[JSC] Add LazyClassStructure::getInitializedOnMainThread
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for the booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits because the assertion requires that these functions be
        called in non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time, and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when the actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

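The assertion-placement difference described in the entry above, as an added C++ model that is not WebKit code: `get()` counts every off-main-thread call as a violation, while `getInitializedOnMainThread()` only counts the case where the initializer actually runs off the main thread. The `Thread` enum, the `Violations` counter and the three scenario functions are hypothetical stand-ins for JSC's compiler-thread assertion and crash.

```cpp
#include <functional>
#include <utility>

// Hypothetical stand-in for JSC's "are we on a compiler thread" check: the caller
// states which kind of thread it is on so both policies can be exercised deterministically.
enum class Thread { Main, Compiler };

// Records would-be assertion failures instead of crashing, so the two policies can be compared.
struct Violations {
    int offMainThreadGet = 0;   // get() was called from a compiler thread
    int offMainThreadInit = 0;  // the initializer itself ran on a compiler thread
};

template <typename T>
class LazyProperty {
public:
    using Initializer = std::function<T()>;
    explicit LazyProperty(Initializer init) : m_init(std::move(init)) {}

    // get(): the assertion sits at the call site, so any call from a compiler thread
    // is a violation whether or not the value was already initialized.
    const T& get(Thread thread, Violations& v) {
        if (thread != Thread::Main)
            ++v.offMainThreadGet;
        return ensure(thread, v, /* assertOnInit */ false);
    }

    // getInitializedOnMainThread(): compiler threads may read an already-initialized
    // value; the assertion moves into the slow path that performs the initialization.
    const T& getInitializedOnMainThread(Thread thread, Violations& v) {
        return ensure(thread, v, /* assertOnInit */ true);
    }

    bool isInitialized() const { return m_initialized; }

private:
    const T& ensure(Thread thread, Violations& v, bool assertOnInit) {
        if (!m_initialized) {
            if (assertOnInit && thread != Thread::Main)
                ++v.offMainThreadInit;  // accidental initialization from a compiler thread
            m_value = m_init();
            m_initialized = true;
        }
        return m_value;
    }

    Initializer m_init;
    T m_value {};
    bool m_initialized = false;
};

// Non-JIT configuration: only the main thread exists, so the prototype is created
// lazily on first use and neither accessor reports anything.
Violations nonJITScenario() {
    Violations v;
    LazyProperty<int> symbolPrototype([] { return 42; });
    symbolPrototype.getInitializedOnMainThread(Thread::Main, v); // lazy initialization
    symbolPrototype.getInitializedOnMainThread(Thread::Main, v); // already initialized
    return v;
}

// JIT configuration: eager initialization on the main thread (the JSGlobalObject::init
// equivalent), then a compiler thread reads the value through both accessors.
Violations jitScenario() {
    Violations v;
    LazyProperty<int> symbolPrototype([] { return 42; });
    symbolPrototype.getInitializedOnMainThread(Thread::Main, v);     // eager init
    symbolPrototype.getInitializedOnMainThread(Thread::Compiler, v); // allowed: no init runs
    symbolPrototype.get(Thread::Compiler, v);                        // get() still asserts
    return v;
}

// The bug the relocated assertion exists to catch: nobody initialized eagerly, so a
// compiler thread ends up running the initializer itself.
Violations accidentalInitScenario() {
    Violations v;
    LazyProperty<int> symbolPrototype([] { return 42; });
    symbolPrototype.getInitializedOnMainThread(Thread::Compiler, v);
    return v;
}
```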
2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue; thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of a non-typical function's source code (Program,
        Eval code, and Global function from function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable, moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we could investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        approach is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using the DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer to a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

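The publication pattern the entry above describes, as an added C++ illustration that is not WebKit code: the creator runs under `std::call_once` and publishes the pointer with release ordering (the store-store fence of the patch), while the tear-down path reads the global with acquire ordering and therefore never observes a partially constructed object. `Worklist`, `ensureWorklist`, `existingWorklistOrNull` and `runRace` are hypothetical stand-ins for the DFG/FTL/Wasm worklist functions.

```cpp
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>

// Constructed state that an unordered reader could see "half-baked".
struct Worklist {
    int numberOfThreads = 0;
    int queueCapacity = 0;
    bool ready = false;
    Worklist() {
        numberOfThreads = 4;
        queueCapacity = 256;
        ready = true; // last write of construction
    }
};

static std::atomic<Worklist*> s_worklist { nullptr };
static std::once_flag s_onceFlag;

// VM (B) side: create the worklist exactly once and publish its pointer.
// The release store orders every write of the constructor before the pointer
// becomes visible to other threads (the store-store fence of the patch).
Worklist& ensureWorklist() {
    std::call_once(s_onceFlag, [] {
        Worklist* worklist = new Worklist();
        s_worklist.store(worklist, std::memory_order_release);
    });
    return *s_worklist.load(std::memory_order_acquire);
}

// VM (A) side: read the global directly without going through call_once.
// The acquire load pairs with the release store, so a non-null result is fully built.
Worklist* existingWorklistOrNull() {
    return s_worklist.load(std::memory_order_acquire);
}

// Race several readers (VM (A) destructors) against one creator (VM (B)) and count
// how many times a reader saw a non-null pointer to an inconsistent object.
int runRace(int readerCount) {
    std::atomic<int> inconsistent { 0 };
    std::vector<std::thread> readers;
    for (int i = 0; i < readerCount; ++i) {
        readers.emplace_back([&inconsistent] {
            for (int spin = 0; spin < 1000000; ++spin) {
                if (Worklist* worklist = existingWorklistOrNull()) {
                    if (!worklist->ready || worklist->numberOfThreads != 4 || worklist->queueCapacity != 256)
                        ++inconsistent;
                    break;
                }
            }
        });
    }
    std::thread creator([] { ensureWorklist(); });
    creator.join();
    for (auto& reader : readers)
        reader.join();
    return inconsistent.load();
}
```

On x86 the unfenced version would rarely misbehave in practice; the ordering matters on weakly ordered targets such as ARM64, where the release/acquire pair is what guarantees the reader sees the constructor's writes.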
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, the Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist functions to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode).
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

686 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
687
688         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
689         https://bugs.webkit.org/show_bug.cgi?id=194659
690
691         Reviewed by Mark Lam.
692
693         Non-JIT entrypoints create NativeJITCode every time they are called. But this is meaningless since these entry point codes are identical.
694         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
695         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
696
697         * dfg/DFGJITCode.h:
698         * dfg/DFGJITFinalizer.cpp:
699         (JSC::DFG::JITFinalizer::finalize):
700         (JSC::DFG::JITFinalizer::finalizeFunction):
701         * jit/JITCode.cpp:
702         (JSC::DirectJITCode::initializeCodeRefForDFG):
703         (JSC::DirectJITCode::initializeCodeRef): Deleted.
704         (JSC::NativeJITCode::initializeCodeRef): Deleted.
705         * jit/JITCode.h:
706         * llint/LLIntEntrypoint.cpp:
707         (JSC::LLInt::setFunctionEntrypoint):
708         (JSC::LLInt::setEvalEntrypoint):
709         (JSC::LLInt::setProgramEntrypoint):
710         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
711
712 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
713
714         [WTF] Add environment variable helpers
715         https://bugs.webkit.org/show_bug.cgi?id=192405
716
717         Reviewed by Michael Catanzaro.
718
719         * inspector/remote/glib/RemoteInspectorGlib.cpp:
720         (Inspector::RemoteInspector::RemoteInspector):
721         (Inspector::RemoteInspector::start):
722         * jsc.cpp:
723         (startTimeoutThreadIfNeeded):
724         * runtime/Options.cpp:
725         (JSC::overrideOptionWithHeuristic):
726         (JSC::Options::overrideAliasedOptionWithHeuristic):
727         (JSC::Options::initialize):
728         * runtime/VM.cpp:
729         (JSC::enableAssembler):
730         (JSC::VM::VM):
731         * tools/CodeProfiling.cpp:
732         (JSC::CodeProfiling::notifyAllocator):
733         Utilize WTF::Environment where possible.
734
735 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
736
737         [JSC] Should have default NativeJITCode
738         https://bugs.webkit.org/show_bug.cgi?id=194634
739
740         Reviewed by Mark Lam.
741
742         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
743         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
744         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole process level. This removes 446 NativeJITCode
745         allocations, which take 14KB.
746
747         * runtime/VM.cpp:
748         (JSC::jitCodeForCallTrampoline):
749         (JSC::jitCodeForConstructTrampoline):
750         (JSC::VM::getHostFunction):
751
752 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
753
754         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
755         https://bugs.webkit.org/show_bug.cgi?id=194576
756
757         Reviewed by Saam Barati.
758
759         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
760         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
761
762         * bytecode/UnlinkedFunctionExecutable.cpp:
763         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
764         (JSC::UnlinkedFunctionExecutable::link):
765         * bytecode/UnlinkedFunctionExecutable.h:
766         * runtime/CodeCache.cpp:
767         (JSC::generateUnlinkedCodeBlockForFunctions):
768
769 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
770
771         CachedBitVector's size must be converted from bits to bytes
772         https://bugs.webkit.org/show_bug.cgi?id=194441
773
774         Reviewed by Saam Barati.
775
776         CachedBitVector used its size in bits for memcpy. That didn't cause any
777         issues when encoding, since the size in bits was also used in the allocation,
778         but would overflow the actual BitVector buffer when decoding.
779
780         * runtime/CachedTypes.cpp:
781         (JSC::CachedBitVector::encode):
782         (JSC::CachedBitVector::decode const):
783
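The bits-versus-bytes mistake described in the entry above, illustrated with an added C++ example that is not JSC's code: a toy bit vector whose cached form stores a bit count, with the copy length computed both the buggy way (bit count used as a byte count) and the fixed way, and a decode that bounds-checks the copy against the destination. All names here (bitvec_demo, bytesForBits, BitVector, CachedBitVector) are constructed for the illustration.

```cpp
// Added illustration (not JSC's code): a minimal cached bit vector showing why
// a size stored in bits must be converted to bytes before memcpy.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

namespace bitvec_demo {

// Number of bytes needed to hold `bits` bits (rounding up).
constexpr size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }

// Toy stand-in for BitVector: a bit count plus a buffer sized in bytes.
struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> bytes; // bytesForBits(numBits) entries

    explicit BitVector(size_t bits) : numBits(bits), bytes(bytesForBits(bits), 0) {}
    void set(size_t i) { bytes[i / 8] |= uint8_t(1u << (i % 8)); }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
};

// Toy stand-in for the serialized form: the bit count followed by the payload.
struct CachedBitVector {
    size_t numBits = 0;
    std::vector<uint8_t> payload;
};

// Encoding copies bytesForBits(numBits) bytes into a payload of the same size.
// (In the original bug, using bits here was harmless only because the
// allocation also used bits, so source and destination agreed.)
CachedBitVector encode(const BitVector& bv) {
    CachedBitVector cached;
    cached.numBits = bv.numBits;
    cached.payload.resize(bytesForBits(bv.numBits));
    if (!cached.payload.empty())
        std::memcpy(cached.payload.data(), bv.bytes.data(), cached.payload.size());
    return cached;
}

// Copy length a decode would use under each interpretation.
// Buggy: treats the bit count as a byte count.
size_t buggyCopyLength(const CachedBitVector& c) { return c.numBits; }
// Fixed: converts bits to bytes first.
size_t fixedCopyLength(const CachedBitVector& c) { return bytesForBits(c.numBits); }

// The destination holds only bytesForBits(numBits) bytes, so copying numBits
// bytes would write past its end whenever numBits > bytesForBits(numBits),
// i.e. for any numBits > 1.
bool buggyLengthOverflows(const CachedBitVector& c) {
    return buggyCopyLength(c) > bytesForBits(c.numBits);
}

// Decode into a freshly allocated BitVector using the byte length, and refuse
// a record whose payload cannot supply that many bytes (truncated/corrupt cache).
BitVector decode(const CachedBitVector& c) {
    BitVector out(c.numBits);
    size_t len = fixedCopyLength(c);
    if (len > out.bytes.size() || len > c.payload.size())
        throw std::length_error("copy length exceeds buffer");
    if (len)
        std::memcpy(out.bytes.data(), c.payload.data(), len);
    return out;
}

// Round-trip a constructed vector (every third bit set) through encode/decode.
bool roundTripPreservesBits(size_t numBits) {
    BitVector bv(numBits);
    for (size_t i = 0; i < numBits; i += 3)
        bv.set(i);
    BitVector back = decode(encode(bv));
    if (back.numBits != bv.numBits)
        return false;
    for (size_t i = 0; i < numBits; ++i)
        if (back.get(i) != bv.get(i))
            return false;
    return true;
}

// A constructed record declaring 100 bits (13 bytes) but carrying only 5 bytes
// must be rejected by decode() rather than read past the payload.
bool decodeRejectsTruncatedPayload() {
    CachedBitVector c;
    c.numBits = 100;
    c.payload.assign(5, 0xff);
    try {
        decode(c);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

} // namespace bitvec_demo
```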
784 2019-02-13  Brian Burg  <bburg@apple.com>
785
786         Web Inspector: don't include accessibility role in DOM.Node object payloads
787         https://bugs.webkit.org/show_bug.cgi?id=194623
788         <rdar://problem/36384037>
789
790         Reviewed by Devin Rousso.
791
792         Remove property of DOM.Node that is no longer being sent.
793
794         * inspector/protocol/DOM.json:
795
796 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
797
798         We should only make rope strings when concatenating strings long enough.
799         https://bugs.webkit.org/show_bug.cgi?id=194465
800
801         Reviewed by Mark Lam.
802
803         This patch stops us from allocating a rope string if the resulting
804         rope would be smaller than the size of the JSRopeString object we
805         would need to allocate.
806
807         This patch also adds paths so that we don't unnecessarily allocate
808         JSString cells for primitives we are going to concatenate with a
809         string anyway.
810
811         The important change from the previous one is that we do not apply
812         the above rule to JSRopeStrings generated by JSStrings. If we convert
813         it to JSString, the comparison of memory consumption becomes the following,
814         because JSRopeString does not have a StringImpl until it is resolved.
815
816             sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content
817
818         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
819         resolving eagerly increases memory footprint. The point is that we need to
820         account for the newly created JSString and JSRopeString from the operands. This is the
821         reason why this patch adds different thresholds for each jsString function.
822
823         This patch also avoids concatenation for ropes conservatively. Many ropes are
824         temporary cells. So we do not resolve eagerly if one of operands is already a
825         rope.
826
827         In CLI execution, this change is performance neutral in JetStream2 (run 6 times: 1 for warming up, and the average of the latter 5).
828
829             Before: 159.3778
830             After:  160.72340000000003
831
832         * dfg/DFGOperations.cpp:
833         * runtime/CommonSlowPaths.cpp:
834         (JSC::SLOW_PATH_DECL):
835         * runtime/JSString.h:
836         (JSC::JSString::isRope const):
837         * runtime/Operations.cpp:
838         (JSC::jsAddSlowCase):
839         * runtime/Operations.h:
840         (JSC::jsString):
841         (JSC::jsAddNonNumber):
842         (JSC::jsAdd):
843
844 2019-02-13  Saam Barati  <sbarati@apple.com>
845
846         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
847         https://bugs.webkit.org/show_bug.cgi?id=194610
848
849         Reviewed by Michael Saboff.
850
851         BinarySwitch might use the scratch register. We must model the
852         effects of that properly. This is already caught by our br-table
853         tests on arm64.
854
855         * wasm/WasmAirIRGenerator.cpp:
856         (JSC::Wasm::AirIRGenerator::addSwitch):
857
858 2019-02-13  Mark Lam  <mark.lam@apple.com>
859
860         Create a randomized free list for new StructureIDs on StructureIDTable resize.
861         https://bugs.webkit.org/show_bug.cgi?id=194566
862         <rdar://problem/47975502>
863
864         Reviewed by Michael Saboff.
865
866         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
867         implementation is a little easier to read.
868
869         This patch appears to be perf neutral on JetStream2 (as run from the command line).
870
871         * runtime/StructureIDTable.cpp:
872         (JSC::StructureIDTable::StructureIDTable):
873         (JSC::StructureIDTable::makeFreeListFromRange):
874         (JSC::StructureIDTable::resize):
875         (JSC::StructureIDTable::allocateID):
876         (JSC::StructureIDTable::deallocateID):
877         * runtime/StructureIDTable.h:
878         (JSC::StructureIDTable::get):
879         (JSC::StructureIDTable::deallocateID):
880         (JSC::StructureIDTable::allocateID):
881         (JSC::StructureIDTable::flushOldTables):
882
883 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
884
885         VariableLengthObject::allocate<T> should initialize objects
886         https://bugs.webkit.org/show_bug.cgi?id=194534
887
888         Reviewed by Michael Saboff.
889
890         `buffer()` should not be called for empty VariableLengthObjects, but
891         these cases were not being caught due to the objects not being properly
892         initialized. Fix it so that allocate calls the constructor and fix the
893         assertion failures.
894
895         * runtime/CachedTypes.cpp:
896         (JSC::CachedObject::operator new):
897         (JSC::VariableLengthObject::allocate):
898         (JSC::CachedVector::encode):
899         (JSC::CachedVector::decode const):
900         (JSC::CachedUniquedStringImpl::decode const):
901         (JSC::CachedBitVector::encode):
902         (JSC::CachedBitVector::decode const):
903         (JSC::CachedArray::encode):
904         (JSC::CachedArray::decode const):
905         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
906         (JSC::CachedBigInt::decode const):
907
908 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
909
910         CodeBlocks read from disk should not be re-written
911         https://bugs.webkit.org/show_bug.cgi?id=194535
912
913         Reviewed by Michael Saboff.
914
915         Keep track of which CodeBlocks have been read from disk or have already
916         been serialized in CodeCache.
917
918         * runtime/CodeCache.cpp:
919         (JSC::CodeCache::write):
920         * runtime/CodeCache.h:
921         (JSC::SourceCodeValue::SourceCodeValue):
922         (JSC::CodeCacheMap::fetchFromDiskImpl):
923
924 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
925
926         SourceCode should be copied when generating bytecode for functions
927         https://bugs.webkit.org/show_bug.cgi?id=194536
928
929         Reviewed by Saam Barati.
930
931         The FunctionExecutable might be collected while generating the bytecode
932         for nested functions, in which case the SourceCode reference would no
933         longer be valid.
934
935         * runtime/CodeCache.cpp:
936         (JSC::generateUnlinkedCodeBlockForFunctions):
937
938 2019-02-12  Saam barati  <sbarati@apple.com>
939
940         JSScript needs to retain its cache path NSURL*
941         https://bugs.webkit.org/show_bug.cgi?id=194577
942
943         Reviewed by Tim Horton.
944
945         * API/JSScript.mm:
946         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
947         (-[JSScript dealloc]):
948
949 2019-02-12  Robin Morisset  <rmorisset@apple.com>
950
951         Make B3Value::returnsBool() more precise
952         https://bugs.webkit.org/show_bug.cgi?id=194457
953
954         Reviewed by Saam Barati.
955
956         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
957         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
958         No new tests added as this should be indirectly tested by the already existing tests.
959
960         * b3/B3Value.cpp:
961         (JSC::B3::Value::returnsBool const):
962
963 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
964
965         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
966         https://bugs.webkit.org/show_bug.cgi?id=194399
967         <rdar://problem/47889777>
968
969         * dfg/DFGDoesGC.cpp:
970         (JSC::DFG::doesGC):
971
972 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
973
974         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
975         https://bugs.webkit.org/show_bug.cgi?id=194370
976
977         Reviewed by Darin Adler.
978
979         Change a couple WTFLogAlways to use g_warning, for good measure. Of course this isn't
980         necessary, but it will make errors more visible.
981
982         * inspector/remote/glib/RemoteInspectorGlib.cpp:
983         (Inspector::RemoteInspector::start):
984         (Inspector::dbusConnectionCallAsyncReadyCallback):
985         * inspector/remote/glib/RemoteInspectorServer.cpp:
986         (Inspector::RemoteInspectorServer::start):
987
988 2019-02-12  Andy Estes  <aestes@apple.com>
989
990         [iOSMac] Enable Parental Controls Content Filtering
991         https://bugs.webkit.org/show_bug.cgi?id=194521
992         <rdar://39732376>
993
994         Reviewed by Tim Horton.
995
996         * Configurations/FeatureDefines.xcconfig:
997
998 2019-02-11  Mark Lam  <mark.lam@apple.com>
999
1000         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1001         https://bugs.webkit.org/show_bug.cgi?id=194512
1002         <rdar://problem/47975465>
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         * runtime/StructureIDTable.cpp:
1007         (JSC::StructureIDTable::StructureIDTable):
1008         (JSC::StructureIDTable::allocateID):
1009         (JSC::StructureIDTable::deallocateID):
1010         * runtime/StructureIDTable.h:
1011
1012 2019-02-10  Mark Lam  <mark.lam@apple.com>
1013
1014         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1015         https://bugs.webkit.org/show_bug.cgi?id=194493
1016         <rdar://problem/36380852>
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1021         however not good for performance and memory usage.  As such, a debug ASSERT will
1022         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1023         possible to be instantiated with duplicate cases in
1024         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1025
1026         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1027         see duplicate cases.
1028
1029         * jit/BinarySwitch.cpp:
1030         (JSC::BinarySwitch::BinarySwitch):
1031
1032 2019-02-10  Darin Adler  <darin@apple.com>
1033
1034         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1035         https://bugs.webkit.org/show_bug.cgi?id=194485
1036
1037         Reviewed by Daniel Bates.
1038
1039         * heap/HeapSnapshotBuilder.cpp:
1040         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1041         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1042
1043         * runtime/JSGlobalObjectFunctions.cpp:
1044         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1045         including one in a call to appendByteAsHex.
1046         (JSC::globalFuncEscape): Ditto.
1047
1048 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1049
1050         Unreviewed, rolling out r241230.
1051         https://bugs.webkit.org/show_bug.cgi?id=194488
1052
1053         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1054         #webkit).
1055
1056         Reverted changeset:
1057
1058         "We should only make rope strings when concatenating strings
1059         long enough."
1060         https://bugs.webkit.org/show_bug.cgi?id=194465
1061         https://trac.webkit.org/changeset/241230
1062
1063 2019-02-10  Saam barati  <sbarati@apple.com>
1064
1065         BBQ-Air: Emit better code for switch
1066         https://bugs.webkit.org/show_bug.cgi?id=194053
1067
1068         Reviewed by Yusuke Suzuki.
1069
1070         Instead of emitting a linear set of jumps for Switch, this patch
1071         makes the BBQ-Air backend emit a binary switch.
1072
1073         * wasm/WasmAirIRGenerator.cpp:
1074         (JSC::Wasm::AirIRGenerator::addSwitch):
1075
1076 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1077
1078         Unreviewed, Lexer should use isLatin1 implementation in WTF
1079         https://bugs.webkit.org/show_bug.cgi?id=194466
1080
1081         Follow-up after r241233, pointed out by Darin.
1082
1083         * parser/Lexer.cpp:
1084         (JSC::isLatin1): Deleted.
1085
1086 2019-02-09  Darin Adler  <darin@apple.com>
1087
1088         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1089         https://bugs.webkit.org/show_bug.cgi?id=194021
1090
1091         Reviewed by Geoffrey Garen.
1092
1093         * inspector/agents/InspectorConsoleAgent.cpp:
1094         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1095         makeString do the conversion without allocating/destroying a String.
1096         * inspector/agents/InspectorDebuggerAgent.cpp:
1097         (Inspector::objectGroupForBreakpointAction): Ditto.
1098         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1099         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1100         * runtime/JSGenericTypedArrayViewInlines.h:
1101         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1102         * runtime/NumberPrototype.cpp:
1103         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1104         of calling numberToFixedWidthString to do the same thing.
1105         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1106         numberToFixedPrecisionString to do the same thing.
1107         * runtime/SamplingProfiler.cpp:
1108         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1109
1110 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1111
1112         Unreviewed, rolling in r241237 again
1113         https://bugs.webkit.org/show_bug.cgi?id=194469
1114
1115         * runtime/JSString.h:
1116         (JSC::jsSubstring):
1117
1118 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1119
1120         Unreviewed, rolling out r241237.
1121         https://bugs.webkit.org/show_bug.cgi?id=194474
1122
1123         Shows significant memory increase in WSL (Requested by
1124         yusukesuzuki on #webkit).
1125
1126         Reverted changeset:
1127
1128         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1129         takes more memory"
1130         https://bugs.webkit.org/show_bug.cgi?id=194469
1131         https://trac.webkit.org/changeset/241237
1132
1133 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1134
1135         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1136         https://bugs.webkit.org/show_bug.cgi?id=194469
1137
1138         Reviewed by Geoffrey Garen.
1139
1140         * runtime/JSString.h:
1141         (JSC::jsSubstring):
1142
1143 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1144
1145         [JSC] CachedTypes should use jsString instead of JSString::create
1146         https://bugs.webkit.org/show_bug.cgi?id=194471
1147
1148         Reviewed by Mark Lam.
1149
1150         Use jsString() here because JSString::create is a bit low-level API and it requires some invariant like "length is not zero".
1151
1152         * runtime/CachedTypes.cpp:
1153         (JSC::CachedJSValue::decode const):
1154
1155 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1156
1157         [JSC] Increase StructureIDTable initial capacity
1158         https://bugs.webkit.org/show_bug.cgi?id=194468
1159
1160         Reviewed by Mark Lam.
1161
1162         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1163         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1164         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
1165         more memory dirty. We also remove some structures that are no longer used.
1166
1167         * runtime/JSGlobalObject.h:
1168         (JSC::JSGlobalObject::callbackObjectStructure const):
1169         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1170         * runtime/StructureIDTable.h:
1171         * runtime/VM.h:
1172
1173 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1174
1175         [JSC] String.fromCharCode's slow path always generates 16bit string
1176         https://bugs.webkit.org/show_bug.cgi?id=194466
1177
1178         Reviewed by Keith Miller.
1179
1180         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1181         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1182         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1183         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1184         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1185         as much as possible.
1186
1187         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1188
1189         * runtime/StringConstructor.cpp:
1190         (JSC::stringFromCharCode):
1191
1192 2019-02-08  Keith Miller  <keith_miller@apple.com>
1193
1194         We should only make rope strings when concatenating strings long enough.
1195         https://bugs.webkit.org/show_bug.cgi?id=194465
1196
1197         Reviewed by Saam Barati.
1198
1199         This patch stops us from allocating a rope string if the resulting
1200         rope would be smaller than the size of the JSRopeString object we
1201         would need to allocate.
1202
1203         This patch also adds paths so that we don't unnecessarily allocate
1204         JSString cells for primitives we are going to concatenate with a
1205         string anyway.
1206
1207         * dfg/DFGOperations.cpp:
1208         * runtime/CommonSlowPaths.cpp:
1209         (JSC::SLOW_PATH_DECL):
1210         * runtime/JSString.h:
1211         * runtime/Operations.cpp:
1212         (JSC::jsAddSlowCase):
1213         * runtime/Operations.h:
1214         (JSC::jsString):
1215         (JSC::jsAdd):
1216
1217 2019-02-08  Saam barati  <sbarati@apple.com>
1218
1219         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1220         https://bugs.webkit.org/show_bug.cgi?id=194334
1221         <rdar://problem/47844327>
1222
1223         Reviewed by Mark Lam.
1224
1225         * dfg/DFGAbstractInterpreterInlines.h:
1226         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1227         * dfg/DFGArgumentsEliminationPhase.cpp:
1228         * dfg/DFGByteCodeParser.cpp:
1229         (JSC::DFG::ByteCodeParser::parseBlock):
1230         * dfg/DFGClobberize.h:
1231         (JSC::DFG::clobberize):
1232         * dfg/DFGConstantFoldingPhase.cpp:
1233         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1234         * dfg/DFGFixupPhase.cpp:
1235         (JSC::DFG::FixupPhase::fixupNode):
1236         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1237         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1238         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1239         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1240         * dfg/DFGNodeType.h:
1241         * dfg/DFGSSALoweringPhase.cpp:
1242         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1243         * dfg/DFGSpeculativeJIT.cpp:
1244         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1245         * ftl/FTLLowerDFGToB3.cpp:
1246         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1247         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1248
1249 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1250
1251         [JSC] Shrink sizeof(CodeBlock) more
1252         https://bugs.webkit.org/show_bug.cgi?id=194419
1253
1254         Reviewed by Mark Lam.
1255
1256         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1257
1258         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1259         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1260         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1261
1262         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1263         And we do not touch it in CodeBlock::~CodeBlock.
1264
1265         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1266         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1267         singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1268
1269         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1270
1271         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1272
1273         * bytecode/CodeBlock.cpp:
1274         (JSC::CodeBlock::hash const):
1275         (JSC::CodeBlock::sourceCodeForTools const):
1276         (JSC::CodeBlock::dumpAssumingJITType const):
1277         (JSC::CodeBlock::dumpSource):
1278         (JSC::CodeBlock::CodeBlock):
1279         (JSC::CodeBlock::finishCreation):
1280         (JSC::CodeBlock::propagateTransitions):
1281         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1282         (JSC::CodeBlock::setCalleeSaveRegisters):
1283         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1284         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1285         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1286         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1287         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1288         (JSC::CodeBlock::newReplacement):
1289         (JSC::CodeBlock::replacement):
1290         (JSC::CodeBlock::computeCapabilityLevel):
1291         (JSC::CodeBlock::jettison):
1292         (JSC::CodeBlock::calleeSaveRegisters const):
1293         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1294         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1295         (JSC::CodeBlock::getArrayProfile):
1296         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1297         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1298         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1299         (JSC::CodeBlock::validate):
1300         (JSC::CodeBlock::outOfLineJumpTarget):
1301         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1302         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1303         * bytecode/CodeBlock.h:
1304         (JSC::CodeBlock::specializationKind const):
1305         (JSC::CodeBlock::isStrictMode const):
1306         (JSC::CodeBlock::isConstructor const):
1307         (JSC::CodeBlock::codeType const):
1308         (JSC::CodeBlock::isKnownNotImmediate):
1309         (JSC::CodeBlock::instructions const):
1310         (JSC::CodeBlock::ownerExecutable const):
1311         (JSC::CodeBlock::thisRegister const):
1312         (JSC::CodeBlock::source const):
1313         (JSC::CodeBlock::sourceOffset const):
1314         (JSC::CodeBlock::firstLineColumnOffset const):
1315         (JSC::CodeBlock::createRareDataIfNecessary):
1316         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1317         (JSC::CodeBlock::setThisRegister): Deleted.
1318         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1319         * bytecode/EvalCodeBlock.h:
1320         * bytecode/FunctionCodeBlock.h:
1321         * bytecode/GlobalCodeBlock.h:
1322         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1323         * bytecode/ModuleProgramCodeBlock.h:
1324         * bytecode/ProgramCodeBlock.h:
1325         * debugger/Debugger.cpp:
1326         (JSC::Debugger::toggleBreakpoint):
1327         * debugger/DebuggerCallFrame.cpp:
1328         (JSC::DebuggerCallFrame::sourceID const):
1329         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1330         * debugger/DebuggerScope.cpp:
1331         (JSC::DebuggerScope::location const):
1332         * dfg/DFGByteCodeParser.cpp:
1333         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1334         (JSC::DFG::ByteCodeParser::inliningCost):
1335         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1336         * dfg/DFGCapabilities.cpp:
1337         (JSC::DFG::isSupportedForInlining):
1338         (JSC::DFG::mightCompileEval):
1339         (JSC::DFG::mightCompileProgram):
1340         (JSC::DFG::mightCompileFunctionForCall):
1341         (JSC::DFG::mightCompileFunctionForConstruct):
1342         (JSC::DFG::canUseOSRExitFuzzing):
1343         * dfg/DFGGraph.h:
1344         (JSC::DFG::Graph::executableFor):
1345         * dfg/DFGJITCompiler.cpp:
1346         (JSC::DFG::JITCompiler::compileFunction):
1347         * dfg/DFGOSREntry.cpp:
1348         (JSC::DFG::prepareOSREntry):
1349         * dfg/DFGOSRExit.cpp:
1350         (JSC::DFG::restoreCalleeSavesFor):
1351         (JSC::DFG::saveCalleeSavesFor):
1352         (JSC::DFG::saveOrCopyCalleeSavesFor):
1353         * dfg/DFGOSRExitCompilerCommon.cpp:
1354         (JSC::DFG::handleExitCounts):
1355         * dfg/DFGOperations.cpp:
1356         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1357         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1358         * ftl/FTLCapabilities.cpp:
1359         (JSC::FTL::canCompile):
1360         * ftl/FTLLink.cpp:
1361         (JSC::FTL::link):
1362         * ftl/FTLOSRExitCompiler.cpp:
1363         (JSC::FTL::compileStub):
1364         * interpreter/CallFrame.cpp:
1365         (JSC::CallFrame::callerSourceOrigin):
1366         * interpreter/Interpreter.cpp:
1367         (JSC::eval):
1368         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1369         * interpreter/StackVisitor.cpp:
1370         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1371         (JSC::StackVisitor::Frame::sourceURL const):
1372         (JSC::StackVisitor::Frame::sourceID):
1373         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1374         * interpreter/StackVisitor.h:
1375         * jit/AssemblyHelpers.h:
1376         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1377         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1378         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1379         * jit/CallFrameShuffleData.cpp:
1380         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1381         * jit/JIT.cpp:
1382         (JSC::JIT::compileWithoutLinking):
1383         * jit/JITToDFGDeferredCompilationCallback.cpp:
1384         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1385         * jit/JITWorklist.cpp:
1386         (JSC::JITWorklist::Plan::finalize):
1387         (JSC::JITWorklist::compileNow):
1388         * jit/RegisterAtOffsetList.cpp:
1389         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1390         * jit/RegisterAtOffsetList.h:
1391         (JSC::RegisterAtOffsetList::at const):
1392         * runtime/ErrorInstance.cpp:
1393         (JSC::appendSourceToError):
1394         * runtime/ScriptExecutable.cpp:
1395         (JSC::ScriptExecutable::newCodeBlockFor):
1396         * runtime/StackFrame.cpp:
1397         (JSC::StackFrame::sourceID const):
1398         (JSC::StackFrame::sourceURL const):
1399         (JSC::StackFrame::computeLineAndColumn const):
1400
1401 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1402
1403         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1404         https://bugs.webkit.org/show_bug.cgi?id=194460
1405
1406         Reviewed by Mark Lam.
1407
1408         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1409
1410         * b3/B3LowerMacros.cpp:
1411
1412 2019-02-08  Mark Lam  <mark.lam@apple.com>
1413
1414         Use maxSingleCharacterString in comparisons instead of literal constants.
1415         https://bugs.webkit.org/show_bug.cgi?id=194452
1416
1417         Reviewed by Yusuke Suzuki.
1418
1419         This way, if we ever change maxSingleCharacterString, it won't break all this code
1420         that relies on it being 0xff implicitly.
1421
1422         * dfg/DFGSpeculativeJIT.cpp:
1423         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1424         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1425         * ftl/FTLLowerDFGToB3.cpp:
1426         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1427         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1428         * jit/ThunkGenerators.cpp:
1429         (JSC::stringGetByValGenerator):
1430         (JSC::charToString):
1431
1432 2019-02-08  Mark Lam  <mark.lam@apple.com>
1433
1434         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1435         https://bugs.webkit.org/show_bug.cgi?id=194446
1436         <rdar://problem/47926792>
1437
1438         Reviewed by Saam Barati.
1439
1440         Fix doesGC() for the following nodes:
1441
1442             CheckTierUpAtReturn:
1443                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1444                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1445
1446             CheckTierUpInLoop:
1447                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1448                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1449
1450             CheckTierUpAndOSREnter:
1451                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1452                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1453
1454             GetByVal:
1455                 case Array::String calls operationSingleCharacterString(), which calls
1456                 jsSingleCharacterString(), which can allocate a string.
1457
1458             PutByValDirect:
1459             PutByVal:
1460             PutByValAlias:
1461                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1462                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1463                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1464                 slow paths call putByValInternal(), which may create exception objects, or
1465                 call the generic JSValue::put() which may execute arbitrary code.
1466
1467             StringCharAt:
1468                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1469                 which can allocate a string.
1470
1471         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1472         to use the maxSingleCharacterString constant instead of a literal constant.
1473
1474         * dfg/DFGDoesGC.cpp:
1475         (JSC::DFG::doesGC):
1476         * dfg/DFGSpeculativeJIT.cpp:
1477         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1478         * dfg/DFGSpeculativeJIT64.cpp:
1479         (JSC::DFG::SpeculativeJIT::compile):
1480         * ftl/FTLLowerDFGToB3.cpp:
1481         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1482         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1483         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1484
1485 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1486
1487         [JSC] SourceProviderCacheItem should be small
1488         https://bugs.webkit.org/show_bug.cgi?id=194432
1489
1490         Reviewed by Saam Barati.
1491
1492         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1493         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1494         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1495
1496         * parser/Parser.cpp:
1497         (JSC::Parser<LexerType>::parseFunctionInfo):
1498         * parser/ParserModes.h:
1499         * parser/ParserTokens.h:
1500         * parser/SourceProviderCacheItem.h:
1501         (JSC::SourceProviderCacheItem::endFunctionToken const):
1502         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1503
1504 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1505
1506         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1507         https://bugs.webkit.org/show_bug.cgi?id=194420
1508
1509         Reviewed by Saam Barati.
1510
1511         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1512         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1513         This trivial patch fixes both.
1514
1515         * b3/B3ReduceStrength.cpp:
1516         * b3/testb3.cpp:
1517         (JSC::B3::testAbsNegArg):
1518
1519 2019-02-07  Keith Miller  <keith_miller@apple.com>
1520
1521         Better error messages for module loader SPI
1522         https://bugs.webkit.org/show_bug.cgi?id=194421
1523
1524         Reviewed by Saam Barati.
1525
1526         * API/JSAPIGlobalObject.mm:
1527         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1528
1529 2019-02-07  Mark Lam  <mark.lam@apple.com>
1530
1531         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1532         https://bugs.webkit.org/show_bug.cgi?id=194399
1533         <rdar://problem/47889777>
1534
1535         Reviewed by Yusuke Suzuki.
1536
1537         Fix doesGC() for the following nodes:
1538
1539             CheckTraps:
1540                 We normally will not emit this node because Options::usePollingTraps() is
1541                 false by default.  However, as it is implemented now, CheckTraps can GC
1542                 because it can allocate a TerminatedExecutionException.  If we make the
1543                 TerminatedExecutionException a singleton allocated at initialization time,
1544                 doesGC() can return false for CheckTraps.
1545                 https://bugs.webkit.org/show_bug.cgi?id=194323
1546
1547             GetMapBucket:
1548                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1549                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1550                 can resolve a rope.
1551
1552             Switch:
1553                 If switchData kind is SwitchChar, can call operationResolveRope().
1554                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1555                     can call operationSwitchString() which resolves ropes.
1556
1557             DirectTailCall:
1558             ForceOSRExit:
1559             Return:
1560             TailCallForwardVarargs:
1561             TailCallVarargs:
1562             Throw:
1563                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1564                 for them, but following our conservative practice, unless we have a good
1565                 reason for doesGC() to return false, we should just return true.
1566
1567         * dfg/DFGDoesGC.cpp:
1568         (JSC::DFG::doesGC):
1569
1570 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1571
1572         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1573         https://bugs.webkit.org/show_bug.cgi?id=194250
1574
1575         Reviewed by Saam Barati.
1576
1577         Adds the following optimizations for integers:
1578         - Sub(x, x) => 0
1579             Already covered by the test testSubArg
1580         - Sub(x1, Neg(x2)) => Add (x1, x2)
1581             Added test: testSubNeg
1582         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1583             Added test: testNegSub
1584         - Add(Neg(x1), x2) => Sub(x2, x1)
1585             Added test: testAddNeg1
1586         - Add(x1, Neg(x2)) => Sub(x1, x2)
1587             Added test: testAddNeg2
1588         Adds the following optimization for floating point values:
1589         - Abs(Neg(x)) => Abs(x)
1590             Added test: testAbsNegArg
1591             Adds the following optimization:
1592
1593         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1594
1595         * b3/B3ReduceStrength.cpp:
1596         * b3/testb3.cpp:
1597         (JSC::B3::testAddNeg1):
1598         (JSC::B3::testAddNeg2):
1599         (JSC::B3::testSubNeg):
1600         (JSC::B3::testNegSub):
1601         (JSC::B3::testAbsAbsArg):
1602         (JSC::B3::testAbsNegArg):
1603         (JSC::B3::run):
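As an added illustration (not JSC's B3ReduceStrength code) of the rewrites listed in this entry, and of the Abs(Neg(x)) -> x mistake described in the 2019-02-07 fix entry above, the following C++ builds a toy expression tree, applies each peephole once at the root, and checks every rewrite against a small interpreter. The node representation, the helper names (makeArg, reduceOnce, reduceOnceWithAbsNegBug, evaluate, rewritePreservesValue) and the pointer-identity test used for Sub(x, x) are assumptions of this example, not B3's API.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Toy IR node (example only). In B3 these are SSA Values; here children are shared_ptrs and
// "the same value" means the same node object, mirroring a pointer comparison of children.
enum class NodeOp { Const, Arg, Neg, Abs, Add, Sub };

struct Node {
    NodeOp op;
    int64_t constant = 0;       // payload for Const
    int argIndex = 0;           // payload for Arg
    std::shared_ptr<Node> a;    // first child (Neg, Abs, Add, Sub)
    std::shared_ptr<Node> b;    // second child (Add, Sub)
};
using NodePtr = std::shared_ptr<Node>;

NodePtr makeConst(int64_t c) { auto n = std::make_shared<Node>(); n->op = NodeOp::Const; n->constant = c; return n; }
NodePtr makeArg(int index)   { auto n = std::make_shared<Node>(); n->op = NodeOp::Arg; n->argIndex = index; return n; }
NodePtr neg(NodePtr x)       { auto n = std::make_shared<Node>(); n->op = NodeOp::Neg; n->a = std::move(x); return n; }
NodePtr absOf(NodePtr x)     { auto n = std::make_shared<Node>(); n->op = NodeOp::Abs; n->a = std::move(x); return n; }
NodePtr add(NodePtr x, NodePtr y) { auto n = std::make_shared<Node>(); n->op = NodeOp::Add; n->a = std::move(x); n->b = std::move(y); return n; }
NodePtr sub(NodePtr x, NodePtr y) { auto n = std::make_shared<Node>(); n->op = NodeOp::Sub; n->a = std::move(x); n->b = std::move(y); return n; }

// One application of the peepholes from the entry, at the root of the tree.
NodePtr reduceOnce(const NodePtr& v) {
    switch (v->op) {
    case NodeOp::Sub:
        if (v->a == v->b) return makeConst(0);                        // Sub(x, x) => 0
        if (v->b->op == NodeOp::Neg) return add(v->a, v->b->a);       // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case NodeOp::Neg:
        if (v->a->op == NodeOp::Sub) return sub(v->a->b, v->a->a);    // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case NodeOp::Add:
        if (v->a->op == NodeOp::Neg) return sub(v->b, v->a->a);       // Add(Neg(x1), x2) => Sub(x2, x1)
        if (v->b->op == NodeOp::Neg) return sub(v->a, v->b->a);       // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case NodeOp::Abs:
        if (v->a->op == NodeOp::Neg) return absOf(v->a->a);           // Abs(Neg(x)) => Abs(x), the corrected rule
        break;
    default:
        break;
    }
    return v;
}

// The mistake the follow-up fix describes: the rewrite drops the Abs along with the Neg.
NodePtr reduceOnceWithAbsNegBug(const NodePtr& v) {
    if (v->op == NodeOp::Abs && v->a->op == NodeOp::Neg) return v->a->a;  // Abs(Neg(x)) => x (wrong)
    return reduceOnce(v);
}

// Interprets a tree for the given argument values (two's-complement wraparound ignored).
int64_t evaluate(const NodePtr& v, const std::vector<int64_t>& args) {
    switch (v->op) {
    case NodeOp::Const: return v->constant;
    case NodeOp::Arg:   return args.at(static_cast<size_t>(v->argIndex));
    case NodeOp::Neg:   return -evaluate(v->a, args);
    case NodeOp::Abs:   { int64_t x = evaluate(v->a, args); return x < 0 ? -x : x; }
    case NodeOp::Add:   return evaluate(v->a, args) + evaluate(v->b, args);
    case NodeOp::Sub:   return evaluate(v->a, args) - evaluate(v->b, args);
    }
    return 0;
}

// A rewrite is only valid if it computes the same value as the tree it replaced.
bool rewritePreservesValue(const NodePtr& before, const NodePtr& after, const std::vector<int64_t>& args) {
    return evaluate(before, args) == evaluate(after, args);
}

int main() {
    auto x = makeArg(0);
    std::vector<int64_t> args{-3};
    auto before = absOf(neg(x));
    std::printf("Abs(Neg(-3)) = %lld, fixed rewrite = %lld, buggy rewrite = %lld\n",
        static_cast<long long>(evaluate(before, args)),
        static_cast<long long>(evaluate(reduceOnce(before), args)),
        static_cast<long long>(evaluate(reduceOnceWithAbsNegBug(before), args)));
    return 0;
}
```

The interpreter check is what a unit test such as testAbsNegArg provides in testb3.cpp: a rewrite that looks plausible in the source (Abs(Neg(x)) -> x) is caught the moment a negative input is evaluated on both sides.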
1604
1605 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1606
1607         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1608         https://bugs.webkit.org/show_bug.cgi?id=194374
1609
1610         Reviewed by Geoffrey Garen.
1611
1612         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1613         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1614         is more memory efficient.
1615
1616         * runtime/SmallStrings.cpp:
1617         (JSC::SmallStringsStorage::SmallStringsStorage):
1618         (JSC::SmallStrings::SmallStrings):
1619         * runtime/SmallStrings.h:
1620
1621 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1622
1623         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1624         https://bugs.webkit.org/show_bug.cgi?id=194369
1625         <rdar://problem/47813087>
1626
1627         Reviewed by Saam Barati.
1628
1629         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1630         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1631         constant folding phase.
1632
1633         * dfg/DFGAbstractInterpreterInlines.h:
1634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1635
1636 2019-02-06  Devin Rousso  <drousso@apple.com>
1637
1638         Web Inspector: DOM: don't send the entire function string with each event listener
1639         https://bugs.webkit.org/show_bug.cgi?id=194293
1640         <rdar://problem/47822809>
1641
1642         Reviewed by Joseph Pecoraro.
1643
1644         * inspector/protocol/DOM.json:
1645
1646         * runtime/JSFunction.h:
1647         Export `calculatedDisplayName`.
1648
1649 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1650
1651         [JSC] PrivateName to PublicName hash table is wasteful
1652         https://bugs.webkit.org/show_bug.cgi?id=194277
1653
1654         Reviewed by Michael Saboff.
1655
1656         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1657         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1658         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1659         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1660
1661         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1662
1663         1. PrivateName's content should be the same as PublicName's.
1664         2. If PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1665            the public name should be easily crafted from the given PrivateName.
1666
1667         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1668         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1669
1670         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1671         WebCore.
1672
1673         * builtins/BuiltinNames.cpp:
1674         (JSC::BuiltinNames::BuiltinNames):
1675         * builtins/BuiltinNames.h:
1676         (JSC::BuiltinNames::lookUpPrivateName const):
1677         (JSC::BuiltinNames::getPublicName const):
1678         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1679         (JSC::BuiltinNames::appendExternalName):
1680         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1681         * builtins/BuiltinUtils.h:
1682         * bytecode/BytecodeDumper.cpp:
1683         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1684         * bytecompiler/NodesCodegen.cpp:
1685         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1686         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1687         * parser/Lexer.cpp:
1688         (JSC::Lexer<LChar>::parseIdentifier):
1689         (JSC::Lexer<UChar>::parseIdentifier):
1690         * parser/Parser.cpp:
1691         (JSC::Parser<LexerType>::createGeneratorParameters):
1692         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1693         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1694         (JSC::Parser<LexerType>::parseClassDeclaration):
1695         (JSC::Parser<LexerType>::parseExportDeclaration):
1696         (JSC::Parser<LexerType>::parseMemberExpression):
1697         * parser/ParserArena.h:
1698         (JSC::IdentifierArena::makeIdentifier):
1699         * runtime/CachedTypes.cpp:
1700         (JSC::CachedUniquedStringImpl::encode):
1701         (JSC::CachedUniquedStringImpl::decode const):
1702         * runtime/CommonIdentifiers.cpp:
1703         (JSC::CommonIdentifiers::CommonIdentifiers):
1704         (JSC::CommonIdentifiers::lookUpPrivateName const):
1705         (JSC::CommonIdentifiers::getPublicName const):
1706         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1707         * runtime/CommonIdentifiers.h:
1708         * runtime/ExceptionHelpers.cpp:
1709         (JSC::createUndefinedVariableError):
1710         * runtime/Identifier.cpp:
1711         (JSC::Identifier::dump const):
1712         * runtime/Identifier.h:
1713         * runtime/IdentifierInlines.h:
1714         (JSC::Identifier::fromUid):
1715         * runtime/JSTypedArrayViewPrototype.cpp:
1716         (JSC::JSTypedArrayViewPrototype::finishCreation):
1717         * tools/JSDollarVM.cpp:
1718         (JSC::functionGetPrivateProperty):
1719
1720 2019-02-06  Keith Rollin  <krollin@apple.com>
1721
1722         Really enable the automatic checking and regenerations of .xcfilelists during builds
1723         https://bugs.webkit.org/show_bug.cgi?id=194357
1724         <rdar://problem/47861231>
1725
1726         Reviewed by Chris Dumez.
1727
1728         Bug 194124 was supposed to enable the automatic checking and
1729         regenerating of .xcfilelist files during the build. While related
1730         changes were included in that patch, the change to actually enable the
1731         operation somehow was omitted. This patch actually enables the
1732         operation. The check-xcfilelist.sh scripts now check
1733         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts the developer out of
1734         the checking.
1735
1736         * Scripts/check-xcfilelists.sh:
1737
1738 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1739
1740         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1741         https://bugs.webkit.org/show_bug.cgi?id=194339
1742
1743         Reviewed by Michael Saboff.
1744
1745         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1746         They even have the same structure. This patch unifies the subspaces for them.
1747
1748         * runtime/DirectEvalExecutable.h:
1749         * runtime/EvalExecutable.h:
1750         (JSC::EvalExecutable::subspaceFor):
1751         * runtime/IndirectEvalExecutable.h:
1752         * runtime/VM.cpp:
1753         * runtime/VM.h:
1754         (JSC::VM::forEachScriptExecutableSpace):
1755
1756 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1757
1758         [JSC] NativeExecutable should be smaller
1759         https://bugs.webkit.org/show_bug.cgi?id=194331
1760
1761         Reviewed by Michael Saboff.
1762
1763         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1764         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1765         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1766         only takes one MarkedBlock for NativeExecutable.
1767
1768         To make NativeExecutable smaller,
1769
1770         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1771            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1772
1773         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1774            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1775            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1776
1777         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1778            Intrinsic for NativeExecutable.
1779
1780         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1781
1782         * CMakeLists.txt:
1783         * JavaScriptCore.xcodeproj/project.pbxproj:
1784         * bytecode/CallVariant.h:
1785         * interpreter/Interpreter.cpp:
1786         * jit/JITCode.cpp:
1787         (JSC::DirectJITCode::DirectJITCode):
1788         (JSC::NativeJITCode::NativeJITCode):
1789         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1790         * jit/JITCode.h:
1791         (JSC::JITCode::signature const):
1792         (JSC::JITCode::intrinsic):
1793         * jit/JITOperations.cpp:
1794         * jit/JITThunks.cpp:
1795         (JSC::JITThunks::hostFunctionStub):
1796         * jit/Repatch.cpp:
1797         * llint/LLIntSlowPaths.cpp:
1798         * runtime/ExecutableBase.cpp:
1799         (JSC::ExecutableBase::dump const):
1800         (JSC::ExecutableBase::hashFor const):
1801         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1802         (JSC::ExecutableBase::clearCode): Deleted.
1803         * runtime/ExecutableBase.h:
1804         (JSC::ExecutableBase::ExecutableBase):
1805         (JSC::ExecutableBase::isModuleProgramExecutable):
1806         (JSC::ExecutableBase::isHostFunction const):
1807         (JSC::ExecutableBase::generatedJITCodeForCall const):
1808         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1809         (JSC::ExecutableBase::generatedJITCodeFor const):
1810         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1811         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1812         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1813         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1814         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1815         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1816         (JSC::ExecutableBase::intrinsic const): Deleted.
1817         * runtime/ExecutableBaseInlines.h: Added.
1818         (JSC::ExecutableBase::intrinsic const):
1819         (JSC::ExecutableBase::hasJITCodeForCall const):
1820         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1821         * runtime/JSBoundFunction.cpp:
1822         * runtime/JSType.cpp:
1823         (WTF::printInternal):
1824         * runtime/JSType.h:
1825         * runtime/NativeExecutable.cpp:
1826         (JSC::NativeExecutable::create):
1827         (JSC::NativeExecutable::createStructure):
1828         (JSC::NativeExecutable::NativeExecutable):
1829         (JSC::NativeExecutable::signatureFor const):
1830         (JSC::NativeExecutable::intrinsic const):
1831         * runtime/NativeExecutable.h:
1832         * runtime/ScriptExecutable.cpp:
1833         (JSC::ScriptExecutable::ScriptExecutable):
1834         (JSC::ScriptExecutable::clearCode):
1835         (JSC::ScriptExecutable::installCode):
1836         (JSC::ScriptExecutable::hasClearableCode const):
1837         * runtime/ScriptExecutable.h:
1838         (JSC::ScriptExecutable::intrinsic const):
1839         (JSC::ScriptExecutable::hasJITCodeForCall const):
1840         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1841         * runtime/VM.cpp:
1842         (JSC::VM::getHostFunction):
1843
1844 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1845
1846         Build failure after r240431
1847         https://bugs.webkit.org/show_bug.cgi?id=194330
1848
1849         Reviewed by Žan Doberšek.
1850
1851         * API/glib/JSCOptions.cpp:
1852
1853 2019-02-05  Mark Lam  <mark.lam@apple.com>
1854
1855         Fix DFG's doesGC() for a few more nodes.
1856         https://bugs.webkit.org/show_bug.cgi?id=194307
1857         <rdar://problem/47832956>
1858
1859         Reviewed by Yusuke Suzuki.
1860
1861         Fix doesGC() for the following nodes:
1862
1863             NumberToStringWithValidRadixConstant:
1864                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1865                 which can allocate a string.
1866                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1867                 which can allocate a string.
1868                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1869                 which can allocate a string.
1870
1871             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1872                 memory for all kinds of objects.
1873             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1874                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1875                 these allocate memory for the match result.
1876             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1877                 calls RegExpObject's collectMatches(), which allocates an array amongst
1878                 other objects.
1879
1880             StringFromCharCode:
1881                 If the uint32 code to convert is greater than maxSingleCharacterString,
1882                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1883                 which allocates a new string if the code is greater than maxSingleCharacterString.
1884
1885         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1886         to use maxSingleCharacterString instead of a literal constant.
1887
1888         * dfg/DFGDoesGC.cpp:
1889         (JSC::DFG::doesGC):
1890         * dfg/DFGSpeculativeJIT.cpp:
1891         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1892         * ftl/FTLLowerDFGToB3.cpp:
1893         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1894
1895 2019-02-05  Keith Rollin  <krollin@apple.com>
1896
1897         Enable the automatic checking and regenerations of .xcfilelists during builds
1898         https://bugs.webkit.org/show_bug.cgi?id=194124
1899         <rdar://problem/47721277>
1900
1901         Reviewed by Tim Horton.
1902
1903         Bug 193790 added a facility for checking -- during build time -- that
1904         any needed .xcfilelist files are up-to-date and for updating them if
1905         they are not. This facility was initially opt-in by setting
1906         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1907         the process seemed robust. It's now time to enable this facility and
1908         make it opt-out. If there is a need to disable this facility, set and
1909         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1910         running `make` or `build-webkit`, or before running Xcode from the
1911         command line.
1912
1913         Additionally, remove the step that generates a list of source files
1914         going into the UnifiedSources build step. It's only necessary to
1915         specify Sources.txt and SourcesCocoa.txt as inputs.
1916
1917         * JavaScriptCore.xcodeproj/project.pbxproj:
1918         * UnifiedSources-input.xcfilelist: Removed.
1919
1920 2019-02-05  Keith Rollin  <krollin@apple.com>
1921
1922         Update .xcfilelist files
1923         https://bugs.webkit.org/show_bug.cgi?id=194121
1924         <rdar://problem/47720863>
1925
1926         Reviewed by Tim Horton.
1927
1928         Preparatory to enabling the facility for automatically updating the
1929         .xcfilelist files, check in a freshly-updated set so that not everyone
1930         runs up against having to regenerate them themselves.
1931
1932         * DerivedSources-input.xcfilelist:
1933         * DerivedSources-output.xcfilelist:
1934
1935 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1936
1937         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1938         https://bugs.webkit.org/show_bug.cgi?id=185557
1939
1940         Reviewed by Mark Lam.
1941
1942         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1943         where n is the number of characters in the formatted string.
1944         It may be less memory efficient than the previous impl, since the intermediate Vector
1945         is the length of the string, instead of the count of the fields.
1946
1947         * runtime/IntlNumberFormat.cpp:
1948         (JSC::IntlNumberFormat::formatToParts):
1949         * runtime/IntlNumberFormat.h:
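The per-character approach this entry describes, written out as an added C++ example (not JSC's IntlNumberFormat code): every character of the formatted string is tagged with the field that covers it, using a vector as long as the string, and runs of equal tags are then coalesced into parts in a single pass. The FieldType enumeration, the FieldSpan input shape, the rule that a narrower nested span wins, and the sample spans for "-1,234.5" are all constructed for this example rather than taken from ICU or JSC.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Field kinds a number formatter might report (constructed subset for the example).
enum class FieldType { Literal, MinusSign, Integer, Group, Decimal, Fraction };

struct FieldSpan { FieldType type; std::size_t begin; std::size_t end; };  // half-open [begin, end)
struct Part { FieldType type; std::string value; };

const char* fieldName(FieldType t) {
    switch (t) {
    case FieldType::MinusSign: return "minusSign";
    case FieldType::Integer:   return "integer";
    case FieldType::Group:     return "group";
    case FieldType::Decimal:   return "decimal";
    case FieldType::Fraction:  return "fraction";
    default:                   return "literal";
    }
}

// Tags each character with one field, then coalesces runs of equal tags into parts.
// The intermediate vectors are the length of the string rather than the number of
// fields, which is the memory trade-off the entry mentions; the work is O(n * depth).
std::vector<Part> formatToParts(const std::string& formatted, const std::vector<FieldSpan>& fields) {
    const std::size_t n = formatted.size();
    std::vector<FieldType> tagAt(n, FieldType::Literal);
    // Width of the span that set tagAt[i]. Where spans nest (e.g. a whole integer part
    // reported as one field with each grouping separator inside it as another), the
    // narrower span wins. This is the example's nesting rule, an assumption about the input.
    std::vector<std::size_t> widthAt(n, n + 1);
    for (const FieldSpan& f : fields) {
        if (f.end <= f.begin) continue;                 // ignore empty or inverted spans
        const std::size_t width = f.end - f.begin;
        for (std::size_t i = f.begin; i < f.end && i < n; ++i) {
            if (width < widthAt[i]) { tagAt[i] = f.type; widthAt[i] = width; }
        }
    }
    std::vector<Part> parts;
    std::size_t runStart = 0;
    for (std::size_t i = 1; i <= n; ++i) {
        if (i == n || tagAt[i] != tagAt[runStart]) {
            parts.push_back(Part{tagAt[runStart], formatted.substr(runStart, i - runStart)});
            runStart = i;
        }
    }
    return parts;
}

// Renders parts as "type:value|type:value|..." for inspection and testing.
std::string renderParts(const std::vector<Part>& parts) {
    std::string out;
    for (std::size_t i = 0; i < parts.size(); ++i) {
        if (i) out += '|';
        out += fieldName(parts[i].type);
        out += ':';
        out += parts[i].value;
    }
    return out;
}

// Constructed sample: spans a formatter might report for "-1,234.5" (not real ICU output).
std::vector<Part> sampleParts() {
    const std::string formatted = "-1,234.5";
    const std::vector<FieldSpan> fields = {
        {FieldType::MinusSign, 0, 1},
        {FieldType::Integer,   1, 6},   // "1,234", with the Group span nested inside
        {FieldType::Group,     2, 3},
        {FieldType::Decimal,   6, 7},
        {FieldType::Fraction,  7, 8},
    };
    return formatToParts(formatted, fields);
}

int main() {
    std::puts(renderParts(sampleParts()).c_str());
    return 0;
}
```

Characters no span covers fall out as "literal" parts, and the run-coalescing loop splits the integer digits around the nested group separator, which is why the sample yields two integer parts rather than one.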
1950
1951 2019-02-05  Mark Lam  <mark.lam@apple.com>
1952
1953         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1954         https://bugs.webkit.org/show_bug.cgi?id=194298
1955         <rdar://problem/47827555>
1956
1957         Reviewed by Saam Barati.
1958
1959         We do this for 3 reasons:
1960         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1961         2. If things change in the future where clobberize() no longer reports these nodes
1962            as write(Heap), each node should be vetted first to make sure that it can never
1963            GC before being moved back to the doesGC() list that returns false.
1964         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1965            correct in its claims about the nodes' GCing possibility.
1966
1967         The list of nodes moved are:
1968
1969             ArrayPush
1970             ArrayPop
1971             Call
1972             CallEval
1973             CallForwardVarargs
1974             CallVarargs
1975             Construct
1976             ConstructForwardVarargs
1977             ConstructVarargs
1978             DefineDataProperty
1979             DefineAccessorProperty
1980             DeleteById
1981             DeleteByVal
1982             DirectCall
1983             DirectConstruct
1984             DirectTailCallInlinedCaller
1985             GetById
1986             GetByIdDirect
1987             GetByIdDirectFlush
1988             GetByIdFlush
1989             GetByIdWithThis
1990             GetByValWithThis
1991             GetDirectPname
1992             GetDynamicVar
1993             HasGenericProperty
1994             HasOwnProperty
1995             HasStructureProperty
1996             InById
1997             InByVal
1998             InstanceOf
1999             InstanceOfCustom
2000             LoadVarargs
2001             NumberToStringWithRadix
2002             PutById
2003             PutByIdDirect
2004             PutByIdFlush
2005             PutByIdWithThis
2006             PutByOffset
2007             PutByValWithThis
2008             PutDynamicVar
2009             PutGetterById
2010             PutGetterByVal
2011             PutGetterSetterById
2012             PutSetterById
2013             PutSetterByVal
2014             PutStack
2015             PutToArguments
2016             RegExpExec
2017             RegExpTest
2018             ResolveScope
2019             ResolveScopeForHoistingFuncDeclInEval
2020             TailCall
2021             TailCallForwardVarargsInlinedCaller
2022             TailCallInlinedCaller
2023             TailCallVarargsInlinedCaller
2024             ToNumber
2025             ToPrimitive
2026             ValueNegate
2027
2028         * dfg/DFGDoesGC.cpp:
2029         (JSC::DFG::doesGC):
2030
2031 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2032
2033         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2034         https://bugs.webkit.org/show_bug.cgi?id=194281
2035
2036         Reviewed by Michael Saboff.
2037
2038         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2039         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2040
2041         Still, we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2042         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2043         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, and we leave them as future work.
2044
2045         * bytecode/CodeBlock.cpp:
2046         (JSC::CodeBlock::finishCreation):
2047         * bytecode/CodeBlock.h:
2048         (JSC::CodeBlock::bitVectors const): Deleted.
2049         * bytecode/CodeType.h:
2050         * bytecode/UnlinkedCodeBlock.cpp:
2051         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2052         (JSC::UnlinkedCodeBlock::shrinkToFit):
2053         * bytecode/UnlinkedCodeBlock.h:
2054         (JSC::UnlinkedCodeBlock::bitVector):
2055         (JSC::UnlinkedCodeBlock::addBitVector):
2056         (JSC::UnlinkedCodeBlock::addSetConstant):
2057         (JSC::UnlinkedCodeBlock::constantRegisters):
2058         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2059         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2060         (JSC::UnlinkedCodeBlock::codeType const):
2061         (JSC::UnlinkedCodeBlock::didOptimize const):
2062         (JSC::UnlinkedCodeBlock::setDidOptimize):
2063         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2064         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2065         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2066         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2067         * bytecompiler/BytecodeGenerator.cpp:
2068         (JSC::BytecodeGenerator::emitLoad):
2069         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2070         * bytecompiler/BytecodeGenerator.h:
2071         * runtime/CachedTypes.cpp:
2072         (JSC::CachedCodeBlockRareData::encode):
2073         (JSC::CachedCodeBlockRareData::decode const):
2074         (JSC::CachedCodeBlock::scopeRegister const):
2075         (JSC::CachedCodeBlock::codeType const):
2076         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2077         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2078         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2079         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2080
2081 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2082
2083         Unreviewed, add missing exception checks after r240637
2084         https://bugs.webkit.org/show_bug.cgi?id=193546
2085
2086         * tools/JSDollarVM.cpp:
2087         (JSC::functionShadowChickenFunctionsOnStack):
2088
2089 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2090
2091         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2092         https://bugs.webkit.org/show_bug.cgi?id=193993
2093
2094         Reviewed by Keith Miller.
2095
2096         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2097         And some of them are rarely used. We should allocate them lazily.
2098
2099         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`, and we add ensureXXXSpace
2100         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2101         We also add the subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2102         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2103         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2104         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2105         by using WTF::storeStoreFence when lazily allocating it.
2106
2107         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2108         existence of the space before touching it. This is not racy because the main thread is stopped while
2109         the constraint solving is running.
2110
2111         This changes sizeof(VM) from 64736 to 56472.
2112
2113         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2114         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2115         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2116         dynamically created, since the pre-allocation requirement poses a scalability problem for
2117         IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2118         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2119         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2120
2121         * API/JSCallbackFunction.h:
2122         * API/ObjCCallbackFunction.h:
2123         (JSC::ObjCCallbackFunction::subspaceFor):
2124         * API/glib/JSCCallbackFunction.h:
2125         * CMakeLists.txt:
2126         * JavaScriptCore.xcodeproj/project.pbxproj:
2127         * bytecode/CodeBlock.cpp:
2128         (JSC::CodeBlock::visitChildren):
2129         (JSC::CodeBlock::finalizeUnconditionally):
2130         * bytecode/CodeBlock.h:
2131         * bytecode/EvalCodeBlock.h:
2132         * bytecode/ExecutableToCodeBlockEdge.h:
2133         * bytecode/FunctionCodeBlock.h:
2134         * bytecode/ModuleProgramCodeBlock.h:
2135         * bytecode/ProgramCodeBlock.h:
2136         * bytecode/UnlinkedFunctionExecutable.cpp:
2137         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2138         * bytecode/UnlinkedFunctionExecutable.h:
2139         * dfg/DFGSpeculativeJIT.cpp:
2140         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2141         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2142         (JSC::DFG::SpeculativeJIT::compileNewObject):
2143         * ftl/FTLLowerDFGToB3.cpp:
2144         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2145         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2146         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2147         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2148         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2149         * heap/Heap.cpp:
2150         (JSC::Heap::finalizeUnconditionalFinalizers):
2151         (JSC::Heap::deleteAllCodeBlocks):
2152         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2153         (JSC::Heap::addCoreConstraints):
2154         * heap/Subspace.cpp:
2155         (JSC::Subspace::initialize):
2156         * jit/AssemblyHelpers.h:
2157         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2158         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2159         * jit/JITOpcodes.cpp:
2160         (JSC::JIT::emit_op_new_object):
2161         * jit/JITOpcodes32_64.cpp:
2162         (JSC::JIT::emit_op_new_object):
2163         * runtime/DirectArguments.h:
2164         * runtime/DirectEvalExecutable.h:
2165         * runtime/ErrorInstance.h:
2166         (JSC::ErrorInstance::subspaceFor):
2167         * runtime/ExecutableBase.h:
2168         * runtime/FunctionExecutable.h:
2169         * runtime/IndirectEvalExecutable.h:
2170         * runtime/InferredValue.cpp:
2171         (JSC::InferredValue::visitChildren):
2172         * runtime/InferredValue.h:
2173         * runtime/InferredValueInlines.h:
2174         (JSC::InferredValue::finalizeUnconditionally):
2175         * runtime/InternalFunction.h:
2176         * runtime/JSAsyncFunction.h:
2177         * runtime/JSAsyncGeneratorFunction.h:
2178         * runtime/JSBoundFunction.h:
2179         * runtime/JSCell.h:
2180         (JSC::subspaceFor):
2181         (JSC::subspaceForConcurrently):
2182         * runtime/JSCellInlines.h:
2183         (JSC::allocatorForNonVirtualConcurrently):
2184         * runtime/JSCustomGetterSetterFunction.h:
2185         * runtime/JSDestructibleObject.h:
2186         * runtime/JSFunction.h:
2187         * runtime/JSGeneratorFunction.h:
2188         * runtime/JSImmutableButterfly.h:
2189         * runtime/JSLexicalEnvironment.h:
2190         (JSC::JSLexicalEnvironment::subspaceFor):
2191         * runtime/JSNativeStdFunction.h:
2192         * runtime/JSSegmentedVariableObject.h:
2193         * runtime/JSString.h:
2194         * runtime/ModuleProgramExecutable.h:
2195         * runtime/NativeExecutable.h:
2196         * runtime/ProgramExecutable.h:
2197         * runtime/PropertyMapHashTable.h:
2198         * runtime/ProxyRevoke.h:
2199         * runtime/ScopedArguments.h:
2200         * runtime/ScriptExecutable.cpp:
2201         (JSC::ScriptExecutable::clearCode):
2202         (JSC::ScriptExecutable::installCode):
2203         * runtime/Structure.h:
2204         * runtime/StructureRareData.h:
2205         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2206         * runtime/VM.cpp:
2207         (JSC::VM::VM):
2208         * runtime/VM.h:
2209         (JSC::VM::SpaceAndSet::SpaceAndSet):
2210         (JSC::VM::SpaceAndSet::setFor):
2211         (JSC::VM::forEachScriptExecutableSpace):
2212         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2213         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2214         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2215         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2216         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2217         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2218         * runtime/WeakMapImpl.h:
2219         (JSC::WeakMapImpl::subspaceFor):
2220         * wasm/js/JSWebAssemblyCodeBlock.h:
2221         * wasm/js/JSWebAssemblyMemory.h:
2222         * wasm/js/WebAssemblyFunction.h:
2223         * wasm/js/WebAssemblyWrapperFunction.h:
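
The lazy-allocation protocol described in this entry, as an added illustration rather than WebKit's own code. It assumes stand-in names (Space for IsoSubspace, VMLike for VM, ensureSpaceSlow, spaceFor<SubspaceAccess>) and uses a std::atomic release/acquire pair where the entry describes WTF::storeStoreFence. The point it shows is that only the main thread ever allocates, and a concurrent (compiler-thread) caller must be written to tolerate nullptr rather than allocate on its own.

```cpp
// Added illustration (not WebKit's code): a lazily-allocated "space" that only
// the main thread creates, while concurrent readers may observe it as absent.
// Names (Space, VMLike, ensureSpaceSlow, spaceFor, SubspaceAccess) are assumptions
// modelled on the ChangeLog text, not JSC's own API.
#include <atomic>
#include <cstddef>
#include <memory>

// Stand-in for IsoSubspace: a large object we do not want to pre-allocate.
struct Space {
    explicit Space(std::size_t cellSize) : cellSize(cellSize) {}
    std::size_t cellSize;
};

enum class SubspaceAccess { OnMainThread, Concurrently };

class VMLike {
public:
    // Slow path: only the main (mutator) thread may call this. The release
    // store plays the role of the store-store fence: the Space's contents are
    // fully written before any thread can observe the non-null pointer.
    Space* ensureSpaceSlow(std::size_t cellSize) {
        if (Space* existing = m_space.load(std::memory_order_acquire))
            return existing;
        std::unique_ptr<Space> fresh = std::make_unique<Space>(cellSize);
        Space* raw = fresh.get();
        m_owner = std::move(fresh);                    // keep ownership for the VM's lifetime
        m_space.store(raw, std::memory_order_release); // publish after construction
        return raw;
    }

    // subspaceFor<> with an access-mode parameter: the main thread may allocate,
    // a concurrent tier may only look.
    template<SubspaceAccess mode>
    Space* spaceFor(std::size_t cellSize) {
        if (mode == SubspaceAccess::OnMainThread)
            return ensureSpaceSlow(cellSize);
        // Concurrent JIT tier: never allocate, and nullptr is a legitimate answer.
        return m_space.load(std::memory_order_acquire);
    }

    bool hasSpace() const { return m_space.load(std::memory_order_acquire) != nullptr; }

private:
    std::unique_ptr<Space> m_owner;
    std::atomic<Space*> m_space { nullptr };
};

// A compiler-thread caller must handle the nullptr case, e.g. by declining to
// emit an inline allocation and taking the slow path instead.
inline bool canInlineAllocate(VMLike& vm) {
    return vm.spaceFor<SubspaceAccess::Concurrently>(64) != nullptr;
}

// Walks through the states a practitioner would expect: absent, then allocated
// on the main thread, then visible to a concurrent reader as the same object.
inline int demo() {
    VMLike vm;
    int result = 0;
    if (!canInlineAllocate(vm))
        result += 1;                                               // not yet allocated
    Space* main = vm.spaceFor<SubspaceAccess::OnMainThread>(64);   // main thread allocates
    Space* concurrent = vm.spaceFor<SubspaceAccess::Concurrently>(64); // now visible
    if (main && main == concurrent)
        result += 10;
    return result; // 11
}
```

The ownership stays in a unique_ptr held by the VM; the atomic pointer is only the published view. That separation is what lets a reader that sees nullptr simply retry later or fall back, without any locking on the concurrent path.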
2224
2225 2019-02-04  Keith Miller  <keith_miller@apple.com>
2226
2227         Change llint operand macros to inline functions
2228         https://bugs.webkit.org/show_bug.cgi?id=194248
2229
2230         Reviewed by Mark Lam.
2231
2232         * llint/LLIntSlowPaths.cpp:
2233         (JSC::LLInt::getNonConstantOperand):
2234         (JSC::LLInt::getOperand):
2235         (JSC::LLInt::llint_trace_value):
2236         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2237         (JSC::LLInt::getByVal):
2238         (JSC::LLInt::genericCall):
2239         (JSC::LLInt::varargsSetup):
2240         (JSC::LLInt::commonCallEval):
2241
2242 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2243
2244         when lowering AssertNotEmpty, create the value before creating the patchpoint
2245         https://bugs.webkit.org/show_bug.cgi?id=194231
2246
2247         Reviewed by Saam Barati.
2248
2249         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2250         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2251
2252         * ftl/FTLLowerDFGToB3.cpp:
2253         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2254
2255 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2256
2257         [JSC] ExecutableToCodeBlockEdge should be smaller
2258         https://bugs.webkit.org/show_bug.cgi?id=194244
2259
2260         Reviewed by Michael Saboff.
2261
2262         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2263         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2264         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2265         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2266
2267         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2268         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2269         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2270
2271         Since this flag is not changed in CAS style, we must not change it from concurrent threads. This is OK
2272         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2273         does not touch it if it is called from non-main threads).
2274
2275         * bytecode/ExecutableToCodeBlockEdge.cpp:
2276         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2277         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2278         (JSC::ExecutableToCodeBlockEdge::activate):
2279         (JSC::ExecutableToCodeBlockEdge::deactivate):
2280         (JSC::ExecutableToCodeBlockEdge::isActive const):
2281         * bytecode/ExecutableToCodeBlockEdge.h:
2282         * runtime/JSCell.h:
2283         * runtime/JSCellInlines.h:
2284         (JSC::JSCell::perCellBit const):
2285         (JSC::JSCell::setPerCellBit):
2286         (JSC::JSCell::mayBePrototype const): Deleted.
2287         (JSC::JSCell::didBecomePrototype): Deleted.
2288         * runtime/JSObject.cpp:
2289         (JSC::JSObject::setPrototypeDirect):
2290         * runtime/JSObject.h:
2291         * runtime/JSObjectInlines.h:
2292         (JSC::JSObject::mayBePrototype const):
2293         (JSC::JSObject::didBecomePrototype):
2294         * runtime/JSTypeInfo.h:
2295         (JSC::TypeInfo::perCellBit):
2296         (JSC::TypeInfo::mergeInlineTypeFlags):
2297         (JSC::TypeInfo::mayBePrototype): Deleted.
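
The layout trick this entry describes, as an added illustration rather than WebKit's own code: a per-object bool folded into a spare bit of the flag byte that already lives in the cell header, so the object shrinks from 24 to 16 bytes. CellHeader, TypeInfoPerCellBit, TypeInfoIsObject, EdgeBefore and EdgeAfter are assumed stand-in names; the header layout is a constructed 8-byte model, and the merge helper only mirrors the invariant that per-type flags must never clobber the per-cell bit.

```cpp
// Added illustration (not WebKit's code) of stealing one bit of an existing
// header byte for per-instance state. Names (CellHeader, TypeInfoPerCellBit,
// TypeInfoIsObject, EdgeBefore, EdgeAfter) and the header layout are assumptions.
#include <cstddef>
#include <cstdint>

// One spare bit of the per-type flag byte is reserved as per-instance storage.
constexpr uint8_t TypeInfoPerCellBit = 1u << 7;
constexpr uint8_t TypeInfoIsObject   = 1u << 0; // an ordinary per-type flag

// Constructed 8-byte cell header: the flag byte is already paid for, so a bit
// of it costs nothing extra.
struct CellHeader {
    uint32_t structureID;
    uint8_t  indexingType;
    uint8_t  type;
    uint8_t  inlineTypeFlags;  // per-type flags plus the per-cell bit
    uint8_t  cellState;

    // Per-type flags arrive from the type; they must not disturb whatever this
    // cell already stores in the per-cell bit.
    void mergeInlineTypeFlags(uint8_t typeFlags) {
        inlineTypeFlags = static_cast<uint8_t>((inlineTypeFlags & TypeInfoPerCellBit)
                                               | (typeFlags & ~TypeInfoPerCellBit));
    }
    bool perCellBit() const { return (inlineTypeFlags & TypeInfoPerCellBit) != 0; }
    // Plain read-modify-write, not a CAS: callers must confine this to one thread.
    void setPerCellBit(bool on) {
        if (on)
            inlineTypeFlags = static_cast<uint8_t>(inlineTypeFlags | TypeInfoPerCellBit);
        else
            inlineTypeFlags = static_cast<uint8_t>(inlineTypeFlags & ~TypeInfoPerCellBit);
    }
};

// Before: a separate bool forces padding up to 24 bytes (32 after size-class rounding).
struct EdgeBefore {
    CellHeader header;
    void* codeBlock;
    bool isActive;
};

// After: the flag lives in the header, and the object fits a 16-byte size class.
struct EdgeAfter {
    CellHeader header;
    void* codeBlock;
    bool isActive() const { return header.perCellBit(); }
    void activate()   { header.setPerCellBit(true); }   // main thread only
    void deactivate() { header.setPerCellBit(false); }  // main thread only
};

// Checks the invariant the bit-sharing relies on: merging per-type flags keeps
// the per-cell bit, and toggling the per-cell bit keeps the per-type flags.
inline bool perCellBitSurvivesMerge() {
    EdgeAfter edge {};
    edge.activate();
    edge.header.mergeInlineTypeFlags(TypeInfoIsObject);
    bool stillActive   = edge.isActive();
    bool typeFlagKept  = (edge.header.inlineTypeFlags & TypeInfoIsObject) != 0;
    edge.deactivate();
    bool typeFlagIntact = (edge.header.inlineTypeFlags & TypeInfoIsObject) != 0;
    return stillActive && typeFlagKept && typeFlagIntact && !edge.isActive();
}
```

The sizeof figures assume a 64-bit target with 8-byte pointers, which is the configuration the entry's 24-byte and 16-byte numbers refer to.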
2298
2299 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2300
2301         [JSC] Shrink size of FunctionExecutable
2302         https://bugs.webkit.org/show_bug.cgi?id=194191
2303
2304         Reviewed by Michael Saboff.
2305
2306         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2307         improves the allocation efficiency.
2308
2309         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2310            We remove them from ScriptExecutable and move them to FunctionExecutable.
2311
2312         2. FunctionExecutable has several pieces of data which are rarely used: one is for the FunctionOverrides functionality, which is typically
2313            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2314            the size of FunctionExecutable in the common case.
2315
2316         This patch changes the size of FunctionExecutable from 176 to 144.
2317
2318         * bytecode/CodeBlock.cpp:
2319         (JSC::CodeBlock::dumpSource):
2320         (JSC::CodeBlock::finishCreation):
2321         * dfg/DFGNode.h:
2322         (JSC::DFG::Node::OpInfoWrapper::as const):
2323         * interpreter/StackVisitor.cpp:
2324         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2325         * runtime/ExecutableBase.h:
2326         * runtime/FunctionExecutable.cpp:
2327         (JSC::FunctionExecutable::FunctionExecutable):
2328         (JSC::FunctionExecutable::ensureRareDataSlow):
2329         * runtime/FunctionExecutable.h:
2330         * runtime/Intrinsic.h:
2331         * runtime/ModuleProgramExecutable.cpp:
2332         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2333         * runtime/ProgramExecutable.cpp:
2334         (JSC::ProgramExecutable::ProgramExecutable):
2335         * runtime/ScriptExecutable.cpp:
2336         (JSC::ScriptExecutable::ScriptExecutable):
2337         (JSC::ScriptExecutable::overrideLineNumber const):
2338         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2339         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2340         * runtime/ScriptExecutable.h:
2341         (JSC::ScriptExecutable::firstLine const):
2342         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2343         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2344         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2345         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2346         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2347         * runtime/StackFrame.cpp:
2348         (JSC::StackFrame::computeLineAndColumn const):
2349         * tools/JSDollarVM.cpp:
2350         (JSC::functionReturnTypeFor):
2351
2352 2019-02-04  Mark Lam  <mark.lam@apple.com>
2353
2354         DFG's doesGC() is incorrect about the SameValue node's behavior.
2355         https://bugs.webkit.org/show_bug.cgi?id=194211
2356         <rdar://problem/47608913>
2357
2358         Reviewed by Saam Barati.
2359
2360         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2361         it calls operationSameValue() which may allocate memory for resolving ropes.
2362
2363         * dfg/DFGDoesGC.cpp:
2364         (JSC::DFG::doesGC):
2365
2366 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2367
2368         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2369         https://bugs.webkit.org/show_bug.cgi?id=194031
2370
2371         Reviewed by Saam Barati.
2372
2373         UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when the UnlinkedMetadataTable is destroyed.
2374         This means that an UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2375         sweeps objects without considering the dependencies among swept objects. An UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2376         destroyed if the UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2377
2378         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to the UnlinkedMetadataTable.
2379         This ensures that the UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2380
2381         * bytecode/MetadataTable.cpp:
2382         (JSC::MetadataTable::MetadataTable):
2383         (JSC::MetadataTable::~MetadataTable):
2384         * bytecode/UnlinkedCodeBlock.cpp:
2385         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2386         (JSC::UnlinkedCodeBlock::visitChildren):
2387         (JSC::UnlinkedCodeBlock::estimatedSize):
2388         (JSC::UnlinkedCodeBlock::setInstructions):
2389         * bytecode/UnlinkedCodeBlock.h:
2390         (JSC::UnlinkedCodeBlock::metadata):
2391         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2392         * bytecode/UnlinkedMetadataTable.h:
2393         (JSC::UnlinkedMetadataTable::create):
2394         * bytecode/UnlinkedMetadataTableInlines.h:
2395         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2396         * runtime/CachedTypes.cpp:
2397         (JSC::CachedMetadataTable::decode const):
2398         (JSC::CachedCodeBlock::metadata const):
2399         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2400         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2401         (JSC::CachedCodeBlock<CodeBlockType>::encode):
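
The ownership fix this entry describes, as an added illustration rather than WebKit's own code. UnlinkedTable, LinkedTable and DestructionLog are assumed stand-in names, and std::shared_ptr stands in for RefCounted. The simulated sweeper deliberately drops the owner's reference to the unlinked table first, the order that was unsafe with a raw pointer, and the log shows that the strong reference held by the linked table still forces the safe destruction order.

```cpp
// Added illustration (not WebKit's code): a "linked" table holds a strong
// reference to the "unlinked" table it depends on, so no sweep order can destroy
// the unlinked one first. Names are assumptions; shared_ptr models RefCounted.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

using DestructionLog = std::vector<std::string>;

// Shared, ref-counted piece (stand-in for UnlinkedMetadataTable).
struct UnlinkedTable {
    explicit UnlinkedTable(DestructionLog& log) : log(log) {}
    ~UnlinkedTable() { log.push_back("unlinked"); }
    DestructionLog& log;
    std::vector<int> offsets { 0, 8, 16 }; // constructed data the linked table reads
};

// Per-CodeBlock piece (stand-in for MetadataTable). The strong reference is
// exactly what guarantees `unlinked` is still alive inside ~LinkedTable.
struct LinkedTable {
    LinkedTable(std::shared_ptr<UnlinkedTable> u, DestructionLog& log)
        : unlinked(std::move(u)), log(log) {}
    ~LinkedTable() {
        // The destructor reads the unlinked table. With a raw pointer and an
        // unordered sweep this read was the use-after-free; with a strong
        // reference it is always valid.
        assert(!unlinked->offsets.empty());
        log.push_back("linked");
    }
    std::shared_ptr<UnlinkedTable> unlinked;
    DestructionLog& log;
};

// Simulated sweeper that releases the owner's reference to the unlinked table
// first (the problematic order) and only then destroys the linked table.
inline DestructionLog sweepUnlinkedFirst() {
    DestructionLog log;
    auto unlinked = std::make_shared<UnlinkedTable>(log);
    auto linked = std::make_unique<LinkedTable>(unlinked, log);
    unlinked.reset(); // owner's reference gone, but the table survives...
    linked.reset();   // ...until the last strong holder is destroyed.
    return log;       // {"linked", "unlinked"}: dependent first, dependency second
}

// While a linked table exists, the unlinked table has two strong holders.
inline long strongRefsWhileLinked() {
    DestructionLog log;
    auto unlinked = std::make_shared<UnlinkedTable>(log);
    LinkedTable linked(unlinked, log);
    return unlinked.use_count(); // 2
}
```

The same reasoning applies to any pair of heap cells whose destructors reference each other: if the collector gives no ordering guarantee, the dependent object must own a reference rather than borrow one.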
2402
2403 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2404
2405         [JSC] Decouple JIT related data from CodeBlock
2406         https://bugs.webkit.org/show_bug.cgi?id=194187
2407
2408         Reviewed by Saam Barati.
2409
2410         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2411         We have three types of data in CodeBlock.
2412
2413         1. The data which is always used. CodeBlock needs to hold it.
2414         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2415         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2416
2417         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2418         number of them get JIT compilation. Always allocating the (3) data enlarges the size of CodeBlock, leading to
2419         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2420         in both non-JIT and *JIT* modes.
2421
2422         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2423         by the lock of CodeBlock.
2424
2425         The size of CodeBlock is reduced from 512 to 352.
2426
2427         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2428
2429             Footprint geomean: 36696503 (34.997 MB)
2430             Peak Footprint geomean: 38595988 (36.808 MB)
2431             Score: 37634263 (35.891 MB)
2432
2433             Footprint geomean: 37172768 (35.451 MB)
2434             Peak Footprint geomean: 38978288 (37.173 MB)
2435             Score: 38064824 (36.301 MB)
2436
2437         * bytecode/CodeBlock.cpp:
2438         (JSC::CodeBlock::~CodeBlock):
2439         (JSC::CodeBlock::propagateTransitions):
2440         (JSC::CodeBlock::ensureJITDataSlow):
2441         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2442         (JSC::CodeBlock::getICStatusMap):
2443         (JSC::CodeBlock::addStubInfo):
2444         (JSC::CodeBlock::addJITAddIC):
2445         (JSC::CodeBlock::addJITMulIC):
2446         (JSC::CodeBlock::addJITSubIC):
2447         (JSC::CodeBlock::addJITNegIC):
2448         (JSC::CodeBlock::findStubInfo):
2449         (JSC::CodeBlock::addByValInfo):
2450         (JSC::CodeBlock::addCallLinkInfo):
2451         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2452         (JSC::CodeBlock::addRareCaseProfile):
2453         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2454         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2455         (JSC::CodeBlock::resetJITData):
2456         (JSC::CodeBlock::stronglyVisitStrongReferences):
2457         (JSC::CodeBlock::shrinkToFit):
2458         (JSC::CodeBlock::linkIncomingCall):
2459         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2460         (JSC::CodeBlock::unlinkIncomingCalls):
2461         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2462         (JSC::CodeBlock::dumpValueProfiles):
2463         (JSC::CodeBlock::setPCToCodeOriginMap):
2464         (JSC::CodeBlock::findPC):
2465         (JSC::CodeBlock::dumpMathICStats):
2466         * bytecode/CodeBlock.h:
2467         (JSC::CodeBlock::ensureJITData):
2468         (JSC::CodeBlock::setJITCodeMap):
2469         (JSC::CodeBlock::jitCodeMap):
2470         (JSC::CodeBlock::likelyToTakeSlowCase):
2471         (JSC::CodeBlock::couldTakeSlowCase):
2472         (JSC::CodeBlock::lazyOperandValueProfiles):
2473         (JSC::CodeBlock::stubInfoBegin): Deleted.
2474         (JSC::CodeBlock::stubInfoEnd): Deleted.
2475         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2476         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2477         (JSC::CodeBlock::jitCodeMap const): Deleted.
2478         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2479         * bytecode/MethodOfGettingAValueProfile.cpp:
2480         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2481         (JSC::MethodOfGettingAValueProfile::reportValue):
2482         * dfg/DFGByteCodeParser.cpp:
2483         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2484         * jit/JIT.h:
2485         * jit/JITOperations.cpp:
2486         (JSC::tryGetByValOptimize):
2487         * jit/JITPropertyAccess.cpp:
2488         (JSC::JIT::privateCompileGetByVal):
2489         (JSC::JIT::privateCompilePutByVal):
2490
2491 2018-12-16  Darin Adler  <darin@apple.com>
2492
2493         Convert additional String::format clients to alternative approaches
2494         https://bugs.webkit.org/show_bug.cgi?id=192746
2495
2496         Reviewed by Alexey Proskuryakov.
2497
2498         * inspector/agents/InspectorConsoleAgent.cpp:
2499         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2500         and FormattedNumber::fixedWidth.
2501
2502 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2503
2504         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2505         https://bugs.webkit.org/show_bug.cgi?id=194177
2506
2507         Reviewed by Saam Barati.
2508
2509         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2510         We can share the IsoSubspace for JSFunction.
2511
2512         * runtime/JSAsyncFunction.h:
2513         * runtime/JSAsyncGeneratorFunction.h:
2514         * runtime/JSGeneratorFunction.h:
2515         * runtime/VM.cpp:
2516         (JSC::VM::VM):
2517         * runtime/VM.h:
2518
2519 2019-02-01  Mark Lam  <mark.lam@apple.com>
2520
2521         Remove invalid assertion in DFG's compileDoubleRep().
2522         https://bugs.webkit.org/show_bug.cgi?id=194130
2523         <rdar://problem/47699474>
2524
2525         Reviewed by Saam Barati.
2526
2527         * dfg/DFGSpeculativeJIT.cpp:
2528         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2529
2530 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2531
2532         [JSC] Unify CodeBlock IsoSubspaces
2533         https://bugs.webkit.org/show_bug.cgi?id=194167
2534
2535         Reviewed by Saam Barati.
2536
2537         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2538         But this is not necessary since:
2539
2540         1. They do not override the classInfo methods.
2541         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2542
2543         Creating an IsoSubspace for each subclass is costly in terms of memory. This is especially true of the IsoSubspace for
2544         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2545         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2546
2547         This patch unifies these IsoSubspaces into one.
2548
2549         * bytecode/CodeBlock.cpp:
2550         (JSC::CodeBlock::destroy):
2551         * bytecode/CodeBlock.h:
2552         * bytecode/EvalCodeBlock.cpp:
2553         (JSC::EvalCodeBlock::destroy): Deleted.
2554         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2555         * bytecode/FunctionCodeBlock.cpp:
2556         (JSC::FunctionCodeBlock::destroy): Deleted.
2557         * bytecode/FunctionCodeBlock.h:
2558         * bytecode/GlobalCodeBlock.h:
2559         * bytecode/ModuleProgramCodeBlock.cpp:
2560         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2561         * bytecode/ModuleProgramCodeBlock.h:
2562         * bytecode/ProgramCodeBlock.cpp:
2563         (JSC::ProgramCodeBlock::destroy): Deleted.
2564         * bytecode/ProgramCodeBlock.h:
2565         * interpreter/Interpreter.cpp:
2566         (JSC::Interpreter::execute):
2567         * runtime/VM.cpp:
2568         (JSC::VM::VM):
2569         * runtime/VM.h:
2570         (JSC::VM::forEachCodeBlockSpace):
2571
2572 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2573
2574         Unreviewed, follow-up after r240859
2575         https://bugs.webkit.org/show_bug.cgi?id=194145
2576
2577         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2578         And rename cellDangerousBitsSpace back to cellSpace.
2579
2580         * runtime/JSCellInlines.h:
2581         (JSC::JSCell::subspaceFor):
2582         * runtime/VM.cpp:
2583         (JSC::VM::VM):
2584         * runtime/VM.h:
2585
2586 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2587
2588         [JSC] Remove cellJSValueOOBSpace
2589         https://bugs.webkit.org/show_bug.cgi?id=194145
2590
2591         Reviewed by Mark Lam.
2592
2593         * runtime/JSObject.h:
2594         (JSC::JSObject::subspaceFor): Deleted.
2595         * runtime/VM.cpp:
2596         (JSC::VM::VM):
2597         * runtime/VM.h:
2598
2599 2019-01-31  Mark Lam  <mark.lam@apple.com>
2600
2601         Remove poisoning from CodeBlock and LLInt code.
2602         https://bugs.webkit.org/show_bug.cgi?id=194113
2603
2604         Reviewed by Yusuke Suzuki.
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::CodeBlock):
2608         (JSC::CodeBlock::~CodeBlock):
2609         (JSC::CodeBlock::setConstantRegisters):
2610         (JSC::CodeBlock::propagateTransitions):
2611         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2612         (JSC::CodeBlock::jettison):
2613         (JSC::CodeBlock::predictedMachineCodeSize):
2614         * bytecode/CodeBlock.h:
2615         (JSC::CodeBlock::vm const):
2616         (JSC::CodeBlock::addConstant):
2617         (JSC::CodeBlock::heap const):
2618         (JSC::CodeBlock::replaceConstant):
2619         * llint/LLIntOfflineAsmConfig.h:
2620         * llint/LLIntSlowPaths.cpp:
2621         (JSC::LLInt::handleHostCall):
2622         (JSC::LLInt::setUpCall):
2623         * llint/LowLevelInterpreter.asm:
2624         * llint/LowLevelInterpreter32_64.asm:
2625         * llint/LowLevelInterpreter64.asm:
2626
2627 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2628
2629         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2630         https://bugs.webkit.org/show_bug.cgi?id=194107
2631
2632         Reviewed by Saam Barati.
2633
2634         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2635         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2636
2637         * CMakeLists.txt:
2638         * DerivedSources.make:
2639         * JavaScriptCore.xcodeproj/project.pbxproj:
2640         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2641         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2642         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2643         (JSC::AsyncFromSyncIteratorPrototype::create):
2644         * runtime/AsyncFromSyncIteratorPrototype.h:
2645
2646 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2647
2648         Fix `runJITThreadLimitTests` in testapi
2649         https://bugs.webkit.org/show_bug.cgi?id=194064
2650         <rdar://problem/46139147>
2651
2652         Reviewed by Mark Lam.
2653
2654         Fix typo where `targetNumberOfThreads` was not being used.
2655
2656         * API/tests/testapi.mm:
2657         (runJITThreadLimitTests):
2658
2659 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2660
2661         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2662         https://bugs.webkit.org/show_bug.cgi?id=194112
2663
2664         Reviewed by Mark Lam.
2665
2666         `testBytecodeCache` does not populate the bytecode cache for the global
2667         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2668
2669         * API/tests/testapi.mm:
2670         (testBytecodeCache):
2671
2672 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2673
2674         Unreviewed, follow-up after r240796
2675
2676         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2677         when allocating InferredValue in FunctionExecutable::finishCreation.
2678
2679         * runtime/FunctionExecutable.cpp:
2680         (JSC::FunctionExecutable::FunctionExecutable):
2681         (JSC::FunctionExecutable::finishCreation):
2682
2683 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2684
2685         [JSC] Do not use InferredValue in non-JIT configuration
2686         https://bugs.webkit.org/show_bug.cgi?id=194084
2687
2688         Reviewed by Saam Barati.
2689
2690         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2691         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2692         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2693         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2694         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2695         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2696         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2697         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2698
2699         * bytecode/ObjectAllocationProfileInlines.h:
2700         (JSC::ObjectAllocationProfile::initializeProfile):
2701         * runtime/FunctionExecutable.cpp:
2702         (JSC::FunctionExecutable::finishCreation):
2703         (JSC::FunctionExecutable::visitChildren):
2704         * runtime/FunctionExecutable.h:
2705         * runtime/InferredValue.cpp:
2706         (JSC::InferredValue::create):
2707         * runtime/JSAsyncFunction.cpp:
2708         (JSC::JSAsyncFunction::create):
2709         * runtime/JSAsyncGeneratorFunction.cpp:
2710         (JSC::JSAsyncGeneratorFunction::create):
2711         * runtime/JSFunction.cpp:
2712         (JSC::JSFunction::create):
2713         * runtime/JSFunctionInlines.h:
2714         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2715         * runtime/JSGeneratorFunction.cpp:
2716         (JSC::JSGeneratorFunction::create):
2717         * runtime/JSSymbolTableObject.h:
2718         (JSC::JSSymbolTableObject::setSymbolTable):
2719         * runtime/SymbolTable.cpp:
2720         (JSC::SymbolTable::finishCreation):
2721         * runtime/VM.cpp:
2722         (JSC::VM::VM):
2723
2724 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2725
2726         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2727         https://bugs.webkit.org/show_bug.cgi?id=194085
2728
2729         Reviewed by Yusuke Suzuki.
2730
2731         r240730 changed ud_itab.py and caused incremental build failures
2732         for Ninja builds.
2733
2734         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2735
2736 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2737
2738         [JSC] Symbol should be in destructibleCellSpace
2739         https://bugs.webkit.org/show_bug.cgi?id=194082
2740
2741         Reviewed by Saam Barati.
2742
2743         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2744         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2745         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2746         Symbol's space destructibleCellSpace to appropriately call the destructor.
2747
2748         * runtime/Symbol.h:
2749
2750 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2751
2752         Unreviewed, rolling out r240755.
2753
2754         This was not correct
2755
2756         Reverted changeset:
2757
2758         "Unreviewed, fix GCC build after r240730"
2759         https://bugs.webkit.org/show_bug.cgi?id=194041
2760         https://trac.webkit.org/changeset/240755
2761
2762 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2763
2764         Unreviewed, fix GCC build after r240730
2765         https://bugs.webkit.org/show_bug.cgi?id=194041
2766         <rdar://problem/47680981>
2767
2768         * disassembler/udis86/ud_itab.py:
2769         (UdItabGenerator.genOpcodeTablesLookupIndex):
2770
2771 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2772
2773         testapi's `testBytecodeCache` does not need to run the code twice
2774         https://bugs.webkit.org/show_bug.cgi?id=194046
2775
2776         Reviewed by Mark Lam.
2777
2778         Since we populate the cache eagerly (unlike the stress tests) we don't
2779         need to run the code twice.
2780
2781         * API/tests/testapi.mm:
2782         (testBytecodeCache):
2783
2784 2019-01-30  Saam barati  <sbarati@apple.com>
2785
2786         [WebAssembly] Change BBQ to generate Air IR
2787         https://bugs.webkit.org/show_bug.cgi?id=191802
2788         <rdar://problem/47651718>
2789
2790         Reviewed by Keith Miller.
2791
2792         This patch adds a new Wasm compiler for the BBQ tier. Instead
2793         of compiling using B3-01, we now generate Air code directly.
2794         The goal of doing this was to speed up compile times for Wasm
2795         programs.
2796         
2797         This patch provides us with a 20-30% compile time speedup. However, I
2798         have ideas on how to improve compile times even further. For example,
2799         we should probably implement a faster running register allocator:
2800         https://bugs.webkit.org/show_bug.cgi?id=194036
2801         
2802         We can also improve on the code we generate.
2803         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2804         And we should do better instruction selection in various
2805         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2806
2807         * JavaScriptCore.xcodeproj/project.pbxproj:
2808         * Sources.txt:
2809         * b3/B3LowerToAir.cpp:
2810         * b3/B3StackmapSpecial.h:
2811         * b3/air/AirCode.cpp:
2812         (JSC::B3::Air::Code::emitDefaultPrologue):
2813         * b3/air/AirCode.h:
2814         * b3/air/AirTmp.h:
2815         (JSC::B3::Air::Tmp::Tmp):
2816         * runtime/Options.h:
2817         * wasm/WasmAirIRGenerator.cpp: Added.
2818         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2819         (JSC::Wasm::TypedTmp::TypedTmp):
2820         (JSC::Wasm::TypedTmp::operator== const):
2821         (JSC::Wasm::TypedTmp::operator!= const):
2822         (JSC::Wasm::TypedTmp::operator bool const):
2823         (JSC::Wasm::TypedTmp::operator Tmp const):
2824         (JSC::Wasm::TypedTmp::operator Arg const):
2825         (JSC::Wasm::TypedTmp::tmp const):
2826         (JSC::Wasm::TypedTmp::type const):
2827         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2828         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2829         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2830         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2831         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2832         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2833         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2834         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2835         (JSC::Wasm::AirIRGenerator::emptyExpression):
2836         (JSC::Wasm::AirIRGenerator::fail const):
2837         (JSC::Wasm::AirIRGenerator::setParser):
2838         (JSC::Wasm::AirIRGenerator::toTmpVector):
2839         (JSC::Wasm::AirIRGenerator::validateInst):
2840         (JSC::Wasm::AirIRGenerator::extractArg):
2841         (JSC::Wasm::AirIRGenerator::append):
2842         (JSC::Wasm::AirIRGenerator::appendEffectful):
2843         (JSC::Wasm::AirIRGenerator::newTmp):
2844         (JSC::Wasm::AirIRGenerator::g32):
2845         (JSC::Wasm::AirIRGenerator::g64):
2846         (JSC::Wasm::AirIRGenerator::f32):
2847         (JSC::Wasm::AirIRGenerator::f64):
2848         (JSC::Wasm::AirIRGenerator::tmpForType):
2849         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2850         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2851         (JSC::Wasm::AirIRGenerator::emitCheck):
2852         (JSC::Wasm::AirIRGenerator::emitCCall):
2853         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2854         (JSC::Wasm::AirIRGenerator::instanceValue):
2855         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2856         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2857         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2858         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2859         (JSC::Wasm::AirIRGenerator::emitThrowException):
2860         (JSC::Wasm::AirIRGenerator::addLocal):
2861         (JSC::Wasm::AirIRGenerator::addConstant):
2862         (JSC::Wasm::AirIRGenerator::addArguments):
2863         (JSC::Wasm::AirIRGenerator::getLocal):
2864         (JSC::Wasm::AirIRGenerator::addUnreachable):
2865         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2866         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2867         (JSC::Wasm::AirIRGenerator::setLocal):
2868         (JSC::Wasm::AirIRGenerator::getGlobal):
2869         (JSC::Wasm::AirIRGenerator::setGlobal):
2870         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2871         (JSC::Wasm::sizeOfLoadOp):
2872         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2873         (JSC::Wasm::AirIRGenerator::load):
2874         (JSC::Wasm::sizeOfStoreOp):
2875         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2876         (JSC::Wasm::AirIRGenerator::store):
2877         (JSC::Wasm::AirIRGenerator::addSelect):
2878         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2879         (JSC::Wasm::AirIRGenerator::addLoop):
2880         (JSC::Wasm::AirIRGenerator::addTopLevel):
2881         (JSC::Wasm::AirIRGenerator::addBlock):
2882         (JSC::Wasm::AirIRGenerator::addIf):
2883         (JSC::Wasm::AirIRGenerator::addElse):
2884         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2885         (JSC::Wasm::AirIRGenerator::addReturn):
2886         (JSC::Wasm::AirIRGenerator::addBranch):
2887         (JSC::Wasm::AirIRGenerator::addSwitch):
2888         (JSC::Wasm::AirIRGenerator::endBlock):
2889         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2890         (JSC::Wasm::AirIRGenerator::addCall):
2891         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2892         (JSC::Wasm::AirIRGenerator::unify):
2893         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2894         (JSC::Wasm::AirIRGenerator::dump):
2895         (JSC::Wasm::AirIRGenerator::origin):
2896         (JSC::Wasm::parseAndCompileAir):
2897         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2898         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2899         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2900         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2901         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2902         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2903         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2904         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2905         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2906         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2907         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2908         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2909         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2910         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2911         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2912         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2913         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2914         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2915         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2916         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2917         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2918         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2919         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2920         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2921         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2922         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2923         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2924         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2925         (JSC::Wasm::AirIRGenerator::addShift):
2926         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2927         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2928         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2929         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2930         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2931         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2932         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2933         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2934         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2935         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2936         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2937         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2941         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2942         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2943         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2944         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2948         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2949         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2950         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2951         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2952         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2953         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2954         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2955         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2962         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2963         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2964         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2965         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2966         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2967         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2968         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2969         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2970         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2971         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2972         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2973         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2974         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2975         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2976         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2977         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2978         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2979         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2980         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2981         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2982         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2983         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2984         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2985         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2992         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2993         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2994         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2995         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2996         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2997         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2998         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2999         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3000         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3001         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3002         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3003         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3004         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3005         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3006         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3007         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3011         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3012         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3013         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3014         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3020         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3026         * wasm/WasmAirIRGenerator.h: Added.
3027         * wasm/WasmB3IRGenerator.cpp:
3028         (JSC::Wasm::B3IRGenerator::emptyExpression):
3029         * wasm/WasmBBQPlan.cpp:
3030         (JSC::Wasm::BBQPlan::compileFunctions):
3031         * wasm/WasmCallingConvention.cpp:
3032         (JSC::Wasm::jscCallingConventionAir):
3033         (JSC::Wasm::wasmCallingConventionAir):
3034         * wasm/WasmCallingConvention.h:
3035         (JSC::Wasm::CallingConvention::CallingConvention):
3036         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3037         (JSC::Wasm::CallingConvention::marshallArgument const):
3038         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3039         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3040         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3041         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3042         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3043         (JSC::Wasm::CallingConventionAir::loadArguments const):
3044         (JSC::Wasm::CallingConventionAir::setupCall const):
3045         (JSC::Wasm::nextJSCOffset):
3046         * wasm/WasmFunctionParser.h:
3047         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3048         * wasm/WasmValidate.cpp:
3049         (JSC::Wasm::Validate::emptyExpression):
3050
3051 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3052
3053         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3054         https://bugs.webkit.org/show_bug.cgi?id=194050
3055         <rdar://problem/47595592>
3056
3057         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3058         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3059
3060         Reviewed by Yusuke Suzuki.
3061
3062         * ftl/FTLOperations.cpp:
3063         (JSC::FTL::operationMaterializeObjectInOSR):
3064
3065 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3066
3067         Remove assertion that CachedSymbolTables should have no RareData
3068         https://bugs.webkit.org/show_bug.cgi?id=194037
3069
3070         Reviewed by Mark Lam.
3071
3072         It turns out that we don't need to cache the SymbolTableRareData and
3073         we should not assert that it's empty.
3074
3075         * runtime/CachedTypes.cpp:
3076         (JSC::CachedSymbolTable::encode):
3077
3078 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3079
3080         CachedBytecode's move constructor should not call `freeDataIfOwned`
3081         https://bugs.webkit.org/show_bug.cgi?id=194045
3082
3083         Reviewed by Mark Lam.
3084
3085         That might result in freeing a garbage value
3086
3087         * parser/SourceProvider.h:
3088         (JSC::CachedBytecode::CachedBytecode):
3089
3090 2019-01-30  Keith Miller  <keith_miller@apple.com>
3091
3092         mul32 should convert powers of 2 to an lshift
3093         https://bugs.webkit.org/show_bug.cgi?id=193957
3094
3095         Reviewed by Yusuke Suzuki.
3096
3097         * assembler/MacroAssembler.h:
3098         (JSC::MacroAssembler::mul32):
3099         * assembler/testmasm.cpp:
3100         (JSC::int32Operands):
3101         (JSC::testMul32WithImmediates):
3102         (JSC::run):
3103
3104 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3105
3106         [JSC] Make disassembler data structures constant read-only data
3107         https://bugs.webkit.org/show_bug.cgi?id=194041
3108
3109         Reviewed by Mark Lam.
3110
3111         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3112         This patch makes them "const".
3113
3114         * disassembler/ARM64/A64DOpcode.cpp:
3115         * disassembler/udis86/ud_itab.py:
3116         (UdItabGenerator.genOpcodeTablesLookupIndex):
3117         (UdItabGenerator.genInsnTable):
3118         (UdItabGenerator.genMnemonicsList):
3119         (genItabH):
3120         * disassembler/udis86/udis86_decode.h:
3121         * disassembler/udis86/udis86_syn.c:
3122         * disassembler/udis86/udis86_syn.h:
3123         * disassembler/udis86/udis86_types.h:
3124
3125 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3126
3127         Unreviewed, update the builtin test results
3128         https://bugs.webkit.org/show_bug.cgi?id=194015
3129
3130         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3131         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3132         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3133         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3134         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3135         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3136         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3137         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3138         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3139         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3140         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3141         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3142         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3143
3144 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3145
3146         [JSC] Make global static variables "const" as much as possible
3147         https://bugs.webkit.org/show_bug.cgi?id=194015
3148
3149         Reviewed by Mark Lam.
3150
3151         Some global static variables are not "const". For example, `static const char* name = ...`
3152         is not a constant variable. We should make it `static const char* const name = ...`.
3153
3154         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3155         (generate_externs_for_object):
3156         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3157         (generate_externs_for_object):
3158         * Scripts/wkbuiltins/builtins_generator.py:
3159         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3160         * assembler/MacroAssembler.h:
3161         (JSC::MacroAssembler::additionBlindedConstant):
3162         * b3/air/AirFormTable.h:
3163         * b3/air/opcode_generator.rb:
3164         * runtime/JSObject.cpp:
3165         (JSC::JSObject::visitButterfly):
3166         * tools/CodeProfile.cpp:
3167         * tools/CodeProfile.h:
3168
3169 2019-01-29  Keith Miller  <keith_miller@apple.com>
3170
3171         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3172         https://bugs.webkit.org/show_bug.cgi?id=194000
3173         <rdar://problem/47642894>
3174
3175         Reviewed by Mark Lam.
3176
3177         The default constructor is unused and
3178         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3179         data member which causes sadness.
3180
3181         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3182
3183 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3184
3185         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3186
3187         Rubber-stamped by Yusuke Suzuki.
3188
3189         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3190
3191         * parser/Parser.h:
3192         (JSC::Parser::declareHoistedVariable):
3193
3194 2019-01-29  Mark Lam  <mark.lam@apple.com>
3195
3196         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3197         https://bugs.webkit.org/show_bug.cgi?id=132333
3198
3199         Reviewed by Yusuke Suzuki.
3200
3201         * bytecode/InstructionStream.h:
3202         (JSC::InstructionStreamWriter::write):
3203         - The 32-bit write() function need not invert the order of the bytes written to
3204           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3205           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3206
3207         * llint/LLIntOfflineAsmConfig.h:
3208         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3209
3210 2019-01-29  Mark Lam  <mark.lam@apple.com>
3211
3212         ValueRecovery::recover() should purify NaN values it recovers.
3213         https://bugs.webkit.org/show_bug.cgi?id=193978
3214         <rdar://problem/47625488>
3215
3216         Reviewed by Saam Barati.
3217
3218         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3219         recovered DoubleDisplacedInJSStack values need to be purified.
3220         ValueRecovery::recover() should do the same.
3221
3222         * bytecode/ValueRecovery.cpp:
3223         (JSC::ValueRecovery::recover const):
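
        An added example (not JSC's code) of why purification matters under NaN-boxing: any NaN is collapsed to the canonical one, and a boxability check shows which NaN bit patterns would otherwise alias the pointer or int32 tag space. The tag constants are my reading of JSC's 64-bit JSValue encoding and are stated as assumptions in the comments.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not JSC's code. The constants below are my reading of
 * JSC's 64-bit JSValue NaN-boxing (JSCJSValue.h) and are assumptions here:
 * doubles are boxed by adding DOUBLE_ENCODE_OFFSET to their raw bits, int32s
 * carry NUMBER_TAG in the top 16 bits, and pointers have the top 16 bits clear.
 */
#define PURE_NAN_BITS        UINT64_C(0x7ff8000000000000) /* canonical quiet NaN */
#define NUMBER_TAG           UINT64_C(0xfffe000000000000)
#define DOUBLE_ENCODE_OFFSET (UINT64_C(1) << 49)

uint64_t double_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
double bits_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Collapse every NaN (any sign, any payload) to the canonical pure NaN. */
double purify_nan(double d)
{
    if (d != d) /* only NaN compares unequal to itself */
        return bits_double(PURE_NAN_BITS);
    return d;
}

/*
 * True when the raw bits of a double can be boxed without landing in the
 * pointer range (top 16 bits zero) or the int32 range (top 16 bits >= 0xfffe).
 * Only NaNs with the sign bit set and a high payload fail this test, which is
 * exactly why a recovered double must be purified before it is boxed again.
 */
bool double_bits_boxable(uint64_t raw)
{
    uint64_t boxed = raw + DOUBLE_ENCODE_OFFSET; /* wraps for the top-most NaNs */
    uint64_t top16 = boxed >> 48;
    return top16 != 0 && top16 < (NUMBER_TAG >> 48);
}

int main(void)
{
    /* Constructed impure NaN: sign bit set, high payload bits set. */
    uint64_t impure = UINT64_C(0xfffc000000000007);
    double purified = purify_nan(bits_double(impure));
    printf("impure NaN %016" PRIx64 " boxable=%d\n", impure, double_bits_boxable(impure));
    printf("purified   %016" PRIx64 " boxable=%d\n", double_bits(purified),
           double_bits_boxable(double_bits(purified)));
    return 0;
}
```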
3224
3225 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3226
3227         [JSC] FTL should handle LocalAllocator*
3228         https://bugs.webkit.org/show_bug.cgi?id=193980
3229
3230         Reviewed by Saam Barati.
3231
3232         At some point, Allocator started to hold LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3233         because the FTL still uses the incoming value as a 32-bit integer there.
3234
3235         * ftl/FTLLowerDFGToB3.cpp:
3236         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3237
3238 2019-01-29  Keith Rollin  <krollin@apple.com>
3239
3240         Add .xcfilelists to Run Script build phases
3241         https://bugs.webkit.org/show_bug.cgi?id=193792
3242         <rdar://problem/47201785>
3243
3244         Reviewed by Alex Christensen.
3245
3246         As part of supporting XCBuild, update the necessary Run Script build
3247         phases in their Xcode projects to refer to their associated
3248         .xcfilelist files.
3249
3250         Note that the addition of these files bumps the Xcode project version
3251         number to something that's Xcode 10 compatible. This change means that
3252         older versions of the Xcode IDE can't read these projects. Nor can they
3253         fully load workspaces that refer to these projects (the updated
3254         projects are shown as non-expandable placeholders). `xcodebuild` can
3255         still build these projects; it's just that the IDE can't open them.
3256
3257         * JavaScriptCore.xcodeproj/project.pbxproj:
3258
3259 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3260
3261         [ARM] Check for negative zero instead of just zero
3262         https://bugs.webkit.org/show_bug.cgi?id=193689
3263
3264         Reviewed by Mark Lam.
3265
3266         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3267         of just bailing out for zero.
3268
3269         * assembler/MacroAssemblerARMv7.h:
3270         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
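
        An added example (not JSC's code) of the contract a branchConvertDoubleToInt32-style helper must enforce: succeed only for doubles that are exactly an int32, and bail out for -0.0 as well as for NaN, out-of-range and fractional values. The function and sample inputs are constructed for this illustration.

```c
#include <inttypes.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example, not JSC's code. Returns true and stores the int32 only
 * when the conversion is exact; every other case asks the caller to bail out
 * (in a JIT: take the slow path), because the integer result would change
 * JS-visible behaviour. -0.0 is the subtle case: it survives as a double but
 * not as an int32, and 1 / x would flip from -Infinity to +Infinity.
 */
bool convert_double_to_int32(double d, int32_t *out)
{
    if (d != d)
        return false;                       /* NaN */
    if (d < (double)INT32_MIN || d > (double)INT32_MAX)
        return false;                       /* out of range, including +/-Infinity */
    int32_t i = (int32_t)d;                 /* truncation is now well defined */
    if ((double)i != d)
        return false;                       /* fractional part would be lost */
    if (i == 0 && signbit(d))
        return false;                       /* negative zero: the sign would be lost */
    *out = i;
    return true;
}

/* Convenience for callers that only need a yes/no answer. */
bool converts_exactly_to(double d, int32_t expected)
{
    int32_t v;
    return convert_double_to_int32(d, &v) && v == expected;
}

int main(void)
{
    /* Constructed sample inputs covering the success and bail-out cases. */
    const double samples[] = { 42.0, 0.0, -0.0, 1.5, 2147483648.0, -2147483648.0 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; ++k) {
        int32_t v;
        if (convert_double_to_int32(samples[k], &v))
            printf("%g -> int32 %" PRId32 "\n", samples[k], v);
        else
            printf("%g -> bail out\n", samples[k]);
    }
    return 0;
}
```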
3271
3272 2019-01-28  Devin Rousso  <drousso@apple.com>
3273
3274         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3275         https://bugs.webkit.org/show_bug.cgi?id=193863
3276         <rdar://problem/47572764>
3277
3278         Reviewed by Joseph Pecoraro.
3279
3280         * inspector/protocol/Page.json:
3281         Add more values to the `Setting` enum type:
3282          - `ICECandidateFilteringEnabled`
3283          - `MediaCaptureRequiresSecureConnection`
3284          - `MockCaptureDevicesEnabled`
3285
3286 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3287
3288         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3289         https://bugs.webkit.org/show_bug.cgi?id=193941
3290
3291         Reviewed by Alex Christensen.
3292
3293         * API/JSWeakObjectMapRefPrivate.cpp:
3294         * bytecompiler/NodesCodegen.cpp:
3295         * heap/MachineStackMarker.cpp:
3296         * jit/ExecutableAllocator.cpp:
3297         * jsc.cpp:
3298         * parser/Nodes.cpp:
3299         * runtime/DateConstructor.cpp:
3300         * runtime/DateConversion.cpp:
3301         * runtime/DateInstance.cpp:
3302         * runtime/DatePrototype.cpp:
3303         * runtime/InitializeThreading.cpp:
3304         * runtime/IteratorOperations.cpp:
3305         * runtime/JSDateMath.cpp:
3306         * runtime/JSGlobalObjectFunctions.cpp:
3307         * runtime/StringPrototype.cpp:
3308         * runtime/VM.cpp:
3309         * testRegExp.cpp:
3310         * tools/JSDollarVM.cpp:
3311         * yarr/YarrInterpreter.cpp:
3312         * yarr/YarrJIT.cpp:
3313         * yarr/YarrPattern.cpp:
3314         * yarr/YarrUnicodeProperties.cpp:
3315
3316 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3317
3318         [JSC] Reduce size of memory used for ShadowChicken
3319         https://bugs.webkit.org/show_bug.cgi?id=193546
3320
3321         Reviewed by Mark Lam.
3322
3323         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3324         The removal of ShadowChicken saves 55KB of memory.
3325
3326         * debugger/DebuggerCallFrame.cpp:
3327         (JSC::DebuggerCallFrame::create):
3328         * ftl/FTLLowerDFGToB3.cpp:
3329         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3330         * heap/Heap.cpp:
3331         (JSC::Heap::stopThePeriphery):
3332         (JSC::Heap::addCoreConstraints):
3333         * jit/CCallHelpers.cpp:
3334         (JSC::CCallHelpers::ensureShadowChickenPacket):
3335         * jit/JITExceptions.cpp:
3336         (JSC::genericUnwind):
3337         * jit/JITOpcodes.cpp:
3338         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3339         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3340         * jit/JITOpcodes32_64.cpp:
3341         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3342         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3343         * jit/JITOperations.cpp:
3344         * llint/LLIntSlowPaths.cpp:
3345         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3346         * runtime/JSGlobalObject.cpp:
3347         (JSC::JSGlobalObject::setDebugger):
3348         * runtime/JSGlobalObject.h:
3349         (JSC::JSGlobalObject::setDebugger): Deleted.
3350         * runtime/VM.cpp:
3351         (JSC::VM::VM):
3352         (JSC::VM::ensureShadowChicken):
3353         * runtime/VM.h:
3354         (JSC::VM::shadowChicken):
3355         * tools/JSDollarVM.cpp:
3356         (JSC::functionShadowChickenFunctionsOnStack):
3357         (JSC::changeDebuggerModeWhenIdle):
3358
3359 2019-01-28  Andy Estes  <aestes@apple.com>
3360
3361         [watchOS] Enable Parental Controls content filtering
3362         https://bugs.webkit.org/show_bug.cgi?id=193939
3363         <rdar://problem/46641912>
3364
3365         Reviewed by Ryosuke Niwa.
3366
3367         * Configurations/FeatureDefines.xcconfig:
3368
3369 2019-01-28  Mark Lam  <mark.lam@apple.com>
3370
3371         ToString node actually does GC.
3372         https://bugs.webkit.org/show_bug.cgi?id=193920
3373         <rdar://problem/46695900>
3374
3375         Reviewed by Yusuke Suzuki.
3376
3377         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3378         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3379
3380         * dfg/DFGDoesGC.cpp:
3381         (JSC::DFG::doesGC):
3382
3383 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3384
3385         [JSC] RegExpConstructor should not have own IsoSubspace
3386         https://bugs.webkit.org/show_bug.cgi?id=193801
3387
3388         Reviewed by Mark Lam.
3389
3390         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3391         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But cached
3392         regexp matching data (e.g. `RegExp.$1`) is a per-JSGlobalObject one, and we can move this data to JSGlobalObject and remove
3393         it from RegExpConstructor members.
3394
3395         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3396         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3397         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3398
3399         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3400
3401         * CMakeLists.txt:
3402         * JavaScriptCore.xcodeproj/project.pbxproj:
3403         * Sources.txt:
3404         * dfg/DFGOperations.cpp:
3405         * dfg/DFGSpeculativeJIT.cpp:
3406         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3407         * dfg/DFGStrengthReductionPhase.cpp:
3408         (JSC::DFG::StrengthReductionPhase::handleNode):
3409         * ftl/FTLAbstractHeapRepository.cpp:
3410         * ftl/FTLAbstractHeapRepository.h:
3411         * ftl/FTLLowerDFGToB3.cpp:
3412         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3413         * runtime/JSGlobalObject.cpp:
3414         (JSC::JSGlobalObject::init):
3415         (JSC::JSGlobalObject::visitChildren):
3416         * runtime/JSGlobalObject.h:
3417         (JSC::JSGlobalObject::regExpGlobalData):
3418         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3419         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3420         * runtime/RegExpCache.cpp:
3421         (JSC::RegExpCache::initialize):
3422         * runtime/RegExpCache.h:
3423         (JSC::RegExpCache::emptyRegExp const):
3424         * runtime/RegExpCachedResult.cpp:
3425         (JSC::RegExpCachedResult::visitAggregate):
3426         (JSC::RegExpCachedResult::visitChildren): Deleted.
3427         * runtime/RegExpCachedResult.h:
3428         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3429         * runtime/RegExpConstructor.cpp:
3430         (JSC::RegExpConstructor::RegExpConstructor):
3431         (JSC::regExpConstructorDollar):
3432         (JSC::regExpConstructorInput):
3433         (JSC::regExpConstructorMultiline):
3434         (JSC::regExpConstructorLastMatch):
3435         (JSC::regExpConstructorLastParen):
3436         (JSC::regExpConstructorLeftContext):
3437         (JSC::regExpConstructorRightContext):
3438         (JSC::setRegExpConstructorInput):
3439         (JSC::setRegExpConstructorMultiline):
3440         (JSC::RegExpConstructor::destroy): Deleted.
3441         (JSC::RegExpConstructor::visitChildren): Deleted.
3442         (JSC::RegExpConstructor::getBackref): Deleted.
3443         (JSC::RegExpConstructor::getLastParen): Deleted.
3444         (JSC::RegExpConstructor::getLeftContext): Deleted.
3445         (JSC::RegExpConstructor::getRightContext): Deleted.
3446         * runtime/RegExpConstructor.h:
3447         (JSC::RegExpConstructor::performMatch): Deleted.
3448         (JSC::RegExpConstructor::recordMatch): Deleted.
3449         * runtime/RegExpGlobalData.cpp: Added.
3450         (JSC::RegExpGlobalData::visitAggregate):
3451         (JSC::RegExpGlobalData::getBackref):
3452         (JSC::RegExpGlobalData::getLastParen):
3453         (JSC::RegExpGlobalData::getLeftContext):
3454         (JSC::RegExpGlobalData::getRightContext):
3455         * runtime/RegExpGlobalData.h: Added.
3456         (JSC::RegExpGlobalData::cachedResult):
3457         (JSC::RegExpGlobalData::setMultiline):
3458         (JSC::RegExpGlobalData::multiline const):
3459         (JSC::RegExpGlobalData::input):
3460         (JSC::RegExpGlobalData::offsetOfCachedResult):
3461         * runtime/RegExpGlobalDataInlines.h: Added.
3462         (JSC::RegExpGlobalData::setInput):
3463         (JSC::RegExpGlobalData::performMatch):
3464         (JSC::RegExpGlobalData::recordMatch):
3465         * runtime/RegExpObject.cpp:
3466         (JSC::RegExpObject::matchGlobal):
3467         * runtime/RegExpObjectInlines.h:
3468         (JSC::RegExpObject::execInline):
3469         (JSC::RegExpObject::matchInline):
3470         (JSC::collectMatches):
3471         * runtime/RegExpPrototype.cpp:
3472         (JSC::RegExpPrototype::finishCreation):
3473         (JSC::regExpProtoFuncSearchFast):
3474         (JSC::RegExpPrototype::visitChildren): Deleted.
3475         * runtime/RegExpPrototype.h:
3476         * runtime/StringPrototype.cpp:
3477         (JSC::removeUsingRegExpSearch):
3478         (JSC::replaceUsingRegExpSearch):
3479         * runtime/VM.cpp:
3480         (JSC::VM::VM):
3481         * runtime/VM.h:
3482
3483 2018-12-15  Darin Adler  <darin@apple.com>
3484
3485         Replace many uses of String::format with more type-safe alternatives
3486         https://bugs.webkit.org/show_bug.cgi?id=192742
3487
3488         Reviewed by Mark Lam.
3489
3490         * inspector/InjectedScriptBase.cpp:
3491         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3492         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3493         * inspector/InspectorBackendDispatcher.cpp:
3494         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3495         * inspector/agents/InspectorConsoleAgent.cpp:
3496         (Inspector::InspectorConsoleAgent::enable): Ditto.
3497         * jsc.cpp:
3498         (FunctionJSCStackFunctor::operator() const): Ditto.
3499
3500         * runtime/CodeCache.cpp:
3501         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3502         using String::number.
3503
3504         * runtime/IntlDateTimeFormat.cpp:
3505         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3506         * runtime/IntlObject.cpp:
3507         (JSC::canonicalizeLocaleList): Ditto.
3508
3509 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3510
3511         AX: Introduce a static accessibility tree
3512         https://bugs.webkit.org/show_bug.cgi?id=193348
3513         <rdar://problem/47203295>
3514
3515         Reviewed by Ryosuke Niwa.
3516
3517         * Configurations/FeatureDefines.xcconfig:
3518
3519 2019-01-26  Devin Rousso  <drousso@apple.com>
3520
3521         Web Inspector: provide a way to edit the user agent of a remote target
3522         https://bugs.webkit.org/show_bug.cgi?id=193862
3523         <rdar://problem/47359292>
3524
3525         Reviewed by Joseph Pecoraro.
3526
3527         * inspector/protocol/Page.json:
3528         Add `overrideUserAgent` command.
3529
3530 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3531
3532         [JSC] NativeErrorConstructor should not have own IsoSubspace
3533         https://bugs.webkit.org/show_bug.cgi?id=193713
3534
3535         Reviewed by Saam Barati.
3536
3537         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3538         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3539         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3540         offer some function instead of exposing TypeError constructor in the future, and remove this @TypeError reference. This change removes
3541         IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
3542         referenced.
3543
3544         * CMakeLists.txt:
3545         * JavaScriptCore.xcodeproj/project.pbxproj:
3546         * Sources.txt:
3547         * builtins/BuiltinNames.h:
3548         * interpreter/Interpreter.h:
3549         * runtime/Error.cpp:
3550         (JSC::createEvalError):
3551         (JSC::createRangeError):
3552         (JSC::createReferenceError):
3553         (JSC::createSyntaxError):
3554         (JSC::createTypeError):
3555         (JSC::createURIError):
3556         (WTF::printInternal): Deleted.
3557         * runtime/Error.h:
3558         * runtime/ErrorPrototype.cpp:
3559         (JSC::ErrorPrototype::create):
3560         (JSC::ErrorPrototype::finishCreation):
3561         * runtime/ErrorPrototype.h:
3562         (JSC::ErrorPrototype::create): Deleted.
3563         * runtime/ErrorType.cpp: Added.
3564         (JSC::errorTypeName):
3565         (WTF::printInternal):
3566         * runtime/ErrorType.h: Added.
3567         * runtime/JSGlobalObject.cpp:
3568         (JSC::JSGlobalObject::initializeErrorConstructor):
3569         (JSC::JSGlobalObject::init):
3570         (JSC::JSGlobalObject::visitChildren):
3571         * runtime/JSGlobalObject.h:
3572         (JSC::JSGlobalObject::internalPromiseConstructor const):
3573         (JSC::JSGlobalObject::errorStructure const):
3574         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3575         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3576         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3577         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3578         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3579         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3580         * runtime/NativeErrorConstructor.cpp:
3581         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3582         (JSC::NativeErrorConstructorBase::finishCreation):
3583         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3584         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3585         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3586         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3587         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3588         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3589         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3590         * runtime/NativeErrorConstructor.h:
3591         (JSC::NativeErrorConstructorBase::createStructure):
3592         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3593         * runtime/NativeErrorPrototype.cpp:
3594         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3595         * runtime/NativeErrorPrototype.h:
3596         * runtime/VM.cpp:
3597         (JSC::VM::VM):
3598         * runtime/VM.h:
3599         * wasm/js/WasmToJS.cpp:
3600         (JSC::Wasm::handleBadI64Use):
3601
3602 2019-01-25  Devin Rousso  <drousso@apple.com>
3603
3604         Web Inspector: provide a way to edit page settings on a remote target
3605         https://bugs.webkit.org/show_bug.cgi?id=193813
3606         <rdar://problem/47359510>
3607
3608         Reviewed by Joseph Pecoraro.
3609
3610         * inspector/protocol/Page.json:
3611         Add `overrideSetting` command with supporting `Setting` enum type.
3612
3613 2019-01-25  Keith Rollin  <krollin@apple.com>
3614
3615         Update Xcode projects with "Check .xcfilelists" build phase
3616         https://bugs.webkit.org/show_bug.cgi?id=193790
3617         <rdar://problem/47201374>
3618
3619         Reviewed by Alex Christensen.
3620
3621         Support for XCBuild includes specifying inputs and outputs to various
3622         Run Script build phases. These inputs and outputs are specified as
3623         .xcfilelist files. Once created, these .xcfilelist files need to be
3624         kept up-to-date. In order to check that they are up-to-date or not,
3625         add an Xcode build step that invokes an external script that performs
3626         the checking. If the .xcfilelists are found to be out-of-date, update
3627         them, halt the build, and instruct the developer to restart the build
3628         with up-to-date files.
3629
3630         At this time, the checking and regenerating is performed only if the
3631         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3632         who want to use this facility can set this variable and test out the
3633         checking/regenerating. Once it seems like there are no egregious
3634         issues that upset a developer's workflow, we'll unconditionally enable
3635         this facility.
3636
3637         * JavaScriptCore.xcodeproj/project.pbxproj:
3638         * Scripts/check-xcfilelists.sh: Added.
3639
3640 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3641
3642         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3643         https://bugs.webkit.org/show_bug.cgi?id=193796
3644         <rdar://problem/47532910>
3645
3646         Reviewed by Devin Rousso.
3647
3648         * runtime/SamplingProfiler.cpp:
3649         (JSC::SamplingProfiler::machThread):
3650         * runtime/SamplingProfiler.h:
3651         Expose the mach_port_t of the SamplingProfiler thread
3652         so it can be tested against later.
3653
3654 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3655
3656         Fix Windows build after r240511
3657
3658         * bytecode/UnlinkedFunctionExecutable.cpp:
3659         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3660
3661 2019-01-25  Keith Rollin  <krollin@apple.com>
3662
3663         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3664         https://bugs.webkit.org/show_bug.cgi?id=193781
3665         <rdar://problem/47201153>
3666
3667         Reviewed by Alex Christensen.
3668
3669         Part of generating the .xcfilelists used as part of adopting XCBuild
3670         includes running `make DerivedSources.make` from a standalone script.
3671         It’s important for this invocation to have the same environment as
3672         when the actual build invokes `make DerivedSources.make`. If the
3673         environments are different, then the two invocations will provide
3674         different results. In order to get the same environment in the
3675         standalone script, have the script launch xcodebuild targeting the
3676         "Apply Configuration to XCFileLists" build target, which will then
3677         re-invoke our standalone script. The script is now running again, this
3678         time in an environment with all workspace, project, target, xcconfig
3679         and other environment variables established.
3680
3681         The "Apply Configuration to XCFileLists" build target accomplishes
3682         this task via a small embedded shell script that consists only of:
3683
3684             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3685
3686         The process that invokes "Apply Configuration to XCFileLists" first
3687         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3688         evaluated and exports it into the shell environment. When xcodebuild
3689         is invoked, it inherits the value of this variable and can `eval` the
3690         contents of that variable. Our external standalone script can then set
3691         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3692         of command-line parameters needed to restart itself in the appropriate
3693         state.
3694
3695         * JavaScriptCore.xcodeproj/project.pbxproj:
3696
3697 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3698
3699         Add API to generate and consume cached bytecode
3700         https://bugs.webkit.org/show_bug.cgi?id=193401
3701         <rdar://problem/47514099>
3702
3703         Reviewed by Keith Miller.
3704
3705         Add the `generateBytecode` and `generateModuleBytecode` functions to
3706         generate serialized bytecode for a given `SourceCode`. These functions
3707         will eagerly generate code for all the nested functions.
3708
3709         Additionally, update the API methods in JSScript to generate and use the
3710         bytecode when the bytecodeCache path is provided.
3711
3712         * API/JSAPIGlobalObject.mm:
3713         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3714         * API/JSContext.mm:
3715         (-[JSContext wrapperMap]):
3716         * API/JSContextInternal.h:
3717         * API/JSScript.mm:
3718         (+[JSScript scriptWithSource:inVirtualMachine:]):
3719         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3720         (-[JSScript dealloc]):
3721         (-[JSScript readCache]):
3722         (-[JSScript writeCache]):
3723         (-[JSScript hash]):
3724         (-[JSScript source]):
3725         (-[JSScript cachedBytecode]):
3726         (-[JSScript jsSourceCode:]):
3727         * API/JSScriptInternal.h:
3728         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3729         (JSScriptSourceProvider::create):
3730         (JSScriptSourceProvider::JSScriptSourceProvider):
3731         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3732         (JSScriptSourceProvider::hash const):
3733         (JSScriptSourceProvider::source const):
3734         (JSScriptSourceProvider::cachedBytecode const):
3735         * API/JSVirtualMachine.mm:
3736         (-[JSVirtualMachine vm]):
3737         * API/JSVirtualMachineInternal.h:
3738         * API/tests/testapi.mm:
3739         (testBytecodeCache):
3740         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3741         (testObjectiveCAPI):
3742         * JavaScriptCore.xcodeproj/project.pbxproj:
3743         * SourcesCocoa.txt:
3744         * bytecode/UnlinkedFunctionExecutable.cpp:
3745         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3746         * bytecode/UnlinkedFunctionExecutable.h:
3747         * parser/SourceCodeKey.h:
3748         (JSC::SourceCodeKey::source const):
3749         * parser/SourceProvider.h:
3750         (JSC::CachedBytecode::CachedBytecode):
3751         (JSC::CachedBytecode::operator=):
3752         (JSC::CachedBytecode::data const):
3753         (JSC::CachedBytecode::size const):
3754         (JSC::CachedBytecode::owned const):
3755         (JSC::CachedBytecode::~CachedBytecode):
3756         (JSC::CachedBytecode::freeDataIfOwned):
3757         (JSC::SourceProvider::cachedBytecode const):
3758         * parser/UnlinkedSourceCode.h:
3759         (JSC::UnlinkedSourceCode::provider const):
3760         * runtime/CodeCache.cpp:
3761         (JSC::generateUnlinkedCodeBlockForFunctions):
3762         (JSC::writeCodeBlock):
3763         (JSC::serializeBytecode):
3764         * runtime/CodeCache.h:
3765         (JSC::CodeCacheMap::fetchFromDiskImpl):
3766         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3767         (JSC::generateUnlinkedCodeBlockImpl):
3768         (JSC::generateUnlinkedCodeBlock):
3769         * runtime/Completion.cpp:
3770         (JSC::generateBytecode):
3771         (JSC::generateModuleBytecode):
3772         * runtime/Completion.h:
3773         * runtime/Options.cpp:
3774         (JSC::recomputeDependentOptions):
3775
3776 2019-01-25  Keith Rollin  <krollin@apple.com>
3777
3778         Update WebKitAdditions.xcconfig with correct order of variable definitions
3779         https://bugs.webkit.org/show_bug.cgi?id=193793
3780         <rdar://problem/47532439>
3781
3782         Reviewed by Alex Christensen.
3783
3784         XCBuild changes the way xcconfig variables are evaluated. In short,
3785         all config file assignments are now considered in part of the
3786         evaluation. When using the new build system and an .xcconfig file
3787         contains multiple assignments of the same build setting:
3788
3789         - Later assignments using $(inherited) will inherit from earlier
3790           assignments in the xcconfig file.
3791         - Later assignments not using $(inherited) will take precedence over
3792           earlier assignments. An assignment to a more general setting will
3793           mask an earlier assignment to a less general setting. For example,
3794           an assignment without a condition ('FOO = bar') will completely mask
3795           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3796
3797         This affects some of our .xcconfig files, in that sometimes platform-
3798         or sdk-specific definitions appear before the general definitions.
3799         Under the new evaluation rules, the general definitions always take
3800         effect because they always overwrite the more-specific definitions. The
3801         solution is to swap the order, so that the general definitions are
3802         established first, and then conditionally overwritten by the
3803         more-specific definitions.
3804
3805         * Configurations/Version.xcconfig:
3806
3807 2019-01-25  Keith Rollin  <krollin@apple.com>
3808
3809         Update existing .xcfilelists
3810         https://bugs.webkit.org/show_bug.cgi?id=193791
3811         <rdar://problem/47201706>
3812
3813         Reviewed by Alex Christensen.
3814
3815         Many .xcfilelist files were added in r238824 in order to support
3816         XCBuild. Update these with recent changes to the set of build files
3817         and with the current generate-xcfilelist script.
3818
3819         * DerivedSources-input.xcfilelist:
3820         * DerivedSources-output.xcfilelist:
3821         * UnifiedSources-input.xcfilelist:
3822         * UnifiedSources-output.xcfilelist:
3823
3824 2019-01-25  Jon Davis  <jond@apple.com>
3825
3826         Update JavaScriptCore feature status entries.
3827         https://bugs.webkit.org/show_bug.cgi?id=193797
3828
3829         Reviewed by Mark Lam.
3830         
3831         Updated feature status for Async Iteration, and Object rest/spread.
3832
3833         * features.json:
3834
3835 2019-01-24  Keith Miller  <keith_miller@apple.com>
3836
3837         Remove usage of internal macro from private header
3838         https://bugs.webkit.org/show_bug.cgi?id=193809
3839
3840         Reviewed by Saam Barati.
3841
3842         Also, add a new file to include all of our API headers to make sure
3843         they don't accidentally include C++ or internal values.
3844
3845         * API/JSScript.h:
3846         * API/tests/testIncludes.m: Added.
3847         * JavaScriptCore.xcodeproj/project.pbxproj:
3848
3849 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3850
3851         [JSC] ErrorConstructor should not have own IsoSubspace
3852         https://bugs.webkit.org/show_bug.cgi?id=193800
3853
3854         Reviewed by Saam Barati.
3855
3856         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3857         IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
3858         too costly to have an IsoSubspace, which allocates 16KB. Since stackTraceLimit information is per
3859         JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3860         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3861         into IsoSubspaces) described,
3862
3863             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3864             appear to just override methods, which are called dynamically via the structure or class of the object.
3865             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3866
3867         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3868         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3869         This reduces the memory usage.
3870
3871         * interpreter/Interpreter.h:
3872         * runtime/Error.cpp:
3873         (JSC::getStackTrace):
3874         * runtime/ErrorConstructor.cpp:
3875         (JSC::ErrorConstructor::ErrorConstructor):
3876         (JSC::ErrorConstructor::finishCreation):
3877         (JSC::constructErrorConstructor):
3878         (JSC::callErrorConstructor):
3879         (JSC::ErrorConstructor::put):
3880         (JSC::ErrorConstructor::deleteProperty):
3881         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3882         (JSC::Interpreter::callErrorConstructor): Deleted.
3883         * runtime/ErrorConstructor.h:
3884         * runtime/JSGlobalObject.cpp:
3885         (JSC::JSGlobalObject::JSGlobalObject):
3886         (JSC::JSGlobalObject::init):
3887         (JSC::JSGlobalObject::visitChildren):
3888         * runtime/JSGlobalObject.h:
3889         (JSC::JSGlobalObject::stackTraceLimit const):
3890         (JSC::JSGlobalObject::setStackTraceLimit):
3891         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3892         * runtime/VM.cpp:
3893         (JSC::VM::VM):
3894         * runtime/VM.h:
3895
3896 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3897
3898         Web Inspector: CPU Usage Timeline
3899         https://bugs.webkit.org/show_bug.cgi?id=193730
3900         <rdar://problem/46797201>