable.h:
2178         * dfg/DFGSpeculativeJIT.cpp:
2179         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2180         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2181         (JSC::DFG::SpeculativeJIT::compileNewObject):
2182         * ftl/FTLLowerDFGToB3.cpp:
2183         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2184         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2185         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2186         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2187         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2188         * heap/Heap.cpp:
2189         (JSC::Heap::finalizeUnconditionalFinalizers):
2190         (JSC::Heap::deleteAllCodeBlocks):
2191         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2192         (JSC::Heap::addCoreConstraints):
2193         * heap/Subspace.cpp:
2194         (JSC::Subspace::initialize):
2195         * jit/AssemblyHelpers.h:
2196         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2197         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2198         * jit/JITOpcodes.cpp:
2199         (JSC::JIT::emit_op_new_object):
2200         * jit/JITOpcodes32_64.cpp:
2201         (JSC::JIT::emit_op_new_object):
2202         * runtime/DirectArguments.h:
2203         * runtime/DirectEvalExecutable.h:
2204         * runtime/ErrorInstance.h:
2205         (JSC::ErrorInstance::subspaceFor):
2206         * runtime/ExecutableBase.h:
2207         * runtime/FunctionExecutable.h:
2208         * runtime/IndirectEvalExecutable.h:
2209         * runtime/InferredValue.cpp:
2210         (JSC::InferredValue::visitChildren):
2211         * runtime/InferredValue.h:
2212         * runtime/InferredValueInlines.h:
2213         (JSC::InferredValue::finalizeUnconditionally):
2214         * runtime/InternalFunction.h:
2215         * runtime/JSAsyncFunction.h:
2216         * runtime/JSAsyncGeneratorFunction.h:
2217         * runtime/JSBoundFunction.h:
2218         * runtime/JSCell.h:
2219         (JSC::subspaceFor):
2220         (JSC::subspaceForConcurrently):
2221         * runtime/JSCellInlines.h:
2222         (JSC::allocatorForNonVirtualConcurrently):
2223         * runtime/JSCustomGetterSetterFunction.h:
2224         * runtime/JSDestructibleObject.h:
2225         * runtime/JSFunction.h:
2226         * runtime/JSGeneratorFunction.h:
2227         * runtime/JSImmutableButterfly.h:
2228         * runtime/JSLexicalEnvironment.h:
2229         (JSC::JSLexicalEnvironment::subspaceFor):
2230         * runtime/JSNativeStdFunction.h:
2231         * runtime/JSSegmentedVariableObject.h:
2232         * runtime/JSString.h:
2233         * runtime/ModuleProgramExecutable.h:
2234         * runtime/NativeExecutable.h:
2235         * runtime/ProgramExecutable.h:
2236         * runtime/PropertyMapHashTable.h:
2237         * runtime/ProxyRevoke.h:
2238         * runtime/ScopedArguments.h:
2239         * runtime/ScriptExecutable.cpp:
2240         (JSC::ScriptExecutable::clearCode):
2241         (JSC::ScriptExecutable::installCode):
2242         * runtime/Structure.h:
2243         * runtime/StructureRareData.h:
2244         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2245         * runtime/VM.cpp:
2246         (JSC::VM::VM):
2247         * runtime/VM.h:
2248         (JSC::VM::SpaceAndSet::SpaceAndSet):
2249         (JSC::VM::SpaceAndSet::setFor):
2250         (JSC::VM::forEachScriptExecutableSpace):
2251         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2252         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2253         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2254         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2255         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2256         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2257         * runtime/WeakMapImpl.h:
2258         (JSC::WeakMapImpl::subspaceFor):
2259         * wasm/js/JSWebAssemblyCodeBlock.h:
2260         * wasm/js/JSWebAssemblyMemory.h:
2261         * wasm/js/WebAssemblyFunction.h:
2262         * wasm/js/WebAssemblyWrapperFunction.h:
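
The lazy IsoSubspace scheme this entry describes, as an added example that is not JSC's code: a simplified C++ model in which a rarely used space is created on demand by the main thread, published with a release fence standing in for WTF::storeStoreFence, and read by concurrent JIT code that must tolerate nullptr. The VM, IsoSubspace, WeakMapLike and JSFunctionLike types, the SubspaceAccess enum and every function name here are hypothetical stand-ins for the real ones.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <memory>

// Stand-in for JSC's IsoSubspace: a large, per-type allocation space.
struct IsoSubspace {
    explicit IsoSubspace(const char* name) : name(name) { }
    const char* name;
    std::size_t cellCount = 0;
};

// Models the second template parameter the entry adds to JSCell::subspaceFor.
enum class SubspaceAccess { OnMainThread, Concurrently };

struct VM {
    // A common type keeps its eagerly allocated space.
    IsoSubspace functionSpace { "JSFunction" };

    // Rarely used type: allocated lazily. The unique_ptr owns it; the atomic pointer is what concurrent JIT threads read.
    std::unique_ptr<IsoSubspace> m_weakMapSpaceStorage;
    std::atomic<IsoSubspace*> m_weakMapSpace { nullptr };

    // Main thread only (models ensureXXXSpace). The release fence plays the role of
    // WTF::storeStoreFence: a reader that sees the pointer also sees the constructed object.
    IsoSubspace& ensureWeakMapSpace()
    {
        if (IsoSubspace* space = m_weakMapSpace.load(std::memory_order_relaxed))
            return *space;
        m_weakMapSpaceStorage.reset(new IsoSubspace("WeakMap"));
        std::atomic_thread_fence(std::memory_order_release);
        m_weakMapSpace.store(m_weakMapSpaceStorage.get(), std::memory_order_relaxed);
        return *m_weakMapSpaceStorage;
    }

    // Callable from any thread: nullptr until the main thread has created it.
    IsoSubspace* weakMapSpaceConcurrently()
    {
        IsoSubspace* space = m_weakMapSpace.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);
        return space;
    }
};

// Each cell type names its space (models T::subspaceFor<access>(vm)).
struct JSFunctionLike {
    template<SubspaceAccess> static IsoSubspace* subspaceFor(VM& vm) { return &vm.functionSpace; }
};

struct WeakMapLike {
    template<SubspaceAccess mode> static IsoSubspace* subspaceFor(VM& vm)
    {
        if (mode == SubspaceAccess::Concurrently)
            return vm.weakMapSpaceConcurrently(); // may be nullptr
        return &vm.ensureWeakMapSpace();
    }
};

template<typename T> IsoSubspace* subspaceFor(VM& vm) { return T::template subspaceFor<SubspaceAccess::OnMainThread>(vm); }
template<typename T> IsoSubspace* subspaceForConcurrently(VM& vm) { return T::template subspaceFor<SubspaceAccess::Concurrently>(vm); }

// A concurrent JIT tier can inline the allocation only if the space exists; otherwise it must call the slow path.
template<typename T> bool jitCanInlineAllocation(VM& vm) { return subspaceForConcurrently<T>(vm) != nullptr; }

// Main-thread allocation: creates the space on demand and records the cell.
template<typename T> IsoSubspace& allocateOnMainThread(VM& vm)
{
    IsoSubspace* space = subspaceFor<T>(vm);
    ++space->cellCount;
    return *space;
}

// GC constraint solving: touch a lazy space only if it exists (the mutator is stopped, so this is not racy).
std::size_t countCellsInLazySpaces(VM& vm)
{
    std::size_t total = 0;
    if (IsoSubspace* space = vm.weakMapSpaceConcurrently())
        total += space->cellCount;
    return total;
}

// Exercises the model; returns 0 on success, else the number of the failed step.
int runLazySpaceScenario()
{
    VM vm;
    if (subspaceForConcurrently<WeakMapLike>(vm) != nullptr) return 1; // not created yet
    if (jitCanInlineAllocation<WeakMapLike>(vm)) return 2;              // JIT takes the slow path
    if (!jitCanInlineAllocation<JSFunctionLike>(vm)) return 3;          // eager space is always there
    if (countCellsInLazySpaces(vm) != 0) return 4;                      // GC skips the absent space
    IsoSubspace& first = allocateOnMainThread<WeakMapLike>(vm);
    if (&first != subspaceForConcurrently<WeakMapLike>(vm)) return 5;   // now published
    if (&allocateOnMainThread<WeakMapLike>(vm) != &first) return 6;     // created only once
    if (first.cellCount != 2 || countCellsInLazySpaces(vm) != 2) return 7;
    return 0;
}

int main()
{
    std::printf("lazy IsoSubspace scenario: %s\n", runLazySpaceScenario() == 0 ? "ok" : "failed");
    return 0;
}
```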
2263
2264 2019-02-04  Keith Miller  <keith_miller@apple.com>
2265
2266         Change llint operand macros to inline functions
2267         https://bugs.webkit.org/show_bug.cgi?id=194248
2268
2269         Reviewed by Mark Lam.
2270
2271         * llint/LLIntSlowPaths.cpp:
2272         (JSC::LLInt::getNonConstantOperand):
2273         (JSC::LLInt::getOperand):
2274         (JSC::LLInt::llint_trace_value):
2275         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2276         (JSC::LLInt::getByVal):
2277         (JSC::LLInt::genericCall):
2278         (JSC::LLInt::varargsSetup):
2279         (JSC::LLInt::commonCallEval):
2280
2281 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2282
2283         when lowering AssertNotEmpty, create the value before creating the patchpoint
2284         https://bugs.webkit.org/show_bug.cgi?id=194231
2285
2286         Reviewed by Saam Barati.
2287
2288         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2289         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2290
2291         * ftl/FTLLowerDFGToB3.cpp:
2292         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2293
2294 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2295
2296         [JSC] ExecutableToCodeBlockEdge should be smaller
2297         https://bugs.webkit.org/show_bug.cgi?id=194244
2298
2299         Reviewed by Michael Saboff.
2300
2301         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2302         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2303         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2304         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2305
2306         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2307         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2308         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2309
2310         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2311         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2312         does not touch it if it is called on non-main threads).
2313
2314         * bytecode/ExecutableToCodeBlockEdge.cpp:
2315         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2316         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2317         (JSC::ExecutableToCodeBlockEdge::activate):
2318         (JSC::ExecutableToCodeBlockEdge::deactivate):
2319         (JSC::ExecutableToCodeBlockEdge::isActive const):
2320         * bytecode/ExecutableToCodeBlockEdge.h:
2321         * runtime/JSCell.h:
2322         * runtime/JSCellInlines.h:
2323         (JSC::JSCell::perCellBit const):
2324         (JSC::JSCell::setPerCellBit):
2325         (JSC::JSCell::mayBePrototype const): Deleted.
2326         (JSC::JSCell::didBecomePrototype): Deleted.
2327         * runtime/JSObject.cpp:
2328         (JSC::JSObject::setPrototypeDirect):
2329         * runtime/JSObject.h:
2330         * runtime/JSObjectInlines.h:
2331         (JSC::JSObject::mayBePrototype const):
2332         (JSC::JSObject::didBecomePrototype):
2333         * runtime/JSTypeInfo.h:
2334         (JSC::TypeInfo::perCellBit):
2335         (JSC::TypeInfo::mergeInlineTypeFlags):
2336         (JSC::TypeInfo::mayBePrototype): Deleted.
2337
2338 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2339
2340         [JSC] Shrink size of FunctionExecutable
2341         https://bugs.webkit.org/show_bug.cgi?id=194191
2342
2343         Reviewed by Michael Saboff.
2344
2345         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2346         improves the allocation efficiency.
2347
2348         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2349            We remove them from ScriptExecutable and move them to FunctionExecutable.
2350
2351         2. FunctionExecutable has several pieces of data which are rarely used: one for the FunctionOverrides functionality, which is typically
2352            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2353            the size of FunctionExecutable in the common case.
2354
2355         This patch changes the size of FunctionExecutable from 176 to 144.
2356
2357         * bytecode/CodeBlock.cpp:
2358         (JSC::CodeBlock::dumpSource):
2359         (JSC::CodeBlock::finishCreation):
2360         * dfg/DFGNode.h:
2361         (JSC::DFG::Node::OpInfoWrapper::as const):
2362         * interpreter/StackVisitor.cpp:
2363         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2364         * runtime/ExecutableBase.h:
2365         * runtime/FunctionExecutable.cpp:
2366         (JSC::FunctionExecutable::FunctionExecutable):
2367         (JSC::FunctionExecutable::ensureRareDataSlow):
2368         * runtime/FunctionExecutable.h:
2369         * runtime/Intrinsic.h:
2370         * runtime/ModuleProgramExecutable.cpp:
2371         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2372         * runtime/ProgramExecutable.cpp:
2373         (JSC::ProgramExecutable::ProgramExecutable):
2374         * runtime/ScriptExecutable.cpp:
2375         (JSC::ScriptExecutable::ScriptExecutable):
2376         (JSC::ScriptExecutable::overrideLineNumber const):
2377         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2378         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2379         * runtime/ScriptExecutable.h:
2380         (JSC::ScriptExecutable::firstLine const):
2381         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2382         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2383         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2384         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2385         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2386         * runtime/StackFrame.cpp:
2387         (JSC::StackFrame::computeLineAndColumn const):
2388         * tools/JSDollarVM.cpp:
2389         (JSC::functionReturnTypeFor):
2390
2391 2019-02-04  Mark Lam  <mark.lam@apple.com>
2392
2393         DFG's doesGC() is incorrect about the SameValue node's behavior.
2394         https://bugs.webkit.org/show_bug.cgi?id=194211
2395         <rdar://problem/47608913>
2396
2397         Reviewed by Saam Barati.
2398
2399         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2400         it calls operationSameValue() which may allocate memory for resolving ropes.
2401
2402         * dfg/DFGDoesGC.cpp:
2403         (JSC::DFG::doesGC):
2404
2405 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2406
2407         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2408         https://bugs.webkit.org/show_bug.cgi?id=194031
2409
2410         Reviewed by Saam Barati.
2411
2412         UnlinkedMetadataTable assumes that any MetadataTable linked against this UnlinkedMetadataTable is already destroyed when the UnlinkedMetadataTable is destroyed.
2413         This means that an UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2414         sweeps objects without considering the dependencies among swept objects. An UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2415         destroyed if the UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2416
2417         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to the UnlinkedMetadataTable.
2418         This ensures that the UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2419
2420         * bytecode/MetadataTable.cpp:
2421         (JSC::MetadataTable::MetadataTable):
2422         (JSC::MetadataTable::~MetadataTable):
2423         * bytecode/UnlinkedCodeBlock.cpp:
2424         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2425         (JSC::UnlinkedCodeBlock::visitChildren):
2426         (JSC::UnlinkedCodeBlock::estimatedSize):
2427         (JSC::UnlinkedCodeBlock::setInstructions):
2428         * bytecode/UnlinkedCodeBlock.h:
2429         (JSC::UnlinkedCodeBlock::metadata):
2430         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2431         * bytecode/UnlinkedMetadataTable.h:
2432         (JSC::UnlinkedMetadataTable::create):
2433         * bytecode/UnlinkedMetadataTableInlines.h:
2434         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2435         * runtime/CachedTypes.cpp:
2436         (JSC::CachedMetadataTable::decode const):
2437         (JSC::CachedCodeBlock::metadata const):
2438         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2439         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2440         (JSC::CachedCodeBlock<CodeBlockType>::encode):
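
The destruction-order hazard this entry fixes, as an added example that is not JSC's code: a C++ model in which a simulated finalizer sweeps an UnlinkedCodeBlock before the CodeBlock linked to it, once with the raw-pointer layout (the linked table then reaches for an already destroyed unlinked table) and once with reference counting, using std::shared_ptr in place of WTF::RefCounted/RefPtr. The cell types, the linkedCount bookkeeping and the live-table registry used to report the dangling access are hypothetical.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <vector>

using Log = std::vector<std::string>;

// Registry of live unlinked tables, so the "before" variant can report the
// dangling access instead of dereferencing freed memory (undefined behaviour).
static std::set<const void*>& liveUnlinkedTables()
{
    static std::set<const void*> live;
    return live;
}

struct UnlinkedMetadataTable {
    explicit UnlinkedMetadataTable(Log& log) : log(log) { liveUnlinkedTables().insert(this); }
    ~UnlinkedMetadataTable() { liveUnlinkedTables().erase(this); log.push_back("~UnlinkedMetadataTable"); }
    Log& log;
    int linkedCount = 0; // hypothetical bookkeeping that linked tables update on destruction
};

// A heap cell the (simulated) GC finalizer sweeps; sweep order is not guaranteed.
struct Cell { virtual ~Cell() { } };

// Before: MetadataTable holds a raw pointer and relies on the unlinked side outliving it.
struct RawMetadataTable : Cell {
    RawMetadataTable(Log& log, UnlinkedMetadataTable* table) : log(log), unlinked(table) { ++unlinked->linkedCount; }
    ~RawMetadataTable()
    {
        if (!liveUnlinkedTables().count(unlinked)) { // already swept: this is the use-after-free
            log.push_back("use-after-free");
            return;
        }
        --unlinked->linkedCount;
        log.push_back("~MetadataTable");
    }
    Log& log;
    UnlinkedMetadataTable* unlinked;
};

struct RawUnlinkedCodeBlock : Cell {
    explicit RawUnlinkedCodeBlock(Log& log) : log(log), table(new UnlinkedMetadataTable(log)) { }
    ~RawUnlinkedCodeBlock() { log.push_back("~UnlinkedCodeBlock"); }
    UnlinkedMetadataTable* tableForLinking() { return table.get(); }
    Log& log;
    std::unique_ptr<UnlinkedMetadataTable> table; // sole owner: dies with the code block
};

// After: the unlinked table is reference counted (shared_ptr stands in for
// WTF::RefCounted/RefPtr) and every linked MetadataTable holds a strong ref.
struct RefMetadataTable : Cell {
    RefMetadataTable(Log& log, std::shared_ptr<UnlinkedMetadataTable> table) : log(log), unlinked(std::move(table)) { ++unlinked->linkedCount; }
    ~RefMetadataTable() { --unlinked->linkedCount; log.push_back("~MetadataTable"); }
    Log& log;
    std::shared_ptr<UnlinkedMetadataTable> unlinked;
};

struct RefUnlinkedCodeBlock : Cell {
    explicit RefUnlinkedCodeBlock(Log& log) : log(log), table(std::make_shared<UnlinkedMetadataTable>(log)) { }
    ~RefUnlinkedCodeBlock() { log.push_back("~UnlinkedCodeBlock"); }
    std::shared_ptr<UnlinkedMetadataTable> tableForLinking() { return table; }
    Log& log;
    std::shared_ptr<UnlinkedMetadataTable> table; // one owner among the linked tables
};

// Sweeps in the problematic order: the unlinked code block before the linked table.
template<typename UnlinkedBlock, typename Table>
Log sweepUnlinkedFirst()
{
    Log log;
    std::vector<std::unique_ptr<Cell>> cells;
    UnlinkedBlock* unlinkedBlock = new UnlinkedBlock(log);
    cells.emplace_back(unlinkedBlock);
    cells.emplace_back(new Table(log, unlinkedBlock->tableForLinking()));
    for (auto& cell : cells)
        cell.reset(); // the finalizer destroys cells without regard to dependencies
    return log;
}

Log sweepWithRawPointers() { return sweepUnlinkedFirst<RawUnlinkedCodeBlock, RawMetadataTable>(); }
Log sweepWithStrongRefs() { return sweepUnlinkedFirst<RefUnlinkedCodeBlock, RefMetadataTable>(); }

int main()
{
    for (const std::string& event : sweepWithRawPointers()) std::puts(("raw: " + event).c_str());
    for (const std::string& event : sweepWithStrongRefs()) std::puts(("ref: " + event).c_str());
    return 0;
}
```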
2441
2442 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2443
2444         [JSC] Decouple JIT related data from CodeBlock
2445         https://bugs.webkit.org/show_bug.cgi?id=194187
2446
2447         Reviewed by Saam Barati.
2448
2449         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2450         We have three types of data in CodeBlock.
2451
2452         1. The data which is always used. CodeBlock needs to hold it.
2453         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. The example is profiling.
2454         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2455
2456         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2457         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2458         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2459         in both non-JIT and *JIT* modes.
2460
2461         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2462         by the lock of CodeBlock.
2463
2464         The size of CodeBlock is reduced from 512 to 352.
2465
2466         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2467
2468             Footprint geomean: 36696503 (34.997 MB)
2469             Peak Footprint geomean: 38595988 (36.808 MB)
2470             Score: 37634263 (35.891 MB)
2471
2472             Footprint geomean: 37172768 (35.451 MB)
2473             Peak Footprint geomean: 38978288 (37.173 MB)
2474             Score: 38064824 (36.301 MB)
2475
2476         * bytecode/CodeBlock.cpp:
2477         (JSC::CodeBlock::~CodeBlock):
2478         (JSC::CodeBlock::propagateTransitions):
2479         (JSC::CodeBlock::ensureJITDataSlow):
2480         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2481         (JSC::CodeBlock::getICStatusMap):
2482         (JSC::CodeBlock::addStubInfo):
2483         (JSC::CodeBlock::addJITAddIC):
2484         (JSC::CodeBlock::addJITMulIC):
2485         (JSC::CodeBlock::addJITSubIC):
2486         (JSC::CodeBlock::addJITNegIC):
2487         (JSC::CodeBlock::findStubInfo):
2488         (JSC::CodeBlock::addByValInfo):
2489         (JSC::CodeBlock::addCallLinkInfo):
2490         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2491         (JSC::CodeBlock::addRareCaseProfile):
2492         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2493         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2494         (JSC::CodeBlock::resetJITData):
2495         (JSC::CodeBlock::stronglyVisitStrongReferences):
2496         (JSC::CodeBlock::shrinkToFit):
2497         (JSC::CodeBlock::linkIncomingCall):
2498         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2499         (JSC::CodeBlock::unlinkIncomingCalls):
2500         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2501         (JSC::CodeBlock::dumpValueProfiles):
2502         (JSC::CodeBlock::setPCToCodeOriginMap):
2503         (JSC::CodeBlock::findPC):
2504         (JSC::CodeBlock::dumpMathICStats):
2505         * bytecode/CodeBlock.h:
2506         (JSC::CodeBlock::ensureJITData):
2507         (JSC::CodeBlock::setJITCodeMap):
2508         (JSC::CodeBlock::jitCodeMap):
2509         (JSC::CodeBlock::likelyToTakeSlowCase):
2510         (JSC::CodeBlock::couldTakeSlowCase):
2511         (JSC::CodeBlock::lazyOperandValueProfiles):
2512         (JSC::CodeBlock::stubInfoBegin): Deleted.
2513         (JSC::CodeBlock::stubInfoEnd): Deleted.
2514         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2515         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2516         (JSC::CodeBlock::jitCodeMap const): Deleted.
2517         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2518         * bytecode/MethodOfGettingAValueProfile.cpp:
2519         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2520         (JSC::MethodOfGettingAValueProfile::reportValue):
2521         * dfg/DFGByteCodeParser.cpp:
2522         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2523         * jit/JIT.h:
2524         * jit/JITOperations.cpp:
2525         (JSC::tryGetByValOptimize):
2526         * jit/JITPropertyAccess.cpp:
2527         (JSC::JIT::privateCompileGetByVal):
2528         (JSC::JIT::privateCompilePutByVal):
2529
2530 2018-12-16  Darin Adler  <darin@apple.com>
2531
2532         Convert additional String::format clients to alternative approaches
2533         https://bugs.webkit.org/show_bug.cgi?id=192746
2534
2535         Reviewed by Alexey Proskuryakov.
2536
2537         * inspector/agents/InspectorConsoleAgent.cpp:
2538         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2539         and FormattedNumber::fixedWidth.
2540
2541 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2542
2543         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2544         https://bugs.webkit.org/show_bug.cgi?id=194177
2545
2546         Reviewed by Saam Barati.
2547
2548         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2549         We can share the IsoSubspace for JSFunction.
2550
2551         * runtime/JSAsyncFunction.h:
2552         * runtime/JSAsyncGeneratorFunction.h:
2553         * runtime/JSGeneratorFunction.h:
2554         * runtime/VM.cpp:
2555         (JSC::VM::VM):
2556         * runtime/VM.h:
2557
2558 2019-02-01  Mark Lam  <mark.lam@apple.com>
2559
2560         Remove invalid assertion in DFG's compileDoubleRep().
2561         https://bugs.webkit.org/show_bug.cgi?id=194130
2562         <rdar://problem/47699474>
2563
2564         Reviewed by Saam Barati.
2565
2566         * dfg/DFGSpeculativeJIT.cpp:
2567         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2568
2569 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2570
2571         [JSC] Unify CodeBlock IsoSubspaces
2572         https://bugs.webkit.org/show_bug.cgi?id=194167
2573
2574         Reviewed by Saam Barati.
2575
2576         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2577         But this is not necessary since:
2578
2579         1. They do not override the classInfo methods.
2580         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2581
2582         Creating an IsoSubspace for each subclass is costly in terms of memory. Especially, the IsoSubspace for
2583         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2584         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2585
2586         This patch unifies these IsoSubspaces into one.
2587
2588         * bytecode/CodeBlock.cpp:
2589         (JSC::CodeBlock::destroy):
2590         * bytecode/CodeBlock.h:
2591         * bytecode/EvalCodeBlock.cpp:
2592         (JSC::EvalCodeBlock::destroy): Deleted.
2593         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's directly.
2594         * bytecode/FunctionCodeBlock.cpp:
2595         (JSC::FunctionCodeBlock::destroy): Deleted.
2596         * bytecode/FunctionCodeBlock.h:
2597         * bytecode/GlobalCodeBlock.h:
2598         * bytecode/ModuleProgramCodeBlock.cpp:
2599         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2600         * bytecode/ModuleProgramCodeBlock.h:
2601         * bytecode/ProgramCodeBlock.cpp:
2602         (JSC::ProgramCodeBlock::destroy): Deleted.
2603         * bytecode/ProgramCodeBlock.h:
2604         * interpreter/Interpreter.cpp:
2605         (JSC::Interpreter::execute):
2606         * runtime/VM.cpp:
2607         (JSC::VM::VM):
2608         * runtime/VM.h:
2609         (JSC::VM::forEachCodeBlockSpace):
2610
2611 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2612
2613         Unreviewed, follow-up after r240859
2614         https://bugs.webkit.org/show_bug.cgi?id=194145
2615
2616         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2617         And rename cellDangerousBitsSpace back to cellSpace.
2618
2619         * runtime/JSCellInlines.h:
2620         (JSC::JSCell::subspaceFor):
2621         * runtime/VM.cpp:
2622         (JSC::VM::VM):
2623         * runtime/VM.h:
2624
2625 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2626
2627         [JSC] Remove cellJSValueOOBSpace
2628         https://bugs.webkit.org/show_bug.cgi?id=194145
2629
2630         Reviewed by Mark Lam.
2631
2632         * runtime/JSObject.h:
2633         (JSC::JSObject::subspaceFor): Deleted.
2634         * runtime/VM.cpp:
2635         (JSC::VM::VM):
2636         * runtime/VM.h:
2637
2638 2019-01-31  Mark Lam  <mark.lam@apple.com>
2639
2640         Remove poisoning from CodeBlock and LLInt code.
2641         https://bugs.webkit.org/show_bug.cgi?id=194113
2642
2643         Reviewed by Yusuke Suzuki.
2644
2645         * bytecode/CodeBlock.cpp:
2646         (JSC::CodeBlock::CodeBlock):
2647         (JSC::CodeBlock::~CodeBlock):
2648         (JSC::CodeBlock::setConstantRegisters):
2649         (JSC::CodeBlock::propagateTransitions):
2650         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2651         (JSC::CodeBlock::jettison):
2652         (JSC::CodeBlock::predictedMachineCodeSize):
2653         * bytecode/CodeBlock.h:
2654         (JSC::CodeBlock::vm const):
2655         (JSC::CodeBlock::addConstant):
2656         (JSC::CodeBlock::heap const):
2657         (JSC::CodeBlock::replaceConstant):
2658         * llint/LLIntOfflineAsmConfig.h:
2659         * llint/LLIntSlowPaths.cpp:
2660         (JSC::LLInt::handleHostCall):
2661         (JSC::LLInt::setUpCall):
2662         * llint/LowLevelInterpreter.asm:
2663         * llint/LowLevelInterpreter32_64.asm:
2664         * llint/LowLevelInterpreter64.asm:
2665
2666 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2667
2668         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2669         https://bugs.webkit.org/show_bug.cgi?id=194107
2670
2671         Reviewed by Saam Barati.
2672
2673         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2674         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2675
2676         * CMakeLists.txt:
2677         * DerivedSources.make:
2678         * JavaScriptCore.xcodeproj/project.pbxproj:
2679         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2680         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2681         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2682         (JSC::AsyncFromSyncIteratorPrototype::create):
2683         * runtime/AsyncFromSyncIteratorPrototype.h:
2684
2685 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2686
2687         Fix `runJITThreadLimitTests` in testapi
2688         https://bugs.webkit.org/show_bug.cgi?id=194064
2689         <rdar://problem/46139147>
2690
2691         Reviewed by Mark Lam.
2692
2693         Fix typo where `targetNumberOfThreads` was not being used.
2694
2695         * API/tests/testapi.mm:
2696         (runJITThreadLimitTests):
2697
2698 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2699
2700         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2701         https://bugs.webkit.org/show_bug.cgi?id=194112
2702
2703         Reviewed by Mark Lam.
2704
2705         `testBytecodeCache` does not populate the bytecode cache for the global
2706         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2707
2708         * API/tests/testapi.mm:
2709         (testBytecodeCache):
2710
2711 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2712
2713         Unreviewed, follow-up after r240796
2714
2715         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2716         when allocating InferredValue in FunctionExecutable::finishCreation.
2717
2718         * runtime/FunctionExecutable.cpp:
2719         (JSC::FunctionExecutable::FunctionExecutable):
2720         (JSC::FunctionExecutable::finishCreation):
2721
2722 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2723
2724         [JSC] Do not use InferredValue in non-JIT configuration
2725         https://bugs.webkit.org/show_bug.cgi?id=194084
2726
2727         Reviewed by Saam Barati.
2728
2729         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2730         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2731         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2732         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2733         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2734         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2735         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2736         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2737
2738         * bytecode/ObjectAllocationProfileInlines.h:
2739         (JSC::ObjectAllocationProfile::initializeProfile):
2740         * runtime/FunctionExecutable.cpp:
2741         (JSC::FunctionExecutable::finishCreation):
2742         (JSC::FunctionExecutable::visitChildren):
2743         * runtime/FunctionExecutable.h:
2744         * runtime/InferredValue.cpp:
2745         (JSC::InferredValue::create):
2746         * runtime/JSAsyncFunction.cpp:
2747         (JSC::JSAsyncFunction::create):
2748         * runtime/JSAsyncGeneratorFunction.cpp:
2749         (JSC::JSAsyncGeneratorFunction::create):
2750         * runtime/JSFunction.cpp:
2751         (JSC::JSFunction::create):
2752         * runtime/JSFunctionInlines.h:
2753         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2754         * runtime/JSGeneratorFunction.cpp:
2755         (JSC::JSGeneratorFunction::create):
2756         * runtime/JSSymbolTableObject.h:
2757         (JSC::JSSymbolTableObject::setSymbolTable):
2758         * runtime/SymbolTable.cpp:
2759         (JSC::SymbolTable::finishCreation):
2760         * runtime/VM.cpp:
2761         (JSC::VM::VM):
2762
2763 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2764
2765         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2766         https://bugs.webkit.org/show_bug.cgi?id=194085
2767
2768         Reviewed by Yusuke Suzuki.
2769
2770         r240730 changed ud_itab.py and caused incremental build failures
2771         for Ninja builds.
2772
2773         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2774
2775 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2776
2777         [JSC] Symbol should be in destructibleCellSpace
2778         https://bugs.webkit.org/show_bug.cgi?id=194082
2779
2780         Reviewed by Saam Barati.
2781
2782         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2783         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2784         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2785         Symbol's space destructibleCellSpace to appropriately call the destructor.
2786
2787         * runtime/Symbol.h:
2788
2789 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2790
2791         Unreviewed, rolling out r240755.
2792
2793         This was not correct
2794
2795         Reverted changeset:
2796
2797         "Unreviewed, fix GCC build after r240730"
2798         https://bugs.webkit.org/show_bug.cgi?id=194041
2799         https://trac.webkit.org/changeset/240755
2800
2801 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2802
2803         Unreviewed, fix GCC build after r240730
2804         https://bugs.webkit.org/show_bug.cgi?id=194041
2805         <rdar://problem/47680981>
2806
2807         * disassembler/udis86/ud_itab.py:
2808         (UdItabGenerator.genOpcodeTablesLookupIndex):
2809
2810 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2811
2812         testapi's `testBytecodeCache` does not need to run the code twice
2813         https://bugs.webkit.org/show_bug.cgi?id=194046
2814
2815         Reviewed by Mark Lam.
2816
2817         Since we populate the cache eagerly (unlike the stress tests) we don't
2818         need to run the code twice.
2819
2820         * API/tests/testapi.mm:
2821         (testBytecodeCache):
2822
2823 2019-01-30  Saam barati  <sbarati@apple.com>
2824
2825         [WebAssembly] Change BBQ to generate Air IR
2826         https://bugs.webkit.org/show_bug.cgi?id=191802
2827         <rdar://problem/47651718>
2828
2829         Reviewed by Keith Miller.
2830
2831         This patch adds a new Wasm compiler for the BBQ tier. Instead
2832         of compiling using B3-O1, we now generate Air code directly.
2833         The goal of doing this was to speed up compile times for Wasm
2834         programs.
2835         
2836         This patch provides us with a 20-30% compile time speedup. However, I
2837         have ideas on how to improve compile times even further. For example,
2838         we should probably implement a faster running register allocator:
2839         https://bugs.webkit.org/show_bug.cgi?id=194036
2840         
2841         We can also improve on the code we generate.
2842         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2843         And we should do better instruction selection in various
2844         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2845
2846         * JavaScriptCore.xcodeproj/project.pbxproj:
2847         * Sources.txt:
2848         * b3/B3LowerToAir.cpp:
2849         * b3/B3StackmapSpecial.h:
2850         * b3/air/AirCode.cpp:
2851         (JSC::B3::Air::Code::emitDefaultPrologue):
2852         * b3/air/AirCode.h:
2853         * b3/air/AirTmp.h:
2854         (JSC::B3::Air::Tmp::Tmp):
2855         * runtime/Options.h:
2856         * wasm/WasmAirIRGenerator.cpp: Added.
2857         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2858         (JSC::Wasm::TypedTmp::TypedTmp):
2859         (JSC::Wasm::TypedTmp::operator== const):
2860         (JSC::Wasm::TypedTmp::operator!= const):
2861         (JSC::Wasm::TypedTmp::operator bool const):
2862         (JSC::Wasm::TypedTmp::operator Tmp const):
2863         (JSC::Wasm::TypedTmp::operator Arg const):
2864         (JSC::Wasm::TypedTmp::tmp const):
2865         (JSC::Wasm::TypedTmp::type const):
2866         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2867         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2868         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2869         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2870         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2871         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2872         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2873         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2874         (JSC::Wasm::AirIRGenerator::emptyExpression):
2875         (JSC::Wasm::AirIRGenerator::fail const):
2876         (JSC::Wasm::AirIRGenerator::setParser):
2877         (JSC::Wasm::AirIRGenerator::toTmpVector):
2878         (JSC::Wasm::AirIRGenerator::validateInst):
2879         (JSC::Wasm::AirIRGenerator::extractArg):
2880         (JSC::Wasm::AirIRGenerator::append):
2881         (JSC::Wasm::AirIRGenerator::appendEffectful):
2882         (JSC::Wasm::AirIRGenerator::newTmp):
2883         (JSC::Wasm::AirIRGenerator::g32):
2884         (JSC::Wasm::AirIRGenerator::g64):
2885         (JSC::Wasm::AirIRGenerator::f32):
2886         (JSC::Wasm::AirIRGenerator::f64):
2887         (JSC::Wasm::AirIRGenerator::tmpForType):
2888         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2889         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2890         (JSC::Wasm::AirIRGenerator::emitCheck):
2891         (JSC::Wasm::AirIRGenerator::emitCCall):
2892         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2893         (JSC::Wasm::AirIRGenerator::instanceValue):
2894         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2895         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2896         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2897         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2898         (JSC::Wasm::AirIRGenerator::emitThrowException):
2899         (JSC::Wasm::AirIRGenerator::addLocal):
2900         (JSC::Wasm::AirIRGenerator::addConstant):
2901         (JSC::Wasm::AirIRGenerator::addArguments):
2902         (JSC::Wasm::AirIRGenerator::getLocal):
2903         (JSC::Wasm::AirIRGenerator::addUnreachable):
2904         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2905         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2906         (JSC::Wasm::AirIRGenerator::setLocal):
2907         (JSC::Wasm::AirIRGenerator::getGlobal):
2908         (JSC::Wasm::AirIRGenerator::setGlobal):
2909         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2910         (JSC::Wasm::sizeOfLoadOp):
2911         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2912         (JSC::Wasm::AirIRGenerator::load):
2913         (JSC::Wasm::sizeOfStoreOp):
2914         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2915         (JSC::Wasm::AirIRGenerator::store):
2916         (JSC::Wasm::AirIRGenerator::addSelect):
2917         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2918         (JSC::Wasm::AirIRGenerator::addLoop):
2919         (JSC::Wasm::AirIRGenerator::addTopLevel):
2920         (JSC::Wasm::AirIRGenerator::addBlock):
2921         (JSC::Wasm::AirIRGenerator::addIf):
2922         (JSC::Wasm::AirIRGenerator::addElse):
2923         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2924         (JSC::Wasm::AirIRGenerator::addReturn):
2925         (JSC::Wasm::AirIRGenerator::addBranch):
2926         (JSC::Wasm::AirIRGenerator::addSwitch):
2927         (JSC::Wasm::AirIRGenerator::endBlock):
2928         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2929         (JSC::Wasm::AirIRGenerator::addCall):
2930         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2931         (JSC::Wasm::AirIRGenerator::unify):
2932         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2933         (JSC::Wasm::AirIRGenerator::dump):
2934         (JSC::Wasm::AirIRGenerator::origin):
2935         (JSC::Wasm::parseAndCompileAir):
2936         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2937         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2941         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2942         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2943         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2944         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2948         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2949         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2950         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2951         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2952         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2953         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2954         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2955         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2962         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2963         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2964         (JSC::Wasm::AirIRGenerator::addShift):
2965         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2966         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2967         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2968         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2969         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2970         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2971         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2972         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2973         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2974         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2975         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2976         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2977         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2978         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2979         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2980         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2981         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2982         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2983         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2984         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2985         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2992         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2993         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2994         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2995         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2996         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2997         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2998         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2999         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3000         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3001         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3002         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3003         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3004         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3005         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3006         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3007         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3011         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3012         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3013         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3014         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3020         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3026         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3027         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3028         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3029         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3030         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3031         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3032         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3033         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3034         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3035         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3036         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3037         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3038         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3039         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3040         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3041         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3042         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3043         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3044         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3045         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3046         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3047         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3048         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3049         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3050         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3051         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3052         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3053         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3054         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3055         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3056         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3057         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3058         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3059         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3060         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3061         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3062         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3063         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3064         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3065         * wasm/WasmAirIRGenerator.h: Added.
3066         * wasm/WasmB3IRGenerator.cpp:
3067         (JSC::Wasm::B3IRGenerator::emptyExpression):
3068         * wasm/WasmBBQPlan.cpp:
3069         (JSC::Wasm::BBQPlan::compileFunctions):
3070         * wasm/WasmCallingConvention.cpp:
3071         (JSC::Wasm::jscCallingConventionAir):
3072         (JSC::Wasm::wasmCallingConventionAir):
3073         * wasm/WasmCallingConvention.h:
3074         (JSC::Wasm::CallingConvention::CallingConvention):
3075         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3076         (JSC::Wasm::CallingConvention::marshallArgument const):
3077         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3078         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3079         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3080         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3081         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3082         (JSC::Wasm::CallingConventionAir::loadArguments const):
3083         (JSC::Wasm::CallingConventionAir::setupCall const):
3084         (JSC::Wasm::nextJSCOffset):
3085         * wasm/WasmFunctionParser.h:
3086         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3087         * wasm/WasmValidate.cpp:
3088         (JSC::Wasm::Validate::emptyExpression):
3089
3090 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3091
3092         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3093         https://bugs.webkit.org/show_bug.cgi?id=194050
3094         <rdar://problem/47595592>
3095
3096         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3097         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3098
3099         Reviewed by Yusuke Suzuki.
3100
3101         * ftl/FTLOperations.cpp:
3102         (JSC::FTL::operationMaterializeObjectInOSR):
3103
3104 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3105
3106         Remove assertion that CachedSymbolTables should have no RareData
3107         https://bugs.webkit.org/show_bug.cgi?id=194037
3108
3109         Reviewed by Mark Lam.
3110
3111         It turns out that we don't need to cache the SymbolTableRareData and
3112         we should not assert that it's empty.
3113
3114         * runtime/CachedTypes.cpp:
3115         (JSC::CachedSymbolTable::encode):
3116
3117 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3118
3119         CachedBytecode's move constructor should not call `freeDataIfOwned`
3120         https://bugs.webkit.org/show_bug.cgi?id=194045
3121
3122         Reviewed by Mark Lam.
3123
3124         That might result in freeing a garbage value.
3125
3126         * parser/SourceProvider.h:
3127         (JSC::CachedBytecode::CachedBytecode):
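
        The move-constructor pitfall named in this entry, shown on a constructed CachedBytecode-like buffer owner as an added example (not JSC's own code; the OwnedBuffer class, its adopt/view factories and the free counter are assumptions):

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

// Constructed stand-in for a CachedBytecode-like buffer owner (not JSC's own
// code). The pitfall: a move constructor that calls freeDataIfOwned() before
// its own members are initialized reads indeterminate m_data/m_owned and may
// free() a garbage pointer. Here the move constructor only transfers the
// fields; freeing is left to the destructor and to move-assignment, where
// *this is already a fully constructed object.

static int g_freeCount = 0; // number of free() calls made through OwnedBuffer

class OwnedBuffer {
public:
    OwnedBuffer() = default;

    // Takes ownership of a malloc()'ed block; it is freed in the destructor.
    static OwnedBuffer adopt(void* data, size_t size) { return OwnedBuffer(data, size, true); }
    // Non-owning view over memory somebody else manages.
    static OwnedBuffer view(void* data, size_t size) { return OwnedBuffer(data, size, false); }

    // Move constructor: steal the fields and leave the source empty.
    // Deliberately no call to freeDataIfOwned() here.
    OwnedBuffer(OwnedBuffer&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false))
    {
    }

    // Move assignment: *this is fully constructed, so releasing what it
    // currently owns before taking over the source is safe.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = std::exchange(other.m_data, nullptr);
            m_size = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    ~OwnedBuffer() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    OwnedBuffer(void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    void freeDataIfOwned()
    {
        if (m_owned && m_data) {
            free(m_data);
            ++g_freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Moves an owning buffer twice (construction, then assignment over a view)
// and reports how many times the adopted block was freed. Correct ownership
// transfer frees it exactly once; returns -1 if the transfer itself is wrong.
int moveOwnedBufferAndCountFrees()
{
    g_freeCount = 0;
    {
        void* raw = malloc(16);
        memset(raw, 0xAB, 16); // constructed sample contents
        OwnedBuffer a = OwnedBuffer::adopt(raw, 16);
        OwnedBuffer b(std::move(a)); // a is now empty, b owns raw
        if (a.data() || a.owned() || !b.owned() || b.size() != 16)
            return -1;

        unsigned char stackBytes[4] = { 1, 2, 3, 4 };
        OwnedBuffer c = OwnedBuffer::view(stackBytes, sizeof(stackBytes));
        c = std::move(b); // c drops its view (nothing freed) and takes raw
        if (b.data() || !c.owned() || c.data() != raw)
            return -1;
    } // c's destructor frees raw once; a and b free nothing
    return g_freeCount;
}
```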
3128
3129 2019-01-30  Keith Miller  <keith_miller@apple.com>
3130
3131         mul32 should convert powers of 2 to an lshift
3132         https://bugs.webkit.org/show_bug.cgi?id=193957
3133
3134         Reviewed by Yusuke Suzuki.
3135
3136         * assembler/MacroAssembler.h:
3137         (JSC::MacroAssembler::mul32):
3138         * assembler/testmasm.cpp:
3139         (JSC::int32Operands):
3140         (JSC::testMul32WithImmediates):
3141         (JSC::run):
3142
3143 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3144
3145         [JSC] Make disassembler data structures constant read-only data
3146         https://bugs.webkit.org/show_bug.cgi?id=194041
3147
3148         Reviewed by Mark Lam.
3149
3150         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3151         This patch makes them "const".
3152
3153         * disassembler/ARM64/A64DOpcode.cpp:
3154         * disassembler/udis86/ud_itab.py:
3155         (UdItabGenerator.genOpcodeTablesLookupIndex):
3156         (UdItabGenerator.genInsnTable):
3157         (UdItabGenerator.genMnemonicsList):
3158         (genItabH):
3159         * disassembler/udis86/udis86_decode.h:
3160         * disassembler/udis86/udis86_syn.c:
3161         * disassembler/udis86/udis86_syn.h:
3162         * disassembler/udis86/udis86_types.h:
3163
3164 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3165
3166         Unreviewed, update the builtin test results
3167         https://bugs.webkit.org/show_bug.cgi?id=194015
3168
3169         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3170         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3171         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3172         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3173         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3174         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3175         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3176         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3177         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3178         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3179         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3180         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3181         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3182
3183 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3184
3185         [JSC] Make global static variables "const" as much as possible
3186         https://bugs.webkit.org/show_bug.cgi?id=194015
3187
3188         Reviewed by Mark Lam.
3189
3190         Some global static variables are not "const". For example, `static const char* name = ...`
3191         is not a constant variable. We should make it `static const char* const name = ...`.
3192
3193         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3194         (generate_externs_for_object):
3195         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3196         (generate_externs_for_object):
3197         * Scripts/wkbuiltins/builtins_generator.py:
3198         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3199         * assembler/MacroAssembler.h:
3200         (JSC::MacroAssembler::additionBlindedConstant):
3201         * b3/air/AirFormTable.h:
3202         * b3/air/opcode_generator.rb:
3203         * runtime/JSObject.cpp:
3204         (JSC::JSObject::visitButterfly):
3205         * tools/CodeProfile.cpp:
3206         * tools/CodeProfile.h:
3207
3208 2019-01-29  Keith Miller  <keith_miller@apple.com>
3209
3210         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3211         https://bugs.webkit.org/show_bug.cgi?id=194000
3212         <rdar://problem/47642894>
3213
3214         Reviewed by Mark Lam.
3215
3216         The default constructor is unused, and
3217         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3218         data member which causes sadness.
3219
3220         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3221
3222 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3223
3224         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3225
3226         Rubber-stamped by Yusuke Suzuki.
3227
3228         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3229
3230         * parser/Parser.h:
3231         (JSC::Parser::declareHoistedVariable):
3232
3233 2019-01-29  Mark Lam  <mark.lam@apple.com>
3234
3235         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3236         https://bugs.webkit.org/show_bug.cgi?id=132333
3237
3238         Reviewed by Yusuke Suzuki.
3239
3240         * bytecode/InstructionStream.h:
3241         (JSC::InstructionStreamWriter::write):
3242         - The 32-bit write() function need not invert the order of the bytes written to
3243           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3244           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3245
3246         * llint/LLIntOfflineAsmConfig.h:
3247         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3248
3249 2019-01-29  Mark Lam  <mark.lam@apple.com>
3250
3251         ValueRecovery::recover() should purify NaN values it recovers.
3252         https://bugs.webkit.org/show_bug.cgi?id=193978
3253         <rdar://problem/47625488>
3254
3255         Reviewed by Saam Barati.
3256
3257         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3258         recovered DoubleDisplacedInJSStack values need to be purified.
3259         ValueRecovery::recover() should do the same.
3260
3261         * bytecode/ValueRecovery.cpp:
3262         (JSC::ValueRecovery::recover const):
3263
3264 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3265
3266         [JSC] FTL should handle LocalAllocator*
3267         https://bugs.webkit.org/show_bug.cgi?id=193980
3268
3269         Reviewed by Saam Barati.
3270
3271         At some point, Allocator began holding LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3272         because the FTL still uses the incoming value as a 32-bit integer there.
3273
3274         * ftl/FTLLowerDFGToB3.cpp:
3275         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3276
3277 2019-01-29  Keith Rollin  <krollin@apple.com>
3278
3279         Add .xcfilelists to Run Script build phases
3280         https://bugs.webkit.org/show_bug.cgi?id=193792
3281         <rdar://problem/47201785>
3282
3283         Reviewed by Alex Christensen.
3284
3285         As part of supporting XCBuild, update the necessary Run Script build
3286         phases in their Xcode projects to refer to their associated
3287         .xcfilelist files.
3288
3289         Note that the addition of these files bumps the Xcode project version
3290         number to something that's Xcode 10 compatible. This change means that
3291         older versions of the Xcode IDE can't read these projects. Nor can they
3292         fully load workspaces that refer to these projects (the updated
3293         projects are shown as non-expandable placeholders). `xcodebuild` can
3294         still build these projects; it's just that the IDE can't open them.
3295
3296         * JavaScriptCore.xcodeproj/project.pbxproj:
3297
3298 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3299
3300         [ARM] Check for negative zero instead of just zero
3301         https://bugs.webkit.org/show_bug.cgi?id=193689
3302
3303         Reviewed by Mark Lam.
3304
3305         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3306         of just bailing out for zero.
3307
3308         * assembler/MacroAssemblerARMv7.h:
3309         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3310
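The check this entry describes, as an added example that is not JavaScriptCore code: a plain C++ function with the semantics branchConvertDoubleToInt32 has to enforce when turning a double into an int32. The names ConvertResult, convertDoubleToInt32 and the two helpers are assumptions chosen for illustration; only the requirement itself (bail out for non-integral, out-of-range and negative-zero inputs, but let +0 convert) comes from the entry.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added example, not JavaScriptCore code. ConvertResult, convertDoubleToInt32
// and the helpers below are assumed names chosen for illustration.
enum class ConvertResult { Exact, NotAnInt32, NegativeZero };

// Stores the int32 in `out` and returns Exact only when `value` is an integer
// in int32 range and is not -0.0. Every other verdict is a case in which the
// JIT's branchConvertDoubleToInt32 must branch to its slow path.
ConvertResult convertDoubleToInt32(double value, int32_t& out)
{
    // NaN compares unequal to everything, including itself, so test it first.
    if (std::isnan(value))
        return ConvertResult::NotAnInt32;

    // Truncate toward zero; a fractional part or an out-of-range magnitude
    // (including +/-Infinity) means the conversion is lossy. Compare as
    // doubles so no out-of-range cast (undefined behaviour) is ever performed.
    double truncated = std::trunc(value);
    if (truncated != value)
        return ConvertResult::NotAnInt32;
    if (truncated < static_cast<double>(std::numeric_limits<int32_t>::min())
        || truncated > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return ConvertResult::NotAnInt32;

    // -0.0 == 0.0 is true, so a plain "is it zero" test cannot tell them
    // apart; inspect the sign bit instead. -0.0 has no int32 encoding and
    // JavaScript code can observe the difference (1 / x is -Infinity), so it
    // must not be silently converted to 0. +0.0 converts exactly.
    if (truncated == 0.0 && std::signbit(truncated))
        return ConvertResult::NegativeZero;

    out = static_cast<int32_t>(truncated);
    return ConvertResult::Exact;
}

// Verdict only, for callers that do not need the converted value.
ConvertResult classifyDouble(double value)
{
    int32_t ignored = 0;
    return convertDoubleToInt32(value, ignored);
}

// True when the conversion is exact and produces `expected`.
bool convertsExactlyTo(double value, int32_t expected)
{
    int32_t out = 0;
    return convertDoubleToInt32(value, out) == ConvertResult::Exact && out == expected;
}

int main()
{
    const double samples[] = { 0.0, -0.0, 42.0, -1.5, 2147483648.0 };
    for (double sample : samples) {
        const char* verdict = "not an int32";
        if (classifyDouble(sample) == ConvertResult::Exact)
            verdict = "exact";
        else if (classifyDouble(sample) == ConvertResult::NegativeZero)
            verdict = "negative zero";
        std::printf("%g -> %s\n", sample, verdict);
    }
    return 0;
}
```

Bailing out on any zero, as the ARM code did before this change, is safe but sends +0 down the slow path for no reason; the sign-bit test keeps +0 on the fast path while still rejecting -0. Because `==` cannot see the sign of zero, a regression test for this kind of conversion should feed -0.0 explicitly rather than relying on a zero check.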
3311 2019-01-28  Devin Rousso  <drousso@apple.com>
3312
3313         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3314         https://bugs.webkit.org/show_bug.cgi?id=193863
3315         <rdar://problem/47572764>
3316
3317         Reviewed by Joseph Pecoraro.
3318
3319         * inspector/protocol/Page.json:
3320         Add more values to the `Setting` enum type:
3321          - `ICECandidateFilteringEnabled`
3322          - `MediaCaptureRequiresSecureConnection`
3323          - `MockCaptureDevicesEnabled`
3324
3325 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3326
3327         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3328         https://bugs.webkit.org/show_bug.cgi?id=193941
3329
3330         Reviewed by Alex Christensen.
3331
3332         * API/JSWeakObjectMapRefPrivate.cpp:
3333         * bytecompiler/NodesCodegen.cpp:
3334         * heap/MachineStackMarker.cpp:
3335         * jit/ExecutableAllocator.cpp:
3336         * jsc.cpp:
3337         * parser/Nodes.cpp:
3338         * runtime/DateConstructor.cpp:
3339         * runtime/DateConversion.cpp:
3340         * runtime/DateInstance.cpp:
3341         * runtime/DatePrototype.cpp:
3342         * runtime/InitializeThreading.cpp:
3343         * runtime/IteratorOperations.cpp:
3344         * runtime/JSDateMath.cpp:
3345         * runtime/JSGlobalObjectFunctions.cpp:
3346         * runtime/StringPrototype.cpp:
3347         * runtime/VM.cpp:
3348         * testRegExp.cpp:
3349         * tools/JSDollarVM.cpp:
3350         * yarr/YarrInterpreter.cpp:
3351         * yarr/YarrJIT.cpp:
3352         * yarr/YarrPattern.cpp:
3353         * yarr/YarrUnicodeProperties.cpp:
3354
3355 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3356
3357         [JSC] Reduce size of memory used for ShadowChicken
3358         https://bugs.webkit.org/show_bug.cgi?id=193546
3359
3360         Reviewed by Mark Lam.
3361
3362         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3363         The removal of ShadowChicken saves 55KB of memory.
3364
3365         * debugger/DebuggerCallFrame.cpp:
3366         (JSC::DebuggerCallFrame::create):
3367         * ftl/FTLLowerDFGToB3.cpp:
3368         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3369         * heap/Heap.cpp:
3370         (JSC::Heap::stopThePeriphery):
3371         (JSC::Heap::addCoreConstraints):
3372         * jit/CCallHelpers.cpp:
3373         (JSC::CCallHelpers::ensureShadowChickenPacket):
3374         * jit/JITExceptions.cpp:
3375         (JSC::genericUnwind):
3376         * jit/JITOpcodes.cpp:
3377         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3378         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3379         * jit/JITOpcodes32_64.cpp:
3380         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3381         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3382         * jit/JITOperations.cpp:
3383         * llint/LLIntSlowPaths.cpp:
3384         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3385         * runtime/JSGlobalObject.cpp:
3386         (JSC::JSGlobalObject::setDebugger):
3387         * runtime/JSGlobalObject.h:
3388         (JSC::JSGlobalObject::setDebugger): Deleted.
3389         * runtime/VM.cpp:
3390         (JSC::VM::VM):
3391         (JSC::VM::ensureShadowChicken):
3392         * runtime/VM.h:
3393         (JSC::VM::shadowChicken):
3394         * tools/JSDollarVM.cpp:
3395         (JSC::functionShadowChickenFunctionsOnStack):
3396         (JSC::changeDebuggerModeWhenIdle):
3397
3398 2019-01-28  Andy Estes  <aestes@apple.com>
3399
3400         [watchOS] Enable Parental Controls content filtering
3401         https://bugs.webkit.org/show_bug.cgi?id=193939
3402         <rdar://problem/46641912>
3403
3404         Reviewed by Ryosuke Niwa.
3405
3406         * Configurations/FeatureDefines.xcconfig:
3407
3408 2019-01-28  Mark Lam  <mark.lam@apple.com>
3409
3410         ToString node actually does GC.
3411         https://bugs.webkit.org/show_bug.cgi?id=193920
3412         <rdar://problem/46695900>
3413
3414         Reviewed by Yusuke Suzuki.
3415
3416         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3417         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3418
3419         * dfg/DFGDoesGC.cpp:
3420         (JSC::DFG::doesGC):
3421
3422 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3423
3424         [JSC] RegExpConstructor should not have own IsoSubspace
3425         https://bugs.webkit.org/show_bug.cgi?id=193801
3426
3427         Reviewed by Mark Lam.
3428
3429         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3430         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3431         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3432         it from RegExpConstructor's members.
3433
3434         We introduce RegExpGlobalData, which holds the per-global RegExp matching data, and we perform `performMatch` etc. with
3435         JSGlobalObject instead of RegExpConstructor. This change requires small changes to the DFG / FTL RecordRegExpCachedResult
3436         node since its first argument changes from RegExpConstructor to JSGlobalObject.
3437
3438         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3439
3440         * CMakeLists.txt:
3441         * JavaScriptCore.xcodeproj/project.pbxproj:
3442         * Sources.txt:
3443         * dfg/DFGOperations.cpp:
3444         * dfg/DFGSpeculativeJIT.cpp:
3445         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3446         * dfg/DFGStrengthReductionPhase.cpp:
3447         (JSC::DFG::StrengthReductionPhase::handleNode):
3448         * ftl/FTLAbstractHeapRepository.cpp:
3449         * ftl/FTLAbstractHeapRepository.h:
3450         * ftl/FTLLowerDFGToB3.cpp:
3451         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3452         * runtime/JSGlobalObject.cpp:
3453         (JSC::JSGlobalObject::init):
3454         (JSC::JSGlobalObject::visitChildren):
3455         * runtime/JSGlobalObject.h:
3456         (JSC::JSGlobalObject::regExpGlobalData):
3457         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3458         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3459         * runtime/RegExpCache.cpp:
3460         (JSC::RegExpCache::initialize):
3461         * runtime/RegExpCache.h:
3462         (JSC::RegExpCache::emptyRegExp const):
3463         * runtime/RegExpCachedResult.cpp:
3464         (JSC::RegExpCachedResult::visitAggregate):
3465         (JSC::RegExpCachedResult::visitChildren): Deleted.
3466         * runtime/RegExpCachedResult.h:
3467         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3468         * runtime/RegExpConstructor.cpp:
3469         (JSC::RegExpConstructor::RegExpConstructor):
3470         (JSC::regExpConstructorDollar):
3471         (JSC::regExpConstructorInput):
3472         (JSC::regExpConstructorMultiline):
3473         (JSC::regExpConstructorLastMatch):
3474         (JSC::regExpConstructorLastParen):
3475         (JSC::regExpConstructorLeftContext):
3476         (JSC::regExpConstructorRightContext):
3477         (JSC::setRegExpConstructorInput):
3478         (JSC::setRegExpConstructorMultiline):
3479         (JSC::RegExpConstructor::destroy): Deleted.
3480         (JSC::RegExpConstructor::visitChildren): Deleted.
3481         (JSC::RegExpConstructor::getBackref): Deleted.
3482         (JSC::RegExpConstructor::getLastParen): Deleted.
3483         (JSC::RegExpConstructor::getLeftContext): Deleted.
3484         (JSC::RegExpConstructor::getRightContext): Deleted.
3485         * runtime/RegExpConstructor.h:
3486         (JSC::RegExpConstructor::performMatch): Deleted.
3487         (JSC::RegExpConstructor::recordMatch): Deleted.
3488         * runtime/RegExpGlobalData.cpp: Added.
3489         (JSC::RegExpGlobalData::visitAggregate):
3490         (JSC::RegExpGlobalData::getBackref):
3491         (JSC::RegExpGlobalData::getLastParen):
3492         (JSC::RegExpGlobalData::getLeftContext):
3493         (JSC::RegExpGlobalData::getRightContext):
3494         * runtime/RegExpGlobalData.h: Added.
3495         (JSC::RegExpGlobalData::cachedResult):
3496         (JSC::RegExpGlobalData::setMultiline):
3497         (JSC::RegExpGlobalData::multiline const):
3498         (JSC::RegExpGlobalData::input):
3499         (JSC::RegExpGlobalData::offsetOfCachedResult):
3500         * runtime/RegExpGlobalDataInlines.h: Added.
3501         (JSC::RegExpGlobalData::setInput):
3502         (JSC::RegExpGlobalData::performMatch):
3503         (JSC::RegExpGlobalData::recordMatch):
3504         * runtime/RegExpObject.cpp:
3505         (JSC::RegExpObject::matchGlobal):
3506         * runtime/RegExpObjectInlines.h:
3507         (JSC::RegExpObject::execInline):
3508         (JSC::RegExpObject::matchInline):
3509         (JSC::collectMatches):
3510         * runtime/RegExpPrototype.cpp:
3511         (JSC::RegExpPrototype::finishCreation):
3512         (JSC::regExpProtoFuncSearchFast):
3513         (JSC::RegExpPrototype::visitChildren): Deleted.
3514         * runtime/RegExpPrototype.h:
3515         * runtime/StringPrototype.cpp:
3516         (JSC::removeUsingRegExpSearch):
3517         (JSC::replaceUsingRegExpSearch):
3518         * runtime/VM.cpp:
3519         (JSC::VM::VM):
3520         * runtime/VM.h:
3521
3522 2018-12-15  Darin Adler  <darin@apple.com>
3523
3524         Replace many uses of String::format with more type-safe alternatives
3525         https://bugs.webkit.org/show_bug.cgi?id=192742
3526
3527         Reviewed by Mark Lam.
3528
3529         * inspector/InjectedScriptBase.cpp:
3530         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3531         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3532         * inspector/InspectorBackendDispatcher.cpp:
3533         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3534         * inspector/agents/InspectorConsoleAgent.cpp:
3535         (Inspector::InspectorConsoleAgent::enable): Ditto.
3536         * jsc.cpp:
3537         (FunctionJSCStackFunctor::operator() const): Ditto.
3538
3539         * runtime/CodeCache.cpp:
3540         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3541         using String::number.
3542
3543         * runtime/IntlDateTimeFormat.cpp:
3544         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3545         * runtime/IntlObject.cpp:
3546         (JSC::canonicalizeLocaleList): Ditto.
3547
3548 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3549
3550         AX: Introduce a static accessibility tree
3551         https://bugs.webkit.org/show_bug.cgi?id=193348
3552         <rdar://problem/47203295>
3553
3554         Reviewed by Ryosuke Niwa.
3555
3556         * Configurations/FeatureDefines.xcconfig:
3557
3558 2019-01-26  Devin Rousso  <drousso@apple.com>
3559
3560         Web Inspector: provide a way to edit the user agent of a remote target
3561         https://bugs.webkit.org/show_bug.cgi?id=193862
3562         <rdar://problem/47359292>
3563
3564         Reviewed by Joseph Pecoraro.
3565
3566         * inspector/protocol/Page.json:
3567         Add `overrideUserAgent` command.
3568
3569 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3570
3571         [JSC] NativeErrorConstructor should not have own IsoSubspace
3572         https://bugs.webkit.org/show_bug.cgi?id=193713
3573
3574         Reviewed by Saam Barati.
3575
3576         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3577         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3578         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3579         in the future offer some function instead of exposing the TypeError constructor, and remove this @TypeError reference. This change removes
3580         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3581         referenced.
3582
3583         * CMakeLists.txt:
3584         * JavaScriptCore.xcodeproj/project.pbxproj:
3585         * Sources.txt:
3586         * builtins/BuiltinNames.h:
3587         * interpreter/Interpreter.h:
3588         * runtime/Error.cpp:
3589         (JSC::createEvalError):
3590         (JSC::createRangeError):
3591         (JSC::createReferenceError):
3592         (JSC::createSyntaxError):
3593         (JSC::createTypeError):
3594         (JSC::createURIError):
3595         (WTF::printInternal): Deleted.
3596         * runtime/Error.h:
3597         * runtime/ErrorPrototype.cpp:
3598         (JSC::ErrorPrototype::create):
3599         (JSC::ErrorPrototype::finishCreation):
3600         * runtime/ErrorPrototype.h:
3601         (JSC::ErrorPrototype::create): Deleted.
3602         * runtime/ErrorType.cpp: Added.
3603         (JSC::errorTypeName):
3604         (WTF::printInternal):
3605         * runtime/ErrorType.h: Added.
3606         * runtime/JSGlobalObject.cpp:
3607         (JSC::JSGlobalObject::initializeErrorConstructor):
3608         (JSC::JSGlobalObject::init):
3609         (JSC::JSGlobalObject::visitChildren):
3610         * runtime/JSGlobalObject.h:
3611         (JSC::JSGlobalObject::internalPromiseConstructor const):
3612         (JSC::JSGlobalObject::errorStructure const):
3613         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3614         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3615         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3616         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3617         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3618         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3619         * runtime/NativeErrorConstructor.cpp:
3620         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3621         (JSC::NativeErrorConstructorBase::finishCreation):
3622         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3623         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3624         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3625         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3626         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3627         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3628         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3629         * runtime/NativeErrorConstructor.h:
3630         (JSC::NativeErrorConstructorBase::createStructure):
3631         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3632         * runtime/NativeErrorPrototype.cpp:
3633         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3634         * runtime/NativeErrorPrototype.h:
3635         * runtime/VM.cpp:
3636         (JSC::VM::VM):
3637         * runtime/VM.h:
3638         * wasm/js/WasmToJS.cpp:
3639         (JSC::Wasm::handleBadI64Use):
3640
3641 2019-01-25  Devin Rousso  <drousso@apple.com>
3642
3643         Web Inspector: provide a way to edit page settings on a remote target
3644         https://bugs.webkit.org/show_bug.cgi?id=193813
3645         <rdar://problem/47359510>
3646
3647         Reviewed by Joseph Pecoraro.
3648
3649         * inspector/protocol/Page.json:
3650         Add `overrideSetting` command with supporting `Setting` enum type.
3651
3652 2019-01-25  Keith Rollin  <krollin@apple.com>
3653
3654         Update Xcode projects with "Check .xcfilelists" build phase
3655         https://bugs.webkit.org/show_bug.cgi?id=193790
3656         <rdar://problem/47201374>
3657
3658         Reviewed by Alex Christensen.
3659
3660         Support for XCBuild includes specifying inputs and outputs to various
3661         Run Script build phases. These inputs and outputs are specified as
3662         .xcfilelist files. Once created, these .xcfilelist files need to be
3663         kept up-to-date. In order to check that they are up-to-date or not,
3664         add an Xcode build step that invokes an external script that performs
3665         the checking. If the .xcfilelists are found to be out-of-date, update
3666         them, halt the build, and instruct the developer to restart the build
3667         with up-to-date files.
3668
3669         At this time, the checking and regenerating is performed only if the
3670         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3671         who want to use this facility can set this variable and test out the
3672         checking/regenerating. Once it seems like there are no egregious
3673         issues that upset a developer's workflow, we'll unconditionally enable
3674         this facility.
3675
3676         * JavaScriptCore.xcodeproj/project.pbxproj:
3677         * Scripts/check-xcfilelists.sh: Added.
3678
3679 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3680
3681         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3682         https://bugs.webkit.org/show_bug.cgi?id=193796
3683         <rdar://problem/47532910>
3684
3685         Reviewed by Devin Rousso.
3686
3687         * runtime/SamplingProfiler.cpp:
3688         (JSC::SamplingProfiler::machThread):
3689         * runtime/SamplingProfiler.h:
3690         Expose the mach_port_t of the SamplingProfiler thread
3691         so it can be tested against later.
3692
3693 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3694
3695         Fix Windows build after r240511
3696
3697         * bytecode/UnlinkedFunctionExecutable.cpp:
3698         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3699
3700 2019-01-25  Keith Rollin  <krollin@apple.com>
3701
3702         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3703         https://bugs.webkit.org/show_bug.cgi?id=193781
3704         <rdar://problem/47201153>
3705
3706         Reviewed by Alex Christensen.
3707
3708         Part of generating the .xcfilelists used as part of adopting XCBuild
3709         includes running `make DerivedSources.make` from a standalone script.
3710         It’s important for this invocation to have the same environment as
3711         when the actual build invokes `make DerivedSources.make`. If the
3712         environments are different, then the two invocations will provide
3713         different results. In order to get the same environment in the
3714         standalone script, have the script launch xcodebuild targeting the
3715         "Apply Configuration to XCFileLists" build target, which will then
3716         re-invoke our standalone script. The script is now running again, this
3717         time in an environment with all workspace, project, target, xcconfig
3718         and other environment variables established.
3719
3720         The "Apply Configuration to XCFileLists" build target accomplishes
3721         this task via a small embedded shell script that consists only of:
3722
3723             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3724
3725         The process that invokes "Apply Configuration to XCFileLists" first
3726         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3727         evaluated and exports it into the shell environment. When xcodebuild
3728         is invoked, it inherits the value of this variable and can `eval` the
3729         contents of that variable. Our external standalone script can then set
3730         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3731         of command-line parameters needed to restart itself in the appropriate
3732         state.
3733
3734         * JavaScriptCore.xcodeproj/project.pbxproj:
3735
3736 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3737
3738         Add API to generate and consume cached bytecode
3739         https://bugs.webkit.org/show_bug.cgi?id=193401
3740         <rdar://problem/47514099>
3741
3742         Reviewed by Keith Miller.
3743
3744         Add the `generateBytecode` and `generateModuleBytecode` functions to
3745         generate serialized bytecode for a given `SourceCode`. These functions
3746         will eagerly generate code for all the nested functions.
3747
3748         Additionally, update the API methods in JSScript to generate and use the
3749         bytecode when the bytecodeCache path is provided.
3750
3751         * API/JSAPIGlobalObject.mm:
3752         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3753         * API/JSContext.mm:
3754         (-[JSContext wrapperMap]):
3755         * API/JSContextInternal.h:
3756         * API/JSScript.mm:
3757         (+[JSScript scriptWithSource:inVirtualMachine:]):
3758         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3759         (-[JSScript dealloc]):
3760         (-[JSScript readCache]):
3761         (-[JSScript writeCache]):
3762         (-[JSScript hash]):
3763         (-[JSScript source]):
3764         (-[JSScript cachedBytecode]):
3765         (-[JSScript jsSourceCode:]):
3766         * API/JSScriptInternal.h:
3767         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3768         (JSScriptSourceProvider::create):
3769         (JSScriptSourceProvider::JSScriptSourceProvider):
3770         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3771         (JSScriptSourceProvider::hash const):
3772         (JSScriptSourceProvider::source const):
3773         (JSScriptSourceProvider::cachedBytecode const):
3774         * API/JSVirtualMachine.mm:
3775         (-[JSVirtualMachine vm]):
3776         * API/JSVirtualMachineInternal.h:
3777         * API/tests/testapi.mm:
3778         (testBytecodeCache):
3779         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3780         (testObjectiveCAPI):
3781         * JavaScriptCore.xcodeproj/project.pbxproj:
3782         * SourcesCocoa.txt:
3783         * bytecode/UnlinkedFunctionExecutable.cpp:
3784         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3785         * bytecode/UnlinkedFunctionExecutable.h:
3786         * parser/SourceCodeKey.h:
3787         (JSC::SourceCodeKey::source const):
3788         * parser/SourceProvider.h:
3789         (JSC::CachedBytecode::CachedBytecode):
3790         (JSC::CachedBytecode::operator=):
3791         (JSC::CachedBytecode::data const):
3792         (JSC::CachedBytecode::size const):
3793         (JSC::CachedBytecode::owned const):
3794         (JSC::CachedBytecode::~CachedBytecode):
3795         (JSC::CachedBytecode::freeDataIfOwned):
3796         (JSC::SourceProvider::cachedBytecode const):
3797         * parser/UnlinkedSourceCode.h:
3798         (JSC::UnlinkedSourceCode::provider const):
3799         * runtime/CodeCache.cpp:
3800         (JSC::generateUnlinkedCodeBlockForFunctions):
3801         (JSC::writeCodeBlock):
3802         (JSC::serializeBytecode):
3803         * runtime/CodeCache.h:
3804         (JSC::CodeCacheMap::fetchFromDiskImpl):
3805         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3806         (JSC::generateUnlinkedCodeBlockImpl):
3807         (JSC::generateUnlinkedCodeBlock):
3808         * runtime/Completion.cpp:
3809         (JSC::generateBytecode):
3810         (JSC::generateModuleBytecode):
3811         * runtime/Completion.h:
3812         * runtime/Options.cpp:
3813         (JSC::recomputeDependentOptions):
3814
3815 2019-01-25  Keith Rollin  <krollin@apple.com>
3816
3817         Update WebKitAdditions.xcconfig with correct order of variable definitions
3818         https://bugs.webkit.org/show_bug.cgi?id=193793
3819         <rdar://problem/47532439>
3820
3821         Reviewed by Alex Christensen.
3822
3823         XCBuild changes the way xcconfig variables are evaluated. In short,
3824         all config file assignments are now considered in part of the
3825         evaluation. When using the new build system and an .xcconfig file
3826         contains multiple assignments of the same build setting:
3827
3828         - Later assignments using $(inherited) will inherit from earlier
3829           assignments in the xcconfig file.
3830         - Later assignments not using $(inherited) will take precedence over
3831           earlier assignments. An assignment to a more general setting will
3832           mask an earlier assignment to a less general setting. For example,
3833           an assignment without a condition ('FOO = bar') will completely mask
3834           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3835
3836         This affects some of our .xcconfig files, in that sometimes platform-
3837         or sdk-specific definitions appear before the general definitions.
3838         Under the new evaluation rules, the general definitions always take
3839         effect because they always overwrite the more-specific definitions. The
3840         solution is to swap the order, so that the general definitions are
3841         established first, and then conditionally overwritten by the
3842         more-specific definitions.
3843
3844         * Configurations/Version.xcconfig:
3845
3846 2019-01-25  Keith Rollin  <krollin@apple.com>
3847
3848         Update existing .xcfilelists
3849         https://bugs.webkit.org/show_bug.cgi?id=193791
3850         <rdar://problem/47201706>
3851
3852         Reviewed by Alex Christensen.
3853
3854         Many .xcfilelist files were added in r238824 in order to support
3855         XCBuild. Update these with recent changes to the set of build files
3856         and with the current generate-xcfilelist script.
3857
3858         * DerivedSources-input.xcfilelist:
3859         * DerivedSources-output.xcfilelist:
3860         * UnifiedSources-input.xcfilelist:
3861         * UnifiedSources-output.xcfilelist:
3862
3863 2019-01-25  Jon Davis  <jond@apple.com>
3864
3865         Update JavaScriptCore feature status entries.
3866         https://bugs.webkit.org/show_bug.cgi?id=193797
3867
3868         Reviewed by Mark Lam.
3869
3870         Updated feature status for Async Iteration, and Object rest/spread.
3871
3872         * features.json:
3873
3874 2019-01-24  Keith Miller  <keith_miller@apple.com>
3875
3876         Remove usage of internal macro from private header
3877         https://bugs.webkit.org/show_bug.cgi?id=193809
3878
3879         Reviewed by Saam Barati.
3880
3881         Also, add a new file to include all of our API headers to make sure
3882         they don't accidentally include C++ or internal values.
3883
3884         * API/JSScript.h:
3885         * API/tests/testIncludes.m: Added.
3886         * JavaScriptCore.xcodeproj/project.pbxproj:
3887
3888 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3889
3890         [JSC] ErrorConstructor should not have own IsoSubspace
3891         https://bugs.webkit.org/show_bug.cgi?id=193800
3892
3893         Reviewed by Saam Barati.
3894
3895         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have the
3896         IsoSubspace errorConstructorSpace in VM. But only one is allocated per JSGlobalObject, and it is
3897         too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit is per-JSGlobalObject
3898         information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3899         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3900         into IsoSubspaces) described,
3901
3902             "subclasses that are the