CachedCall should not consider it UNLIKELY that it will not stack overflow
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-19  Robin Morisset  <rmorisset@apple.com>

        CachedCall should not consider it UNLIKELY that it will not stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=194831

        Reviewed by Mark Lam.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):

2019-02-19  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for TryGetById and ProfileType nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194821
        <rdar://problem/48206690>

        Reviewed by Saam Barati.

        Fix doesGC() for the following nodes:

            ProfileType:
                calls operationProcessTypeProfilerLogDFG(), which can call calculatedClassName(),
                which can call JSString::tryGetValue(), which can resolve a rope.

            TryGetById:
                calls operationTryGetByIdOptimize(), which can startWatchingPropertyForReplacements()
                on a structure, which can allocate StructureRareData.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce JSNonDestructibleProxy for JavaScriptCore.framework's GlobalThis
        https://bugs.webkit.org/show_bug.cgi?id=194799

        Reviewed by Saam Barati.

        JSProxy is a destructible one because we have JSWindowProxy, which has a ref-counted object.
        However, JavaScriptCore.framework's JSProxy for GlobalThis does not need to be destructible.
        This is important since we need to separate Heap subspaces between destructible and non-destructible objects.
        If we can put more and more objects in non-destructible status, we can get rid of low-usage MarkedBlocks.
        This patch adds JSNonDestructibleProxy, which is a non-destructible JSProxy. While it inherits JSDestructibleObject,
        we can make the subclass still non-destructible thanks to the Subspace mechanism. This drops one more low-usage MarkedBlock.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNonDestructibleProxy.cpp: Added.
        * runtime/JSNonDestructibleProxy.h: Added.
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
        * runtime/JSProxy.h:
        (JSC::JSProxy::JSProxy):

2019-02-19  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength::simplifyCFG() could do a lot more on each iteration
        https://bugs.webkit.org/show_bug.cgi?id=194475

        Reviewed by Saam Barati.

        B3ReduceStrength::simplifyCFG() does three optimizations (which I will call A, B and C):
        - A makes any terminal that points to a block that is empty except for a jump point to that jump's target instead.
        - B transforms any branch or switch that points to a single block into a jump.
        - C finds blocks ending with jumps, whose successor has a single predecessor, and inlines that successor block in place of the jump.

        It currently is limited in the following way:
        - A and C can only fire once per block per iteration
        - B can create jumps that would trigger A, but they may not be seen until the next iteration

        Both problems are mitigated by going through the blocks in post-order, so that when a block is optimized most of its successors have already been optimized.
        In a sense it is symmetric to the peephole optimizer, which goes in pre-order so that when an instruction is optimized most of its children have already been optimized.

        On JetStream2 it reduces the average number of iterations from 3.35 to 3.24.

        * b3/B3ReduceStrength.cpp:

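As an added example (not B3's code), the three rewrites and the traversal order described in the entry above, run on a constructed six-block CFG. Block, Cfg, simplifyCfg, sampleCfg and passesToFixpoint are hypothetical names; a block carries only an instruction count and its terminal's targets, which is all A, B and C look at. Walked in reverse post-order the sample needs four passes to reach its fixpoint; walked in post-order, where a block is visited after its successors, it needs three, which is the effect the entry measures on JetStream2.

```cpp
#include <algorithm>
#include <functional>
#include <map>
#include <set>
#include <vector>

// Hypothetical stand-in for a B3 basic block: only what the three rewrites look at.
struct Block {
    int instructionCount = 0;     // non-terminal instructions; 0 = "empty except for its terminal"
    std::vector<int> successors;  // terminal targets: 1 = Jump, >1 = Branch/Switch, 0 = Return
};

using Cfg = std::map<int, Block>;  // block id -> block; block 0 is the entry

// Depth-first walk from the entry that appends a block after all of its successors.
static std::vector<int> postOrder(const Cfg& cfg)
{
    std::vector<int> order;
    std::set<int> seen;
    std::function<void(int)> visit = [&](int id) {
        if (!cfg.count(id) || !seen.insert(id).second)
            return;
        for (int s : cfg.at(id).successors)
            visit(s);
        order.push_back(id);
    };
    visit(0);
    return order;
}

static size_t distinctPredecessors(const Cfg& cfg, int target)
{
    std::set<int> preds;
    for (const auto& entry : cfg) {
        const std::vector<int>& succ = entry.second.successors;
        if (std::find(succ.begin(), succ.end(), target) != succ.end())
            preds.insert(entry.first);
    }
    return preds.size();
}

// Applies A, B and C until nothing changes. Returns the number of passes, including the
// final pass that finds no work (the count the entry above reports for JetStream2).
int simplifyCfg(Cfg& cfg, bool usePostOrder)
{
    int passes = 0;
    for (;;) {
        ++passes;
        bool changed = false;
        std::vector<int> order = postOrder(cfg);       // successors before their predecessors
        if (!usePostOrder)
            std::reverse(order.begin(), order.end());  // reverse post-order: predecessors first
        for (int id : order) {
            if (!cfg.count(id))
                continue;                               // already merged into its predecessor by C
            Block& block = cfg[id];
            // A: retarget any edge to an empty block that only jumps, to that jump's target.
            // A chain of such blocks is followed one hop per pass, as the entry says A is limited to.
            for (int& s : block.successors) {
                if (s == id || !cfg.count(s))
                    continue;
                const Block& next = cfg.at(s);
                if (!next.instructionCount && next.successors.size() == 1 && next.successors[0] != s) {
                    s = next.successors[0];
                    changed = true;
                }
            }
            // B: a branch/switch whose targets are all the same block becomes a jump.
            if (block.successors.size() > 1
                && std::all_of(block.successors.begin(), block.successors.end(),
                               [&](int s) { return s == block.successors[0]; })) {
                block.successors.resize(1);
                changed = true;
            }
            // C: a jump to a block with no other predecessor is replaced by that block's body.
            if (block.successors.size() == 1) {
                int s = block.successors[0];
                if (s != id && cfg.count(s) && distinctPredecessors(cfg, s) == 1) {
                    Block merged = cfg.at(s);
                    block.instructionCount += merged.instructionCount;
                    block.successors = merged.successors;
                    cfg.erase(s);
                    changed = true;
                }
            }
        }
        // Blocks that A or B disconnected are dropped; that is not counted as a change.
        std::vector<int> reachable = postOrder(cfg);
        for (auto it = cfg.begin(); it != cfg.end();) {
            if (std::find(reachable.begin(), reachable.end(), it->first) == reachable.end())
                it = cfg.erase(it);
            else
                ++it;
        }
        if (!changed)
            return passes;
    }
}

// Constructed input: the entry branches to two empty jump blocks that both lead into the
// straight-line chain 3 -> 4 -> 5 -> return.
Cfg sampleCfg()
{
    Cfg cfg;
    cfg[0] = { 1, { 1, 2 } };
    cfg[1] = { 0, { 3 } };
    cfg[2] = { 0, { 3 } };
    cfg[3] = { 1, { 4 } };
    cfg[4] = { 1, { 5 } };
    cfg[5] = { 1, {} };
    return cfg;
}

// Runs the sample to a fixpoint and reports the pass count. Either order ends with one
// block holding all 4 instructions; post-order gets there in fewer passes.
int passesToFixpoint(bool usePostOrder, int* instructionsInEntry = nullptr)
{
    Cfg cfg = sampleCfg();
    int passes = simplifyCfg(cfg, usePostOrder);
    if (instructionsInEntry)
        *instructionsInEntry = cfg.size() == 1 ? cfg.at(0).instructionCount : -1;
    return passes;
}
```

A cycle of empty jump blocks (1 -> 2 -> 1) would make A retarget forever; a production pass has to detect that, and this toy does not.
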
2019-02-19  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        The code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache. The logic now lives in ShellSourceProvider,
        which overrides a virtual method in SourceProvider, `cacheBytecode`,
        in order to write the cache to disk.

        * jsc.cpp:
        (ShellSourceProvider::create):
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode):
        (ShellSourceProvider::ShellSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then move it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits because the assertion requires that these functions be
        called from non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: With the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: While `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

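The two bytecode-cache entries above (the boot UUID from r194769 and the per-build version number from this one) add up to one validation rule: a cached blob is only decoded under the tag that wrote it. The following added example, not JSC's CachedTypes code, shows that rule as a small header format. CacheTag, encodeCacheEntry, decodeCacheEntry and checkBlob are hypothetical names; the version value and the 16 UUID bytes come from constructed helpers standing in for the build system and the kernel.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

using BootUUID = std::array<uint8_t, 16>;

enum class CacheStatus { Ok, Truncated, VersionMismatch, BootMismatch };

// Everything a cached blob is tied to. How the host supplies these is assumed: the
// version is baked in per build, the boot UUID is read once at process start.
struct CacheTag {
    uint32_t version;
    BootUUID bootUUID;
};

constexpr size_t kTagSize = sizeof(uint32_t) + 16;

// Layout: [version, 4 bytes little-endian][boot UUID, 16 bytes][payload...]
std::vector<uint8_t> encodeCacheEntry(const CacheTag& tag, const std::vector<uint8_t>& payload)
{
    std::vector<uint8_t> out;
    out.reserve(kTagSize + payload.size());
    for (int shift = 0; shift < 32; shift += 8)
        out.push_back(static_cast<uint8_t>(tag.version >> shift));
    out.insert(out.end(), tag.bootUUID.begin(), tag.bootUUID.end());
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// The tag is checked before a single payload byte is interpreted: a blob from another
// build (possibly a different record layout) or another boot is refused, not parsed.
CacheStatus decodeCacheEntry(const std::vector<uint8_t>& bytes, const CacheTag& expected, std::vector<uint8_t>& payloadOut)
{
    if (bytes.size() < kTagSize)
        return CacheStatus::Truncated;
    uint32_t version = 0;
    for (int i = 0; i < 4; ++i)
        version |= static_cast<uint32_t>(bytes[i]) << (8 * i);
    if (version != expected.version)
        return CacheStatus::VersionMismatch;
    BootUUID uuid;
    std::copy(bytes.begin() + 4, bytes.begin() + kTagSize, uuid.begin());
    if (uuid != expected.bootUUID)
        return CacheStatus::BootMismatch;
    payloadOut.assign(bytes.begin() + kTagSize, bytes.end());
    return CacheStatus::Ok;
}

// Constructed tag: `fill` stands in for the 16 UUID bytes the kernel would report.
CacheTag sampleTag(uint32_t version, uint8_t fill)
{
    CacheTag tag;
    tag.version = version;
    tag.bootUUID.fill(fill);
    return tag;
}

// Constructed blob: written by build 7 during the boot whose UUID is all 0x11 bytes.
std::vector<uint8_t> sampleBlob()
{
    return encodeCacheEntry(sampleTag(7, 0x11), { 0xAA, 0xBB, 0xCC });
}

// Validates `blob` against the tag of the running build/boot and reports the payload size.
CacheStatus checkBlob(const std::vector<uint8_t>& blob, uint32_t version, uint8_t fill, size_t* payloadSize = nullptr)
{
    std::vector<uint8_t> payload;
    CacheStatus status = decodeCacheEntry(blob, sampleTag(version, fill), payload);
    if (payloadSize)
        *payloadSize = payload.size();
    return status;
}
```

The version number is what guards against a layout change between builds; the boot UUID additionally refuses a blob that survived a reboot, which is what the boot-specific validation is for.
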
2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, and Global function from the function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1) the
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has a sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to move them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from an IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

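The fix above adds a bounds check before the code unit that follows a lead surrogate is read. The following added example (not Yarr's generated code) shows the same check in a plain C++ matcher for a fixed-count pattern character under /u semantics. readCodePoint, matchPatternCharacterFixed and matchEnd are hypothetical names; the two subjects are constructed, one with complete surrogate pairs and one cut off right after a lead surrogate, which is the input that would otherwise read one code unit past the end of the subject.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Decodes the code point at `index` of a UTF-16 subject under /u semantics.
// Returns false only when `index` itself is out of bounds.
bool readCodePoint(const std::u16string& subject, size_t index, uint32_t& codePoint, size_t& consumed)
{
    if (index >= subject.size())
        return false;
    char16_t lead = subject[index];
    if (lead >= 0xD800 && lead <= 0xDBFF) {
        // The check the entry above adds: the trail surrogate is read only if it exists.
        if (index + 1 < subject.size()) {
            char16_t trail = subject[index + 1];
            if (trail >= 0xDC00 && trail <= 0xDFFF) {
                codePoint = 0x10000 + ((static_cast<uint32_t>(lead) - 0xD800) << 10) + (trail - 0xDC00);
                consumed = 2;
                return true;
            }
        }
    }
    // BMP character or lone surrogate: it matches itself and is one code unit wide.
    codePoint = lead;
    consumed = 1;
    return true;
}

// Fixed-count pattern character, e.g. /\u{1F600}{2}/u: does `patternChar` occur `count`
// times in a row starting at `index`? On success `end` is the index just past the match.
bool matchPatternCharacterFixed(const std::u16string& subject, size_t index, uint32_t patternChar, size_t count, size_t& end)
{
    size_t pos = index;
    for (size_t i = 0; i < count; ++i) {
        uint32_t codePoint = 0;
        size_t consumed = 0;
        if (!readCodePoint(subject, pos, codePoint, consumed) || codePoint != patternChar)
            return false;
        pos += consumed;
    }
    end = pos;
    return true;
}

// Constructed subject: "ab" followed by two complete U+1F600 pairs (6 code units).
std::u16string completeSubject()
{
    return u"ab\U0001F600\U0001F600";
}

// Constructed subject: the same text cut off after the lead surrogate (3 code units).
std::u16string truncatedSubject()
{
    std::u16string s = u"ab";
    s.push_back(static_cast<char16_t>(0xD83D));  // lead surrogate of U+1F600 with nothing after it
    return s;
}

// Returns the index just past a match, or -1 when the pattern does not match at `index`.
long matchEnd(const std::u16string& subject, size_t index, uint32_t patternChar, size_t count)
{
    size_t end = 0;
    return matchPatternCharacterFixed(subject, index, patternChar, count, end) ? static_cast<long>(end) : -1;
}
```

On the truncated subject the lone lead surrogate matches only itself; without the `index + 1 < subject.size()` guard the trail-surrogate read would index one past the end.
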
2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

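Added example, not the SamplingProfiler code: a JSON string escaper beside a checker that tells whether a rendered value is still a single string literal. Function names and source URLs in a stack trace come from script (a function can be named anything, e.g. `({ ['a","evil":1,"x'](){} })`), so writing a name unescaped lets it inject fields into the profiler's JSON. escapeJSONString, frameToJSON, frameToJSONUnescaped and isSingleJSONStringLiteral are hypothetical names.

```cpp
#include <cstdio>
#include <string>

// Escapes the bytes of `input` (assumed UTF-8) for use inside a JSON string literal. JSON
// requires escaping only the quote, the backslash and the C0 control characters.
std::string escapeJSONString(const std::string& input)
{
    std::string out;
    out.reserve(input.size() + 8);
    for (unsigned char c : input) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b";  break;
        case '\f': out += "\\f";  break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '\t': out += "\\t";  break;
        default:
            if (c < 0x20) {
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out += static_cast<char>(c);  // printable ASCII and UTF-8 bytes >= 0x80 pass through
            }
        }
    }
    return out;
}

// One sampled frame rendered as a JSON object, with every script-controlled string escaped.
std::string frameToJSON(const std::string& functionName, const std::string& url, int line)
{
    return "{\"name\":\"" + escapeJSONString(functionName)
        + "\",\"url\":\"" + escapeJSONString(url)
        + "\",\"line\":" + std::to_string(line) + "}";
}

// The same frame written the unsafe way, for comparison.
std::string frameToJSONUnescaped(const std::string& functionName, const std::string& url, int line)
{
    return "{\"name\":\"" + functionName + "\",\"url\":\"" + url + "\",\"line\":" + std::to_string(line) + "}";
}

// True if `text` is exactly one JSON string literal: an opening quote, a body in which every
// quote and backslash is escaped and no raw control character appears, a closing quote, and
// nothing after it. Anything else means the value broke out of its string.
bool isSingleJSONStringLiteral(const std::string& text)
{
    if (text.size() < 2 || text.front() != '"')
        return false;
    for (size_t i = 1; i < text.size(); ++i) {
        unsigned char c = text[i];
        if (c == '\\') {
            if (++i >= text.size())
                return false;
            continue;
        }
        if (c == '"')
            return i + 1 == text.size();
        if (c < 0x20)
            return false;
    }
    return false;  // never closed
}
```
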
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using the DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting the pointer into a global variable.
        This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

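Added example, not DFGWorklist.cpp: the publication pattern the entry describes, written with a release store in place of the store-store fence and an acquire load on the lookup side, which is the portable C++ form of the same ordering. Worklist, ensureGlobalWorklist and existingGlobalWorklistOrNull are hypothetical names; tornObservations races reader threads against the single call_once creation and counts readers that saw a non-null pointer to an object whose fields were not yet written.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for a compiler worklist: two fields a reader would dereference.
struct Worklist {
    uint32_t threadCount;
    uint32_t ready;  // written last by the constructor; 1 only once construction finished
    explicit Worklist(uint32_t threads) : threadCount(threads), ready(1) { }
};

namespace {
std::once_flag worklistOnce;
std::atomic<Worklist*> globalWorklist { nullptr };
}

// Creates the worklist on first use. The release store plays the role of the store-store
// fence the entry above inserts: every write that built *worklist is ordered before the
// pointer becomes visible to other threads.
Worklist& ensureGlobalWorklist()
{
    std::call_once(worklistOnce, [] {
        Worklist* worklist = new Worklist(4);
        globalWorklist.store(worklist, std::memory_order_release);
    });
    return *globalWorklist.load(std::memory_order_acquire);
}

// The lock-free lookup used by code that must not create the worklist, such as a VM being
// torn down. A reader that sees non-null may dereference it: the acquire load pairs with
// the release store, so it cannot observe a half-built object.
Worklist* existingGlobalWorklistOrNull()
{
    return globalWorklist.load(std::memory_order_acquire);
}

// Races `readerThreads` lookups against the single creation and counts readers that saw a
// non-null pointer whose object was incomplete. With the release/acquire pair this is 0;
// with a plain pointer store the C++ memory model permits it to be greater.
unsigned tornObservations(unsigned readerThreads)
{
    std::atomic<unsigned> torn { 0 };
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < readerThreads; ++i) {
        threads.emplace_back([&torn] {
            for (int spin = 0; spin < 100000; ++spin) {
                if (Worklist* worklist = existingGlobalWorklistOrNull()) {
                    if (worklist->ready != 1 || worklist->threadCount != 4)
                        torn.fetch_add(1);
                    return;
                }
            }
        });
    }
    threads.emplace_back([] { ensureGlobalWorklist(); });
    for (std::thread& thread : threads)
        thread.join();
    return torn.load();
}
```

The entry adds only a store-side fence; the acquire load here is the portable way to get the matching guarantee on the read side, since the C++ memory model does not promise that a plain load through the freshly read pointer is ordered after it.
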
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

689 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
690
691         [JSC] Do not even allocate JIT worklists in non-JIT mode
692         https://bugs.webkit.org/show_bug.cgi?id=194693
693
694         Reviewed by Mark Lam.
695
696         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
697         And we do not perform any GC operations that are only meaningful in JIT environment.
698
699         1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
700         2. We remove DFG marking constraint in non-JIT mode.
701         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the # of scratch buffers is always zero in non-JIT mode)
702         4. We do not visit JITStubRoutineSet.
703         5. Align JITWorklist function names to the other worklists.
704
705         * dfg/DFGOSRExitPreparation.cpp:
706         (JSC::DFG::prepareCodeOriginForOSRExit):
707         * dfg/DFGPlan.h:
708         * dfg/DFGWorklist.cpp:
709         (JSC::DFG::markCodeBlocks): Deleted.
710         * dfg/DFGWorklist.h:
711         * heap/Heap.cpp:
712         (JSC::Heap::completeAllJITPlans):
713         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
714         (JSC::Heap::gatherScratchBufferRoots):
715         (JSC::Heap::removeDeadCompilerWorklistEntries):
716         (JSC::Heap::stopThePeriphery):
717         (JSC::Heap::suspendCompilerThreads):
718         (JSC::Heap::resumeCompilerThreads):
719         (JSC::Heap::addCoreConstraints):
720         * jit/JITWorklist.cpp:
721         (JSC::JITWorklist::existingGlobalWorklistOrNull):
722         (JSC::JITWorklist::ensureGlobalWorklist):
723         (JSC::JITWorklist::instance): Deleted.
724         * jit/JITWorklist.h:
725         * llint/LLIntSlowPaths.cpp:
726         (JSC::LLInt::jitCompileAndSetHeuristics):
727         * runtime/VM.cpp:
728         (JSC::VM::~VM):
729         (JSC::VM::gatherScratchBufferRoots):
730         (JSC::VM::gatherConservativeRoots): Deleted.
731         * runtime/VM.h:
732
733 2019-02-15  Saam barati  <sbarati@apple.com>
734
735         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
736         https://bugs.webkit.org/show_bug.cgi?id=194036
737
738         Reviewed by Yusuke Suzuki.
739
740         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
741         use linear scan for register allocation. Instead of linear scan, Air-O0 does
742         mostly block-local register allocation, and it does this as it's emitting
743         code directly. The register allocator uses liveness analysis to reduce
744         the number of spills. Doing register allocation as we're emitting code
745         allows us to skip editing the IR to insert spills, which saves a non-trivial
746         amount of compile time. For stack allocation, we give each Tmp its own slot.
747         This is less than ideal. We probably want to do some trivial live range analysis
748         in the future. The reason this isn't a deal breaker for Wasm is that this patch
749         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
750         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
751         
752         This patch is another 25% Wasm startup time speedup. It seems to be worth
753         another 1% on JetStream2.
754
755         * JavaScriptCore.xcodeproj/project.pbxproj:
756         * Sources.txt:
757         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
758         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
759         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
760         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
761         (JSC::B3::Air::callFrameAddr):
762         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
763         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
764         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
765         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
766         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
767         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
768         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
769         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
770         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
771         * b3/air/AirCode.cpp:
772         * b3/air/AirCode.h:
773         * b3/air/AirGenerate.cpp:
774         (JSC::B3::Air::prepareForGeneration):
775         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
776         (JSC::B3::Air::generate):
777         * b3/air/AirHandleCalleeSaves.cpp:
778         (JSC::B3::Air::handleCalleeSaves):
779         * b3/air/AirHandleCalleeSaves.h:
780         * b3/air/AirTmpMap.h:
781         * runtime/Options.h:
782         * wasm/WasmAirIRGenerator.cpp:
783         (JSC::Wasm::AirIRGenerator::didKill):
784         (JSC::Wasm::AirIRGenerator::newTmp):
785         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
786         (JSC::Wasm::parseAndCompileAir):
787         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
788         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
789         * wasm/WasmAirIRGenerator.h:
790         * wasm/WasmB3IRGenerator.cpp:
791         (JSC::Wasm::B3IRGenerator::didKill):
792         * wasm/WasmBBQPlan.cpp:
793         (JSC::Wasm::BBQPlan::compileFunctions):
794         * wasm/WasmFunctionParser.h:
795         (JSC::Wasm::FunctionParser<Context>::parseBody):
796         (JSC::Wasm::FunctionParser<Context>::parseExpression):
797         * wasm/WasmValidate.cpp:
798         (JSC::Wasm::Validate::didKill):
799
800 2019-02-14  Saam barati  <sbarati@apple.com>
801
802         lowerStackArgs should lower Lea32/64 on ARM64 to Add
803         https://bugs.webkit.org/show_bug.cgi?id=194656
804
805         Reviewed by Yusuke Suzuki.
806
807         On arm64, Lea is just implemented as an add. However, Air treats it as an
808         address with a given width. Because of this width, we were incorrectly
809         computing whether or not this immediate could fit into the instruction itself
810         or it needed to be explicitly put into a register. This patch makes
811         AirLowerStackArgs lower Lea to Add on arm64.
812
813         * b3/air/AirLowerStackArgs.cpp:
814         (JSC::B3::Air::lowerStackArgs):
815         * b3/air/AirOpcode.opcodes:
816         * b3/air/testair.cpp:
817
818 2019-02-14  Saam Barati  <sbarati@apple.com>
819
820         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
821         https://bugs.webkit.org/show_bug.cgi?id=194583
822         <rdar://problem/48028140>
823
824         Reviewed by Yusuke Suzuki.
825
826         This patch makes it so that getVariablesUnderTDZ caches a result of
827         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
828         it's called in an environment where there are a lot of variables.
829         This patch makes it so we cache its results. This is profitable when
830         getVariablesUnderTDZ is called repeatedly with the same environment
831         state. This is common since we call this every time we encounter a
832         function definition/expression node.
833
834         * builtins/BuiltinExecutables.cpp:
835         (JSC::BuiltinExecutables::createExecutable):
836         * bytecode/UnlinkedFunctionExecutable.cpp:
837         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
838         * bytecode/UnlinkedFunctionExecutable.h:
839         * bytecompiler/BytecodeGenerator.cpp:
840         (JSC::BytecodeGenerator::popLexicalScopeInternal):
841         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
842         (JSC::BytecodeGenerator::pushTDZVariables):
843         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
844         (JSC::BytecodeGenerator::restoreTDZStack):
845         * bytecompiler/BytecodeGenerator.h:
846         (JSC::BytecodeGenerator::makeFunction):
847         * parser/VariableEnvironment.cpp:
848         (JSC::CompactVariableMap::Handle::Handle):
849         (JSC::CompactVariableMap::Handle::operator=):
850         * parser/VariableEnvironment.h:
851         (JSC::CompactVariableMap::Handle::operator bool const):
852         * runtime/CodeCache.cpp:
853         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
854
855 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
856
857         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
858         https://bugs.webkit.org/show_bug.cgi?id=194659
859
860         Reviewed by Mark Lam.
861
862         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since the code for these entrypoints is identical.
863         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
864         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
865
866         * dfg/DFGJITCode.h:
867         * dfg/DFGJITFinalizer.cpp:
868         (JSC::DFG::JITFinalizer::finalize):
869         (JSC::DFG::JITFinalizer::finalizeFunction):
870         * jit/JITCode.cpp:
871         (JSC::DirectJITCode::initializeCodeRefForDFG):
872         (JSC::DirectJITCode::initializeCodeRef): Deleted.
873         (JSC::NativeJITCode::initializeCodeRef): Deleted.
874         * jit/JITCode.h:
875         * llint/LLIntEntrypoint.cpp:
876         (JSC::LLInt::setFunctionEntrypoint):
877         (JSC::LLInt::setEvalEntrypoint):
878         (JSC::LLInt::setProgramEntrypoint):
879         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
880
881 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
882
883         [WTF] Add environment variable helpers
884         https://bugs.webkit.org/show_bug.cgi?id=192405
885
886         Reviewed by Michael Catanzaro.
887
888         * inspector/remote/glib/RemoteInspectorGlib.cpp:
889         (Inspector::RemoteInspector::RemoteInspector):
890         (Inspector::RemoteInspector::start):
891         * jsc.cpp:
892         (startTimeoutThreadIfNeeded):
893         * runtime/Options.cpp:
894         (JSC::overrideOptionWithHeuristic):
895         (JSC::Options::overrideAliasedOptionWithHeuristic):
896         (JSC::Options::initialize):
897         * runtime/VM.cpp:
898         (JSC::enableAssembler):
899         (JSC::VM::VM):
900         * tools/CodeProfiling.cpp:
901         (JSC::CodeProfiling::notifyAllocator):
902         Utilize WTF::Environment where possible.
903
904 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
905
906         [JSC] Should have default NativeJITCode
907         https://bugs.webkit.org/show_bug.cgi?id=194634
908
909         Reviewed by Mark Lam.
910
911         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
912         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as a default one.
913         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
914         allocations, which take 14KB.
915
916         * runtime/VM.cpp:
917         (JSC::jitCodeForCallTrampoline):
918         (JSC::jitCodeForConstructTrampoline):
919         (JSC::VM::getHostFunction):
920
921 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
922
923         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
924         https://bugs.webkit.org/show_bug.cgi?id=194576
925
926         Reviewed by Saam Barati.
927
928         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
929         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
930
931         * bytecode/UnlinkedFunctionExecutable.cpp:
932         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
933         (JSC::UnlinkedFunctionExecutable::link):
934         * bytecode/UnlinkedFunctionExecutable.h:
935         * runtime/CodeCache.cpp:
936         (JSC::generateUnlinkedCodeBlockForFunctions):
937
938 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
939
940         CachedBitVector's size must be converted from bits to bytes
941         https://bugs.webkit.org/show_bug.cgi?id=194441
942
943         Reviewed by Saam Barati.
944
945         CachedBitVector used its size in bits for memcpy. That didn't cause any
946         issues when encoding, since the size in bits was also used in the allocation,
947         but would overflow the actual BitVector buffer when decoding.
948
949         * runtime/CachedTypes.cpp:
950         (JSC::CachedBitVector::encode):
951         (JSC::CachedBitVector::decode const):
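
        A constructed C++ model of the bits-versus-bytes defect described above, added here as an
        example and not the CachedTypes.cpp code: the BitVector and CachedBitVector types, bitsToBytes,
        and the [u32 numBits][payload bytes] layout are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed stand-in for a bit vector: numBits bits packed into bytes.
struct BitVector {
    std::size_t numBits = 0;
    std::vector<uint8_t> bytes;
    explicit BitVector(std::size_t bits) : numBits(bits), bytes((bits + 7) / 8, 0) { }
    void set(std::size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(std::size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
};

// The conversion the fix boils down to: storage is allocated in bytes, so a bit
// count must be rounded up to whole bytes before it is used as a memcpy length.
std::size_t bitsToBytes(std::size_t bits) { return (bits + 7) / 8; }

// Length the buggy decode would have passed to memcpy (the bit count itself)
// versus the correct byte count. The difference is how far past the end of the
// freshly allocated BitVector buffer the buggy copy would have written.
std::size_t buggyCopyLength(std::size_t numBits) { return numBits; }
std::size_t decodeOverrunBytes(std::size_t numBits)
{
    return buggyCopyLength(numBits) - bitsToBytes(numBits);
}

// Serialised layout (assumed for this example): [u32 numBits][payload bytes].
struct CachedBitVector {
    std::vector<uint8_t> blob;

    // Encode: write the bit count, then exactly bitsToBytes(numBits) payload bytes.
    // (Using numBits here would over-read the source, but the page notes the
    // allocation side happened to match, which is why encoding never crashed.)
    void encode(const BitVector& vector)
    {
        uint32_t numBits = static_cast<uint32_t>(vector.numBits);
        blob.resize(sizeof(numBits) + bitsToBytes(numBits));
        std::memcpy(blob.data(), &numBits, sizeof(numBits));
        std::memcpy(blob.data() + sizeof(numBits), vector.bytes.data(), bitsToBytes(numBits));
    }

    // Decode (fixed form): copy bitsToBytes(numBits), never numBits, into the
    // new buffer, and refuse blobs whose payload is shorter than declared so a
    // corrupted cache file cannot drive an out-of-bounds read either.
    BitVector decode() const
    {
        uint32_t numBits = 0;
        if (blob.size() < sizeof(numBits))
            throw std::runtime_error("truncated CachedBitVector header");
        std::memcpy(&numBits, blob.data(), sizeof(numBits));
        std::size_t payloadBytes = bitsToBytes(numBits);
        if (blob.size() - sizeof(numBits) < payloadBytes)
            throw std::runtime_error("payload shorter than declared bit count");
        BitVector vector(numBits);
        std::memcpy(vector.bytes.data(), blob.data() + sizeof(numBits), payloadBytes);
        return vector;
    }
};

// Round-trips a vector and reports whether every bit survived.
bool roundTrips(const BitVector& vector)
{
    CachedBitVector cached;
    cached.encode(vector);
    BitVector back = cached.decode();
    if (back.numBits != vector.numBits)
        return false;
    for (std::size_t i = 0; i < vector.numBits; ++i) {
        if (back.get(i) != vector.get(i))
            return false;
    }
    return true;
}
```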
952
953 2019-02-13  Brian Burg  <bburg@apple.com>
954
955         Web Inspector: don't include accessibility role in DOM.Node object payloads
956         https://bugs.webkit.org/show_bug.cgi?id=194623
957         <rdar://problem/36384037>
958
959         Reviewed by Devin Rousso.
960
961         Remove property of DOM.Node that is no longer being sent.
962
963         * inspector/protocol/DOM.json:
964
965 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
966
967         We should only make rope strings when concatenating strings long enough.
968         https://bugs.webkit.org/show_bug.cgi?id=194465
969
970         Reviewed by Mark Lam.
971
972         This patch stops us from allocating a rope string if the resulting
973         rope would be smaller than the size of the JSRopeString object we
974         would need to allocate.
975
976         This patch also adds paths so that we don't unnecessarily allocate
977         JSString cells for primitives we are going to concatenate with a
978         string anyway.
979
980         The important change from the previous one is that we do not apply
981         the above rule to JSRopeStrings generated by JSStrings. If we convert
982         it to JSString, the comparison of memory consumption becomes the following,
983         because JSRopeString does not have a StringImpl until it is resolved.
984
985             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
986
987         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
988         resolving eagerly increases memory footprint. The point is that we need to
989         account for the newly created JSString and JSRopeString from the operands. This is the
990         reason why this patch adds different thresholds for each jsString function.
991
992         This patch also avoids concatenation for ropes conservatively. Many ropes are
993         temporary cells. So we do not resolve eagerly if one of operands is already a
994         rope.
995
996         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and the average of the latter 5).
997
998             Before: 159.3778
999             After:  160.72340000000003
1000
1001         * dfg/DFGOperations.cpp:
1002         * runtime/CommonSlowPaths.cpp:
1003         (JSC::SLOW_PATH_DECL):
1004         * runtime/JSString.h:
1005         (JSC::JSString::isRope const):
1006         * runtime/Operations.cpp:
1007         (JSC::jsAddSlowCase):
1008         * runtime/Operations.h:
1009         (JSC::jsString):
1010         (JSC::jsAddNonNumber):
1011         (JSC::jsAdd):
1012
1013 2019-02-13  Saam Barati  <sbarati@apple.com>
1014
1015         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
1016         https://bugs.webkit.org/show_bug.cgi?id=194610
1017
1018         Reviewed by Michael Saboff.
1019
1020         BinarySwitch might use the scratch register. We must model the
1021         effects of that properly. This is already caught by our br-table
1022         tests on arm64.
1023
1024         * wasm/WasmAirIRGenerator.cpp:
1025         (JSC::Wasm::AirIRGenerator::addSwitch):
1026
1027 2019-02-13  Mark Lam  <mark.lam@apple.com>
1028
1029         Create a randomized free list for new StructureIDs on StructureIDTable resize.
1030         https://bugs.webkit.org/show_bug.cgi?id=194566
1031         <rdar://problem/47975502>
1032
1033         Reviewed by Michael Saboff.
1034
1035         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
1036         implementation is a little easier to read.
1037
1038         This patch appears to be perf neutral on JetStream2 (as run from the command line).
1039
1040         * runtime/StructureIDTable.cpp:
1041         (JSC::StructureIDTable::StructureIDTable):
1042         (JSC::StructureIDTable::makeFreeListFromRange):
1043         (JSC::StructureIDTable::resize):
1044         (JSC::StructureIDTable::allocateID):
1045         (JSC::StructureIDTable::deallocateID):
1046         * runtime/StructureIDTable.h:
1047         (JSC::StructureIDTable::get):
1048         (JSC::StructureIDTable::deallocateID):
1049         (JSC::StructureIDTable::allocateID):
1050         (JSC::StructureIDTable::flushOldTables):
1051
1052 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1053
1054         VariableLengthObject::allocate<T> should initialize objects
1055         https://bugs.webkit.org/show_bug.cgi?id=194534
1056
1057         Reviewed by Michael Saboff.
1058
1059         `buffer()` should not be called for empty VariableLengthObjects, but
1060         these cases were not being caught due to the objects not being properly
1061         initialized. Fix it so that allocate calls the constructor and fix the
1062         assertion failures.
1063
1064         * runtime/CachedTypes.cpp:
1065         (JSC::CachedObject::operator new):
1066         (JSC::VariableLengthObject::allocate):
1067         (JSC::CachedVector::encode):
1068         (JSC::CachedVector::decode const):
1069         (JSC::CachedUniquedStringImpl::decode const):
1070         (JSC::CachedBitVector::encode):
1071         (JSC::CachedBitVector::decode const):
1072         (JSC::CachedArray::encode):
1073         (JSC::CachedArray::decode const):
1074         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
1075         (JSC::CachedBigInt::decode const):
1076
1077 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1078
1079         CodeBlocks read from disk should not be re-written
1080         https://bugs.webkit.org/show_bug.cgi?id=194535
1081
1082         Reviewed by Michael Saboff.
1083
1084         Keep track of which CodeBlocks have been read from disk or have already
1085         been serialized in CodeCache.
1086
1087         * runtime/CodeCache.cpp:
1088         (JSC::CodeCache::write):
1089         * runtime/CodeCache.h:
1090         (JSC::SourceCodeValue::SourceCodeValue):
1091         (JSC::CodeCacheMap::fetchFromDiskImpl):
1092
1093 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1094
1095         SourceCode should be copied when generating bytecode for functions
1096         https://bugs.webkit.org/show_bug.cgi?id=194536
1097
1098         Reviewed by Saam Barati.
1099
1100         The FunctionExecutable might be collected while generating the bytecode
1101         for nested functions, in which case the SourceCode reference would no
1102         longer be valid.
1103
1104         * runtime/CodeCache.cpp:
1105         (JSC::generateUnlinkedCodeBlockForFunctions):
1106
1107 2019-02-12  Saam barati  <sbarati@apple.com>
1108
1109         JSScript needs to retain its cache path NSURL*
1110         https://bugs.webkit.org/show_bug.cgi?id=194577
1111
1112         Reviewed by Tim Horton.
1113
1114         * API/JSScript.mm:
1115         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1116         (-[JSScript dealloc]):
1117
1118 2019-02-12  Robin Morisset  <rmorisset@apple.com>
1119
1120         Make B3Value::returnsBool() more precise
1121         https://bugs.webkit.org/show_bug.cgi?id=194457
1122
1123         Reviewed by Saam Barati.
1124
1125         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
1126         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
1127         No new tests added as this should be indirectly tested by the already existing tests.
1128
1129         * b3/B3Value.cpp:
1130         (JSC::B3::Value::returnsBool const):
1131
1132 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1133
1134         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1135         https://bugs.webkit.org/show_bug.cgi?id=194399
1136         <rdar://problem/47889777>
1137
1138         * dfg/DFGDoesGC.cpp:
1139         (JSC::DFG::doesGC):
1140
1141 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1142
1143         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1144         https://bugs.webkit.org/show_bug.cgi?id=194370
1145
1146         Reviewed by Darin Adler.
1147
1148         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
1149         necessary, but it will make errors more visible.
1150
1151         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1152         (Inspector::RemoteInspector::start):
1153         (Inspector::dbusConnectionCallAsyncReadyCallback):
1154         * inspector/remote/glib/RemoteInspectorServer.cpp:
1155         (Inspector::RemoteInspectorServer::start):
1156
1157 2019-02-12  Andy Estes  <aestes@apple.com>
1158
1159         [iOSMac] Enable Parental Controls Content Filtering
1160         https://bugs.webkit.org/show_bug.cgi?id=194521
1161         <rdar://39732376>
1162
1163         Reviewed by Tim Horton.
1164
1165         * Configurations/FeatureDefines.xcconfig:
1166
1167 2019-02-11  Mark Lam  <mark.lam@apple.com>
1168
1169         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1170         https://bugs.webkit.org/show_bug.cgi?id=194512
1171         <rdar://problem/47975465>
1172
1173         Reviewed by Yusuke Suzuki.
1174
1175         * runtime/StructureIDTable.cpp:
1176         (JSC::StructureIDTable::StructureIDTable):
1177         (JSC::StructureIDTable::allocateID):
1178         (JSC::StructureIDTable::deallocateID):
1179         * runtime/StructureIDTable.h:
1180
1181 2019-02-10  Mark Lam  <mark.lam@apple.com>
1182
1183         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1184         https://bugs.webkit.org/show_bug.cgi?id=194493
1185         <rdar://problem/36380852>
1186
1187         Reviewed by Yusuke Suzuki.
1188
1189         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1190         however not good for performance and memory usage.  As such, a debug ASSERT will
1191         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1192         possible to be instantiated with duplicate cases in
1193         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1194
1195         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1196         see duplicate cases.
1197
1198         * jit/BinarySwitch.cpp:
1199         (JSC::BinarySwitch::BinarySwitch):
1200
1201 2019-02-10  Darin Adler  <darin@apple.com>
1202
1203         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1204         https://bugs.webkit.org/show_bug.cgi?id=194485
1205
1206         Reviewed by Daniel Bates.
1207
1208         * heap/HeapSnapshotBuilder.cpp:
1209         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1210         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1211
1212         * runtime/JSGlobalObjectFunctions.cpp:
1213         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1214         including one in a call to appendByteAsHex.
1215         (JSC::globalFuncEscape): Ditto.
1216
1217 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1218
1219         Unreviewed, rolling out r241230.
1220         https://bugs.webkit.org/show_bug.cgi?id=194488
1221
1222         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1223         #webkit).
1224
1225         Reverted changeset:
1226
1227         "We should only make rope strings when concatenating strings
1228         long enough."
1229         https://bugs.webkit.org/show_bug.cgi?id=194465
1230         https://trac.webkit.org/changeset/241230
1231
1232 2019-02-10  Saam barati  <sbarati@apple.com>
1233
1234         BBQ-Air: Emit better code for switch
1235         https://bugs.webkit.org/show_bug.cgi?id=194053
1236
1237         Reviewed by Yusuke Suzuki.
1238
1239         Instead of emitting a linear set of jumps for Switch, this patch
1240         makes the BBQ-Air backend emit a binary switch.
1241
1242         * wasm/WasmAirIRGenerator.cpp:
1243         (JSC::Wasm::AirIRGenerator::addSwitch):
1244
1245 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1246
1247         Unreviewed, Lexer should use isLatin1 implementation in WTF
1248         https://bugs.webkit.org/show_bug.cgi?id=194466
1249
1250         Follow-up after r241233 pointed by Darin.
1251
1252         * parser/Lexer.cpp:
1253         (JSC::isLatin1): Deleted.
1254
1255 2019-02-09  Darin Adler  <darin@apple.com>
1256
1257         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1258         https://bugs.webkit.org/show_bug.cgi?id=194021
1259
1260         Reviewed by Geoffrey Garen.
1261
1262         * inspector/agents/InspectorConsoleAgent.cpp:
1263         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1264         makeString do the conversion without allocating/destroying a String.
1265         * inspector/agents/InspectorDebuggerAgent.cpp:
1266         (Inspector::objectGroupForBreakpointAction): Ditto.
1267         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1268         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1269         * runtime/JSGenericTypedArrayViewInlines.h:
1270         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1271         * runtime/NumberPrototype.cpp:
1272         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1273         of calling numberToFixedWidthString to do the same thing.
1274         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1275         numberToFixedPrecisionString to do the same thing.
1276         * runtime/SamplingProfiler.cpp:
1277         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1278
1279 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1280
1281         Unreviewed, rolling in r241237 again
1282         https://bugs.webkit.org/show_bug.cgi?id=194469
1283
1284         * runtime/JSString.h:
1285         (JSC::jsSubstring):
1286
1287 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1288
1289         Unreviewed, rolling out r241237.
1290         https://bugs.webkit.org/show_bug.cgi?id=194474
1291
1292         Shows significant memory increase in WSL (Requested by
1293         yusukesuzuki on #webkit).
1294
1295         Reverted changeset:
1296
1297         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1298         takes more memory"
1299         https://bugs.webkit.org/show_bug.cgi?id=194469
1300         https://trac.webkit.org/changeset/241237
1301
1302 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1303
1304         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1305         https://bugs.webkit.org/show_bug.cgi?id=194469
1306
1307         Reviewed by Geoffrey Garen.
1308
1309         * runtime/JSString.h:
1310         (JSC::jsSubstring):
1311
1312 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1313
1314         [JSC] CachedTypes should use jsString instead of JSString::create
1315         https://bugs.webkit.org/show_bug.cgi?id=194471
1316
1317         Reviewed by Mark Lam.
1318
1319         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1320
1321         * runtime/CachedTypes.cpp:
1322         (JSC::CachedJSValue::decode const):
1323
1324 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1325
1326         [JSC] Increase StructureIDTable initial capacity
1327         https://bugs.webkit.org/show_bug.cgi?id=194468
1328
1329         Reviewed by Mark Lam.
1330
1331         Currently, the # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1332         the JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1333         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1334         more memory dirty. We also remove some structures that are no longer used.
1335
1336         * runtime/JSGlobalObject.h:
1337         (JSC::JSGlobalObject::callbackObjectStructure const):
1338         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1339         * runtime/StructureIDTable.h:
1340         * runtime/VM.h:
1341
1342 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1343
1344         [JSC] String.fromCharCode's slow path always generates 16bit string
1345         https://bugs.webkit.org/show_bug.cgi?id=194466
1346
1347         Reviewed by Keith Miller.
1348
1349         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1350         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1351         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1352         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1353         a 16bit string. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1354         as much as possible.
1355
1356         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1357
1358         * runtime/StringConstructor.cpp:
1359         (JSC::stringFromCharCode):
1360
1361 2019-02-08  Keith Miller  <keith_miller@apple.com>
1362
1363         We should only make rope strings when concatenating strings long enough.
1364         https://bugs.webkit.org/show_bug.cgi?id=194465
1365
1366         Reviewed by Saam Barati.
1367
1368         This patch stops us from allocating a rope string if the resulting
1369         rope would be smaller than the size of the JSRopeString object we
1370         would need to allocate.
1371
1372         This patch also adds paths so that we don't unnecessarily allocate
1373         JSString cells for primitives we are going to concatenate with a
1374         string anyway.
1375
1376         * dfg/DFGOperations.cpp:
1377         * runtime/CommonSlowPaths.cpp:
1378         (JSC::SLOW_PATH_DECL):
1379         * runtime/JSString.h:
1380         * runtime/Operations.cpp:
1381         (JSC::jsAddSlowCase):
1382         * runtime/Operations.h:
1383         (JSC::jsString):
1384         (JSC::jsAdd):
1385
1386 2019-02-08  Saam barati  <sbarati@apple.com>
1387
1388         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1389         https://bugs.webkit.org/show_bug.cgi?id=194334
1390         <rdar://problem/47844327>
1391
1392         Reviewed by Mark Lam.
1393
1394         * dfg/DFGAbstractInterpreterInlines.h:
1395         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1396         * dfg/DFGArgumentsEliminationPhase.cpp:
1397         * dfg/DFGByteCodeParser.cpp:
1398         (JSC::DFG::ByteCodeParser::parseBlock):
1399         * dfg/DFGClobberize.h:
1400         (JSC::DFG::clobberize):
1401         * dfg/DFGConstantFoldingPhase.cpp:
1402         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1403         * dfg/DFGFixupPhase.cpp:
1404         (JSC::DFG::FixupPhase::fixupNode):
1405         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1406         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1407         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1408         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1409         * dfg/DFGNodeType.h:
1410         * dfg/DFGSSALoweringPhase.cpp:
1411         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1412         * dfg/DFGSpeculativeJIT.cpp:
1413         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1414         * ftl/FTLLowerDFGToB3.cpp:
1415         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1416         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1417
1418 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1419
1420         [JSC] Shrink sizeof(CodeBlock) more
1421         https://bugs.webkit.org/show_bug.cgi?id=194419
1422
1423         Reviewed by Mark Lam.
1424
1425         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1426
1427         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
1428         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1429         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1430
1431         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1432         And we do not touch it in CodeBlock::~CodeBlock.
1433
1434         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1435         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1436         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1437
1438         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1439
1440         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1441
1442         * bytecode/CodeBlock.cpp:
1443         (JSC::CodeBlock::hash const):
1444         (JSC::CodeBlock::sourceCodeForTools const):
1445         (JSC::CodeBlock::dumpAssumingJITType const):
1446         (JSC::CodeBlock::dumpSource):
1447         (JSC::CodeBlock::CodeBlock):
1448         (JSC::CodeBlock::finishCreation):
1449         (JSC::CodeBlock::propagateTransitions):
1450         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1451         (JSC::CodeBlock::setCalleeSaveRegisters):
1452         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1453         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1454         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1455         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1456         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1457         (JSC::CodeBlock::newReplacement):
1458         (JSC::CodeBlock::replacement):
1459         (JSC::CodeBlock::computeCapabilityLevel):
1460         (JSC::CodeBlock::jettison):
1461         (JSC::CodeBlock::calleeSaveRegisters const):
1462         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1463         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1464         (JSC::CodeBlock::getArrayProfile):
1465         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1466         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1467         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1468         (JSC::CodeBlock::validate):
1469         (JSC::CodeBlock::outOfLineJumpTarget):
1470         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1471         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1472         * bytecode/CodeBlock.h:
1473         (JSC::CodeBlock::specializationKind const):
1474         (JSC::CodeBlock::isStrictMode const):
1475         (JSC::CodeBlock::isConstructor const):
1476         (JSC::CodeBlock::codeType const):
1477         (JSC::CodeBlock::isKnownNotImmediate):
1478         (JSC::CodeBlock::instructions const):
1479         (JSC::CodeBlock::ownerExecutable const):
1480         (JSC::CodeBlock::thisRegister const):
1481         (JSC::CodeBlock::source const):
1482         (JSC::CodeBlock::sourceOffset const):
1483         (JSC::CodeBlock::firstLineColumnOffset const):
1484         (JSC::CodeBlock::createRareDataIfNecessary):
1485         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1486         (JSC::CodeBlock::setThisRegister): Deleted.
1487         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1488         * bytecode/EvalCodeBlock.h:
1489         * bytecode/FunctionCodeBlock.h:
1490         * bytecode/GlobalCodeBlock.h:
1491         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1492         * bytecode/ModuleProgramCodeBlock.h:
1493         * bytecode/ProgramCodeBlock.h:
1494         * debugger/Debugger.cpp:
1495         (JSC::Debugger::toggleBreakpoint):
1496         * debugger/DebuggerCallFrame.cpp:
1497         (JSC::DebuggerCallFrame::sourceID const):
1498         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1499         * debugger/DebuggerScope.cpp:
1500         (JSC::DebuggerScope::location const):
1501         * dfg/DFGByteCodeParser.cpp:
1502         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1503         (JSC::DFG::ByteCodeParser::inliningCost):
1504         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1505         * dfg/DFGCapabilities.cpp:
1506         (JSC::DFG::isSupportedForInlining):
1507         (JSC::DFG::mightCompileEval):
1508         (JSC::DFG::mightCompileProgram):
1509         (JSC::DFG::mightCompileFunctionForCall):
1510         (JSC::DFG::mightCompileFunctionForConstruct):
1511         (JSC::DFG::canUseOSRExitFuzzing):
1512         * dfg/DFGGraph.h:
1513         (JSC::DFG::Graph::executableFor):
1514         * dfg/DFGJITCompiler.cpp:
1515         (JSC::DFG::JITCompiler::compileFunction):
1516         * dfg/DFGOSREntry.cpp:
1517         (JSC::DFG::prepareOSREntry):
1518         * dfg/DFGOSRExit.cpp:
1519         (JSC::DFG::restoreCalleeSavesFor):
1520         (JSC::DFG::saveCalleeSavesFor):
1521         (JSC::DFG::saveOrCopyCalleeSavesFor):
1522         * dfg/DFGOSRExitCompilerCommon.cpp:
1523         (JSC::DFG::handleExitCounts):
1524         * dfg/DFGOperations.cpp:
1525         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1526         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1527         * ftl/FTLCapabilities.cpp:
1528         (JSC::FTL::canCompile):
1529         * ftl/FTLLink.cpp:
1530         (JSC::FTL::link):
1531         * ftl/FTLOSRExitCompiler.cpp:
1532         (JSC::FTL::compileStub):
1533         * interpreter/CallFrame.cpp:
1534         (JSC::CallFrame::callerSourceOrigin):
1535         * interpreter/Interpreter.cpp:
1536         (JSC::eval):
1537         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1538         * interpreter/StackVisitor.cpp:
1539         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1540         (JSC::StackVisitor::Frame::sourceURL const):
1541         (JSC::StackVisitor::Frame::sourceID):
1542         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1543         * interpreter/StackVisitor.h:
1544         * jit/AssemblyHelpers.h:
1545         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1546         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1547         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1548         * jit/CallFrameShuffleData.cpp:
1549         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1550         * jit/JIT.cpp:
1551         (JSC::JIT::compileWithoutLinking):
1552         * jit/JITToDFGDeferredCompilationCallback.cpp:
1553         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1554         * jit/JITWorklist.cpp:
1555         (JSC::JITWorklist::Plan::finalize):
1556         (JSC::JITWorklist::compileNow):
1557         * jit/RegisterAtOffsetList.cpp:
1558         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1559         * jit/RegisterAtOffsetList.h:
1560         (JSC::RegisterAtOffsetList::at const):
1561         * runtime/ErrorInstance.cpp:
1562         (JSC::appendSourceToError):
1563         * runtime/ScriptExecutable.cpp:
1564         (JSC::ScriptExecutable::newCodeBlockFor):
1565         * runtime/StackFrame.cpp:
1566         (JSC::StackFrame::sourceID const):
1567         (JSC::StackFrame::sourceURL const):
1568         (JSC::StackFrame::computeLineAndColumn const):
1569
1570 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1571
1572         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1573         https://bugs.webkit.org/show_bug.cgi?id=194460
1574
1575         Reviewed by Mark Lam.
1576
1577         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1578
1579         * b3/B3LowerMacros.cpp:
1580
1581 2019-02-08  Mark Lam  <mark.lam@apple.com>
1582
1583         Use maxSingleCharacterString in comparisons instead of literal constants.
1584         https://bugs.webkit.org/show_bug.cgi?id=194452
1585
1586         Reviewed by Yusuke Suzuki.
1587
1588         This way, if we ever change maxSingleCharacterString, it won't break all this code
1589         that relies on it being 0xff implicitly.
1590
1591         * dfg/DFGSpeculativeJIT.cpp:
1592         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1593         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1594         * ftl/FTLLowerDFGToB3.cpp:
1595         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1596         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1597         * jit/ThunkGenerators.cpp:
1598         (JSC::stringGetByValGenerator):
1599         (JSC::charToString):
1600
1601 2019-02-08  Mark Lam  <mark.lam@apple.com>
1602
1603         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1604         https://bugs.webkit.org/show_bug.cgi?id=194446
1605         <rdar://problem/47926792>
1606
1607         Reviewed by Saam Barati.
1608
1609         Fix doesGC() for the following nodes:
1610
1611             CheckTierUpAtReturn:
1612                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1613                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1614
1615             CheckTierUpInLoop:
1616                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1617                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1618
1619             CheckTierUpAndOSREnter:
1620                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1621                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1622
1623             GetByVal:
1624                 case Array::String calls operationSingleCharacterString(), which calls
1625                 jsSingleCharacterString(), which can allocate a string.
1626
1627             PutByValDirect:
1628             PutByVal:
1629             PutByValAlias:
1630                 For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
1631                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1632                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1633                 slow paths call putByValInternal(), which may create exception objects, or
1634                 call the generic JSValue::put() which may execute arbitrary code.
1635
1636             StringCharAt:
1637                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1638                 which can allocate a string.
1639
1640         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1641         to use the maxSingleCharacterString constant instead of a literal constant.
1642
1643         * dfg/DFGDoesGC.cpp:
1644         (JSC::DFG::doesGC):
1645         * dfg/DFGSpeculativeJIT.cpp:
1646         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1647         * dfg/DFGSpeculativeJIT64.cpp:
1648         (JSC::DFG::SpeculativeJIT::compile):
1649         * ftl/FTLLowerDFGToB3.cpp:
1650         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1651         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1652         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1653
1654 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1655
1656         [JSC] SourceProviderCacheItem should be small
1657         https://bugs.webkit.org/show_bug.cgi?id=194432
1658
1659         Reviewed by Saam Barati.
1660
1661         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1662         While they are removed when a full GC happens, they significantly increase the peak memory usage.
1663         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1664
1665         * parser/Parser.cpp:
1666         (JSC::Parser<LexerType>::parseFunctionInfo):
1667         * parser/ParserModes.h:
1668         * parser/ParserTokens.h:
1669         * parser/SourceProviderCacheItem.h:
1670         (JSC::SourceProviderCacheItem::endFunctionToken const):
1671         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1672
1673 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1674
1675         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1676         https://bugs.webkit.org/show_bug.cgi?id=194420
1677
1678         Reviewed by Saam Barati.
1679
1680         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1681         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1682         This trivial patch fixes both.
1683
1684         * b3/B3ReduceStrength.cpp:
1685         * b3/testb3.cpp:
1686         (JSC::B3::testAbsNegArg):
1687
1688 2019-02-07  Keith Miller  <keith_miller@apple.com>
1689
1690         Better error messages for module loader SPI
1691         https://bugs.webkit.org/show_bug.cgi?id=194421
1692
1693         Reviewed by Saam Barati.
1694
1695         * API/JSAPIGlobalObject.mm:
1696         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1697
1698 2019-02-07  Mark Lam  <mark.lam@apple.com>
1699
1700         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1701         https://bugs.webkit.org/show_bug.cgi?id=194399
1702         <rdar://problem/47889777>
1703
1704         Reviewed by Yusuke Suzuki.
1705
1706         Fix doesGC() for the following nodes:
1707
1708             CheckTraps:
1709                 We normally will not emit this node because Options::usePollingTraps() is
1710                 false by default.  However, as it is implemented now, CheckTraps can GC
1711                 because it can allocate a TerminatedExecutionException.  If we make the
1712                 TerminatedExecutionException a singleton allocated at initialization time,
1713                 doesGC() can return false for CheckTraps.
1714                 https://bugs.webkit.org/show_bug.cgi?id=194323
1715
1716             GetMapBucket:
1717                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1718                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1719                 can resolve a rope.
1720
1721             Switch:
1722                 If switchData kind is SwitchChar, can call operationResolveRope().
1723                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1724                     can call operationSwitchString() which resolves ropes.
1725
1726             DirectTailCall:
1727             ForceOSRExit:
1728             Return:
1729             TailCallForwardVarargs:
1730             TailCallVarargs:
1731             Throw:
1732                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1733                 for them, but following our conservative practice, unless we have a good
1734                 reason for doesGC() to return false, we should just return true.
1735
1736         * dfg/DFGDoesGC.cpp:
1737         (JSC::DFG::doesGC):
1738
1739 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1740
1741         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1742         https://bugs.webkit.org/show_bug.cgi?id=194250
1743
1744         Reviewed by Saam Barati.
1745
1746         Adds the following optimizations for integers:
1747         - Sub(x, x) => 0
1748             Already covered by the test testSubArg
1749         - Sub(x1, Neg(x2)) => Add (x1, x2)
1750             Added test: testSubNeg
1751         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1752             Added test: testNegSub
1753         - Add(Neg(x1), x2) => Sub(x2, x1)
1754             Added test: testAddNeg1
1755         - Add(x1, Neg(x2)) => Sub(x1, x2)
1756             Added test: testAddNeg2
1757         Adds the following optimization for floating point values:
1758         - Abs(Neg(x)) => Abs(x)
1759             Added test: testAbsNegArg
1760             Adds the following optimization:
1761
1762         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1763
1764         * b3/B3ReduceStrength.cpp:
1765         * b3/testb3.cpp:
1766         (JSC::B3::testAddNeg1):
1767         (JSC::B3::testAddNeg2):
1768         (JSC::B3::testSubNeg):
1769         (JSC::B3::testNegSub):
1770         (JSC::B3::testAbsAbsArg):
1771         (JSC::B3::testAbsNegArg):
1772         (JSC::B3::run):
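
As an added example (not WebKit's code) serving both this entry and the Abs(Neg(x)) fix above: a toy C++ rewriter over a tiny expression tree that implements the listed Neg/Sub/Add/Abs peepholes, plus an interpreter that checks each rewrite against the original on sample inputs, which is the check that would have caught the Abs(Neg(x)) -> x mistake. All node, rule and helper names below are mine, not B3's.

```cpp
// Added example (not WebKit code): a toy B3ReduceStrength-style peephole pass plus a checker.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <memory>
#include <vector>

enum class Op { Const, Arg, Neg, Sub, Add, Abs };

struct Value {
    Op op; bool isInteger;           // int32 (wrapping) or double typed, like B3's Int32/Double
    int32_t payload = 0;             // constant value for Const, argument index for Arg
    std::vector<std::shared_ptr<Value>> children;
};
using ValuePtr = std::shared_ptr<Value>;

static ValuePtr leaf(Op op, bool isInteger, int32_t payload) { return std::make_shared<Value>(Value{op, isInteger, payload, {}}); }
static ValuePtr node(Op op, std::vector<ValuePtr> children) { return std::make_shared<Value>(Value{op, children[0]->isInteger, 0, std::move(children)}); }

// One root-level application of the peepholes (a real pass iterates to a fixpoint).
// The Neg/Sub/Add rules hold for wrapping integers only, hence the isInteger guard.
static ValuePtr reduce(const ValuePtr& v) {
    const auto& c = v->children;
    if (v->isInteger) {
        if (v->op == Op::Sub && c[0] == c[1])                       // Sub(x, x) => 0
            return leaf(Op::Const, true, 0);
        if (v->op == Op::Sub && c[1]->op == Op::Neg)                // Sub(x1, Neg(x2)) => Add(x1, x2)
            return node(Op::Add, {c[0], c[1]->children[0]});
        if (v->op == Op::Neg && c[0]->op == Op::Sub)                // Neg(Sub(x1, x2)) => Sub(x2, x1)
            return node(Op::Sub, {c[0]->children[1], c[0]->children[0]});
        if (v->op == Op::Add && c[0]->op == Op::Neg)                // Add(Neg(x1), x2) => Sub(x2, x1)
            return node(Op::Sub, {c[1], c[0]->children[0]});
        if (v->op == Op::Add && c[1]->op == Op::Neg)                // Add(x1, Neg(x2)) => Sub(x1, x2)
            return node(Op::Sub, {c[0], c[1]->children[0]});
    } else if (v->op == Op::Abs && c[0]->op == Op::Neg) {           // Abs(Neg(x)) => Abs(x), doubles
        return node(Op::Abs, {c[0]->children[0]});
    }
    return v;
}

// The Abs rule as the entry says it was first (wrongly) implemented: Abs(Neg(x)) => x.
static ValuePtr buggyReduce(const ValuePtr& v) {
    if (v->op == Op::Abs && v->children[0]->op == Op::Neg)
        return v->children[0]->children[0];
    return v;
}

struct Env { int32_t ints[2]; double doubles[2]; };   // inputs for the checking interpreter

// Integer math wraps mod 2^32 via uint32_t, as B3 Int32 arithmetic does.
static int32_t evalInt(const ValuePtr& v, const Env& e) {
    auto u = [&](size_t i) { return static_cast<uint32_t>(evalInt(v->children[i], e)); };
    switch (v->op) {
    case Op::Const: return v->payload;
    case Op::Arg: return e.ints[v->payload];
    case Op::Neg: return static_cast<int32_t>(0u - u(0));
    case Op::Sub: return static_cast<int32_t>(u(0) - u(1));
    case Op::Add: return static_cast<int32_t>(u(0) + u(1));
    default: assert(!"Abs is double-only in this model"); return 0;
    }
}

static double evalDouble(const ValuePtr& v, const Env& e) {
    auto d = [&](size_t i) { return evalDouble(v->children[i], e); };
    switch (v->op) {
    case Op::Arg: return e.doubles[v->payload];
    case Op::Neg: return -d(0);
    case Op::Abs: return std::fabs(d(0));
    case Op::Sub: return d(0) - d(1);
    case Op::Add: return d(0) + d(1);
    default: assert(!"no double constants in this model"); return 0;
    }
}

// Does rewrite(before) agree with before on a grid including int32 wrap edges and a negative double?
static bool rewritePreservesValue(const ValuePtr& before, ValuePtr (*rewrite)(const ValuePtr&)) {
    ValuePtr after = rewrite(before);
    const int32_t ints[] = { 0, 1, -1, 7, -42, INT32_MIN, INT32_MAX };
    const double doubles[] = { 0.0, -0.0, 1.5, -2.25, 1e300 };
    for (int32_t a : ints) for (int32_t b : ints) for (double d : doubles) {
        Env env{{a, b}, {d, -d}};
        if (before->isInteger ? evalInt(before, env) != evalInt(after, env)
                              : evalDouble(before, env) != evalDouble(after, env))
            return false;
    }
    return true;
}

// One instance of each rule listed in the entry: the rule must fire and preserve the value.
static bool allPeepholesPreserveValue() {
    ValuePtr x1 = leaf(Op::Arg, true, 0), x2 = leaf(Op::Arg, true, 1), d = leaf(Op::Arg, false, 0);
    const ValuePtr cases[] = {
        node(Op::Sub, {x1, x1}),
        node(Op::Sub, {x1, node(Op::Neg, {x2})}),
        node(Op::Neg, {node(Op::Sub, {x1, x2})}),
        node(Op::Add, {node(Op::Neg, {x1}), x2}),
        node(Op::Add, {x1, node(Op::Neg, {x2})}),
        node(Op::Abs, {node(Op::Neg, {d})}),
    };
    for (const ValuePtr& before : cases)
        if (reduce(before) == before || !rewritePreservesValue(before, reduce)) return false;
    if (rewritePreservesValue(cases[5], buggyReduce)) return false;   // the checker must catch the bad rule
    return true;
}
```

The checker deliberately feeds a negative double, since Abs(Neg(x)) and x only differ for x < 0; a test that only looked at Abs(Abs(x)), as the entry above describes, would never exercise that difference.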
1773
1774 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1775
1776         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1777         https://bugs.webkit.org/show_bug.cgi?id=194374
1778
1779         Reviewed by Geoffrey Garen.
1780
1781         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1782         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1783         is more memory efficient.
1784
1785         * runtime/SmallStrings.cpp:
1786         (JSC::SmallStringsStorage::SmallStringsStorage):
1787         (JSC::SmallStrings::SmallStrings):
1788         * runtime/SmallStrings.h:
1789
1790 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1791
1792         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1793         https://bugs.webkit.org/show_bug.cgi?id=194369
1794         <rdar://problem/47813087>
1795
1796         Reviewed by Saam Barati.
1797
1798         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1799         JSEmpty if it is in TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in
1800         the constant folding phase.
1801
1802         * dfg/DFGAbstractInterpreterInlines.h:
1803         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1804
1805 2019-02-06  Devin Rousso  <drousso@apple.com>
1806
1807         Web Inspector: DOM: don't send the entire function string with each event listener
1808         https://bugs.webkit.org/show_bug.cgi?id=194293
1809         <rdar://problem/47822809>
1810
1811         Reviewed by Joseph Pecoraro.
1812
1813         * inspector/protocol/DOM.json:
1814
1815         * runtime/JSFunction.h:
1816         Export `calculatedDisplayName`.
1817
1818 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1819
1820         [JSC] PrivateName to PublicName hash table is wasteful
1821         https://bugs.webkit.org/show_bug.cgi?id=194277
1822
1823         Reviewed by Michael Saboff.
1824
1825         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1826         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1827         each of which takes 16KB memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1828         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1829
1830         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1831
1832         1. PrivateName's content should be the same as PublicName.
1833         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1834            the public name should be easily crafted from the given PrivateName.
1835
1836         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1837         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1838
1839         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1840         WebCore.
1841
1842         * builtins/BuiltinNames.cpp:
1843         (JSC::BuiltinNames::BuiltinNames):
1844         * builtins/BuiltinNames.h:
1845         (JSC::BuiltinNames::lookUpPrivateName const):
1846         (JSC::BuiltinNames::getPublicName const):
1847         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1848         (JSC::BuiltinNames::appendExternalName):
1849         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1850         * builtins/BuiltinUtils.h:
1851         * bytecode/BytecodeDumper.cpp:
1852         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1853         * bytecompiler/NodesCodegen.cpp:
1854         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1855         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1856         * parser/Lexer.cpp:
1857         (JSC::Lexer<LChar>::parseIdentifier):
1858         (JSC::Lexer<UChar>::parseIdentifier):
1859         * parser/Parser.cpp:
1860         (JSC::Parser<LexerType>::createGeneratorParameters):
1861         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1862         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1863         (JSC::Parser<LexerType>::parseClassDeclaration):
1864         (JSC::Parser<LexerType>::parseExportDeclaration):
1865         (JSC::Parser<LexerType>::parseMemberExpression):
1866         * parser/ParserArena.h:
1867         (JSC::IdentifierArena::makeIdentifier):
1868         * runtime/CachedTypes.cpp:
1869         (JSC::CachedUniquedStringImpl::encode):
1870         (JSC::CachedUniquedStringImpl::decode const):
1871         * runtime/CommonIdentifiers.cpp:
1872         (JSC::CommonIdentifiers::CommonIdentifiers):
1873         (JSC::CommonIdentifiers::lookUpPrivateName const):
1874         (JSC::CommonIdentifiers::getPublicName const):
1875         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1876         * runtime/CommonIdentifiers.h:
1877         * runtime/ExceptionHelpers.cpp:
1878         (JSC::createUndefinedVariableError):
1879         * runtime/Identifier.cpp:
1880         (JSC::Identifier::dump const):
1881         * runtime/Identifier.h:
1882         * runtime/IdentifierInlines.h:
1883         (JSC::Identifier::fromUid):
1884         * runtime/JSTypedArrayViewPrototype.cpp:
1885         (JSC::JSTypedArrayViewPrototype::finishCreation):
1886         * tools/JSDollarVM.cpp:
1887         (JSC::functionGetPrivateProperty):
1888
1889 2019-02-06  Keith Rollin  <krollin@apple.com>
1890
1891         Really enable the automatic checking and regenerations of .xcfilelists during builds
1892         https://bugs.webkit.org/show_bug.cgi?id=194357
1893         <rdar://problem/47861231>
1894
1895         Reviewed by Chris Dumez.
1896
1897         Bug 194124 was supposed to enable the automatic checking and
1898         regenerating of .xcfilelist files during the build. While related
1899         changes were included in that patch, the change to actually enable the
1900         operation somehow was omitted. This patch actually enables the
1901         operation. The check-xcfilelist.sh scripts now check
1902         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1903         of the checking.
1904
1905         * Scripts/check-xcfilelists.sh:
1906
1907 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1908
1909         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1910         https://bugs.webkit.org/show_bug.cgi?id=194339
1911
1912         Reviewed by Michael Saboff.
1913
1914         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1915         They even have the same structure. This patch unifies the subspaces for them.
1916
1917         * runtime/DirectEvalExecutable.h:
1918         * runtime/EvalExecutable.h:
1919         (JSC::EvalExecutable::subspaceFor):
1920         * runtime/IndirectEvalExecutable.h:
1921         * runtime/VM.cpp:
1922         * runtime/VM.h:
1923         (JSC::VM::forEachScriptExecutableSpace):
1924
1925 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1926
1927         [JSC] NativeExecutable should be smaller
1928         https://bugs.webkit.org/show_bug.cgi?id=194331
1929
1930         Reviewed by Michael Saboff.
1931
1932         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1933         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks just after JSGlobalObject initialization.
1934         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1935         only takes one MarkedBlock for NativeExecutable.
1936
1937         To make NativeExecutable smaller,
1938
1939         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1940            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1941
1942         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1943            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1944            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1945
1946         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1947            the Intrinsic for NativeExecutable.
1948
1949         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1950
1951         * CMakeLists.txt:
1952         * JavaScriptCore.xcodeproj/project.pbxproj:
1953         * bytecode/CallVariant.h:
1954         * interpreter/Interpreter.cpp:
1955         * jit/JITCode.cpp:
1956         (JSC::DirectJITCode::DirectJITCode):
1957         (JSC::NativeJITCode::NativeJITCode):
1958         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1959         * jit/JITCode.h:
1960         (JSC::JITCode::signature const):
1961         (JSC::JITCode::intrinsic):
1962         * jit/JITOperations.cpp:
1963         * jit/JITThunks.cpp:
1964         (JSC::JITThunks::hostFunctionStub):
1965         * jit/Repatch.cpp:
1966         * llint/LLIntSlowPaths.cpp:
1967         * runtime/ExecutableBase.cpp:
1968         (JSC::ExecutableBase::dump const):
1969         (JSC::ExecutableBase::hashFor const):
1970         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1971         (JSC::ExecutableBase::clearCode): Deleted.
1972         * runtime/ExecutableBase.h:
1973         (JSC::ExecutableBase::ExecutableBase):
1974         (JSC::ExecutableBase::isModuleProgramExecutable):
1975         (JSC::ExecutableBase::isHostFunction const):
1976         (JSC::ExecutableBase::generatedJITCodeForCall const):
1977         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1978         (JSC::ExecutableBase::generatedJITCodeFor const):
1979         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1980         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1981         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1982         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1983         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1984         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1985         (JSC::ExecutableBase::intrinsic const): Deleted.
1986         * runtime/ExecutableBaseInlines.h: Added.
1987         (JSC::ExecutableBase::intrinsic const):
1988         (JSC::ExecutableBase::hasJITCodeForCall const):
1989         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1990         * runtime/JSBoundFunction.cpp:
1991         * runtime/JSType.cpp:
1992         (WTF::printInternal):
1993         * runtime/JSType.h:
1994         * runtime/NativeExecutable.cpp:
1995         (JSC::NativeExecutable::create):
1996         (JSC::NativeExecutable::createStructure):
1997         (JSC::NativeExecutable::NativeExecutable):
1998         (JSC::NativeExecutable::signatureFor const):
1999         (JSC::NativeExecutable::intrinsic const):
2000         * runtime/NativeExecutable.h:
2001         * runtime/ScriptExecutable.cpp:
2002         (JSC::ScriptExecutable::ScriptExecutable):
2003         (JSC::ScriptExecutable::clearCode):
2004         (JSC::ScriptExecutable::installCode):
2005         (JSC::ScriptExecutable::hasClearableCode const):
2006         * runtime/ScriptExecutable.h:
2007         (JSC::ScriptExecutable::intrinsic const):
2008         (JSC::ScriptExecutable::hasJITCodeForCall const):
2009         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2010         * runtime/VM.cpp:
2011         (JSC::VM::getHostFunction):
2012
2013 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
2014
2015         Build failure after r240431
2016         https://bugs.webkit.org/show_bug.cgi?id=194330
2017
2018         Reviewed by Žan Doberšek.
2019
2020         * API/glib/JSCOptions.cpp:
2021
2022 2019-02-05  Mark Lam  <mark.lam@apple.com>
2023
2024         Fix DFG's doesGC() for a few more nodes.
2025         https://bugs.webkit.org/show_bug.cgi?id=194307
2026         <rdar://problem/47832956>
2027
2028         Reviewed by Yusuke Suzuki.
2029
2030         Fix doesGC() for the following nodes:
2031
2032             NumberToStringWithValidRadixConstant:
2033                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
2034                 which can allocate a string.
2035                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
2036                 which can allocate a string.
2037                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
2038                 which can allocate a string.
2039
2040             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
2041                 memory for all kinds of objects.
2042             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
2043                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
2044                 these allocate memory for the match result.
2045             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
2046                 calls RegExpObject's collectMatches(), which allocates an array amongst
2047                 other objects.
2048
2049             StringFromCharCode:
2050                 If the uint32 code to convert is greater than maxSingleCharacterString,
2051                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
2052                 which allocates a new string if the code is greater than maxSingleCharacterString.
2053
2054         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
2055         to use maxSingleCharacterString instead of a literal constant.
2056
2057         * dfg/DFGDoesGC.cpp:
2058         (JSC::DFG::doesGC):
2059         * dfg/DFGSpeculativeJIT.cpp:
2060         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2061         * ftl/FTLLowerDFGToB3.cpp:
2062         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
2063
2064 2019-02-05  Keith Rollin  <krollin@apple.com>
2065
2066         Enable the automatic checking and regenerations of .xcfilelists during builds
2067         https://bugs.webkit.org/show_bug.cgi?id=194124
2068         <rdar://problem/47721277>
2069
2070         Reviewed by Tim Horton.
2071
2072         Bug 193790 added a facility for checking -- during build time -- that
2073         any needed .xcfilelist files are up-to-date and for updating them if
2074         they are not. This facility was initially opt-in by setting
2075         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
2076         the process seemed robust. It's now time to enable this facility and
2077         make it opt-out. If there is a need to disable this facility, set and
2078         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
2079         running `make` or `build-webkit`, or before running Xcode from the
2080         command line.
2081
2082         Additionally, remove the step that generates a list of source files
2083         going into the UnifiedSources build step. It's only necessary to
2084         specify Sources.txt and SourcesCocoa.txt as inputs.
2085
2086         * JavaScriptCore.xcodeproj/project.pbxproj:
2087         * UnifiedSources-input.xcfilelist: Removed.
2088
2089 2019-02-05  Keith Rollin  <krollin@apple.com>
2090
2091         Update .xcfilelist files
2092         https://bugs.webkit.org/show_bug.cgi?id=194121
2093         <rdar://problem/47720863>
2094
2095         Reviewed by Tim Horton.
2096
2097         Preparatory to enabling the facility for automatically updating the
2098         .xcfilelist files, check in a freshly-updated set so that not everyone
2099         runs up against having to regenerate them themselves.
2100
2101         * DerivedSources-input.xcfilelist:
2102         * DerivedSources-output.xcfilelist:
2103
2104 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
2105
2106         [INTL] improve efficiency of Intl.NumberFormat formatToParts
2107         https://bugs.webkit.org/show_bug.cgi?id=185557
2108
2109         Reviewed by Mark Lam.
2110
2111         Since field nesting depth is minimal, this algorithm should be effectively O(n),
2112         where n is the number of characters in the formatted string.
2113         It may be less memory efficient than the previous impl, since the intermediate Vector
2114         is the length of the string, instead of the count of the fields.
2115
2116         * runtime/IntlNumberFormat.cpp:
2117         (JSC::IntlNumberFormat::formatToParts):
2118         * runtime/IntlNumberFormat.h:
2119
2120 2019-02-05  Mark Lam  <mark.lam@apple.com>
2121
2122         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
2123         https://bugs.webkit.org/show_bug.cgi?id=194298
2124         <rdar://problem/47827555>
2125
2126         Reviewed by Saam Barati.
2127
2128         We do this for 3 reasons:
2129         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2130         2. If things change in the future where clobberize() no longer reports these nodes
2131            as write(Heap), each node should be vetted first to make sure that it can never
2132            GC before being moved back to the doesGC() list that returns false.
2133         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2134            correct in its claims about the nodes' GCing possibility.
2135
2136         The list of nodes moved are:
2137
2138             ArrayPush
2139             ArrayPop
2140             Call
2141             CallEval
2142             CallForwardVarargs
2143             CallVarargs
2144             Construct
2145             ConstructForwardVarargs
2146             ConstructVarargs
2147             DefineDataProperty
2148             DefineAccessorProperty
2149             DeleteById
2150             DeleteByVal
2151             DirectCall
2152             DirectConstruct
2153             DirectTailCallInlinedCaller
2154             GetById
2155             GetByIdDirect
2156             GetByIdDirectFlush
2157             GetByIdFlush
2158             GetByIdWithThis
2159             GetByValWithThis
2160             GetDirectPname
2161             GetDynamicVar
2162             HasGenericProperty
2163             HasOwnProperty
2164             HasStructureProperty
2165             InById
2166             InByVal
2167             InstanceOf
2168             InstanceOfCustom
2169             LoadVarargs
2170             NumberToStringWithRadix
2171             PutById
2172             PutByIdDirect
2173             PutByIdFlush
2174             PutByIdWithThis
2175             PutByOffset
2176             PutByValWithThis
2177             PutDynamicVar
2178             PutGetterById
2179             PutGetterByVal
2180             PutGetterSetterById
2181             PutSetterById
2182             PutSetterByVal
2183             PutStack
2184             PutToArguments
2185             RegExpExec
2186             RegExpTest
2187             ResolveScope
2188             ResolveScopeForHoistingFuncDeclInEval
2189             TailCall
2190             TailCallForwardVarargsInlinedCaller
2191             TailCallInlinedCaller
2192             TailCallVarargsInlinedCaller
2193             ToNumber
2194             ToPrimitive
2195             ValueNegate
2196
2197         * dfg/DFGDoesGC.cpp:
2198         (JSC::DFG::doesGC):
2199
2200 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2201
2202         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2203         https://bugs.webkit.org/show_bug.cgi?id=194281
2204
2205         Reviewed by Michael Saboff.
2206
2207         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2208         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2209
2210         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2211         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2212         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, and we leave them as future work.
2213
2214         * bytecode/CodeBlock.cpp:
2215         (JSC::CodeBlock::finishCreation):
2216         * bytecode/CodeBlock.h:
2217         (JSC::CodeBlock::bitVectors const): Deleted.
2218         * bytecode/CodeType.h:
2219         * bytecode/UnlinkedCodeBlock.cpp:
2220         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2221         (JSC::UnlinkedCodeBlock::shrinkToFit):
2222         * bytecode/UnlinkedCodeBlock.h:
2223         (JSC::UnlinkedCodeBlock::bitVector):
2224         (JSC::UnlinkedCodeBlock::addBitVector):
2225         (JSC::UnlinkedCodeBlock::addSetConstant):
2226         (JSC::UnlinkedCodeBlock::constantRegisters):
2227         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2228         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2229         (JSC::UnlinkedCodeBlock::codeType const):
2230         (JSC::UnlinkedCodeBlock::didOptimize const):
2231         (JSC::UnlinkedCodeBlock::setDidOptimize):
2232         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2233         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2234         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2235         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2236         * bytecompiler/BytecodeGenerator.cpp:
2237         (JSC::BytecodeGenerator::emitLoad):
2238         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2239         * bytecompiler/BytecodeGenerator.h:
2240         * runtime/CachedTypes.cpp:
2241         (JSC::CachedCodeBlockRareData::encode):
2242         (JSC::CachedCodeBlockRareData::decode const):
2243         (JSC::CachedCodeBlock::scopeRegister const):
2244         (JSC::CachedCodeBlock::codeType const):
2245         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2246         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2247         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2248         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2249
2250 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2251
2252         Unreviewed, add missing exception checks after r240637
2253         https://bugs.webkit.org/show_bug.cgi?id=193546
2254
2255         * tools/JSDollarVM.cpp:
2256         (JSC::functionShadowChickenFunctionsOnStack):
2257
2258 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2259
2260         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2261         https://bugs.webkit.org/show_bug.cgi?id=193993
2262
2263         Reviewed by Keith Miller.
2264
2265         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
2266         And some of them are rarely used. We should allocate them lazily.
2267
2268         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2269         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
2270         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2271         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2272         parameter which tells the function whether subspaceFor is being called concurrently. If the IsoSubspace is
2273         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2274         by using WTF::storeStoreFence when lazily allocating it.
2275
2276         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2277         existence of the space before touching it. This is not racy because the main thread is stopped when
2278         the constraint solving is working.
2279
2280         This changes sizeof(VM) from 64736 to 56472.
2281
2282         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2283         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2284         collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
2285         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
2286         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2287         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2288         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2289
2290         * API/JSCallbackFunction.h:
2291         * API/ObjCCallbackFunction.h:
2292         (JSC::ObjCCallbackFunction::subspaceFor):
2293         * API/glib/JSCCallbackFunction.h:
2294         * CMakeLists.txt:
2295         * JavaScriptCore.xcodeproj/project.pbxproj:
2296         * bytecode/CodeBlock.cpp:
2297         (JSC::CodeBlock::visitChildren):
2298         (JSC::CodeBlock::finalizeUnconditionally):
2299         * bytecode/CodeBlock.h:
2300         * bytecode/EvalCodeBlock.h:
2301         * bytecode/ExecutableToCodeBlockEdge.h:
2302         * bytecode/FunctionCodeBlock.h:
2303         * bytecode/ModuleProgramCodeBlock.h:
2304         * bytecode/ProgramCodeBlock.h:
2305         * bytecode/UnlinkedFunctionExecutable.cpp:
2306         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2307         * bytecode/UnlinkedFunctionExecutable.h:
2308         * dfg/DFGSpeculativeJIT.cpp:
2309         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2310         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2311         (JSC::DFG::SpeculativeJIT::compileNewObject):
2312         * ftl/FTLLowerDFGToB3.cpp:
2313         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2314         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2315         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2316         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2317         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2318         * heap/Heap.cpp:
2319         (JSC::Heap::finalizeUnconditionalFinalizers):
2320         (JSC::Heap::deleteAllCodeBlocks):
2321         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2322         (JSC::Heap::addCoreConstraints):
2323         * heap/Subspace.cpp:
2324         (JSC::Subspace::initialize):
2325         * jit/AssemblyHelpers.h:
2326         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2327         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2328         * jit/JITOpcodes.cpp:
2329         (JSC::JIT::emit_op_new_object):
2330         * jit/JITOpcodes32_64.cpp:
2331         (JSC::JIT::emit_op_new_object):
2332         * runtime/DirectArguments.h:
2333         * runtime/DirectEvalExecutable.h:
2334         * runtime/ErrorInstance.h:
2335         (JSC::ErrorInstance::subspaceFor):
2336         * runtime/ExecutableBase.h:
2337         * runtime/FunctionExecutable.h:
2338         * runtime/IndirectEvalExecutable.h:
2339         * runtime/InferredValue.cpp:
2340         (JSC::InferredValue::visitChildren):
2341         * runtime/InferredValue.h:
2342         * runtime/InferredValueInlines.h:
2343         (JSC::InferredValue::finalizeUnconditionally):
2344         * runtime/InternalFunction.h:
2345         * runtime/JSAsyncFunction.h:
2346         * runtime/JSAsyncGeneratorFunction.h:
2347         * runtime/JSBoundFunction.h:
2348         * runtime/JSCell.h:
2349         (JSC::subspaceFor):
2350         (JSC::subspaceForConcurrently):
2351         * runtime/JSCellInlines.h:
2352         (JSC::allocatorForNonVirtualConcurrently):
2353         * runtime/JSCustomGetterSetterFunction.h:
2354         * runtime/JSDestructibleObject.h:
2355         * runtime/JSFunction.h:
2356         * runtime/JSGeneratorFunction.h:
2357         * runtime/JSImmutableButterfly.h:
2358         * runtime/JSLexicalEnvironment.h:
2359         (JSC::JSLexicalEnvironment::subspaceFor):
2360         * runtime/JSNativeStdFunction.h:
2361         * runtime/JSSegmentedVariableObject.h:
2362         * runtime/JSString.h:
2363         * runtime/ModuleProgramExecutable.h:
2364         * runtime/NativeExecutable.h:
2365         * runtime/ProgramExecutable.h:
2366         * runtime/PropertyMapHashTable.h:
2367         * runtime/ProxyRevoke.h:
2368         * runtime/ScopedArguments.h:
2369         * runtime/ScriptExecutable.cpp:
2370         (JSC::ScriptExecutable::clearCode):
2371         (JSC::ScriptExecutable::installCode):
2372         * runtime/Structure.h:
2373         * runtime/StructureRareData.h:
2374         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2375         * runtime/VM.cpp:
2376         (JSC::VM::VM):
2377         * runtime/VM.h:
2378         (JSC::VM::SpaceAndSet::SpaceAndSet):
2379         (JSC::VM::SpaceAndSet::setFor):
2380         (JSC::VM::forEachScriptExecutableSpace):
2381         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2382         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2383         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2384         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2385         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2386         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2387         * runtime/WeakMapImpl.h:
2388         (JSC::WeakMapImpl::subspaceFor):
2389         * wasm/js/JSWebAssemblyCodeBlock.h:
2390         * wasm/js/JSWebAssemblyMemory.h:
2391         * wasm/js/WebAssemblyFunction.h:
2392         * wasm/js/WebAssemblyWrapperFunction.h:
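
As an added illustration (not JavaScriptCore's own code) of the lazily allocated subspace scheme this entry describes, the C++ below uses hypothetical names (Subspace, LazyVM, ensureSpace, spaceConcurrently, cellCountForGC) and a release/acquire pair in place of WTF::storeStoreFence:

```cpp
#include <atomic>
#include <cstddef>
#include <string>
#include <thread>
#include <vector>

// Stand-in for an IsoSubspace (hypothetical). Every field must be fully written
// before a pointer to the object becomes visible to any concurrent reader.
struct Subspace {
    std::string name;
    std::size_t cellSize;
    std::vector<std::size_t> liveCells; // constructed sample: ids of cells handed out
    Subspace(const char* n, std::size_t size) : name(n), cellSize(size) {}
};

// Hypothetical VM holding one lazily created space.
class LazyVM {
public:
    ~LazyVM() { delete m_space.load(std::memory_order_relaxed); }

    // Main-thread path, the role of ensureXXXSpace() / subspaceFor<>: create the
    // space on first use. By contract only the mutator calls this, so no lock is
    // needed; the release store stands in for WTF::storeStoreFence() so that the
    // object is complete before the pointer is published.
    Subspace& ensureSpace() {
        Subspace* space = m_space.load(std::memory_order_acquire);
        if (!space) {
            space = new Subspace("hypotheticalSpace", 32);   // initialize first...
            m_space.store(space, std::memory_order_release); // ...then publish.
        }
        return *space;
    }

    // Concurrent path, the role of subspaceForConcurrently<> from JIT threads:
    // never allocates and may return nullptr, which callers must tolerate.
    Subspace* spaceConcurrently() const {
        return m_space.load(std::memory_order_acquire);
    }

    // GC constraint solving: touch the space only if it exists. A plain load is
    // enough here because the mutator is stopped while constraints are solved.
    std::size_t cellCountForGC() const {
        Subspace* space = m_space.load(std::memory_order_relaxed);
        return space ? space->liveCells.size() : 0;
    }

private:
    std::atomic<Subspace*> m_space { nullptr };
};

// Mutator allocation always succeeds because it may create the space.
std::size_t allocateOnMainThread(LazyVM& vm, std::size_t cellId) {
    Subspace& space = vm.ensureSpace();
    space.liveCells.push_back(cellId);
    return space.liveCells.size();
}

// A JIT tier that finds no space yet must emit its slow path instead of an
// inline allocation; false models that fallback.
bool canInlineAllocateConcurrently(const LazyVM& vm) {
    return vm.spaceConcurrently() != nullptr;
}

// Walks the main-thread, concurrent and GC paths in order and reports whether
// each behaved as the entry above describes.
bool lazyAllocationScenario() {
    LazyVM vm;
    bool ok = vm.spaceConcurrently() == nullptr;   // not allocated yet
    ok = ok && !canInlineAllocateConcurrently(vm); // JIT must take slow path
    ok = ok && vm.cellCountForGC() == 0;           // GC skips absent space
    ok = ok && allocateOnMainThread(vm, 1) == 1;   // first use allocates
    ok = ok && allocateOnMainThread(vm, 2) == 2;   // second use reuses it
    ok = ok && canInlineAllocateConcurrently(vm);  // now visible to JIT
    ok = ok && vm.cellCountForGC() == 2;
    ok = ok && &vm.ensureSpace() == vm.spaceConcurrently(); // same object
    return ok;
}

// A reader thread spins until the pointer is visible and then checks that it
// only ever observes a fully constructed Subspace. Returns true on success.
bool publishedSpaceIsInitialized() {
    LazyVM vm;
    std::atomic<bool> sawInitialized { false };
    std::thread reader([&] {
        Subspace* space = nullptr;
        while (!(space = vm.spaceConcurrently()))
            std::this_thread::yield();
        sawInitialized = space->cellSize == 32 && space->name == "hypotheticalSpace";
    });
    vm.ensureSpace();
    reader.join();
    return sawInitialized.load();
}
```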
2393
2394 2019-02-04  Keith Miller  <keith_miller@apple.com>
2395
2396         Change llint operand macros to inline functions
2397         https://bugs.webkit.org/show_bug.cgi?id=194248
2398
2399         Reviewed by Mark Lam.
2400
2401         * llint/LLIntSlowPaths.cpp:
2402         (JSC::LLInt::getNonConstantOperand):
2403         (JSC::LLInt::getOperand):
2404         (JSC::LLInt::llint_trace_value):
2405         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2406         (JSC::LLInt::getByVal):
2407         (JSC::LLInt::genericCall):
2408         (JSC::LLInt::varargsSetup):
2409         (JSC::LLInt::commonCallEval):
2410
2411 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2412
2413         when lowering AssertNotEmpty, create the value before creating the patchpoint
2414         https://bugs.webkit.org/show_bug.cgi?id=194231
2415
2416         Reviewed by Saam Barati.
2417
2418         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2419         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2420
2421         * ftl/FTLLowerDFGToB3.cpp:
2422         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2423
2424 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2425
2426         [JSC] ExecutableToCodeBlockEdge should be smaller
2427         https://bugs.webkit.org/show_bug.cgi?id=194244
2428
2429         Reviewed by Michael Saboff.
2430
2431         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2432         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2433         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2434         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2435
2436         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2437         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2438         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2439
2440         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2441         for ExecutableToCodeBlockEdge's m_isActive flag since it is only touched on the main thread (ScriptExecutable::installCode
2442         does not touch it if it is called on non-main threads).
2443
2444         * bytecode/ExecutableToCodeBlockEdge.cpp:
2445         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2446         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2447         (JSC::ExecutableToCodeBlockEdge::activate):
2448         (JSC::ExecutableToCodeBlockEdge::deactivate):
2449         (JSC::ExecutableToCodeBlockEdge::isActive const):
2450         * bytecode/ExecutableToCodeBlockEdge.h:
2451         * runtime/JSCell.h:
2452         * runtime/JSCellInlines.h:
2453         (JSC::JSCell::perCellBit const):
2454         (JSC::JSCell::setPerCellBit):
2455         (JSC::JSCell::mayBePrototype const): Deleted.
2456         (JSC::JSCell::didBecomePrototype): Deleted.
2457         * runtime/JSObject.cpp:
2458         (JSC::JSObject::setPrototypeDirect):
2459         * runtime/JSObject.h:
2460         * runtime/JSObjectInlines.h:
2461         (JSC::JSObject::mayBePrototype const):
2462         (JSC::JSObject::didBecomePrototype):
2463         * runtime/JSTypeInfo.h:
2464         (JSC::TypeInfo::perCellBit):
2465         (JSC::TypeInfo::mergeInlineTypeFlags):
2466         (JSC::TypeInfo::mayBePrototype): Deleted.
2467
2468 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2469
2470         [JSC] Shrink size of FunctionExecutable
2471         https://bugs.webkit.org/show_bug.cgi?id=194191
2472
2473         Reviewed by Michael Saboff.
2474
2475         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2476         improves the allocation efficiency.
2477
2478         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2479            We remove them from ScriptExecutable and move them to FunctionExecutable.
2480
2481         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2482            used for JSC debugging purposes, and the other is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2483            the size of FunctionExecutable in the common case.
2484
2485         This patch changes the size of FunctionExecutable from 176 to 144.
2486
2487         * bytecode/CodeBlock.cpp:
2488         (JSC::CodeBlock::dumpSource):
2489         (JSC::CodeBlock::finishCreation):
2490         * dfg/DFGNode.h:
2491         (JSC::DFG::Node::OpInfoWrapper::as const):
2492         * interpreter/StackVisitor.cpp:
2493         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2494         * runtime/ExecutableBase.h:
2495         * runtime/FunctionExecutable.cpp:
2496         (JSC::FunctionExecutable::FunctionExecutable):
2497         (JSC::FunctionExecutable::ensureRareDataSlow):
2498         * runtime/FunctionExecutable.h:
2499         * runtime/Intrinsic.h:
2500         * runtime/ModuleProgramExecutable.cpp:
2501         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2502         * runtime/ProgramExecutable.cpp:
2503         (JSC::ProgramExecutable::ProgramExecutable):
2504         * runtime/ScriptExecutable.cpp:
2505         (JSC::ScriptExecutable::ScriptExecutable):
2506         (JSC::ScriptExecutable::overrideLineNumber const):
2507         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2508         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2509         * runtime/ScriptExecutable.h:
2510         (JSC::ScriptExecutable::firstLine const):
2511         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2512         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2513         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2514         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2515         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2516         * runtime/StackFrame.cpp:
2517         (JSC::StackFrame::computeLineAndColumn const):
2518         * tools/JSDollarVM.cpp:
2519         (JSC::functionReturnTypeFor):
2520
2521 2019-02-04  Mark Lam  <mark.lam@apple.com>
2522
2523         DFG's doesGC() is incorrect about the SameValue node's behavior.
2524         https://bugs.webkit.org/show_bug.cgi?id=194211
2525         <rdar://problem/47608913>
2526
2527         Reviewed by Saam Barati.
2528
2529         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2530         it calls operationSameValue() which may allocate memory for resolving ropes.
2531
2532         * dfg/DFGDoesGC.cpp:
2533         (JSC::DFG::doesGC):
2534
2535 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2536
2537         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2538         https://bugs.webkit.org/show_bug.cgi?id=194031
2539
2540         Reviewed by Saam Barati.
2541
2542         UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2543         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2544         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2545         destroyed if UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2546
2547         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2548         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2549
2550         * bytecode/MetadataTable.cpp:
2551         (JSC::MetadataTable::MetadataTable):
2552         (JSC::MetadataTable::~MetadataTable):
2553         * bytecode/UnlinkedCodeBlock.cpp:
2554         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2555         (JSC::UnlinkedCodeBlock::visitChildren):
2556         (JSC::UnlinkedCodeBlock::estimatedSize):
2557         (JSC::UnlinkedCodeBlock::setInstructions):
2558         * bytecode/UnlinkedCodeBlock.h:
2559         (JSC::UnlinkedCodeBlock::metadata):
2560         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2561         * bytecode/UnlinkedMetadataTable.h:
2562         (JSC::UnlinkedMetadataTable::create):
2563         * bytecode/UnlinkedMetadataTableInlines.h:
2564         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2565         * runtime/CachedTypes.cpp:
2566         (JSC::CachedMetadataTable::decode const):
2567         (JSC::CachedCodeBlock::metadata const):
2568         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2569         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2570         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2571
2572 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2573
2574         [JSC] Decouple JIT related data from CodeBlock
2575         https://bugs.webkit.org/show_bug.cgi?id=194187
2576
2577         Reviewed by Saam Barati.
2578
2579         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2580         We have three types of data in CodeBlock.
2581
2582         1. The data which is always used. CodeBlock needs to hold it.
2583         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2584         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2585
2586         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2587         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2588         memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
2589         in both non-JIT and *JIT* modes.
2590
2591         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2592         by the lock of CodeBlock.
2593
2594         The size of CodeBlock is reduced from 512 to 352.
2595
2596         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2597
2598             Footprint geomean: 36696503 (34.997 MB)
2599             Peak Footprint geomean: 38595988 (36.808 MB)
2600             Score: 37634263 (35.891 MB)
2601
2602             Footprint geomean: 37172768 (35.451 MB)
2603             Peak Footprint geomean: 38978288 (37.173 MB)
2604             Score: 38064824 (36.301 MB)
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::~CodeBlock):
2608         (JSC::CodeBlock::propagateTransitions):
2609         (JSC::CodeBlock::ensureJITDataSlow):
2610         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2611         (JSC::CodeBlock::getICStatusMap):
2612         (JSC::CodeBlock::addStubInfo):
2613         (JSC::CodeBlock::addJITAddIC):
2614         (JSC::CodeBlock::addJITMulIC):
2615         (JSC::CodeBlock::addJITSubIC):
2616         (JSC::CodeBlock::addJITNegIC):
2617         (JSC::CodeBlock::findStubInfo):
2618         (JSC::CodeBlock::addByValInfo):
2619         (JSC::CodeBlock::addCallLinkInfo):
2620         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2621         (JSC::CodeBlock::addRareCaseProfile):
2622         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2623         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2624         (JSC::CodeBlock::resetJITData):
2625         (JSC::CodeBlock::stronglyVisitStrongReferences):
2626         (JSC::CodeBlock::shrinkToFit):
2627         (JSC::CodeBlock::linkIncomingCall):
2628         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2629         (JSC::CodeBlock::unlinkIncomingCalls):
2630         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2631         (JSC::CodeBlock::dumpValueProfiles):
2632         (JSC::CodeBlock::setPCToCodeOriginMap):
2633         (JSC::CodeBlock::findPC):
2634         (JSC::CodeBlock::dumpMathICStats):
2635         * bytecode/CodeBlock.h:
2636         (JSC::CodeBlock::ensureJITData):
2637         (JSC::CodeBlock::setJITCodeMap):
2638         (JSC::CodeBlock::jitCodeMap):
2639         (JSC::CodeBlock::likelyToTakeSlowCase):
2640         (JSC::CodeBlock::couldTakeSlowCase):
2641         (JSC::CodeBlock::lazyOperandValueProfiles):
2642         (JSC::CodeBlock::stubInfoBegin): Deleted.
2643         (JSC::CodeBlock::stubInfoEnd): Deleted.
2644         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2645         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2646         (JSC::CodeBlock::jitCodeMap const): Deleted.
2647         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2648         * bytecode/MethodOfGettingAValueProfile.cpp:
2649         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2650         (JSC::MethodOfGettingAValueProfile::reportValue):
2651         * dfg/DFGByteCodeParser.cpp:
2652         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2653         * jit/JIT.h:
2654         * jit/JITOperations.cpp:
2655         (JSC::tryGetByValOptimize):
2656         * jit/JITPropertyAccess.cpp:
2657         (JSC::JIT::privateCompileGetByVal):
2658         (JSC::JIT::privateCompilePutByVal):
2659
2660 2018-12-16  Darin Adler  <darin@apple.com>
2661
2662         Convert additional String::format clients to alternative approaches
2663         https://bugs.webkit.org/show_bug.cgi?id=192746
2664
2665         Reviewed by Alexey Proskuryakov.
2666
2667         * inspector/agents/InspectorConsoleAgent.cpp:
2668         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2669         and FormattedNumber::fixedWidth.
2670
2671 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2672
2673         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2674         https://bugs.webkit.org/show_bug.cgi?id=194177
2675
2676         Reviewed by Saam Barati.
2677
2678         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2679         We can share the IsoSubspace for JSFunction.
2680
2681         * runtime/JSAsyncFunction.h:
2682         * runtime/JSAsyncGeneratorFunction.h:
2683         * runtime/JSGeneratorFunction.h:
2684         * runtime/VM.cpp:
2685         (JSC::VM::VM):
2686         * runtime/VM.h:
2687
2688 2019-02-01  Mark Lam  <mark.lam@apple.com>
2689
2690         Remove invalid assertion in DFG's compileDoubleRep().
2691         https://bugs.webkit.org/show_bug.cgi?id=194130
2692         <rdar://problem/47699474>
2693
2694         Reviewed by Saam Barati.
2695
2696         * dfg/DFGSpeculativeJIT.cpp:
2697         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2698
2699 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2700
2701         [JSC] Unify CodeBlock IsoSubspaces
2702         https://bugs.webkit.org/show_bug.cgi?id=194167
2703
2704         Reviewed by Saam Barati.
2705
2706         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2707         But this is not necessary since,
2708
2709         1. They do not override the classInfo methods.
2710         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2711
2712         Creating IsoSubspace for each subclass is costly in terms of memory. Especially, IsoSubspace for
2713         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2714         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2715
2716         This patch unifies these IsoSubspaces into one.
2717
2718         * bytecode/CodeBlock.cpp:
2719         (JSC::CodeBlock::destroy):
2720         * bytecode/CodeBlock.h:
2721         * bytecode/EvalCodeBlock.cpp:
2722         (JSC::EvalCodeBlock::destroy): Deleted.
2723         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2724         * bytecode/FunctionCodeBlock.cpp:
2725         (JSC::FunctionCodeBlock::destroy): Deleted.
2726         * bytecode/FunctionCodeBlock.h:
2727         * bytecode/GlobalCodeBlock.h:
2728         * bytecode/ModuleProgramCodeBlock.cpp:
2729         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2730         * bytecode/ModuleProgramCodeBlock.h:
2731         * bytecode/ProgramCodeBlock.cpp:
2732         (JSC::ProgramCodeBlock::destroy): Deleted.
2733         * bytecode/ProgramCodeBlock.h:
2734         * interpreter/Interpreter.cpp:
2735         (JSC::Interpreter::execute):
2736         * runtime/VM.cpp:
2737         (JSC::VM::VM):
2738         * runtime/VM.h:
2739         (JSC::VM::forEachCodeBlockSpace):
2740
2741 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2742
2743         Unreviewed, follow-up after r240859
2744         https://bugs.webkit.org/show_bug.cgi?id=194145
2745
2746         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2747         And rename cellDangerousBitsSpace back to cellSpace.
2748
2749         * runtime/JSCellInlines.h:
2750         (JSC::JSCell::subspaceFor):
2751         * runtime/VM.cpp:
2752         (JSC::VM::VM):
2753         * runtime/VM.h:
2754
2755 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2756
2757         [JSC] Remove cellJSValueOOBSpace
2758         https://bugs.webkit.org/show_bug.cgi?id=194145
2759
2760         Reviewed by Mark Lam.
2761
2762         * runtime/JSObject.h:
2763         (JSC::JSObject::subspaceFor): Deleted.
2764         * runtime/VM.cpp:
2765         (JSC::VM::VM):
2766         * runtime/VM.h:
2767
2768 2019-01-31  Mark Lam  <mark.lam@apple.com>
2769
2770         Remove poisoning from CodeBlock and LLInt code.
2771         https://bugs.webkit.org/show_bug.cgi?id=194113
2772
2773         Reviewed by Yusuke Suzuki.
2774
2775         * bytecode/CodeBlock.cpp:
2776         (JSC::CodeBlock::CodeBlock):
2777         (JSC::CodeBlock::~CodeBlock):
2778         (JSC::CodeBlock::setConstantRegisters):
2779         (JSC::CodeBlock::propagateTransitions):
2780         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2781         (JSC::CodeBlock::jettison):
2782         (JSC::CodeBlock::predictedMachineCodeSize):
2783         * bytecode/CodeBlock.h:
2784         (JSC::CodeBlock::vm const):
2785         (JSC::CodeBlock::addConstant):
2786         (JSC::CodeBlock::heap const):
2787         (JSC::CodeBlock::replaceConstant):
2788         * llint/LLIntOfflineAsmConfig.h:
2789         * llint/LLIntSlowPaths.cpp:
2790         (JSC::LLInt::handleHostCall):
2791         (JSC::LLInt::setUpCall):
2792         * llint/LowLevelInterpreter.asm:
2793         * llint/LowLevelInterpreter32_64.asm:
2794         * llint/LowLevelInterpreter64.asm:
2795
2796 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2797
2798         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2799         https://bugs.webkit.org/show_bug.cgi?id=194107
2800
2801         Reviewed by Saam Barati.
2802
2803         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2804         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2805
2806         * CMakeLists.txt:
2807         * DerivedSources.make:
2808         * JavaScriptCore.xcodeproj/project.pbxproj:
2809         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2810         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2811         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2812         (JSC::AsyncFromSyncIteratorPrototype::create):
2813         * runtime/AsyncFromSyncIteratorPrototype.h:
2814
2815 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2816
2817         Fix `runJITThreadLimitTests` in testapi
2818         https://bugs.webkit.org/show_bug.cgi?id=194064
2819         <rdar://problem/46139147>
2820
2821         Reviewed by Mark Lam.
2822
2823         Fix typo where `targetNumberOfThreads` was not being used.
2824
2825         * API/tests/testapi.mm:
2826         (runJITThreadLimitTests):
2827
2828 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2829
2830         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2831         https://bugs.webkit.org/show_bug.cgi?id=194112
2832
2833         Reviewed by Mark Lam.
2834
2835         `testBytecodeCache` does not populate the bytecode cache for the global
2836         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2837
2838         * API/tests/testapi.mm:
2839         (testBytecodeCache):
2840
2841 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2842
2843         Unreviewed, follow-up after r240796
2844
2845         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2846         when allocating InferredValue in FunctionExecutable::finishCreation.
2847
2848         * runtime/FunctionExecutable.cpp:
2849         (JSC::FunctionExecutable::FunctionExecutable):
2850         (JSC::FunctionExecutable::finishCreation):
2851
2852 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2853
2854         [JSC] Do not use InferredValue in non-JIT configuration
2855         https://bugs.webkit.org/show_bug.cgi?id=194084
2856
2857         Reviewed by Saam Barati.
2858
2859         InferredValue is not meaningful if our VM is non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2860         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2861         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2862         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2863         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2864         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2865         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2866         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2867
2868         * bytecode/ObjectAllocationProfileInlines.h:
2869         (JSC::ObjectAllocationProfile::initializeProfile):
2870         * runtime/FunctionExecutable.cpp:
2871         (JSC::FunctionExecutable::finishCreation):
2872         (JSC::FunctionExecutable::visitChildren):
2873         * runtime/FunctionExecutable.h:
2874         * runtime/InferredValue.cpp:
2875         (JSC::InferredValue::create):
2876         * runtime/JSAsyncFunction.cpp:
2877         (JSC::JSAsyncFunction::create):
2878         * runtime/JSAsyncGeneratorFunction.cpp:
2879         (JSC::JSAsyncGeneratorFunction::create):
2880         * runtime/JSFunction.cpp:
2881         (JSC::JSFunction::create):
2882         * runtime/JSFunctionInlines.h:
2883         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2884         * runtime/JSGeneratorFunction.cpp:
2885         (JSC::JSGeneratorFunction::create):
2886         * runtime/JSSymbolTableObject.h:
2887         (JSC::JSSymbolTableObject::setSymbolTable):
2888         * runtime/SymbolTable.cpp:
2889         (JSC::SymbolTable::finishCreation):
2890         * runtime/VM.cpp:
2891         (JSC::VM::VM):
2892
2893 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2894
2895         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2896         https://bugs.webkit.org/show_bug.cgi?id=194085
2897
2898         Reviewed by Yusuke Suzuki.
2899
2900         r240730 changed ud_itab.py and caused incremental build failures
2901         for Ninja builds.
2902
2903         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2904
2905 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2906
2907         [JSC] Symbol should be in destructibleCellSpace
2908         https://bugs.webkit.org/show_bug.cgi?id=194082
2909
2910         Reviewed by Saam Barati.
2911
2912         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2913         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2914         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2915         Symbol's space destructibleCellSpace to appropriately call the destructor.
2916
2917         * runtime/Symbol.h:
2918
2919 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2920
2921         Unreviewed, rolling out r240755.
2922
2923         This was not correct
2924
2925         Reverted changeset:
2926
2927         "Unreviewed, fix GCC build after r240730"
2928         https://bugs.webkit.org/show_bug.cgi?id=194041
2929         https://trac.webkit.org/changeset/240755
2930
2931 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2932
2933         Unreviewed, fix GCC build after r240730
2934         https://bugs.webkit.org/show_bug.cgi?id=194041
2935         <rdar://problem/47680981>
2936
2937         * disassembler/udis86/ud_itab.py:
2938         (UdItabGenerator.genOpcodeTablesLookupIndex):
2939
2940 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2941
2942         testapi's `testBytecodeCache` does not need to run the code twice
2943         https://bugs.webkit.org/show_bug.cgi?id=194046
2944
2945         Reviewed by Mark Lam.
2946
2947         Since we populate the cache eagerly (unlike the stress tests) we don't
2948         need to run the code twice.
2949
2950         * API/tests/testapi.mm:
2951         (testBytecodeCache):
2952
2953 2019-01-30  Saam barati  <sbarati@apple.com>
2954
2955         [WebAssembly] Change BBQ to generate Air IR
2956         https://bugs.webkit.org/show_bug.cgi?id=191802
2957         <rdar://problem/47651718>
2958
2959         Reviewed by Keith Miller.
2960
2961         This patch adds a new Wasm compiler for the BBQ tier. Instead
2962         of compiling using B3-01, we now generate Air code directly.
2963         The goal of doing this was to speed up compile times for Wasm
2964         programs.
2965         
2966         This patch provides us with a 20-30% compile time speedup. However, I
2967         have ideas on how to improve compile times even further. For example,
2968         we should probably implement a faster running register allocator:
2969         https://bugs.webkit.org/show_bug.cgi?id=194036
2970         
2971         We can also improve on the code we generate.
2972         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2973         And we should do better instruction selection in various
2974         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2975
2976         * JavaScriptCore.xcodeproj/project.pbxproj:
2977         * Sources.txt:
2978         * b3/B3LowerToAir.cpp:
2979         * b3/B3StackmapSpecial.h:
2980         * b3/air/AirCode.cpp:
2981         (JSC::B3::Air::Code::emitDefaultPrologue):
2982         * b3/air/AirCode.h:
2983         * b3/air/AirTmp.h:
2984         (JSC::B3::Air::Tmp::Tmp):
2985         * runtime/Options.h:
2986         * wasm/WasmAirIRGenerator.cpp: Added.
2987         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2988         (JSC::Wasm::TypedTmp::TypedTmp):
2989         (JSC::Wasm::TypedTmp::operator== const):
2990         (JSC::Wasm::TypedTmp::operator!= const):
2991         (JSC::Wasm::TypedTmp::operator bool const):
2992         (JSC::Wasm::TypedTmp::operator Tmp const):
2993         (JSC::Wasm::TypedTmp::operator Arg const):
2994         (JSC::Wasm::TypedTmp::tmp const):
2995         (JSC::Wasm::TypedTmp::type const):
2996         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2997         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2998         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2999         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
3000         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
3001         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
3002         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
3003         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
3004         (JSC::Wasm::AirIRGenerator::emptyExpression):
3005         (JSC::Wasm::AirIRGenerator::fail const):
3006         (JSC::Wasm::AirIRGenerator::setParser):
3007         (JSC::Wasm::AirIRGenerator::toTmpVector):
3008         (JSC::Wasm::AirIRGenerator::validateInst):
3009         (JSC::Wasm::AirIRGenerator::extractArg):
3010         (JSC::Wasm::AirIRGenerator::append):
3011         (JSC::Wasm::AirIRGenerator::appendEffectful):
3012         (JSC::Wasm::AirIRGenerator::newTmp):
3013         (JSC::Wasm::AirIRGenerator::g32):
3014         (JSC::Wasm::AirIRGenerator::g64):
3015         (JSC::Wasm::AirIRGenerator::f32):
3016         (JSC::Wasm::AirIRGenerator::f64):
3017         (JSC::Wasm::AirIRGenerator::tmpForType):
3018         (JSC::Wasm::AirIRGenerator::addPatchpoint):
3019         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
3020         (JSC::Wasm::AirIRGenerator::emitCheck):
3021         (JSC::Wasm::AirIRGenerator::emitCCall):
3022         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
3023         (JSC::Wasm::AirIRGenerator::instanceValue):
3024         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
3025         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
3026         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3027         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
3028         (JSC::Wasm::AirIRGenerator::emitThrowException):
3029         (JSC::Wasm::AirIRGenerator::addLocal):
3030         (JSC::Wasm::AirIRGenerator::addConstant):
3031         (JSC::Wasm::AirIRGenerator::addArguments):
3032         (JSC::Wasm::AirIRGenerator::getLocal):
3033         (JSC::Wasm::AirIRGenerator::addUnreachable):
3034         (JSC::Wasm::AirIRGenerator::addGrowMemory):
3035         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
3036         (JSC::Wasm::AirIRGenerator::setLocal):
3037         (JSC::Wasm::AirIRGenerator::getGlobal):
3038         (JSC::Wasm::AirIRGenerator::setGlobal):
3039         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
3040         (JSC::Wasm::sizeOfLoadOp):
3041         (JSC::Wasm::AirIRGenerator::emitLoadOp):
3042         (JSC::Wasm::AirIRGenerator::load):
3043         (JSC::Wasm::sizeOfStoreOp):
3044         (JSC::Wasm::AirIRGenerator::emitStoreOp):
3045         (JSC::Wasm::AirIRGenerator::store):
3046         (JSC::Wasm::AirIRGenerator::addSelect):
3047         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
3048         (JSC::Wasm::AirIRGenerator::addLoop):
3049         (JSC::Wasm::AirIRGenerator::addTopLevel):
3050         (JSC::Wasm::AirIRGenerator::addBlock):
3051         (JSC::Wasm::AirIRGenerator::addIf):
3052         (JSC::Wasm::AirIRGenerator::addElse):
3053         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
3054         (JSC::Wasm::AirIRGenerator::addReturn):
3055         (JSC::Wasm::AirIRGenerator::addBranch):
3056         (JSC::Wasm::AirIRGenerator::addSwitch):
3057         (JSC::Wasm::AirIRGenerator::endBlock):
3058         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
3059         (JSC::Wasm::AirIRGenerator::addCall):
3060         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3061         (JSC::Wasm::AirIRGenerator::unify):
3062         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
3063         (JSC::Wasm::AirIRGenerator::dump):
3064         (JSC::Wasm::AirIRGenerator::origin):
3065         (JSC::Wasm::parseAndCompileAir):
3066         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
3067         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
3068         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
3069         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
3070         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
3071         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
3072         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
3073         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
3074         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
3075         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
3076         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
3077         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
3078         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
3079         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
3080         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
3081         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
3082         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
3083         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
3084         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
3085         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
3086         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
3087         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
3088         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
3089         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
3090         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
3091         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
3092         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
3093         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
3094         (JSC::Wasm::AirIRGenerator::addShift):
3095         (JSC::Wasm::AirIRGenerator::addIntegerSub):
3096         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
3097         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
3098         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
3099         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
3100         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
3101         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
3102         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
3103         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
3104         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
3105         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
3106         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3107         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
3108         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
3109         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
3110         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
3111         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
3112         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
3113         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
3114         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
3115         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
3116         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
3117         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
3118         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
3119         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
3120         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
3121         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
3122         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
3123         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
3124         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
3125         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
3126         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
3127         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
3128         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
3129         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3130         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3131         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3132         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3133         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3134         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3135         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3136         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3137         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3138         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3139         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3140         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3141         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3142         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3143         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3144         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3145         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3146         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3147         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3148         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3149         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3150         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3151         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3152         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3153         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3154         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3155         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3156         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3157         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3158         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3159         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3160         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3161         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3162         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3163         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3164         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3165         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3166         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3167         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3168         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3169         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3170         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3171         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3172         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3173         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3174         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3175         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3176         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3177         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3178         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3179         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3180         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3181         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3182         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3183         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3184         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3185         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3186         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3187         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3188         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3189         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3190         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3191         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3192         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3193         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3194         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3195         * wasm/WasmAirIRGenerator.h: Added.
3196         * wasm/WasmB3IRGenerator.cpp:
3197         (JSC::Wasm::B3IRGenerator::emptyExpression):
3198         * wasm/WasmBBQPlan.cpp:
3199         (JSC::Wasm::BBQPlan::compileFunctions):
3200         * wasm/WasmCallingConvention.cpp:
3201         (JSC::Wasm::jscCallingConventionAir):
3202         (JSC::Wasm::wasmCallingConventionAir):
3203         * wasm/WasmCallingConvention.h:
3204         (JSC::Wasm::CallingConvention::CallingConvention):
3205         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3206         (JSC::Wasm::CallingConvention::marshallArgument const):
3207         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3208         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3209         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3210         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3211         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3212         (JSC::Wasm::CallingConventionAir::loadArguments const):
3213         (JSC::Wasm::CallingConventionAir::setupCall const):
3214         (JSC::Wasm::nextJSCOffset):
3215         * wasm/WasmFunctionParser.h:
3216         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3217         * wasm/WasmValidate.cpp:
3218         (JSC::Wasm::Validate::emptyExpression):
3219
3220 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3221
3222         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3223         https://bugs.webkit.org/show_bug.cgi?id=194050
3224         <rdar://problem/47595592>
3225
3226         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3227         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3228
3229         Reviewed by Yusuke Suzuki.
3230
3231         * ftl/FTLOperations.cpp:
3232         (JSC::FTL::operationMaterializeObjectInOSR):
3233
3234 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3235
3236         Remove assertion that CachedSymbolTables should have no RareData
3237         https://bugs.webkit.org/show_bug.cgi?id=194037
3238
3239         Reviewed by Mark Lam.
3240
3241         It turns out that we don't need to cache the SymbolTableRareData and
3242         we should not assert that it's empty.
3243
3244         * runtime/CachedTypes.cpp:
3245         (JSC::CachedSymbolTable::encode):
3246
3247 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3248
3249         CachedBytecode's move constructor should not call `freeDataIfOwned`
3250         https://bugs.webkit.org/show_bug.cgi?id=194045
3251
3252         Reviewed by Mark Lam.
3253
3254         That might result in freeing a garbage value
3255
3256         * parser/SourceProvider.h:
3257         (JSC::CachedBytecode::CachedBytecode):
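
        The defect pattern behind this entry, as an added example that is not WebKit's CachedBytecode: a hypothetical owning buffer whose move constructor transfers ownership without calling its freeDataIfOwned() helper on the not-yet-initialized object. The class, the free counter and the two check functions are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

// Added example, not WebKit's CachedBytecode: a hypothetical owning byte buffer
// with the defect pattern the entry above fixes. A move constructor runs before
// the new object's members hold anything meaningful, so calling a
// freeDataIfOwned()-style helper from it would read garbage m_data/m_owned and
// could free a garbage pointer. The fix is to initialize from the source and
// clear the source; freeing belongs only in the destructor and move assignment.

static int s_freeCount = 0; // counts real frees so the checks can verify exactly one happens

class OwnedBytes {
public:
    OwnedBytes() = default;

    // Takes ownership of a malloc'ed buffer when owned == true.
    OwnedBytes(const void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    // Correct move constructor: steal, then leave the source empty and non-owning.
    // Note what it does NOT do: call freeDataIfOwned() on *this.
    OwnedBytes(OwnedBytes&& other)
        : m_data(other.m_data), m_size(other.m_size), m_owned(other.m_owned)
    {
        other.m_data = nullptr;
        other.m_size = 0;
        other.m_owned = false;
    }

    // Move assignment: *this is fully constructed here, so releasing the old
    // buffer first is both safe and necessary.
    OwnedBytes& operator=(OwnedBytes&& other)
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = other.m_data;
            m_size = other.m_size;
            m_owned = other.m_owned;
            other.m_data = nullptr;
            other.m_size = 0;
            other.m_owned = false;
        }
        return *this;
    }

    OwnedBytes(const OwnedBytes&) = delete;
    OwnedBytes& operator=(const OwnedBytes&) = delete;

    ~OwnedBytes() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    void freeDataIfOwned()
    {
        if (m_owned) {
            free(const_cast<void*>(m_data));
            ++s_freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    const void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Builds an owned buffer, moves it twice (construction and assignment), and
// returns the number of frees that occurred once everything is destroyed.
// Exactly one free means ownership was transferred rather than duplicated or lost.
int freesAfterMoves()
{
    s_freeCount = 0;
    {
        void* raw = malloc(4);
        memcpy(raw, "ABCD", 4);          // constructed sample payload
        OwnedBytes a(raw, 4, true);
        OwnedBytes b(std::move(a));      // a must now be empty and non-owning
        OwnedBytes c;
        c = std::move(b);                // b must now be empty; c owns raw
        if (a.data() || a.owned() || b.data() || b.owned() || c.size() != 4)
            return -1;                   // signal a broken transfer
    }
    return s_freeCount;
}

// Same sequence for a non-owned (borrowed) buffer: no free may ever happen.
int freesForNonOwnedMove()
{
    s_freeCount = 0;
    static const char kStatic[] = "static"; // constructed borrowed payload
    {
        OwnedBytes a(kStatic, sizeof(kStatic), false);
        OwnedBytes b(std::move(a));
        if (b.data() != kStatic || b.owned())
            return -1;
    }
    return s_freeCount;
}
```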
3258
3259 2019-01-30  Keith Miller  <keith_miller@apple.com>
3260
3261         mul32 should convert powers of 2 to an lshift
3262         https://bugs.webkit.org/show_bug.cgi?id=193957
3263
3264         Reviewed by Yusuke Suzuki.
3265
3266         * assembler/MacroAssembler.h:
3267         (JSC::MacroAssembler::mul32):
3268         * assembler/testmasm.cpp:
3269         (JSC::int32Operands):
3270         (JSC::testMul32WithImmediates):
3271         (JSC::run):
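
        The strength reduction this entry describes, as an added example that is not JSC's MacroAssembler code: a small instruction selector that turns a multiply by a power-of-two immediate into a left shift, plus a testmasm-style check that the shift agrees with the multiply for interesting int32 operands. The instruction representation, function names and operand list are constructed for illustration.

```cpp
#include <cstdint>

// Added example (not JSC's MacroAssembler): mul32 with an immediate multiplier
// can be lowered to lshift32 whenever the immediate is a positive power of two.
// Because int32 multiply wraps modulo 2^32, the shift produces the same bits for
// every input, including those that overflow.

enum class Op32 { Mul, Lshift };

struct Inst32 {
    Op32 op;
    int32_t immediate; // multiplier for Mul, shift amount for Lshift
};

// Returns k such that imm == 1 << k, or -1 if imm is not a positive power of
// two. 0, negative values and INT32_MIN are all rejected (INT32_MIN has a single
// bit set but is negative, so a shift would not be a valid replacement).
int log2IfPowerOfTwo(int32_t imm)
{
    if (imm <= 0)
        return -1;
    uint32_t u = static_cast<uint32_t>(imm);
    if (u & (u - 1)) // more than one bit set
        return -1;
    int k = 0;
    while ((1u << k) != u)
        ++k;
    return k;
}

// Select the instruction for "dest = src * imm": powers of two become a left
// shift (1 becomes a shift by 0), everything else stays a multiply.
Inst32 selectMul32(int32_t imm)
{
    int k = log2IfPowerOfTwo(imm);
    if (k >= 0)
        return { Op32::Lshift, k };
    return { Op32::Mul, imm };
}

// Execute the selected instruction with int32 wraparound semantics, the way the
// hardware would, using unsigned arithmetic to avoid signed-overflow UB.
int32_t execute(const Inst32& inst, int32_t src)
{
    uint32_t u = static_cast<uint32_t>(src);
    uint32_t r = inst.op == Op32::Mul
        ? u * static_cast<uint32_t>(inst.immediate)
        : u << static_cast<unsigned>(inst.immediate);
    return static_cast<int32_t>(r);
}

// Reference multiply with explicit wraparound.
int32_t referenceMul32(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

// Check that the selected lowering agrees with a plain multiply for every
// operand in a constructed list of interesting int32 values, in the spirit of
// testmasm's int32Operands(). Returns false on the first mismatch.
bool mul32LoweringAgrees(int32_t imm)
{
    const int32_t operands[] = {
        0, 1, -1, 2, -2, 42, -42, 64, 0x7fffffff, INT32_MIN,
        0x12345678, static_cast<int32_t>(0x89abcdef)
    };
    Inst32 inst = selectMul32(imm);
    for (int32_t src : operands) {
        if (execute(inst, src) != referenceMul32(src, imm))
            return false;
    }
    return true;
}
```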
3272
3273 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3274
3275         [JSC] Make disassembler data structures constant read-only data
3276         https://bugs.webkit.org/show_bug.cgi?id=194041
3277
3278         Reviewed by Mark Lam.
3279
3280         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3281         This patch makes them "const".
3282
3283         * disassembler/ARM64/A64DOpcode.cpp:
3284         * disassembler/udis86/ud_itab.py:
3285         (UdItabGenerator.genOpcodeTablesLookupIndex):
3286         (UdItabGenerator.genInsnTable):
3287         (UdItabGenerator.genMnemonicsList):
3288         (genItabH):
3289         * disassembler/udis86/udis86_decode.h:
3290         * disassembler/udis86/udis86_syn.c:
3291         * disassembler/udis86/udis86_syn.h:
3292         * disassembler/udis86/udis86_types.h:
3293
3294 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3295
3296         Unreviewed, update the builtin test results
3297         https://bugs.webkit.org/show_bug.cgi?id=194015
3298
3299         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3300         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3301         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3302         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3303         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3304         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3305         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3306         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3307         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3308         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3309         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3310         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3311         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3312
3313 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3314
3315         [JSC] Make global static variables "const" as much as possible
3316         https://bugs.webkit.org/show_bug.cgi?id=194015
3317
3318         Reviewed by Mark Lam.
3319
3320         Some global static variables are not "const". For example, `static const char* name = ...`
3321         is not a constant variable. We should make it `static const char* const name = ...`.
3322
3323         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3324         (generate_externs_for_object):
3325         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3326         (generate_externs_for_object):
3327         * Scripts/wkbuiltins/builtins_generator.py:
3328         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3329         * assembler/MacroAssembler.h:
3330         (JSC::MacroAssembler::additionBlindedConstant):
3331         * b3/air/AirFormTable.h:
3332         * b3/air/opcode_generator.rb:
3333         * runtime/JSObject.cpp:
3334         (JSC::JSObject::visitButterfly):
3335         * tools/CodeProfile.cpp:
3336         * tools/CodeProfile.h:
3337
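Added example covering the two "make it const" entries above (the disassembler tables and the global statics); it is this example's code, not JavaScriptCore's. It shows, with a type-trait check, why `static const char* name` is not a constant object while `static const char* const name` is, why an array of such pointers behaves the same way, and what the difference buys: a writable table of function pointers is the classic target of a data-only overwrite, whereas a const table is placed in read-only storage by the usual toolchains, so the same write faults. The name `isReadOnlyObject` and the handler table are this example's own.

```cpp
#include <cstddef>
#include <type_traits>

// After stripping array dimensions, is the object itself const? A const object
// with a constant initializer is what the toolchain can put in read-only
// storage; a mutable pointer to const data is not, even though it reads as
// "const" at a glance. (This example's name, not a toolchain guarantee.)
template<typename T>
constexpr bool isReadOnlyObject()
{
    return std::is_const_v<std::remove_all_extents_t<T>>;
}

// The shape the entry calls out: a mutable pointer to const chars...
static const char* mutableName = "mul32";
// ...versus the immutable pointer the fix declares.
static const char* const constName = "mul32";

const char* nameFor(bool fixed)
{
    return fixed ? constName : mutableName;
}

// The disassembler-table shape: an array of mnemonic strings, before and after.
static const char* mutableMnemonics[] = { "add", "sub", "mul" };
static const char* const constMnemonics[] = { "add", "sub", "mul" };

const char* mnemonic(bool fixed, std::size_t index)
{
    return fixed ? constMnemonics[index] : mutableMnemonics[index];
}

// A table of function pointers behaves the same way. A writable one can be
// redirected at runtime by anyone with a write primitive; a const one cannot.
using Handler = int (*)(int);
static int doubleIt(int v) { return 2 * v; }
static int negateIt(int v) { return -v; }
static Handler mutableHandlers[] = { doubleIt, negateIt };
static Handler const constHandlers[] = { doubleIt, negateIt };

// Dispatch through either table.
int dispatch(const Handler* table, std::size_t index, int argument)
{
    return table[index](argument);
}

// Overwriting an entry compiles only for the writable table; the same
// assignment to constHandlers[0] is rejected by the compiler.
int redirectMutableHandler(int argument)
{
    mutableHandlers[0] = negateIt;
    return dispatch(mutableHandlers, 0, argument);
}
```

`isReadOnlyObject<decltype(x)>()` is the check to apply to a global that looks const: it is false for `const char*` and for arrays of `const char*`, and true once the pointer itself is `const`.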
3338 2019-01-29  Keith Miller  <keith_miller@apple.com>
3339
3340         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3341         https://bugs.webkit.org/show_bug.cgi?id=194000
3342         <rdar://problem/47642894>
3343
3344         Reviewed by Mark Lam.
3345
3346         The default constructor is unused, and
3347         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3348         data member, which causes sadness.
3349
3350         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3351
3352 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3353
3354         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3355
3356         Rubber-stamped by Yusuke Suzuki.
3357
3358         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3359
3360         * parser/Parser.h:
3361         (JSC::Parser::declareHoistedVariable):
3362
3363 2019-01-29  Mark Lam  <mark.lam@apple.com>
3364
3365         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3366         https://bugs.webkit.org/show_bug.cgi?id=132333
3367
3368         Reviewed by Yusuke Suzuki.
3369
3370         * bytecode/InstructionStream.h:
3371         (JSC::InstructionStreamWriter::write):
3372         - The 32-bit write() function need not invert the order of the bytes written to
3373           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3374           be written is already in big endian order on CPU(BIG_ENDIAN) platforms.
3375
3376         * llint/LLIntOfflineAsmConfig.h:
3377         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3378
3379 2019-01-29  Mark Lam  <mark.lam@apple.com>
3380
3381         ValueRecovery::recover() should purify NaN values it recovers.
3382         https://bugs.webkit.org/show_bug.cgi?id=193978
3383         <rdar://problem/47625488>
3384
3385         Reviewed by Saam Barati.
3386
3387         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3388         recovered DoubleDisplacedInJSStack values need to be purified.
3389         ValueRecovery::recover() should do the same.
3390
3391         * bytecode/ValueRecovery.cpp:
3392         (JSC::ValueRecovery::recover const):
3393
3394 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3395
3396         [JSC] FTL should handle LocalAllocator*
3397         https://bugs.webkit.org/show_bug.cgi?id=193980
3398
3399         Reviewed by Saam Barati.
3400
3401         At some point, Allocator started to hold a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3402         because the FTL still uses the incoming value as a 32-bit integer there.
3403
3404         * ftl/FTLLowerDFGToB3.cpp:
3405         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3406
3407 2019-01-29  Keith Rollin  <krollin@apple.com>
3408
3409         Add .xcfilelists to Run Script build phases
3410         https://bugs.webkit.org/show_bug.cgi?id=193792
3411         <rdar://problem/47201785>
3412
3413         Reviewed by Alex Christensen.
3414
3415         As part of supporting XCBuild, update the necessary Run Script build
3416         phases in their Xcode projects to refer to their associated
3417         .xcfilelist files.
3418
3419         Note that the addition of these files bumps the Xcode project version
3420         number to something that's Xcode 10 compatible. This change means that
3421         older versions of the Xcode IDE can't read these projects. Nor can they
3422         fully load workspaces that refer to these projects (the updated
3423         projects are shown as non-expandable placeholders). `xcodebuild` can
3424         still build these projects; it's just that the IDE can't open them.
3425
3426         * JavaScriptCore.xcodeproj/project.pbxproj:
3427
3428 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3429
3430         [ARM] Check for negative zero instead of just zero
3431         https://bugs.webkit.org/show_bug.cgi?id=193689
3432
3433         Reviewed by Mark Lam.
3434
3435         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3436         of just bailing out for zero.
3437
3438         * assembler/MacroAssemblerARMv7.h:
3439         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3440
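Added example for the negative-zero entry above; it is this example's code, not the ARMv7 assembler's. It models the contract of branchConvertDoubleToInt32: the conversion may succeed only when the double is exactly representable as an int32, and -0.0 must bail even though it truncates to 0, because JavaScript keeps -0 and +0 distinct and an int32 cannot hold -0. The `preciseZeroCheck` flag switches between the coarse check the entry replaces (bail on any zero) and the precise one (bail only when the sign bit is set); the function and parameter names are this example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <optional>

// Returns the int32 value when the conversion is exact, nullopt when the JIT
// would have to branch to its slow path.
std::optional<int32_t> convertDoubleToInt32(double value, bool preciseZeroCheck = true)
{
    // NaN and infinities have no integer value.
    if (!std::isfinite(value))
        return std::nullopt;
    // Outside the int32 range the truncation would not round-trip.
    if (value < -2147483648.0 || value > 2147483647.0)
        return std::nullopt;
    int32_t truncated = static_cast<int32_t>(value);
    // A fractional part means the value is not exactly representable.
    if (static_cast<double>(truncated) != value)
        return std::nullopt;
    if (truncated == 0) {
        // Coarse form: any zero bails, so +0.0 takes the slow path as well.
        if (!preciseZeroCheck)
            return std::nullopt;
        // Precise form: only -0.0 bails. The sign bit is the only thing that
        // distinguishes it, since -0.0 == 0.0 compares equal.
        if (std::signbit(value))
            return std::nullopt;
    }
    return truncated;
}

// Counts how many inputs reach the fast path under either check.
int fastPathHits(const double* values, int count, bool preciseZeroCheck)
{
    int hits = 0;
    for (int i = 0; i < count; ++i) {
        if (convertDoubleToInt32(values[i], preciseZeroCheck))
            ++hits;
    }
    return hits;
}

// A constructed sample of values a script might feed the conversion; +0.0 is
// common in real code, which is why the coarse check costs fast-path coverage.
int sampleFastPathHits(bool preciseZeroCheck)
{
    static const double samples[] = { 0.0, -0.0, 1.0, 2.5, -3.0, 1e10 };
    return fastPathHits(samples, 6, preciseZeroCheck);
}
```

Getting this wrong in either direction matters: accepting -0.0 as 0 is a miscompile visible to scripts (for example through `1 / x`), while bailing on +0.0 only costs performance.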
3441 2019-01-28  Devin Rousso  <drousso@apple.com>
3442
3443         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3444         https://bugs.webkit.org/show_bug.cgi?id=193863
3445         <rdar://problem/47572764>
3446
3447         Reviewed by Joseph Pecoraro.
3448
3449         * inspector/protocol/Page.json:
3450         Add more values to the `Setting` enum type:
3451          - `ICECandidateFilteringEnabled`
3452          - `MediaCaptureRequiresSecureConnection`
3453          - `MockCaptureDevicesEnabled`
3454
3455 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3456
3457         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3458         https://bugs.webkit.org/show_bug.cgi?id=193941
3459
3460         Reviewed by Alex Christensen.
3461
3462         * API/JSWeakObjectMapRefPrivate.cpp:
3463         * bytecompiler/NodesCodegen.cpp:
3464         * heap/MachineStackMarker.cpp:
3465         * jit/ExecutableAllocator.cpp:
3466         * jsc.cpp:
3467         * parser/Nodes.cpp:
3468         * runtime/DateConstructor.cpp:
3469         * runtime/DateConversion.cpp:
3470         * runtime/DateInstance.cpp:
3471         * runtime/DatePrototype.cpp:
3472         * runtime/InitializeThreading.cpp:
3473         * runtime/IteratorOperations.cpp:
3474         * runtime/JSDateMath.cpp:
3475         * runtime/JSGlobalObjectFunctions.cpp:
3476         * runtime/StringPrototype.cpp:
3477         * runtime/VM.cpp:
3478         * testRegExp.cpp:
3479         * tools/JSDollarVM.cpp:
3480         * yarr/YarrInterpreter.cpp:
3481         * yarr/YarrJIT.cpp:
3482         * yarr/YarrPattern.cpp:
3483         * yarr/YarrUnicodeProperties.cpp:
3484
3485 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3486
3487         [JSC] Reduce size of memory used for ShadowChicken
3488         https://bugs.webkit.org/show_bug.cgi?id=193546
3489
3490         Reviewed by Mark Lam.
3491
3492         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3493         The removal of ShadowChicken saves 55KB of memory.
3494
3495         * debugger/DebuggerCallFrame.cpp:
3496         (JSC::DebuggerCallFrame::create):
3497         * ftl/FTLLowerDFGToB3.cpp:
3498         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3499         * heap/Heap.cpp:
3500         (JSC::Heap::stopThePeriphery):
3501         (JSC::Heap::addCoreConstraints):
3502         * jit/CCallHelpers.cpp:
3503         (JSC::CCallHelpers::ensureShadowChickenPacket):
3504         * jit/JITExceptions.cpp:
3505         (JSC::genericUnwind):
3506         * jit/JITOpcodes.cpp:
3507         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3508         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3509         * jit/JITOpcodes32_64.cpp:
3510         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3511         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3512         * jit/JITOperations.cpp:
3513         * llint/LLIntSlowPaths.cpp:
3514         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3515         * runtime/JSGlobalObject.cpp:
3516         (JSC::JSGlobalObject::setDebugger):
3517         * runtime/JSGlobalObject.h:
3518         (JSC::JSGlobalObject::setDebugger): Deleted.
3519         * runtime/VM.cpp:
3520         (JSC::VM::VM):
3521         (JSC::VM::ensureShadowChicken):
3522         * runtime/VM.h:
3523         (JSC::VM::shadowChicken):
3524         * tools/JSDollarVM.cpp:
3525         (JSC::functionShadowChickenFunctionsOnStack):
3526         (JSC::changeDebuggerModeWhenIdle):
3527
3528 2019-01-28  Andy Estes  <aestes@apple.com>
3529
3530         [watchOS] Enable Parental Controls content filtering
3531         https://bugs.webkit.org/show_bug.cgi?id=193939
3532         <rdar://problem/46641912>
3533
3534         Reviewed by Ryosuke Niwa.
3535
3536         * Configurations/FeatureDefines.xcconfig:
3537
3538 2019-01-28  Mark Lam  <mark.lam@apple.com>
3539
3540         ToString node actually does GC.
3541         https://bugs.webkit.org/show_bug.cgi?id=193920
3542         <rdar://problem/46695900>
3543
3544         Reviewed by Yusuke Suzuki.
3545
3546         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3547         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3548
3549         * dfg/DFGDoesGC.cpp:
3550         (JSC::DFG::doesGC):
3551
3552 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3553
3554         [JSC] RegExpConstructor should not have own IsoSubspace
3555         https://bugs.webkit.org/show_bug.cgi?id=193801
3556
3557         Reviewed by Mark Lam.
3558
3559         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3560         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3561         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3562         it from RegExpConstructor's members.
3563
3564         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3565         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3566         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3567
3568         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3569
3570         * CMakeLists.txt:
3571         * JavaScriptCore.xcodeproj/project.pbxproj:
3572         * Sources.txt:
3573         * dfg/DFGOperations.cpp:
3574         * dfg/DFGSpeculativeJIT.cpp:
3575         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3576         * dfg/DFGStrengthReductionPhase.cpp:
3577         (JSC::DFG::StrengthReductionPhase::handleNode):
3578         * ftl/FTLAbstractHeapRepository.cpp:
3579         * ftl/FTLAbstractHeapRepository.h:
3580         * ftl/FTLLowerDFGToB3.cpp:
3581         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3582         * runtime/JSGlobalObject.cpp:
3583         (JSC::JSGlobalObject::init):
3584         (JSC::JSGlobalObject::visitChildren):
3585         * runtime/JSGlobalObject.h:
3586         (JSC::JSGlobalObject::regExpGlobalData):
3587         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3588         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3589         * runtime/RegExpCache.cpp:
3590         (JSC::RegExpCache::initialize):
3591         * runtime/RegExpCache.h:
3592         (JSC::RegExpCache::emptyRegExp const):
3593         * runtime/RegExpCachedResult.cpp:
3594         (JSC::RegExpCachedResult::visitAggregate):
3595         (JSC::RegExpCachedResult::visitChildren): Deleted.
3596         * runtime/RegExpCachedResult.h:
3597         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3598         * runtime/RegExpConstructor.cpp:
3599         (JSC::RegExpConstructor::RegExpConstructor):
3600         (JSC::regExpConstructorDollar):
3601         (JSC::regExpConstructorInput):
3602         (JSC::regExpConstructorMultiline):
3603         (JSC::regExpConstructorLastMatch):
3604         (JSC::regExpConstructorLastParen):
3605         (JSC::regExpConstructorLeftContext):
3606         (JSC::regExpConstructorRightContext):
3607         (JSC::setRegExpConstructorInput):
3608         (JSC::setRegExpConstructorMultiline):
3609         (JSC::RegExpConstructor::destroy): Deleted.
3610         (JSC::RegExpConstructor::visitChildren): Deleted.
3611         (JSC::RegExpConstructor::getBackref): Deleted.
3612         (JSC::RegExpConstructor::getLastParen): Deleted.
3613         (JSC::RegExpConstructor::getLeftContext): Deleted.
3614         (JSC::RegExpConstructor::getRightContext): Deleted.
3615         * runtime/RegExpConstructor.h:
3616         (JSC::RegExpConstructor::performMatch): Deleted.
3617         (JSC::RegExpConstructor::recordMatch): Deleted.
3618         * runtime/RegExpGlobalData.cpp: Added.
3619         (JSC::RegExpGlobalData::visitAggregate):
3620         (JSC::RegExpGlobalData::getBackref):
3621         (JSC::RegExpGlobalData::getLastParen):
3622         (JSC::RegExpGlobalData::getLeftContext):
3623         (JSC::RegExpGlobalData::getRightContext):
3624         * runtime/RegExpGlobalData.h: Added.
3625         (JSC::RegExpGlobalData::cachedResult):
3626         (JSC::RegExpGlobalData::setMultiline):
3627         (JSC::RegExpGlobalData::multiline const):
3628         (JSC::RegExpGlobalData::input):
3629         (JSC::RegExpGlobalData::offsetOfCachedResult):
3630         * runtime/RegExpGlobalDataInlines.h: Added.
3631         (JSC::RegExpGlobalData::setInput):
3632         (JSC::RegExpGlobalData::performMatch):
3633         (JSC::RegExpGlobalData::recordMatch):
3634         * runtime/RegExpObject.cpp:
3635         (JSC::RegExpObject::matchGlobal):
3636         * runtime/RegExpObjectInlines.h:
3637         (JSC::RegExpObject::execInline):
3638         (JSC::RegExpObject::matchInline):
3639         (JSC::collectMatches):
3640         * runtime/RegExpPrototype.cpp:
3641         (JSC::RegExpPrototype::finishCreation):
3642         (JSC::regExpProtoFuncSearchFast):
3643         (JSC::RegExpPrototype::visitChildren): Deleted.
3644         * runtime/RegExpPrototype.h:
3645         * runtime/StringPrototype.cpp:
3646         (JSC::removeUsingRegExpSearch):
3647         (JSC::replaceUsingRegExpSearch):
3648         * runtime/VM.cpp:
3649         (JSC::VM::VM):
3650         * runtime/VM.h:
3651
3652 2018-12-15  Darin Adler  <darin@apple.com>
3653
3654         Replace many uses of String::format with more type-safe alternatives
3655         https://bugs.webkit.org/show_bug.cgi?id=192742
3656
3657         Reviewed by Mark Lam.
3658
3659         * inspector/InjectedScriptBase.cpp:
3660         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3661         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3662         * inspector/InspectorBackendDispatcher.cpp:
3663         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3664         * inspector/agents/InspectorConsoleAgent.cpp:
3665         (Inspector::InspectorConsoleAgent::enable): Ditto.
3666         * jsc.cpp:
3667         (FunctionJSCStackFunctor::operator() const): Ditto.
3668
3669         * runtime/CodeCache.cpp:
3670         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3671         using String::number.
3672
3673         * runtime/IntlDateTimeFormat.cpp:
3674         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3675         * runtime/IntlObject.cpp:
3676         (JSC::canonicalizeLocaleList): Ditto.
3677
3678 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3679
3680         AX: Introduce a static accessibility tree
3681         https://bugs.webkit.org/show_bug.cgi?id=193348
3682         <rdar://problem/47203295>
3683
3684         Reviewed by Ryosuke Niwa.
3685
3686         * Configurations/FeatureDefines.xcconfig:
3687
3688 2019-01-26  Devin Rousso  <drousso@apple.com>
3689
3690         Web Inspector: provide a way to edit the user agent of a remote target
3691         https://bugs.webkit.org/show_bug.cgi?id=193862
3692         <rdar://problem/47359292>
3693
3694         Reviewed by Joseph Pecoraro.
3695
3696         * inspector/protocol/Page.json:
3697         Add `overrideUserAgent` command.
3698
3699 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3700
3701         [JSC] NativeErrorConstructor should not have own IsoSubspace
3702         https://bugs.webkit.org/show_bug.cgi?id=193713
3703
3704         Reviewed by Saam Barati.
3705
3706         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3707         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3708         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3709         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes the
3710         IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3711         referenced.
3712
3713         * CMakeLists.txt:
3714         * JavaScriptCore.xcodeproj/project.pbxproj:
3715         * Sources.txt:
3716         * builtins/BuiltinNames.h:
3717         * interpreter/Interpreter.h:
3718         * runtime/Error.cpp:
3719         (JSC::createEvalError):
3720         (JSC::createRangeError):
3721         (JSC::createReferenceError):
3722         (JSC::createSyntaxError):
3723         (JSC::createTypeError):
3724         (JSC::createURIError):
3725         (WTF::printInternal): Deleted.
3726         * runtime/Error.h:
3727         * runtime/ErrorPrototype.cpp:
3728         (JSC::ErrorPrototype::create):
3729         (JSC::ErrorPrototype::finishCreation):
3730         * runtime/ErrorPrototype.h:
3731         (JSC::ErrorPrototype::create): Deleted.
3732         * runtime/ErrorType.cpp: Added.
3733         (JSC::errorTypeName):
3734         (WTF::printInternal):
3735         * runtime/ErrorType.h: Added.
3736         * runtime/JSGlobalObject.cpp:
3737         (JSC::JSGlobalObject::initializeErrorConstructor):
3738         (JSC::JSGlobalObject::init):
3739         (JSC::JSGlobalObject::visitChildren):
3740         * runtime/JSGlobalObject.h:
3741         (JSC::JSGlobalObject::internalPromiseConstructor const):
3742         (JSC::JSGlobalObject::errorStructure const):
3743         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3744         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3745         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3746         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3747         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3748         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3749         * runtime/NativeErrorConstructor.cpp:
3750         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3751         (JSC::NativeErrorConstructorBase::finishCreation):
3752         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3753         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3754         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3755         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3756         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3757         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3758         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3759         * runtime/NativeErrorConstructor.h:
3760         (JSC::NativeErrorConstructorBase::createStructure):
3761         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3762         * runtime/NativeErrorPrototype.cpp:
3763         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3764         * runtime/NativeErrorPrototype.h:
3765         * runtime/VM.cpp:
3766         (JSC::VM::VM):
3767         * runtime/VM.h:
3768         * wasm/js/WasmToJS.cpp:
3769         (JSC::Wasm::handleBadI64Use):
3770
3771 2019-01-25  Devin Rousso  <drousso@apple.com>
3772
3773         Web Inspector: provide a way to edit page settings on a remote target
3774         https://bugs.webkit.org/show_bug.cgi?id=193813
3775         <rdar://problem/47359510>
3776
3777         Reviewed by Joseph Pecoraro.
3778
3779         * inspector/protocol/Page.json:
3780         Add `overrideSetting` command with supporting `Setting` enum type.
3781
3782 2019-01-25  Keith Rollin  <krollin@apple.com>
3783
3784         Update Xcode projects with "Check .xcfilelists" build phase
3785         https://bugs.webkit.org/show_bug.cgi?id=193790
3786         <rdar://problem/47201374>
3787
3788         Reviewed by Alex Christensen.
3789
3790         Support for XCBuild includes specifying inputs and outputs to various
3791         Run Script build phases. These inputs and outputs are specified as
3792         .xcfilelist files. Once created, these .xcfilelist files need to be
3793         kept up-to-date. In order to check that they are up-to-date or not,
3794         add an Xcode build step that invokes an external script that performs
3795         the checking. If the .xcfilelists are found to be out-of-date, update
3796         them, halt the build, and instruct the developer to restart the build
3797         with up-to-date files.
3798
3799         At this time, the checking and regenerating is performed only if the
3800         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3801         who want to use this facility can set this variable and test out the
3802         checking/regenerating. Once it seems like there are no egregious
3803         issues that upset a developer's workflow, we'll unconditionally enable
3804         this facility.
3805
3806         * JavaScriptCore.xcodeproj/project.pbxproj:
3807         * Scripts/check-xcfilelists.sh: Added.
3808
3809 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3810
3811         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3812         https://bugs.webkit.org/show_bug.cgi?id=193796
3813         <rdar://problem/47532910>
3814
3815         Reviewed by Devin Rousso.
3816
3817         * runtime/SamplingProfiler.cpp:
3818         (JSC::SamplingProfiler::machThread):
3819         * runtime/SamplingProfiler.h:
3820         Expose the mach_port_t of the SamplingProfiler thread
3821         so it can be tested against later.
3822
3823 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3824
3825         Fix Windows build after r240511
3826
3827         * bytecode/UnlinkedFunctionExecutable.cpp:
3828         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3829
3830 2019-01-25  Keith Rollin  <krollin@apple.com>
3831
3832         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3833         https://bugs.webkit.org/show_bug.cgi?id=193781
3834         <rdar://problem/47201153>
3835
3836         Reviewed by Alex Christensen.
3837
3838         Part of generating the .xcfilelists used as part of adopting XCBuild
3839         includes running `make DerivedSources.make` from a standalone script.
3840         It’s important for this invocation to have the same environment as
3841         when the actual build invokes `make DerivedSources.make`. If the
3842         environments are different, then the two invocations will provide
3843         different results. In order to get the same environment in the
3844         standalone script, have the script launch xcodebuild targeting the
3845         "Apply Configuration to XCFileLists" build target, which will then
3846         re-invoke our standalone script. The script is now running again, this
3847         time in an environment with all workspace, project, target, xcconfig
3848         and other environment variables established.
3849
3850         The "Apply Configuration to XCFileLists" build target accomplishes
3851         this task via a small embedded shell script that consists only of:
3852
3853             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3854
3855         The process that invokes "Apply Configuration to XCFileLists" first
3856         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3857         evaluated and exports it into the shell environment. When xcodebuild
3858         is invoked, it inherits the value of this variable and can `eval` the
3859         contents of that variable. Our external standalone script can then set
3860         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3861         of command-line parameters needed to restart itself in the appropriate
3862         state.
3863
3864         * JavaScriptCore.xcodeproj/project.pbxproj:
3865
3866 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3867
3868         Add API to generate and consume cached bytecode
3869         https://bugs.webkit.org/show_bug.cgi?id=193401
3870         <rdar://problem/47514099>
3871
3872         Reviewed by Keith Miller.
3873
3874         Add the `generateBytecode` and `generateModuleBytecode` functions to
3875         generate serialized bytecode for a given `SourceCode`. These functions
3876         will eagerly generate code for all the nested functions.
3877
3878         Additionally, update the API methods in JSScript to generate and use the
3879         bytecode when the bytecodeCache path is provided.
3880
3881         * API/JSAPIGlobalObject.mm:
3882         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3883         * API/JSContext.mm:
3884         (-[JSContext wrapperMap]):
3885         * API/JSContextInternal.h:
3886         * API/JSScript.mm:
3887         (+[JSScript scriptWithSource:inVirtualMachine:]):
3888         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3889         (-[JSScript dealloc]):
3890         (-[JSScript readCache]):
3891         (-[JSScript writeCache]):
3892         (-[JSScript hash]):
3893         (-[JSScript source]):
3894         (-[JSScript cachedBytecode]):
3895         (-[JSScript jsSourceCode:]):
3896         * API/JSScriptInternal.h:
3897         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3898         (JSScriptSourceProvider::create):
3899         (JSScriptSourceProvider::JSScriptSourceProvider):