[JSC] Remove unused global private variables
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

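Added example, not Yarr code: the shape of the bug the entry above fixes. A Unicode (/u) pattern reads UTF-16 in code points, so on a high surrogate it wants the next unit too; if that surrogate is the last unit of the subject, an unchecked read goes one unit past the end. The decoder below checks `index + 1 < length` before touching the trailing unit. Function names, the error sentinel and the sample subjects are this example's own.

```cpp
// Added example (not Yarr code): reading a UTF-16 code point where a high
// surrogate may be the last unit of the subject string. The unchecked version
// reads one unit past the end, which is the kind of bug the entry fixes.
#include <cstddef>
#include <cstdint>
#include <cstdio>

using UChar = char16_t;
constexpr uint32_t errorCodePoint = 0xFFFFFFFFu;   // returned when index is already out of range

static bool isHighSurrogate(UChar c) { return (c & 0xFC00) == 0xD800; }
static bool isLowSurrogate(UChar c)  { return (c & 0xFC00) == 0xDC00; }

// Decode the code point at `index`. `length` is the subject length in UTF-16 units.
// Writes 1 or 2 to *consumed. A high surrogate at the very end (or one not
// followed by a low surrogate) is returned as itself, the way lone surrogates
// behave in /u patterns, and the subject is never read beyond `length`.
uint32_t codePointAt(const UChar* subject, size_t length, size_t index, size_t* consumed)
{
    if (index >= length) {
        *consumed = 0;
        return errorCodePoint;
    }
    UChar lead = subject[index];
    // The in-bounds check: only look at subject[index + 1] if it exists.
    if (isHighSurrogate(lead) && index + 1 < length && isLowSurrogate(subject[index + 1])) {
        UChar trail = subject[index + 1];
        *consumed = 2;
        return 0x10000u + ((static_cast<uint32_t>(lead) - 0xD800u) << 10)
            + (static_cast<uint32_t>(trail) - 0xDC00u);
    }
    *consumed = 1;
    return lead;
}

// Walk a subject code point by code point, as a /u pattern does.
size_t countCodePoints(const UChar* subject, size_t length)
{
    size_t count = 0;
    size_t consumed = 0;
    for (size_t i = 0; i < length; i += consumed) {
        codePointAt(subject, length, i, &consumed);
        ++count;
    }
    return count;
}

int main()
{
    // Constructed samples: "a" + U+1F600 as a proper pair, and "a" + a lone high surrogate at the end.
    const UChar paired[] = { u'a', 0xD83D, 0xDE00 };
    const UChar lone[]   = { u'a', 0xD83D };
    std::printf("paired: %zu code points\n", countCodePoints(paired, 3));
    std::printf("lone:   %zu code points\n", countCodePoints(lone, 2));
    return 0;
}
```

The lone-surrogate case is the one worth testing under a sanitizer: without the `index + 1 < length` guard, `subject[index + 1]` is a one-unit over-read on every subject that ends in a high surrogate.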
2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

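Added example, not WebKit code, for the point of the entry above: a function name or source URL in a sampled stack frame is text the page's script chose, and writing it into a JSON document unescaped lets it close the string and add keys of its own. The escaper below is this editor's, written to RFC 8259's rules (quote, backslash, the short escapes, `\u00XX` for other control characters); it is not the routine the patch added, which this page does not show. The hostile frame name is a constructed sample.

```cpp
// Added example (not JavaScriptCore code): escaping arbitrary strings before
// embedding them in JSON output, the class of bug fixed above. A function name
// that appears in a stack trace is attacker-influenced text; written raw into
// JSON it can break the document or inject keys of its own.
#include <cstdio>
#include <string>

// Escape s so it can be placed between double quotes in a JSON document.
// Handles the two structural characters, the short escapes, and every other
// control character (U+0000..U+001F) via \uXXXX, as RFC 8259 requires.
// Bytes >= 0x80 (UTF-8 continuation/lead bytes) are passed through unchanged.
std::string escapeJSONString(const std::string& s)
{
    std::string out;
    out.reserve(s.size() + 2);
    for (unsigned char c : s) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    return out;
}

// One stack-frame record built the unsafe way (string concatenation, as the
// bug would have it) and the safe way, so the difference is visible.
std::string unsafeFrameJSON(const std::string& name)
{
    return "{\"name\":\"" + name + "\"}";
}

std::string safeFrameJSON(const std::string& name)
{
    return "{\"name\":\"" + escapeJSONString(name) + "\"}";
}

int main()
{
    // Constructed sample: a function name chosen to close the string and add a key.
    std::string hostile = "f\",\"isAdmin\":true,\"x\":\"";
    std::printf("unsafe: %s\n", unsafeFrameJSON(hostile).c_str());
    std::printf("safe:   %s\n", safeFrameJSON(hostile).c_str());
    return 0;
}
```

The unsafe line parses as an object with three keys; the safe line is a single `name` string containing the quotes and colons as literal characters. Anything that consumes profiler or type-profile JSON downstream (Web Inspector, a log pipeline) is what the injected keys would have reached.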
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before storing the pointer into a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

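Added example, not JavaScriptCore code, of the publication problem in the six steps above. Thread (B) creates the worklist and stores its pointer into a global; thread (A) reads that global directly, without going through the creation path. Unless the constructor's writes are ordered before the pointer store, (A) can see a non-null pointer to an object whose fields are not yet written. JSC creates its worklists inside call_once; this example publishes with a compare-and-swap instead, but the store that needs the release fence is the same one. `Worklist`, its fields and the function names are this example's own.

```cpp
// Added example (not JavaScriptCore code): publishing a lazily created global
// object so that a thread reading the pointer without taking part in creation
// (like the VM destructor in the entry above) never sees a half-constructed
// object. JSC uses call_once; this example uses a compare-and-swap instead,
// but the publication point and the fence it needs are the same.
#include <atomic>
#include <cstdio>
#include <vector>

struct Worklist {
    explicit Worklist(unsigned threads) : numberOfThreads(threads), queue(16, 0) { }
    unsigned numberOfThreads;
    std::vector<int> queue;   // stands in for the state the real constructor sets up
};

// A plain `static Worklist* s_worklist` written with a non-atomic store is the
// bug: the pointer may become visible before the stores that initialise *it.
static std::atomic<Worklist*> s_worklist { nullptr };

Worklist& ensureGlobalWorklist()
{
    if (Worklist* existing = s_worklist.load(std::memory_order_acquire))
        return *existing;
    Worklist* fresh = new Worklist(4);   // process-lifetime singleton, never deleted
    Worklist* expected = nullptr;
    // Release on success: every write the constructor made is ordered before the
    // pointer is published. This is the store-store fence the entry talks about.
    if (s_worklist.compare_exchange_strong(expected, fresh,
            std::memory_order_acq_rel, std::memory_order_acquire))
        return *fresh;
    delete fresh;           // lost the race: another thread published first
    return *expected;       // compare_exchange wrote the winner's pointer into `expected`
}

// Teardown fast path: read the pointer directly, no creation.
Worklist* existingGlobalWorklistOrNull()
{
    // Acquire pairs with the release above: a non-null result is a fully built object.
    return s_worklist.load(std::memory_order_acquire);
}

int main()
{
    std::printf("before: %p\n", static_cast<void*>(existingGlobalWorklistOrNull()));
    Worklist& worklist = ensureGlobalWorklist();
    std::printf("after:  %p threads=%u\n", static_cast<void*>(&worklist), worklist.numberOfThreads);
    return 0;
}
```

The cost is exactly what the entry says: one release-ordered store per worklist, paid once; every later read is an acquire load, which is free on x86 and a single ordered load on ARM.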
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create a NativeJITCode every time one is called. But this is meaningless since the entry point code is identical.
        We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole process level. This removes 446 NativeJITCode
        allocations, which take 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

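Added example, not JavaScriptCore's CachedTypes code, of the unit mismatch the entry above describes. A bit vector of N bits occupies ceil(N/8) bytes; passing N to memcpy copies up to eight times too much. On encode that only over-reads into a buffer that was itself oversized with the same wrong number, so nothing broke; on decode the destination is a real BitVector sized in bytes, and the copy runs past it. The serialiser below keeps the two units apart, length-prefixes the payload, and refuses a buffer shorter than its header claims. The struct, layout and sample vector are this example's own.

```cpp
// Added example (not JavaScriptCore's CachedTypes code): serialising a bit
// vector into a byte buffer and reading it back. `numBits` is the logical size;
// the memcpy must use the size in bytes, rounded up. Using the bit count, as
// the entry describes, copies up to 8x too much and writes past the buffer on decode.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Converts a size in bits into the number of bytes needed to hold it.
constexpr size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }

struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> storage;   // bytesForBits(numBits) bytes, little bit 0 first

    explicit BitVector(size_t bits) : numBits(bits), storage(bytesForBits(bits), 0) { }
    void set(size_t i) { storage[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (storage[i / 8] >> (i % 8)) & 1u; }
};

// Encoded layout: [numBits as uint64][ceil(numBits/8) payload bytes].
std::vector<uint8_t> encode(const BitVector& bv)
{
    uint64_t bits = bv.numBits;
    size_t payload = bytesForBits(bv.numBits);             // bytes, not bits
    std::vector<uint8_t> out(sizeof bits + payload);
    std::memcpy(out.data(), &bits, sizeof bits);
    if (payload)
        std::memcpy(out.data() + sizeof bits, bv.storage.data(), payload);
    return out;
}

// Returns false, rather than reading past `in`, when the buffer is shorter than
// its header claims. The destination is allocated in bytes and the copy length
// is the same byte count, so the two can never disagree.
bool decode(const std::vector<uint8_t>& in, BitVector& out)
{
    uint64_t bits = 0;
    if (in.size() < sizeof bits)
        return false;
    std::memcpy(&bits, in.data(), sizeof bits);
    size_t payload = bytesForBits(static_cast<size_t>(bits));
    if (in.size() - sizeof bits < payload)
        return false;
    out = BitVector(static_cast<size_t>(bits));
    if (payload)
        std::memcpy(out.storage.data(), in.data() + sizeof bits, payload);   // bytes, not bits
    return true;
}

int main()
{
    // Constructed sample: 65 bits, so the byte count (9) is neither 65 nor 65/8.
    BitVector bv(65);
    bv.set(0); bv.set(9); bv.set(64);
    std::vector<uint8_t> encoded = encode(bv);
    BitVector back(0);
    bool ok = decode(encoded, back);
    std::printf("encoded %zu bytes (header 8 + payload %zu); decode %s; bit 64 = %d\n",
        encoded.size(), bytesForBits(65), ok ? "ok" : "failed", back.get(64));
    return 0;
}
```

The length check on decode is the part that matters for a cache file read back from disk: the header is untrusted input, so the payload size it implies is verified against the bytes actually present before anything is copied.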
2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, the comparison of memory consumption becomes the following,
        because JSRopeString does not have a StringImpl until it is resolved.

            sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases memory footprint. The point is that we need to
        account for newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString function.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of the operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

2019-02-13  Saam Barati  <sbarati@apple.com>

        AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=194610

        Reviewed by Michael Saboff.

        BinarySwitch might use the scratch register. We must model the
        effects of that properly. This is already caught by our br-table
        tests on arm64.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-13  Mark Lam  <mark.lam@apple.com>

        Create a randomized free list for new StructureIDs on StructureIDTable resize.
        https://bugs.webkit.org/show_bug.cgi?id=194566
        <rdar://problem/47975502>

        Reviewed by Michael Saboff.

        Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
        implementation is a little easier to read.

        This patch appears to be perf neutral on JetStream2 (as run from the command line).

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::makeFreeListFromRange):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):
        (JSC::StructureIDTable::deallocateID):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::flushOldTables):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        VariableLengthObject::allocate<T> should initialize objects
        https://bugs.webkit.org/show_bug.cgi?id=194534

        Reviewed by Michael Saboff.

        `buffer()` should not be called for empty VariableLengthObjects, but
        these cases were not being caught due to the objects not being properly
        initialized. Fix it so that allocate calls the constructor and fix the
        assertion failures.

        * runtime/CachedTypes.cpp:
        (JSC::CachedObject::operator new):
        (JSC::VariableLengthObject::allocate):
        (JSC::CachedVector::encode):
        (JSC::CachedVector::decode const):
        (JSC::CachedUniquedStringImpl::decode const):
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):
        (JSC::CachedArray::encode):
        (JSC::CachedArray::decode const):
        (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
        (JSC::CachedBigInt::decode const):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlocks read from disk should not be re-written
        https://bugs.webkit.org/show_bug.cgi?id=194535

        Reviewed by Michael Saboff.

        Keep track of which CodeBlocks have been read from disk or have already
        been serialized in CodeCache.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::write):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        SourceCode should be copied when generating bytecode for functions
        https://bugs.webkit.org/show_bug.cgi?id=194536

        Reviewed by Saam Barati.

        The FunctionExecutable might be collected while generating the bytecode
        for nested functions, in which case the SourceCode reference would no
        longer be valid.

        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-12  Saam barati  <sbarati@apple.com>

        JSScript needs to retain its cache path NSURL*
        https://bugs.webkit.org/show_bug.cgi?id=194577

        Reviewed by Tim Horton.

        * API/JSScript.mm:
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):

2019-02-12  Robin Morisset  <rmorisset@apple.com>

        Make B3Value::returnsBool() more precise
        https://bugs.webkit.org/show_bug.cgi?id=194457

        Reviewed by Saam Barati.

        It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
        It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
        No new tests added as this should be indirectly tested by the already existing tests.

        * b3/B3Value.cpp:
        (JSC::B3::Value::returnsBool const):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix -Wimplicit-fallthrough warning after r241140
        https://bugs.webkit.org/show_bug.cgi?id=194399
        <rdar://problem/47889777>

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
        https://bugs.webkit.org/show_bug.cgi?id=194370

        Reviewed by Darin Adler.

        Change a couple WTFLogAlways to use g_warning, for good measure. Of course this isn't
        necessary, but it will make errors more visible.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::start):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):

2019-02-12  Andy Estes  <aestes@apple.com>

        [iOSMac] Enable Parental Controls Content Filtering
        https://bugs.webkit.org/show_bug.cgi?id=194521
        <rdar://39732376>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

715 2019-02-11  Mark Lam  <mark.lam@apple.com>
716
717         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
718         https://bugs.webkit.org/show_bug.cgi?id=194512
719         <rdar://problem/47975465>
720
721         Reviewed by Yusuke Suzuki.
722
723         * runtime/StructureIDTable.cpp:
724         (JSC::StructureIDTable::StructureIDTable):
725         (JSC::StructureIDTable::allocateID):
726         (JSC::StructureIDTable::deallocateID):
727         * runtime/StructureIDTable.h:
728
729 2019-02-10  Mark Lam  <mark.lam@apple.com>
730
731         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
732         https://bugs.webkit.org/show_bug.cgi?id=194493
733         <rdar://problem/36380852>
734
735         Reviewed by Yusuke Suzuki.
736
737         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
738         however not good for performance and memory usage.  As such, a debug ASSERT will
739         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
740         possible to be instantiated with duplicate cases in
741         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
742
743         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
744         see duplicate cases.
745
746         * jit/BinarySwitch.cpp:
747         (JSC::BinarySwitch::BinarySwitch):
748
749 2019-02-10  Darin Adler  <darin@apple.com>
750
751         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
752         https://bugs.webkit.org/show_bug.cgi?id=194485
753
754         Reviewed by Daniel Bates.
755
756         * heap/HeapSnapshotBuilder.cpp:
757         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
758         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
759
760         * runtime/JSGlobalObjectFunctions.cpp:
761         (JSC::encode): Removed some unneeded casts in StringBuilder code,
762         including one in a call to appendByteAsHex.
763         (JSC::globalFuncEscape): Ditto.
764
765 2019-02-10  Commit Queue  <commit-queue@webkit.org>
766
767         Unreviewed, rolling out r241230.
768         https://bugs.webkit.org/show_bug.cgi?id=194488
769
770         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
771         #webkit).
772
773         Reverted changeset:
774
775         "We should only make rope strings when concatenating strings
776         long enough."
777         https://bugs.webkit.org/show_bug.cgi?id=194465
778         https://trac.webkit.org/changeset/241230
779
780 2019-02-10  Saam barati  <sbarati@apple.com>
781
782         BBQ-Air: Emit better code for switch
783         https://bugs.webkit.org/show_bug.cgi?id=194053
784
785         Reviewed by Yusuke Suzuki.
786
787         Instead of emitting a linear set of jumps for Switch, this patch
788         makes the BBQ-Air backend emit a binary switch.
789
790         * wasm/WasmAirIRGenerator.cpp:
791         (JSC::Wasm::AirIRGenerator::addSwitch):
792
793 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
794
795         Unreviewed, Lexer should use isLatin1 implementation in WTF
796         https://bugs.webkit.org/show_bug.cgi?id=194466
797
798         Follow-up after r241233, pointed out by Darin.
799
800         * parser/Lexer.cpp:
801         (JSC::isLatin1): Deleted.
802
803 2019-02-09  Darin Adler  <darin@apple.com>
804
805         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
806         https://bugs.webkit.org/show_bug.cgi?id=194021
807
808         Reviewed by Geoffrey Garen.
809
810         * inspector/agents/InspectorConsoleAgent.cpp:
811         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
812         makeString do the conversion without allocating/destroying a String.
813         * inspector/agents/InspectorDebuggerAgent.cpp:
814         (Inspector::objectGroupForBreakpointAction): Ditto.
815         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
816         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
817         * runtime/JSGenericTypedArrayViewInlines.h:
818         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
819         * runtime/NumberPrototype.cpp:
820         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
821         of calling numberToFixedWidthString to do the same thing.
822         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
823         numberToFixedPrecisionString to do the same thing.
824         * runtime/SamplingProfiler.cpp:
825         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
826
827 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         Unreviewed, rolling in r241237 again
830         https://bugs.webkit.org/show_bug.cgi?id=194469
831
832         * runtime/JSString.h:
833         (JSC::jsSubstring):
834
835 2019-02-09  Commit Queue  <commit-queue@webkit.org>
836
837         Unreviewed, rolling out r241237.
838         https://bugs.webkit.org/show_bug.cgi?id=194474
839
840         Shows significant memory increase in WSL (Requested by
841         yusukesuzuki on #webkit).
842
843         Reverted changeset:
844
845         "[WTF] Use BufferInternal StringImpl if substring StringImpl
846         takes more memory"
847         https://bugs.webkit.org/show_bug.cgi?id=194469
848         https://trac.webkit.org/changeset/241237
849
850 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
851
852         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
853         https://bugs.webkit.org/show_bug.cgi?id=194469
854
855         Reviewed by Geoffrey Garen.
856
857         * runtime/JSString.h:
858         (JSC::jsSubstring):
859
860 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
861
862         [JSC] CachedTypes should use jsString instead of JSString::create
863         https://bugs.webkit.org/show_bug.cgi?id=194471
864
865         Reviewed by Mark Lam.
866
867         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
868
869         * runtime/CachedTypes.cpp:
870         (JSC::CachedJSValue::decode const):
871
872 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
873
874         [JSC] Increase StructureIDTable initial capacity
875         https://bugs.webkit.org/show_bug.cgi?id=194468
876
877         Reviewed by Mark Lam.
878
879         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
880         the JSC shell), 281, already exceeds the current initial value of 256. We should increase the capacity since
881         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
882         more memory dirty. We also remove some structures that are no longer used.
883
884         * runtime/JSGlobalObject.h:
885         (JSC::JSGlobalObject::callbackObjectStructure const):
886         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
887         * runtime/StructureIDTable.h:
888         * runtime/VM.h:
889
890 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
891
892         [JSC] String.fromCharCode's slow path always generates 16bit string
893         https://bugs.webkit.org/show_bug.cgi?id=194466
894
895         Reviewed by Keith Miller.
896
897         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
898         goes to the slow path. However, in the slow path, we always create a 16-bit string. A 16-bit string takes 2x memory,
899         and even worse, taints ropes as 16-bit if a 16-bit string is included in the given rope. We find that acorn-wtb
900         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
901         16-bit strings. However, only a few strings are actually 16-bit strings. This patch attempts to make 8-bit strings
902         as much as possible.
903
904         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
905
906         * runtime/StringConstructor.cpp:
907         (JSC::stringFromCharCode):
908
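The 8-bit versus 16-bit choice described in the entry above, as an added illustration that is not JSC's code: a stand-in for the two JSString payload widths, the slow path's old always-16-bit behaviour beside the narrow-when-possible version, and the rope "tainting" rule. The StringPayload, toUint16, fromCharCode, fromCharCodeAlways16Bit and ropeIs8Bit names are assumptions made for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Stand-in for a JS string payload (an added illustration, not JSC's JSString):
// either 8-bit Latin-1 characters or 16-bit UTF-16 code units.
struct StringPayload {
    bool is8Bit;
    std::vector<uint8_t> latin1;   // valid when is8Bit
    std::vector<uint16_t> utf16;   // valid when !is8Bit
    size_t length() const { return is8Bit ? latin1.size() : utf16.size(); }
    size_t bufferBytes() const { return is8Bit ? latin1.size() : utf16.size() * 2; }
};

// ToUint16 from ECMA-262: String.fromCharCode truncates every argument to one 16-bit code unit.
uint16_t toUint16(double value) {
    if (!std::isfinite(value)) return 0;
    double m = std::fmod(std::trunc(value), 65536.0);
    if (m < 0) m += 65536.0;
    return static_cast<uint16_t>(m);
}

// The behaviour the entry describes for the old slow path: the result is always 16-bit,
// even when every code unit would fit in a byte.
StringPayload fromCharCodeAlways16Bit(const std::vector<double>& args) {
    StringPayload s{false, {}, {}};
    for (double v : args) s.utf16.push_back(toUint16(v));
    return s;
}

// The narrow-when-possible version: scan the code units first and only widen when one of
// them needs more than 8 bits.
StringPayload fromCharCode(const std::vector<double>& args) {
    std::vector<uint16_t> units;
    units.reserve(args.size());
    bool all8Bit = true;
    for (double v : args) {
        uint16_t u = toUint16(v);
        if (u > 0xFF) all8Bit = false;
        units.push_back(u);
    }
    StringPayload s{all8Bit, {}, {}};
    if (all8Bit) s.latin1.assign(units.begin(), units.end());   // every unit fits in a byte
    else s.utf16 = std::move(units);
    return s;
}

// A rope (lazy concatenation) is 8-bit only if every fiber is; a single 16-bit fiber
// taints the whole rope, which is why the wide fromCharCode result was so costly.
bool ropeIs8Bit(const std::vector<StringPayload>& fibers) {
    for (const StringPayload& f : fibers)
        if (!f.is8Bit) return false;
    return true;
}
```
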
909 2019-02-08  Keith Miller  <keith_miller@apple.com>
910
911         We should only make rope strings when concatenating strings long enough.
912         https://bugs.webkit.org/show_bug.cgi?id=194465
913
914         Reviewed by Saam Barati.
915
916         This patch stops us from allocating a rope string if the resulting
917         rope would be smaller than the size of the JSRopeString object we
918         would need to allocate.
919
920         This patch also adds paths so that we don't unnecessarily allocate
921         JSString cells for primitives we are going to concatenate with a
922         string anyway.
923
924         * dfg/DFGOperations.cpp:
925         * runtime/CommonSlowPaths.cpp:
926         (JSC::SLOW_PATH_DECL):
927         * runtime/JSString.h:
928         * runtime/Operations.cpp:
929         (JSC::jsAddSlowCase):
930         * runtime/Operations.h:
931         (JSC::jsString):
932         (JSC::jsAdd):
933
934 2019-02-08  Saam barati  <sbarati@apple.com>
935
936         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
937         https://bugs.webkit.org/show_bug.cgi?id=194334
938         <rdar://problem/47844327>
939
940         Reviewed by Mark Lam.
941
942         * dfg/DFGAbstractInterpreterInlines.h:
943         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
944         * dfg/DFGArgumentsEliminationPhase.cpp:
945         * dfg/DFGByteCodeParser.cpp:
946         (JSC::DFG::ByteCodeParser::parseBlock):
947         * dfg/DFGClobberize.h:
948         (JSC::DFG::clobberize):
949         * dfg/DFGConstantFoldingPhase.cpp:
950         (JSC::DFG::ConstantFoldingPhase::foldConstants):
951         * dfg/DFGFixupPhase.cpp:
952         (JSC::DFG::FixupPhase::fixupNode):
953         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
954         * dfg/DFGIntegerCheckCombiningPhase.cpp:
955         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
956         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
957         * dfg/DFGNodeType.h:
958         * dfg/DFGSSALoweringPhase.cpp:
959         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
960         * dfg/DFGSpeculativeJIT.cpp:
961         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
962         * ftl/FTLLowerDFGToB3.cpp:
963         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
964         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
965
966 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
967
968         [JSC] Shrink sizeof(CodeBlock) more
969         https://bugs.webkit.org/show_bug.cgi?id=194419
970
971         Reviewed by Mark Lam.
972
973         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
974
975         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
976         has the same information. This data is not touched in CodeBlock::~CodeBlock,
977         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
978
979         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
980         And we do not touch it in CodeBlock::~CodeBlock.
981
982         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For the baseline and LLInt
983         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns a
984         singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
985
986         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
987
988         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
989
990         * bytecode/CodeBlock.cpp:
991         (JSC::CodeBlock::hash const):
992         (JSC::CodeBlock::sourceCodeForTools const):
993         (JSC::CodeBlock::dumpAssumingJITType const):
994         (JSC::CodeBlock::dumpSource):
995         (JSC::CodeBlock::CodeBlock):
996         (JSC::CodeBlock::finishCreation):
997         (JSC::CodeBlock::propagateTransitions):
998         (JSC::CodeBlock::finalizeLLIntInlineCaches):
999         (JSC::CodeBlock::setCalleeSaveRegisters):
1000         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1001         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1002         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1003         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1004         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1005         (JSC::CodeBlock::newReplacement):
1006         (JSC::CodeBlock::replacement):
1007         (JSC::CodeBlock::computeCapabilityLevel):
1008         (JSC::CodeBlock::jettison):
1009         (JSC::CodeBlock::calleeSaveRegisters const):
1010         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1011         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1012         (JSC::CodeBlock::getArrayProfile):
1013         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1014         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1015         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1016         (JSC::CodeBlock::validate):
1017         (JSC::CodeBlock::outOfLineJumpTarget):
1018         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1019         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1020         * bytecode/CodeBlock.h:
1021         (JSC::CodeBlock::specializationKind const):
1022         (JSC::CodeBlock::isStrictMode const):
1023         (JSC::CodeBlock::isConstructor const):
1024         (JSC::CodeBlock::codeType const):
1025         (JSC::CodeBlock::isKnownNotImmediate):
1026         (JSC::CodeBlock::instructions const):
1027         (JSC::CodeBlock::ownerExecutable const):
1028         (JSC::CodeBlock::thisRegister const):
1029         (JSC::CodeBlock::source const):
1030         (JSC::CodeBlock::sourceOffset const):
1031         (JSC::CodeBlock::firstLineColumnOffset const):
1032         (JSC::CodeBlock::createRareDataIfNecessary):
1033         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1034         (JSC::CodeBlock::setThisRegister): Deleted.
1035         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1036         * bytecode/EvalCodeBlock.h:
1037         * bytecode/FunctionCodeBlock.h:
1038         * bytecode/GlobalCodeBlock.h:
1039         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1040         * bytecode/ModuleProgramCodeBlock.h:
1041         * bytecode/ProgramCodeBlock.h:
1042         * debugger/Debugger.cpp:
1043         (JSC::Debugger::toggleBreakpoint):
1044         * debugger/DebuggerCallFrame.cpp:
1045         (JSC::DebuggerCallFrame::sourceID const):
1046         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1047         * debugger/DebuggerScope.cpp:
1048         (JSC::DebuggerScope::location const):
1049         * dfg/DFGByteCodeParser.cpp:
1050         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1051         (JSC::DFG::ByteCodeParser::inliningCost):
1052         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1053         * dfg/DFGCapabilities.cpp:
1054         (JSC::DFG::isSupportedForInlining):
1055         (JSC::DFG::mightCompileEval):
1056         (JSC::DFG::mightCompileProgram):
1057         (JSC::DFG::mightCompileFunctionForCall):
1058         (JSC::DFG::mightCompileFunctionForConstruct):
1059         (JSC::DFG::canUseOSRExitFuzzing):
1060         * dfg/DFGGraph.h:
1061         (JSC::DFG::Graph::executableFor):
1062         * dfg/DFGJITCompiler.cpp:
1063         (JSC::DFG::JITCompiler::compileFunction):
1064         * dfg/DFGOSREntry.cpp:
1065         (JSC::DFG::prepareOSREntry):
1066         * dfg/DFGOSRExit.cpp:
1067         (JSC::DFG::restoreCalleeSavesFor):
1068         (JSC::DFG::saveCalleeSavesFor):
1069         (JSC::DFG::saveOrCopyCalleeSavesFor):
1070         * dfg/DFGOSRExitCompilerCommon.cpp:
1071         (JSC::DFG::handleExitCounts):
1072         * dfg/DFGOperations.cpp:
1073         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1074         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1075         * ftl/FTLCapabilities.cpp:
1076         (JSC::FTL::canCompile):
1077         * ftl/FTLLink.cpp:
1078         (JSC::FTL::link):
1079         * ftl/FTLOSRExitCompiler.cpp:
1080         (JSC::FTL::compileStub):
1081         * interpreter/CallFrame.cpp:
1082         (JSC::CallFrame::callerSourceOrigin):
1083         * interpreter/Interpreter.cpp:
1084         (JSC::eval):
1085         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1086         * interpreter/StackVisitor.cpp:
1087         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1088         (JSC::StackVisitor::Frame::sourceURL const):
1089         (JSC::StackVisitor::Frame::sourceID):
1090         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1091         * interpreter/StackVisitor.h:
1092         * jit/AssemblyHelpers.h:
1093         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1094         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1095         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1096         * jit/CallFrameShuffleData.cpp:
1097         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1098         * jit/JIT.cpp:
1099         (JSC::JIT::compileWithoutLinking):
1100         * jit/JITToDFGDeferredCompilationCallback.cpp:
1101         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1102         * jit/JITWorklist.cpp:
1103         (JSC::JITWorklist::Plan::finalize):
1104         (JSC::JITWorklist::compileNow):
1105         * jit/RegisterAtOffsetList.cpp:
1106         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1107         * jit/RegisterAtOffsetList.h:
1108         (JSC::RegisterAtOffsetList::at const):
1109         * runtime/ErrorInstance.cpp:
1110         (JSC::appendSourceToError):
1111         * runtime/ScriptExecutable.cpp:
1112         (JSC::ScriptExecutable::newCodeBlockFor):
1113         * runtime/StackFrame.cpp:
1114         (JSC::StackFrame::sourceID const):
1115         (JSC::StackFrame::sourceURL const):
1116         (JSC::StackFrame::computeLineAndColumn const):
1117
1118 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1119
1120         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1121         https://bugs.webkit.org/show_bug.cgi?id=194460
1122
1123         Reviewed by Mark Lam.
1124
1125         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1126
1127         * b3/B3LowerMacros.cpp:
1128
1129 2019-02-08  Mark Lam  <mark.lam@apple.com>
1130
1131         Use maxSingleCharacterString in comparisons instead of literal constants.
1132         https://bugs.webkit.org/show_bug.cgi?id=194452
1133
1134         Reviewed by Yusuke Suzuki.
1135
1136         This way, if we ever change maxSingleCharacterString, it won't break all this code
1137         that relies on it being 0xff implicitly.
1138
1139         * dfg/DFGSpeculativeJIT.cpp:
1140         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1141         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1142         * ftl/FTLLowerDFGToB3.cpp:
1143         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1144         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1145         * jit/ThunkGenerators.cpp:
1146         (JSC::stringGetByValGenerator):
1147         (JSC::charToString):
1148
1149 2019-02-08  Mark Lam  <mark.lam@apple.com>
1150
1151         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1152         https://bugs.webkit.org/show_bug.cgi?id=194446
1153         <rdar://problem/47926792>
1154
1155         Reviewed by Saam Barati.
1156
1157         Fix doesGC() for the following nodes:
1158
1159             CheckTierUpAtReturn:
1160                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1161                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1162
1163             CheckTierUpInLoop:
1164                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1165                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1166
1167             CheckTierUpAndOSREnter:
1168                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1169                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1170
1171             GetByVal:
1172                 case Array::String calls operationSingleCharacterString(), which calls
1173                 jsSingleCharacterString(), which can allocate a string.
1174
1175             PutByValDirect:
1176             PutByVal:
1177             PutByValAlias:
1178                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1179                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1180                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1181                 slow paths call putByValInternal(), which may create exception objects, or
1182                 call the generic JSValue::put() which may execute arbitrary code.
1183
1184             StringCharAt:
1185                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1186                 which can allocate a string.
1187
1188         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1189         to use the maxSingleCharacterString constant instead of a literal constant.
1190
1191         * dfg/DFGDoesGC.cpp:
1192         (JSC::DFG::doesGC):
1193         * dfg/DFGSpeculativeJIT.cpp:
1194         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1195         * dfg/DFGSpeculativeJIT64.cpp:
1196         (JSC::DFG::SpeculativeJIT::compile):
1197         * ftl/FTLLowerDFGToB3.cpp:
1198         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1199         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1200         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1201
1202 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1203
1204         [JSC] SourceProviderCacheItem should be small
1205         https://bugs.webkit.org/show_bug.cgi?id=194432
1206
1207         Reviewed by Saam Barati.
1208
1209         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1210         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1211         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1212
1213         * parser/Parser.cpp:
1214         (JSC::Parser<LexerType>::parseFunctionInfo):
1215         * parser/ParserModes.h:
1216         * parser/ParserTokens.h:
1217         * parser/SourceProviderCacheItem.h:
1218         (JSC::SourceProviderCacheItem::endFunctionToken const):
1219         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1220
1221 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1222
1223         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1224         https://bugs.webkit.org/show_bug.cgi?id=194420
1225
1226         Reviewed by Saam Barati.
1227
1228         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1229         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1230         This trivial patch fixes both.
1231
1232         * b3/B3ReduceStrength.cpp:
1233         * b3/testb3.cpp:
1234         (JSC::B3::testAbsNegArg):
1235
1236 2019-02-07  Keith Miller  <keith_miller@apple.com>
1237
1238         Better error messages for module loader SPI
1239         https://bugs.webkit.org/show_bug.cgi?id=194421
1240
1241         Reviewed by Saam Barati.
1242
1243         * API/JSAPIGlobalObject.mm:
1244         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1245
1246 2019-02-07  Mark Lam  <mark.lam@apple.com>
1247
1248         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1249         https://bugs.webkit.org/show_bug.cgi?id=194399
1250         <rdar://problem/47889777>
1251
1252         Reviewed by Yusuke Suzuki.
1253
1254         Fix doesGC() for the following nodes:
1255
1256             CheckTraps:
1257                 We normally will not emit this node because Options::usePollingTraps() is
1258                 false by default.  However, as it is implemented now, CheckTraps can GC
1259                 because it can allocate a TerminatedExecutionException.  If we make the
1260                 TerminatedExecutionException a singleton allocated at initialization time,
1261                 doesGC() can return false for CheckTraps.
1262                 https://bugs.webkit.org/show_bug.cgi?id=194323
1263
1264             GetMapBucket:
1265                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1266                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1267                 can resolve a rope.
1268
1269             Switch:
1270                 If switchData kind is SwitchChar, can call operationResolveRope().
1271                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1272                     can call operationSwitchString() which resolves ropes.
1273
1274             DirectTailCall:
1275             ForceOSRExit:
1276             Return:
1277             TailCallForwardVarargs:
1278             TailCallVarargs:
1279             Throw:
1280                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1281                 for them, but following our conservative practice, unless we have a good
1282                 reason for doesGC() to return false, we should just return true.
1283
1284         * dfg/DFGDoesGC.cpp:
1285         (JSC::DFG::doesGC):
1286
1287 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1288
1289         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1290         https://bugs.webkit.org/show_bug.cgi?id=194250
1291
1292         Reviewed by Saam Barati.
1293
1294         Adds the following optimizations for integers:
1295         - Sub(x, x) => 0
1296             Already covered by the test testSubArg
1297         - Sub(x1, Neg(x2)) => Add (x1, x2)
1298             Added test: testSubNeg
1299         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1300             Added test: testNegSub
1301         - Add(Neg(x1), x2) => Sub(x2, x1)
1302             Added test: testAddNeg1
1303         - Add(x1, Neg(x2)) => Sub(x1, x2)
1304             Added test: testAddNeg2
1305         Adds the following optimization for floating point values:
1306         - Abs(Neg(x)) => Abs(x)
1307             Added test: testAbsNegArg
1309
1310         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..)).
1311
1312         * b3/B3ReduceStrength.cpp:
1313         * b3/testb3.cpp:
1314         (JSC::B3::testAddNeg1):
1315         (JSC::B3::testAddNeg2):
1316         (JSC::B3::testSubNeg):
1317         (JSC::B3::testNegSub):
1318         (JSC::B3::testAbsAbsArg):
1319         (JSC::B3::testAbsNegArg):
1320         (JSC::B3::run):
1321
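A worked version of the peepholes listed in the entry above, together with the Abs(Neg(x)) fix from bug 194420 earlier on this page, as an added example that is not B3's code: a toy value tree with a one-pass reducer, an `absNegBug` switch that reproduces the Abs(Neg(x)) => x mistake, and an evaluator that checks a rewrite preserved meaning the way testAbsNegArg does. Op, Type, Value, reduce, eval, dump and preservesMeaning are names assumed for this example.

```cpp
#include <cmath>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Toy value tree standing in for the B3 IR (an added illustration, not B3 code).
enum class Op { Const, Arg, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };   // stands in for B3's isInteger() / float distinction

struct Value;
using ValuePtr = std::shared_ptr<const Value>;

struct Value {
    Op op;
    Type type;
    double constant;   // Op::Const only
    std::string name;  // Op::Arg only
    ValuePtr a, b;     // children; b is unused by Neg and Abs
    bool isInteger() const { return type == Type::Int64; }
};

ValuePtr makeConst(Type t, double v) { return std::make_shared<Value>(Value{Op::Const, t, v, "", nullptr, nullptr}); }
ValuePtr makeArg(Type t, const std::string& n) { return std::make_shared<Value>(Value{Op::Arg, t, 0, n, nullptr, nullptr}); }
ValuePtr makeUnary(Op op, ValuePtr a) { Type t = a->type; return std::make_shared<Value>(Value{op, t, 0, "", std::move(a), nullptr}); }
ValuePtr makeBinary(Op op, ValuePtr a, ValuePtr b) { Type t = a->type; return std::make_shared<Value>(Value{op, t, 0, "", std::move(a), std::move(b)}); }

// Structural equality. B3 proper hash-conses Values, so identical subtrees are one object.
bool same(const ValuePtr& x, const ValuePtr& y) {
    if (x == y) return true;
    if (!x || !y || x->op != y->op || x->type != y->type) return false;
    switch (x->op) {
    case Op::Const: return x->constant == y->constant;
    case Op::Arg:   return x->name == y->name;
    default:        return same(x->a, y->a) && same(x->b, y->b);
    }
}

// One bottom-up strength-reduction pass. B3ReduceStrength re-runs until nothing changes;
// one pass is enough for the shapes below. `absNegBug` reproduces the mistake from bug
// 194250 (Abs(Neg(x)) => x) that bug 194420 corrected.
ValuePtr reduce(const ValuePtr& v, bool absNegBug = false) {
    if (v->op == Op::Const || v->op == Op::Arg) return v;
    ValuePtr a = reduce(v->a, absNegBug);
    ValuePtr b = v->b ? reduce(v->b, absNegBug) : nullptr;
    if (v->isInteger()) {                                // Neg/Sub peepholes are integer-only
        switch (v->op) {
        case Op::Sub:
            if (same(a, b)) return makeConst(v->type, 0);                 // Sub(x, x) => 0
            if (b->op == Op::Neg) return makeBinary(Op::Add, a, b->a);     // Sub(x1, Neg(x2)) => Add(x1, x2)
            break;
        case Op::Neg:
            if (a->op == Op::Sub) return makeBinary(Op::Sub, a->b, a->a);  // Neg(Sub(x1, x2)) => Sub(x2, x1)
            break;
        case Op::Add:
            if (a->op == Op::Neg) return makeBinary(Op::Sub, b, a->a);     // Add(Neg(x1), x2) => Sub(x2, x1)
            if (b->op == Op::Neg) return makeBinary(Op::Sub, a, b->a);     // Add(x1, Neg(x2)) => Sub(x1, x2)
            break;
        default: break;
        }
    } else if (v->op == Op::Abs && a->op == Op::Neg) {   // floating point: Abs(Neg(x)) => Abs(x)
        return absNegBug ? a->a : makeUnary(Op::Abs, a->a);
    }
    return b ? makeBinary(v->op, a, b) : makeUnary(v->op, a);
}

// Interpret a tree under an argument binding; used to check that a rewrite preserved meaning.
using Env = std::map<std::string, double>;
double eval(const ValuePtr& v, const Env& env) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg:   return env.at(v->name);
    case Op::Add:   return eval(v->a, env) + eval(v->b, env);
    case Op::Sub:   return eval(v->a, env) - eval(v->b, env);
    case Op::Neg:   return -eval(v->a, env);
    case Op::Abs:   return std::fabs(eval(v->a, env));
    }
    return 0;
}

std::string dump(const ValuePtr& v) {
    switch (v->op) {
    case Op::Const: return std::to_string(static_cast<long long>(v->constant));
    case Op::Arg:   return v->name;
    case Op::Add:   return "Add(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Sub:   return "Sub(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Neg:   return "Neg(" + dump(v->a) + ")";
    case Op::Abs:   return "Abs(" + dump(v->a) + ")";
    }
    return "?";
}

// The check testAbsNegArg makes: before and after must agree on a concrete input.
bool preservesMeaning(const ValuePtr& before, const ValuePtr& after, const Env& env) {
    return eval(before, env) == eval(after, env);
}

int main() {
    ValuePtr absNeg = makeUnary(Op::Abs, makeUnary(Op::Neg, makeArg(Type::Double, "d")));
    Env env{{"d", -3.0}};   // constructed sample input where the buggy rewrite is visible
    std::cout << dump(absNeg) << " => " << dump(reduce(absNeg)) << " preserved: "
              << preservesMeaning(absNeg, reduce(absNeg), env) << "\n";
    std::cout << dump(absNeg) << " => " << dump(reduce(absNeg, true)) << " preserved: "
              << preservesMeaning(absNeg, reduce(absNeg, true), env) << "\n";
    return 0;
}
```
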
1322 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1323
1324         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1325         https://bugs.webkit.org/show_bug.cgi?id=194374
1326
1327         Reviewed by Geoffrey Garen.
1328
1329         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1330         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1331         is more memory efficient.
1332
1333         * runtime/SmallStrings.cpp:
1334         (JSC::SmallStringsStorage::SmallStringsStorage):
1335         (JSC::SmallStrings::SmallStrings):
1336         * runtime/SmallStrings.h:
1337
1338 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1339
1340         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1341         https://bugs.webkit.org/show_bug.cgi?id=194369
1342         <rdar://problem/47813087>
1343
1344         Reviewed by Saam Barati.
1345
1346         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1347         JSEmpty if it is in TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1348         constant folding phase.
1349
1350         * dfg/DFGAbstractInterpreterInlines.h:
1351         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1352
1353 2019-02-06  Devin Rousso  <drousso@apple.com>
1354
1355         Web Inspector: DOM: don't send the entire function string with each event listener
1356         https://bugs.webkit.org/show_bug.cgi?id=194293
1357         <rdar://problem/47822809>
1358
1359         Reviewed by Joseph Pecoraro.
1360
1361         * inspector/protocol/DOM.json:
1362
1363         * runtime/JSFunction.h:
1364         Export `calculatedDisplayName`.
1365
1366 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1367
1368         [JSC] PrivateName to PublicName hash table is wasteful
1369         https://bugs.webkit.org/show_bug.cgi?id=194277
1370
1371         Reviewed by Michael Saboff.
1372
1373         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1374         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1375         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1376         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1377
1378         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1379
1380         1. PrivateName's content should be the same as PublicName's.
1381         2. If PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1382            the public name should be easily crafted from the given PrivateName.
1383
1384         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that "@xxxSymbol"
1385         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1386
1387         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1388         WebCore.
1389
1390         * builtins/BuiltinNames.cpp:
1391         (JSC::BuiltinNames::BuiltinNames):
1392         * builtins/BuiltinNames.h:
1393         (JSC::BuiltinNames::lookUpPrivateName const):
1394         (JSC::BuiltinNames::getPublicName const):
1395         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1396         (JSC::BuiltinNames::appendExternalName):
1397         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1398         * builtins/BuiltinUtils.h:
1399         * bytecode/BytecodeDumper.cpp:
1400         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1401         * bytecompiler/NodesCodegen.cpp:
1402         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1403         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1404         * parser/Lexer.cpp:
1405         (JSC::Lexer<LChar>::parseIdentifier):
1406         (JSC::Lexer<UChar>::parseIdentifier):
1407         * parser/Parser.cpp:
1408         (JSC::Parser<LexerType>::createGeneratorParameters):
1409         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1410         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1411         (JSC::Parser<LexerType>::parseClassDeclaration):
1412         (JSC::Parser<LexerType>::parseExportDeclaration):
1413         (JSC::Parser<LexerType>::parseMemberExpression):
1414         * parser/ParserArena.h:
1415         (JSC::IdentifierArena::makeIdentifier):
1416         * runtime/CachedTypes.cpp:
1417         (JSC::CachedUniquedStringImpl::encode):
1418         (JSC::CachedUniquedStringImpl::decode const):
1419         * runtime/CommonIdentifiers.cpp:
1420         (JSC::CommonIdentifiers::CommonIdentifiers):
1421         (JSC::CommonIdentifiers::lookUpPrivateName const):
1422         (JSC::CommonIdentifiers::getPublicName const):
1423         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1424         * runtime/CommonIdentifiers.h:
1425         * runtime/ExceptionHelpers.cpp:
1426         (JSC::createUndefinedVariableError):
1427         * runtime/Identifier.cpp:
1428         (JSC::Identifier::dump const):
1429         * runtime/Identifier.h:
1430         * runtime/IdentifierInlines.h:
1431         (JSC::Identifier::fromUid):
1432         * runtime/JSTypedArrayViewPrototype.cpp:
1433         (JSC::JSTypedArrayViewPrototype::finishCreation):
1434         * tools/JSDollarVM.cpp:
1435         (JSC::functionGetPrivateProperty):
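The two rules in the entry above, as an added illustration that is not part of this ChangeLog or of JSC's own code: publicNameFor() crafts a public name from a private name, and publicToPrivateMapIsConsistent() is the kind of check that makes the reverse "PrivateName to PublicName" table droppable. Both function names, the '@'-prefixed spelling of private names and the sample table are assumptions for this example.

```cpp
#include <cassert>
#include <map>
#include <string>

// Added illustration, not JSC's code. Rule (1): a genuine private name "@xxx" has the same
// content as its public name "xxx". Rule (2): the hacky well-known-symbol mappings spelled
// "@xxxSymbol" correspond to the public name "Symbol.xxx". With both rules a public name can
// be crafted from a private name without a second 16KB hash table.
std::string publicNameFor(const std::string& privateName)
{
    // Builtin JS spells private names with a leading '@' (assumed convention for this example).
    std::string name = privateName;
    if (!name.empty() && name[0] == '@')
        name.erase(0, 1);

    static const std::string symbolSuffix = "Symbol";
    bool endsWithSymbol = name.size() > symbolSuffix.size()
        && name.compare(name.size() - symbolSuffix.size(), symbolSuffix.size(), symbolSuffix) == 0;
    if (endsWithSymbol)
        return "Symbol." + name.substr(0, name.size() - symbolSuffix.size()); // rule (2)
    return name;                                                              // rule (1)
}

// The "PublicName to PrivateName" table is still kept. This hypothetical check verifies that
// every entry can be inverted by publicNameFor(), which is the property that lets the
// "PrivateName to PublicName" table be removed.
bool publicToPrivateMapIsConsistent(const std::map<std::string, std::string>& publicToPrivate)
{
    for (const auto& entry : publicToPrivate) {
        if (publicNameFor(entry.second) != entry.first)
            return false;
    }
    return true;
}

// Constructed sample table for the demonstration; not the real BuiltinNames contents.
std::map<std::string, std::string> sampleConsistentTable()
{
    std::map<std::string, std::string> table;
    table["entries"] = "@entries";
    table["Symbol.iterator"] = "@iteratorSymbol";
    table["Symbol.asyncIterator"] = "@asyncIteratorSymbol";
    return table;
}

int main()
{
    assert(publicNameFor("@iteratorSymbol") == "Symbol.iterator");
    assert(publicNameFor("@entries") == "entries");
    assert(publicToPrivateMapIsConsistent(sampleConsistentTable()));

    // An entry violating rule (1) (private content differs from the public name) is caught.
    std::map<std::string, std::string> broken = sampleConsistentTable();
    broken["values"] = "@valuesPrivate";
    assert(!publicToPrivateMapIsConsistent(broken));
    return 0;
}
```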
1436
1437 2019-02-06  Keith Rollin  <krollin@apple.com>
1438
1439         Really enable the automatic checking and regenerations of .xcfilelists during builds
1440         https://bugs.webkit.org/show_bug.cgi?id=194357
1441         <rdar://problem/47861231>
1442
1443         Reviewed by Chris Dumez.
1444
1445         Bug 194124 was supposed to enable the automatic checking and
1446         regenerating of .xcfilelist files during the build. While related
1447         changes were included in that patch, the change to actually enable the
1448         operation somehow was omitted. This patch actually enables the
1449         operation. The check-xcfilelist.sh scripts now check
1450         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1451         of the checking.
1452
1453         * Scripts/check-xcfilelists.sh:
1454
1455 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1456
1457         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1458         https://bugs.webkit.org/show_bug.cgi?id=194339
1459
1460         Reviewed by Michael Saboff.
1461
1462         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1463         They even have the same structure. This patch unifies the subspaces for them.
1464
1465         * runtime/DirectEvalExecutable.h:
1466         * runtime/EvalExecutable.h:
1467         (JSC::EvalExecutable::subspaceFor):
1468         * runtime/IndirectEvalExecutable.h:
1469         * runtime/VM.cpp:
1470         * runtime/VM.h:
1471         (JSC::VM::forEachScriptExecutableSpace):
1472
1473 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1474
1475         [JSC] NativeExecutable should be smaller
1476         https://bugs.webkit.org/show_bug.cgi?id=194331
1477
1478         Reviewed by Michael Saboff.
1479
1480         NativeExecutable takes 88 bytes now. Since our GC rounds sizes up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1481         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1482         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1483         only takes one MarkedBlock for NativeExecutable.
1484
1485         To make NativeExecutable smaller,
1486
1487         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1488            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1489
1490         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1491            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1492            NativeJITCode and is instantiated only when DOMJIT::Signature* is given.
1493
1494         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1495            Intrinsic for NativeExecutable.
1496
1497         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1498
1499         * CMakeLists.txt:
1500         * JavaScriptCore.xcodeproj/project.pbxproj:
1501         * bytecode/CallVariant.h:
1502         * interpreter/Interpreter.cpp:
1503         * jit/JITCode.cpp:
1504         (JSC::DirectJITCode::DirectJITCode):
1505         (JSC::NativeJITCode::NativeJITCode):
1506         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1507         * jit/JITCode.h:
1508         (JSC::JITCode::signature const):
1509         (JSC::JITCode::intrinsic):
1510         * jit/JITOperations.cpp:
1511         * jit/JITThunks.cpp:
1512         (JSC::JITThunks::hostFunctionStub):
1513         * jit/Repatch.cpp:
1514         * llint/LLIntSlowPaths.cpp:
1515         * runtime/ExecutableBase.cpp:
1516         (JSC::ExecutableBase::dump const):
1517         (JSC::ExecutableBase::hashFor const):
1518         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1519         (JSC::ExecutableBase::clearCode): Deleted.
1520         * runtime/ExecutableBase.h:
1521         (JSC::ExecutableBase::ExecutableBase):
1522         (JSC::ExecutableBase::isModuleProgramExecutable):
1523         (JSC::ExecutableBase::isHostFunction const):
1524         (JSC::ExecutableBase::generatedJITCodeForCall const):
1525         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1526         (JSC::ExecutableBase::generatedJITCodeFor const):
1527         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1528         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1529         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1530         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1531         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1532         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1533         (JSC::ExecutableBase::intrinsic const): Deleted.
1534         * runtime/ExecutableBaseInlines.h: Added.
1535         (JSC::ExecutableBase::intrinsic const):
1536         (JSC::ExecutableBase::hasJITCodeForCall const):
1537         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1538         * runtime/JSBoundFunction.cpp:
1539         * runtime/JSType.cpp:
1540         (WTF::printInternal):
1541         * runtime/JSType.h:
1542         * runtime/NativeExecutable.cpp:
1543         (JSC::NativeExecutable::create):
1544         (JSC::NativeExecutable::createStructure):
1545         (JSC::NativeExecutable::NativeExecutable):
1546         (JSC::NativeExecutable::signatureFor const):
1547         (JSC::NativeExecutable::intrinsic const):
1548         * runtime/NativeExecutable.h:
1549         * runtime/ScriptExecutable.cpp:
1550         (JSC::ScriptExecutable::ScriptExecutable):
1551         (JSC::ScriptExecutable::clearCode):
1552         (JSC::ScriptExecutable::installCode):
1553         (JSC::ScriptExecutable::hasClearableCode const):
1554         * runtime/ScriptExecutable.h:
1555         (JSC::ScriptExecutable::intrinsic const):
1556         (JSC::ScriptExecutable::hasJITCodeForCall const):
1557         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1558         * runtime/VM.cpp:
1559         (JSC::VM::getHostFunction):
1560
1561 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1562
1563         Build failure after r240431
1564         https://bugs.webkit.org/show_bug.cgi?id=194330
1565
1566         Reviewed by Žan Doberšek.
1567
1568         * API/glib/JSCOptions.cpp:
1569
1570 2019-02-05  Mark Lam  <mark.lam@apple.com>
1571
1572         Fix DFG's doesGC() for a few more nodes.
1573         https://bugs.webkit.org/show_bug.cgi?id=194307
1574         <rdar://problem/47832956>
1575
1576         Reviewed by Yusuke Suzuki.
1577
1578         Fix doesGC() for the following nodes:
1579
1580             NumberToStringWithValidRadixConstant:
1581                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1582                 which can allocate a string.
1583                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1584                 which can allocate a string.
1585                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1586                 which can allocate a string.
1587
1588             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1589                 memory for all kinds of objects.
1590             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1591                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1592                 these allocate memory for the match result.
1593             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1594                 calls RegExpObject's collectMatches(), which allocates an array amongst
1595                 other objects.
1596
1597             StringFromCharCode:
1598                 If the uint32 code to convert is greater than maxSingleCharacterString,
1599                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1600                 which allocates a new string if the code is greater than maxSingleCharacterString.
1601
1602         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1603         to use maxSingleCharacterString instead of a literal constant.
1604
1605         * dfg/DFGDoesGC.cpp:
1606         (JSC::DFG::doesGC):
1607         * dfg/DFGSpeculativeJIT.cpp:
1608         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1609         * ftl/FTLLowerDFGToB3.cpp:
1610         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1611
1612 2019-02-05  Keith Rollin  <krollin@apple.com>
1613
1614         Enable the automatic checking and regenerations of .xcfilelists during builds
1615         https://bugs.webkit.org/show_bug.cgi?id=194124
1616         <rdar://problem/47721277>
1617
1618         Reviewed by Tim Horton.
1619
1620         Bug 193790 added a facility for checking -- during build time -- that
1621         any needed .xcfilelist files are up-to-date and for updating them if
1622         they are not. This facility was initially opt-in by setting
1623         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1624         the process seemed robust. It's now time to enable this facility and
1625         make it opt-out. If there is a need to disable this facility, set and
1626         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1627         running `make` or `build-webkit`, or before running Xcode from the
1628         command line.
1629
1630         Additionally, remove the step that generates a list of source files
1631         going into the UnifiedSources build step. It's only necessary to
1632         specify Sources.txt and SourcesCocoa.txt as inputs.
1633
1634         * JavaScriptCore.xcodeproj/project.pbxproj:
1635         * UnifiedSources-input.xcfilelist: Removed.
1636
1637 2019-02-05  Keith Rollin  <krollin@apple.com>
1638
1639         Update .xcfilelist files
1640         https://bugs.webkit.org/show_bug.cgi?id=194121
1641         <rdar://problem/47720863>
1642
1643         Reviewed by Tim Horton.
1644
1645         Preparatory to enabling the facility for automatically updating the
1646         .xcfilelist files, check in a freshly-updated set so that not everyone
1647         runs up against having to regenerate them themselves.
1648
1649         * DerivedSources-input.xcfilelist:
1650         * DerivedSources-output.xcfilelist:
1651
1652 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1653
1654         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1655         https://bugs.webkit.org/show_bug.cgi?id=185557
1656
1657         Reviewed by Mark Lam.
1658
1659         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1660         where n is the number of characters in the formatted string.
1661         It may be less memory efficient than the previous impl, since the intermediate Vector
1662         is the length of the string, instead of the count of the fields.
1663
1664         * runtime/IntlNumberFormat.cpp:
1665         (JSC::IntlNumberFormat::formatToParts):
1666         * runtime/IntlNumberFormat.h:
1667
1668 2019-02-05  Mark Lam  <mark.lam@apple.com>
1669
1670         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1671         https://bugs.webkit.org/show_bug.cgi?id=194298
1672         <rdar://problem/47827555>
1673
1674         Reviewed by Saam Barati.
1675
1676         We do this for 3 reasons:
1677         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1678         2. If things change in the future where clobberize() no longer reports these nodes
1679            as write(Heap), each node should be vetted first to make sure that it can never
1680            GC before being moved back to the doesGC() list that returns false.
1681         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1682            correct in its claims about the nodes' GCing possibility.
1683
1684         The list of nodes moved are:
1685
1686             ArrayPush
1687             ArrayPop
1688             Call
1689             CallEval
1690             CallForwardVarargs
1691             CallVarargs
1692             Construct
1693             ConstructForwardVarargs
1694             ConstructVarargs
1695             DefineDataProperty
1696             DefineAccessorProperty
1697             DeleteById
1698             DeleteByVal
1699             DirectCall
1700             DirectConstruct
1701             DirectTailCallInlinedCaller
1702             GetById
1703             GetByIdDirect
1704             GetByIdDirectFlush
1705             GetByIdFlush
1706             GetByIdWithThis
1707             GetByValWithThis
1708             GetDirectPname
1709             GetDynamicVar
1710             HasGenericProperty
1711             HasOwnProperty
1712             HasStructureProperty
1713             InById
1714             InByVal
1715             InstanceOf
1716             InstanceOfCustom
1717             LoadVarargs
1718             NumberToStringWithRadix
1719             PutById
1720             PutByIdDirect
1721             PutByIdFlush
1722             PutByIdWithThis
1723             PutByOffset
1724             PutByValWithThis
1725             PutDynamicVar
1726             PutGetterById
1727             PutGetterByVal
1728             PutGetterSetterById
1729             PutSetterById
1730             PutSetterByVal
1731             PutStack
1732             PutToArguments
1733             RegExpExec
1734             RegExpTest
1735             ResolveScope
1736             ResolveScopeForHoistingFuncDeclInEval
1737             TailCall
1738             TailCallForwardVarargsInlinedCaller
1739             TailCallInlinedCaller
1740             TailCallVarargsInlinedCaller
1741             ToNumber
1742             ToPrimitive
1743             ValueNegate
1744
1745         * dfg/DFGDoesGC.cpp:
1746         (JSC::DFG::doesGC):
1747
1748 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1749
1750         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1751         https://bugs.webkit.org/show_bug.cgi?id=194281
1752
1753         Reviewed by Michael Saboff.
1754
1755         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1756         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1757
1758         We still have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
1759         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1760         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, so we leave them as future work.
1761
1762         * bytecode/CodeBlock.cpp:
1763         (JSC::CodeBlock::finishCreation):
1764         * bytecode/CodeBlock.h:
1765         (JSC::CodeBlock::bitVectors const): Deleted.
1766         * bytecode/CodeType.h:
1767         * bytecode/UnlinkedCodeBlock.cpp:
1768         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1769         (JSC::UnlinkedCodeBlock::shrinkToFit):
1770         * bytecode/UnlinkedCodeBlock.h:
1771         (JSC::UnlinkedCodeBlock::bitVector):
1772         (JSC::UnlinkedCodeBlock::addBitVector):
1773         (JSC::UnlinkedCodeBlock::addSetConstant):
1774         (JSC::UnlinkedCodeBlock::constantRegisters):
1775         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1776         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1777         (JSC::UnlinkedCodeBlock::codeType const):
1778         (JSC::UnlinkedCodeBlock::didOptimize const):
1779         (JSC::UnlinkedCodeBlock::setDidOptimize):
1780         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1781         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1782         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1783         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1784         * bytecompiler/BytecodeGenerator.cpp:
1785         (JSC::BytecodeGenerator::emitLoad):
1786         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1787         * bytecompiler/BytecodeGenerator.h:
1788         * runtime/CachedTypes.cpp:
1789         (JSC::CachedCodeBlockRareData::encode):
1790         (JSC::CachedCodeBlockRareData::decode const):
1791         (JSC::CachedCodeBlock::scopeRegister const):
1792         (JSC::CachedCodeBlock::codeType const):
1793         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1794         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1795         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1796         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1797
1798 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1799
1800         Unreviewed, add missing exception checks after r240637
1801         https://bugs.webkit.org/show_bug.cgi?id=193546
1802
1803         * tools/JSDollarVM.cpp:
1804         (JSC::functionShadowChickenFunctionsOnStack):
1805
1806 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1807
1808         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1809         https://bugs.webkit.org/show_bug.cgi?id=193993
1810
1811         Reviewed by Keith Miller.
1812
1813         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
1814         And some of them are rarely used. We should allocate them lazily.
1815
1816         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1817         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1818         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1819         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1820         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
1821         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1822         by using WTF::storeStoreFence when lazily allocating it.
1823
1824         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1825         existence of the space before touching it. This is not racy because the main thread is stopped when
1826         the constraint solving is running.
1827
1828         This changes sizeof(VM) from 64736 to 56472.
1829
1830         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1831         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
1832         collector and the mutator if an IsoSubspace is dynamically created. We do want IsoSubspaces to be
1833         dynamically created, since the pre-allocation requirement poses a scalability problem for IsoSubspace
1834         adoption because IsoSubspace is large. A registered Subspace is only touched in the
1835         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1836         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1837
1838         * API/JSCallbackFunction.h:
1839         * API/ObjCCallbackFunction.h:
1840         (JSC::ObjCCallbackFunction::subspaceFor):
1841         * API/glib/JSCCallbackFunction.h:
1842         * CMakeLists.txt:
1843         * JavaScriptCore.xcodeproj/project.pbxproj:
1844         * bytecode/CodeBlock.cpp:
1845         (JSC::CodeBlock::visitChildren):
1846         (JSC::CodeBlock::finalizeUnconditionally):
1847         * bytecode/CodeBlock.h:
1848         * bytecode/EvalCodeBlock.h:
1849         * bytecode/ExecutableToCodeBlockEdge.h:
1850         * bytecode/FunctionCodeBlock.h:
1851         * bytecode/ModuleProgramCodeBlock.h:
1852         * bytecode/ProgramCodeBlock.h:
1853         * bytecode/UnlinkedFunctionExecutable.cpp:
1854         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1855         * bytecode/UnlinkedFunctionExecutable.h:
1856         * dfg/DFGSpeculativeJIT.cpp:
1857         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1858         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1859         (JSC::DFG::SpeculativeJIT::compileNewObject):
1860         * ftl/FTLLowerDFGToB3.cpp:
1861         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1862         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1863         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1864         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1865         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1866         * heap/Heap.cpp:
1867         (JSC::Heap::finalizeUnconditionalFinalizers):
1868         (JSC::Heap::deleteAllCodeBlocks):
1869         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1870         (JSC::Heap::addCoreConstraints):
1871         * heap/Subspace.cpp:
1872         (JSC::Subspace::initialize):
1873         * jit/AssemblyHelpers.h:
1874         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1875         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1876         * jit/JITOpcodes.cpp:
1877         (JSC::JIT::emit_op_new_object):
1878         * jit/JITOpcodes32_64.cpp:
1879         (JSC::JIT::emit_op_new_object):
1880         * runtime/DirectArguments.h:
1881         * runtime/DirectEvalExecutable.h:
1882         * runtime/ErrorInstance.h:
1883         (JSC::ErrorInstance::subspaceFor):
1884         * runtime/ExecutableBase.h:
1885         * runtime/FunctionExecutable.h:
1886         * runtime/IndirectEvalExecutable.h:
1887         * runtime/InferredValue.cpp:
1888         (JSC::InferredValue::visitChildren):
1889         * runtime/InferredValue.h:
1890         * runtime/InferredValueInlines.h:
1891         (JSC::InferredValue::finalizeUnconditionally):
1892         * runtime/InternalFunction.h:
1893         * runtime/JSAsyncFunction.h:
1894         * runtime/JSAsyncGeneratorFunction.h:
1895         * runtime/JSBoundFunction.h:
1896         * runtime/JSCell.h:
1897         (JSC::subspaceFor):
1898         (JSC::subspaceForConcurrently):
1899         * runtime/JSCellInlines.h:
1900         (JSC::allocatorForNonVirtualConcurrently):
1901         * runtime/JSCustomGetterSetterFunction.h:
1902         * runtime/JSDestructibleObject.h:
1903         * runtime/JSFunction.h:
1904         * runtime/JSGeneratorFunction.h:
1905         * runtime/JSImmutableButterfly.h:
1906         * runtime/JSLexicalEnvironment.h:
1907         (JSC::JSLexicalEnvironment::subspaceFor):
1908         * runtime/JSNativeStdFunction.h:
1909         * runtime/JSSegmentedVariableObject.h:
1910         * runtime/JSString.h:
1911         * runtime/ModuleProgramExecutable.h:
1912         * runtime/NativeExecutable.h:
1913         * runtime/ProgramExecutable.h:
1914         * runtime/PropertyMapHashTable.h:
1915         * runtime/ProxyRevoke.h:
1916         * runtime/ScopedArguments.h:
1917         * runtime/ScriptExecutable.cpp:
1918         (JSC::ScriptExecutable::clearCode):
1919         (JSC::ScriptExecutable::installCode):
1920         * runtime/Structure.h:
1921         * runtime/StructureRareData.h:
1922         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1923         * runtime/VM.cpp:
1924         (JSC::VM::VM):
1925         * runtime/VM.h:
1926         (JSC::VM::SpaceAndSet::SpaceAndSet):
1927         (JSC::VM::SpaceAndSet::setFor):
1928         (JSC::VM::forEachScriptExecutableSpace):
1929         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1930         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1931         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1932         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1933         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1934         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1935         * runtime/WeakMapImpl.h:
1936         (JSC::WeakMapImpl::subspaceFor):
1937         * wasm/js/JSWebAssemblyCodeBlock.h:
1938         * wasm/js/JSWebAssemblyMemory.h:
1939         * wasm/js/WebAssemblyFunction.h:
1940         * wasm/js/WebAssemblyWrapperFunction.h:
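The lazily created subspace pattern the entry above describes (an ensureXXXSpace path on the main thread, a concurrent path that may return nullptr, and an existence check before the GC touches the space), as an added illustration that is not JSC's code: Space, LazySpaceHolder, the SubspaceAccess values and every method name here are hypothetical, and WTF::storeStoreFence is replaced by std::atomic release/acquire ordering.

```cpp
#include <atomic>
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>

// Added illustration, not JSC's code: a stand-in for a lazily allocated IsoSubspace.
struct Space {
    std::string name;
    std::size_t cellSize;
    Space(const std::string& spaceName, std::size_t size) : name(spaceName), cellSize(size) { }
};

// Hypothetical holder standing in for the VM's `std::unique_ptr<IsoSubspace>` member.
class LazySpaceHolder {
public:
    // Main-thread (mutator) path, in the role of ensureXXXSpace(): allocate on first use.
    Space& ensureSpace()
    {
        if (!m_owned) {
            m_owned.reset(new Space("hypotheticalSpace", 64));
            ++m_allocationCount;
            // Publish only after construction has completed. The release store plays the
            // role of WTF::storeStoreFence: the Space's fields are visible to any thread
            // that observes the non-null pointer.
            m_published.store(m_owned.get(), std::memory_order_release);
        }
        return *m_owned;
    }

    // Concurrent-compiler path, in the role of subspaceForConcurrently<>(): never allocates
    // and returns nullptr while the space does not exist yet, so callers must treat nullptr
    // as "take the slow path", not as an error.
    Space* spaceConcurrently() const
    {
        return m_published.load(std::memory_order_acquire);
    }

    // Constraint-solving path: check existence before touching the space. In JSC this is
    // race-free because the mutator is stopped; the acquire load keeps this example sound
    // even without that guarantee.
    std::size_t cellSizeIfAllocated() const
    {
        if (Space* space = spaceConcurrently())
            return space->cellSize;
        return 0;
    }

    unsigned allocationCount() const { return m_allocationCount; }

private:
    std::unique_ptr<Space> m_owned;
    std::atomic<Space*> m_published { nullptr };
    unsigned m_allocationCount { 0 };
};

// Hypothetical stand-in for the second template parameter JSCell::subspaceFor now takes.
enum class SubspaceAccess { OnMainThread, Concurrently };

template<SubspaceAccess access>
Space* subspaceFor(LazySpaceHolder& vm)
{
    if (access == SubspaceAccess::Concurrently)
        return vm.spaceConcurrently(); // may be nullptr
    return &vm.ensureSpace();          // never nullptr, may allocate
}

// Walks the lifecycle once and reports whether every expectation held.
bool lazySpaceLifecycleHolds()
{
    LazySpaceHolder vm;
    // Before any main-thread use, concurrent callers see nullptr and the GC has nothing to touch.
    if (subspaceFor<SubspaceAccess::Concurrently>(vm) != nullptr || vm.cellSizeIfAllocated() != 0)
        return false;
    // The first main-thread use allocates and publishes the space.
    Space* space = subspaceFor<SubspaceAccess::OnMainThread>(vm);
    if (!space || vm.allocationCount() != 1)
        return false;
    // Afterwards concurrent callers see the same object, and repeated main-thread calls do not reallocate.
    if (subspaceFor<SubspaceAccess::Concurrently>(vm) != space || &vm.ensureSpace() != space)
        return false;
    return vm.allocationCount() == 1 && vm.cellSizeIfAllocated() == 64;
}

int main()
{
    assert(lazySpaceLifecycleHolds());
    return 0;
}
```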
1941
1942 2019-02-04  Keith Miller  <keith_miller@apple.com>
1943
1944         Change llint operand macros to inline functions
1945         https://bugs.webkit.org/show_bug.cgi?id=194248
1946
1947         Reviewed by Mark Lam.
1948
1949         * llint/LLIntSlowPaths.cpp:
1950         (JSC::LLInt::getNonConstantOperand):
1951         (JSC::LLInt::getOperand):
1952         (JSC::LLInt::llint_trace_value):
1953         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1954         (JSC::LLInt::getByVal):
1955         (JSC::LLInt::genericCall):
1956         (JSC::LLInt::varargsSetup):
1957         (JSC::LLInt::commonCallEval):
1958
1959 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1960
1961         when lowering AssertNotEmpty, create the value before creating the patchpoint
1962         https://bugs.webkit.org/show_bug.cgi?id=194231
1963
1964         Reviewed by Saam Barati.
1965
1966         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1967         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1968
1969         * ftl/FTLLowerDFGToB3.cpp:
1970         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1971
1972 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1973
1974         [JSC] ExecutableToCodeBlockEdge should be smaller
1975         https://bugs.webkit.org/show_bug.cgi?id=194244
1976
1977         Reviewed by Michael Saboff.
1978
1979         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
1980         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
1981         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
1982         it is wasted. We should fit it into 16 bytes so that we can allocate it efficiently.
1983
1984         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
1985         since it is a per-cell bit. We rename it to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
1986         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
1987
1988         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
1989         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
1990         does not touch it if it is called on non-main threads).
1991
1992         * bytecode/ExecutableToCodeBlockEdge.cpp:
1993         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1994         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1995         (JSC::ExecutableToCodeBlockEdge::activate):
1996         (JSC::ExecutableToCodeBlockEdge::deactivate):
1997         (JSC::ExecutableToCodeBlockEdge::isActive const):
1998         * bytecode/ExecutableToCodeBlockEdge.h:
1999         * runtime/JSCell.h:
2000         * runtime/JSCellInlines.h:
2001         (JSC::JSCell::perCellBit const):
2002         (JSC::JSCell::setPerCellBit):
2003         (JSC::JSCell::mayBePrototype const): Deleted.
2004         (JSC::JSCell::didBecomePrototype): Deleted.
2005         * runtime/JSObject.cpp:
2006         (JSC::JSObject::setPrototypeDirect):
2007         * runtime/JSObject.h:
2008         * runtime/JSObjectInlines.h:
2009         (JSC::JSObject::mayBePrototype const):
2010         (JSC::JSObject::didBecomePrototype):
2011         * runtime/JSTypeInfo.h:
2012         (JSC::TypeInfo::perCellBit):
2013         (JSC::TypeInfo::mergeInlineTypeFlags):
2014         (JSC::TypeInfo::mayBePrototype): Deleted.
2015
2016 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2017
2018         [JSC] Shrink size of FunctionExecutable
2019         https://bugs.webkit.org/show_bug.cgi?id=194191
2020
2021         Reviewed by Michael Saboff.
2022
2023         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2024         improves the allocation efficiency.
2025
2026         1. ScriptExecutable (the base class of FunctionExecutable) has several members, but they are meaningful only in FunctionExecutable.
2027            We remove them from ScriptExecutable and move them to FunctionExecutable.
2028
2029         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2030            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2031            the size of FunctionExecutable in the common case.
2032
2033         This patch changes the size of FunctionExecutable from 176 to 144.
2034
2035         * bytecode/CodeBlock.cpp:
2036         (JSC::CodeBlock::dumpSource):
2037         (JSC::CodeBlock::finishCreation):
2038         * dfg/DFGNode.h:
2039         (JSC::DFG::Node::OpInfoWrapper::as const):
2040         * interpreter/StackVisitor.cpp:
2041         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2042         * runtime/ExecutableBase.h:
2043         * runtime/FunctionExecutable.cpp:
2044         (JSC::FunctionExecutable::FunctionExecutable):
2045         (JSC::FunctionExecutable::ensureRareDataSlow):
2046         * runtime/FunctionExecutable.h:
2047         * runtime/Intrinsic.h:
2048         * runtime/ModuleProgramExecutable.cpp:
2049         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2050         * runtime/ProgramExecutable.cpp:
2051         (JSC::ProgramExecutable::ProgramExecutable):
2052         * runtime/ScriptExecutable.cpp:
2053         (JSC::ScriptExecutable::ScriptExecutable):
2054         (JSC::ScriptExecutable::overrideLineNumber const):
2055         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2056         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2057         * runtime/ScriptExecutable.h:
2058         (JSC::ScriptExecutable::firstLine const):
2059         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2060         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2061         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2062         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2063         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2064         * runtime/StackFrame.cpp:
2065         (JSC::StackFrame::computeLineAndColumn const):
2066         * tools/JSDollarVM.cpp:
2067         (JSC::functionReturnTypeFor):
2068
2069 2019-02-04  Mark Lam  <mark.lam@apple.com>
2070
2071         DFG's doesGC() is incorrect about the SameValue node's behavior.
2072         https://bugs.webkit.org/show_bug.cgi?id=194211
2073         <rdar://problem/47608913>
2074
2075         Reviewed by Saam Barati.
2076
2077         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2078         it calls operationSameValue() which may allocate memory for resolving ropes.
2079
2080         * dfg/DFGDoesGC.cpp:
2081         (JSC::DFG::doesGC):
2082
2083 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2084
2085         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2086         https://bugs.webkit.org/show_bug.cgi?id=194031
2087
2088         Reviewed by Saam Barati.
2089
2090         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2091         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2092         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2093         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2094
2095         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2096         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2097
2098         * bytecode/MetadataTable.cpp:
2099         (JSC::MetadataTable::MetadataTable):
2100         (JSC::MetadataTable::~MetadataTable):
2101         * bytecode/UnlinkedCodeBlock.cpp:
2102         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2103         (JSC::UnlinkedCodeBlock::visitChildren):
2104         (JSC::UnlinkedCodeBlock::estimatedSize):
2105         (JSC::UnlinkedCodeBlock::setInstructions):
2106         * bytecode/UnlinkedCodeBlock.h:
2107         (JSC::UnlinkedCodeBlock::metadata):
2108         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2109         * bytecode/UnlinkedMetadataTable.h:
2110         (JSC::UnlinkedMetadataTable::create):
2111         * bytecode/UnlinkedMetadataTableInlines.h:
2112         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2113         * runtime/CachedTypes.cpp:
2114         (JSC::CachedMetadataTable::decode const):
2115         (JSC::CachedCodeBlock::metadata const):
2116         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2117         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2118         (JSC::CachedCodeBlock<CodeBlockType>::encode):
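
        The following is an added illustration of the lifetime problem described in this entry; it is not JavaScriptCore code. The class names mirror the entry, but the members are made up, and std::shared_ptr stands in for WTF::RefCounted. It contrasts a linked table that only points at its unlinked table (modelled with a weak_ptr so the dangling reference is observable rather than a use-after-free) with one that holds a strong reference, and shows that with the strong reference the unlinked table is destroyed only after the linked table, regardless of the order in which the two owners are swept.

```cpp
// Added illustration, not JavaScriptCore code: why MetadataTable must hold a
// strong reference to UnlinkedMetadataTable when the GC may sweep the two
// owners in either order. std::shared_ptr stands in for WTF::RefCounted;
// the class names mirror the ChangeLog entry, the members are made up.
#include <memory>
#include <string>
#include <vector>

// Records destruction order so callers can check it.
static std::vector<std::string> g_destroyed;

struct UnlinkedMetadataTable {
    int* buffer = new int[16]();
    ~UnlinkedMetadataTable()
    {
        g_destroyed.push_back("UnlinkedMetadataTable");
        delete[] buffer;
    }
};

// After the fix: the linked table co-owns the unlinked one, so the unlinked
// table cannot die before this destructor has run.
struct MetadataTable {
    std::shared_ptr<UnlinkedMetadataTable> unlinked;
    explicit MetadataTable(std::shared_ptr<UnlinkedMetadataTable> table)
        : unlinked(std::move(table)) { }
    ~MetadataTable()
    {
        unlinked->buffer[0] = 0; // safe: the strong ref keeps it alive
        g_destroyed.push_back("MetadataTable");
    }
};

// Sweep order the bug depended on: the UnlinkedCodeBlock (owner of the unlinked
// table) is finalized first, the CodeBlock (owner of the linked table) second.
// Returns the observed destruction order.
std::vector<std::string> sweepUnlinkedOwnerFirst()
{
    g_destroyed.clear();
    auto unlinked = std::make_shared<UnlinkedMetadataTable>();
    auto linked = std::make_unique<MetadataTable>(unlinked);
    unlinked.reset(); // UnlinkedCodeBlock swept: its reference is dropped
    linked.reset();   // CodeBlock swept: MetadataTable first, then the table it co-owned
    return g_destroyed;
}

// Before the fix: the linked table only pointed at the unlinked one. Modelled
// with weak_ptr so the dangling reference is observable instead of being a
// use-after-free.
struct NonOwningMetadataTable {
    std::weak_ptr<UnlinkedMetadataTable> unlinked;
    bool* sawDangling;
    NonOwningMetadataTable(const std::shared_ptr<UnlinkedMetadataTable>& table, bool* flag)
        : unlinked(table), sawDangling(flag) { }
    ~NonOwningMetadataTable()
    {
        if (!unlinked.lock())
            *sawDangling = true; // the real code would have touched freed memory here
    }
};

bool nonOwningLinkDangles()
{
    bool dangling = false;
    auto unlinked = std::make_shared<UnlinkedMetadataTable>();
    auto linked = std::make_unique<NonOwningMetadataTable>(unlinked, &dangling);
    unlinked.reset(); // unlinked table freed while the linked table still refers to it
    linked.reset();
    return dangling;
}
```

        The design point is ownership direction: the object whose destructor needs the other object must hold the reference that keeps it alive, because a sweeping collector gives no ordering guarantee between cells.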
2119
2120 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2121
2122         [JSC] Decouple JIT related data from CodeBlock
2123         https://bugs.webkit.org/show_bug.cgi?id=194187
2124
2125         Reviewed by Saam Barati.
2126
2127         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2128         We have three types of data in CodeBlock.
2129
2130         1. The data which is always used. CodeBlock needs to hold it.
2131         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2132         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2133
2134         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2135         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2136         memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
2137         in both non-JIT and *JIT* modes.
2138
2139         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2140         by the lock of CodeBlock.
2141
2142         The size of CodeBlock is reduced from 512 to 352.
2143
2144         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2145
2146             Footprint geomean: 36696503 (34.997 MB)
2147             Peak Footprint geomean: 38595988 (36.808 MB)
2148             Score: 37634263 (35.891 MB)
2149
2150             Footprint geomean: 37172768 (35.451 MB)
2151             Peak Footprint geomean: 38978288 (37.173 MB)
2152             Score: 38064824 (36.301 MB)
2153
2154         * bytecode/CodeBlock.cpp:
2155         (JSC::CodeBlock::~CodeBlock):
2156         (JSC::CodeBlock::propagateTransitions):
2157         (JSC::CodeBlock::ensureJITDataSlow):
2158         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2159         (JSC::CodeBlock::getICStatusMap):
2160         (JSC::CodeBlock::addStubInfo):
2161         (JSC::CodeBlock::addJITAddIC):
2162         (JSC::CodeBlock::addJITMulIC):
2163         (JSC::CodeBlock::addJITSubIC):
2164         (JSC::CodeBlock::addJITNegIC):
2165         (JSC::CodeBlock::findStubInfo):
2166         (JSC::CodeBlock::addByValInfo):
2167         (JSC::CodeBlock::addCallLinkInfo):
2168         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2169         (JSC::CodeBlock::addRareCaseProfile):
2170         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2171         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2172         (JSC::CodeBlock::resetJITData):
2173         (JSC::CodeBlock::stronglyVisitStrongReferences):
2174         (JSC::CodeBlock::shrinkToFit):
2175         (JSC::CodeBlock::linkIncomingCall):
2176         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2177         (JSC::CodeBlock::unlinkIncomingCalls):
2178         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2179         (JSC::CodeBlock::dumpValueProfiles):
2180         (JSC::CodeBlock::setPCToCodeOriginMap):
2181         (JSC::CodeBlock::findPC):
2182         (JSC::CodeBlock::dumpMathICStats):
2183         * bytecode/CodeBlock.h:
2184         (JSC::CodeBlock::ensureJITData):
2185         (JSC::CodeBlock::setJITCodeMap):
2186         (JSC::CodeBlock::jitCodeMap):
2187         (JSC::CodeBlock::likelyToTakeSlowCase):
2188         (JSC::CodeBlock::couldTakeSlowCase):
2189         (JSC::CodeBlock::lazyOperandValueProfiles):
2190         (JSC::CodeBlock::stubInfoBegin): Deleted.
2191         (JSC::CodeBlock::stubInfoEnd): Deleted.
2192         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2193         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2194         (JSC::CodeBlock::jitCodeMap const): Deleted.
2195         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2196         * bytecode/MethodOfGettingAValueProfile.cpp:
2197         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2198         (JSC::MethodOfGettingAValueProfile::reportValue):
2199         * dfg/DFGByteCodeParser.cpp:
2200         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2201         * jit/JIT.h:
2202         * jit/JITOperations.cpp:
2203         (JSC::tryGetByValOptimize):
2204         * jit/JITPropertyAccess.cpp:
2205         (JSC::JIT::privateCompileGetByVal):
2206         (JSC::JIT::privateCompilePutByVal):
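
        The following is an added illustration of the lazily allocated side-table pattern used both by FunctionExecutable::RareData (entry "[JSC] Shrink size of FunctionExecutable" above) and by CodeBlock::JITData in this entry; it is not JavaScriptCore code. The class and member names follow the entries, but the members and the sizes are those of this toy, and the lock is a plain std::mutex standing in for the CodeBlock's lock. It shows the inline layout beside the decoupled one, the lock-guarded ensure/slow-path split, and that repeated calls return the single shared instance.

```cpp
// Added illustration, not JavaScriptCore code: the "ensure...Slow" pattern used
// for FunctionExecutable::RareData and CodeBlock::JITData. Data that only a
// minority of objects ever need lives in a separately allocated struct created
// on first use; the class names follow the ChangeLog entries, the members and
// sizes are those of this toy.
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>

struct StubInfo { void* codePtr = nullptr; int count = 0; };

// Always-needed state (category 1 in the entry) plus LLInt-touched profiling
// (category 2) that both layouts keep inline.
struct CommonState {
    std::mutex cellLock;
    std::vector<int> instructions;
    int valueProfile = 0;
};

// Eager layout: every CodeBlock carries the JIT-only containers inline, even
// the ones that never reach a JIT tier.
struct EagerCodeBlock : CommonState {
    std::vector<StubInfo> stubInfos;
    std::vector<void*> callLinkInfos;
    std::vector<int> rareCaseProfiles;
    std::unique_ptr<int[]> jitCodeMap;
};

// Decoupled layout: the same members moved into JITData (category 3).
struct JITData {
    std::vector<StubInfo> stubInfos;
    std::vector<void*> callLinkInfos;
    std::vector<int> rareCaseProfiles;
    std::unique_ptr<int[]> jitCodeMap;
};

class CodeBlock : public CommonState {
public:
    // JIT threads may race to create the side table, so creation happens under
    // the CodeBlock's lock; every caller gets the single shared instance.
    JITData& ensureJITData()
    {
        std::lock_guard<std::mutex> locker(cellLock);
        if (!m_jitData)
            m_jitData = ensureJITDataSlow();
        return *m_jitData;
    }

    bool hasJITData()
    {
        std::lock_guard<std::mutex> locker(cellLock);
        return m_jitData != nullptr;
    }

    // When JIT code is jettisoned the JIT-only state is released and the block
    // shrinks back to its interpreter-only footprint.
    void resetJITData()
    {
        std::lock_guard<std::mutex> locker(cellLock);
        m_jitData.reset();
    }

private:
    static std::unique_ptr<JITData> ensureJITDataSlow() { return std::make_unique<JITData>(); }
    std::unique_ptr<JITData> m_jitData;
};

// sizeof comparison: the toy shows the direction of the change, not the
// 512 -> 352 bytes reported for the real CodeBlock.
bool decoupledLayoutIsSmaller() { return sizeof(CodeBlock) < sizeof(EagerCodeBlock); }

// Lazy creation is idempotent: repeated calls hand back the same JITData, and
// nothing is allocated until the first JIT use.
bool lazyCreationIsIdempotent()
{
    CodeBlock block;
    if (block.hasJITData())
        return false;
    JITData* first = &block.ensureJITData();
    first->stubInfos.push_back(StubInfo{});
    JITData* second = &block.ensureJITData();
    bool same = first == second && second->stubInfos.size() == 1;
    block.resetJITData();
    return same && !block.hasJITData();
}
```

        The same split applies to RareData: the rarely used members leave the hot object, the common case pays one pointer, and the slow path is the only place that allocates.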
2207
2208 2018-12-16  Darin Adler  <darin@apple.com>
2209
2210         Convert additional String::format clients to alternative approaches
2211         https://bugs.webkit.org/show_bug.cgi?id=192746
2212
2213         Reviewed by Alexey Proskuryakov.
2214
2215         * inspector/agents/InspectorConsoleAgent.cpp:
2216         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2217         and FormattedNumber::fixedWidth.
2218
2219 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2220
2221         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2222         https://bugs.webkit.org/show_bug.cgi?id=194177
2223
2224         Reviewed by Saam Barati.
2225
2226         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2227         We can share the IsoSubspace for JSFunction.
2228
2229         * runtime/JSAsyncFunction.h:
2230         * runtime/JSAsyncGeneratorFunction.h:
2231         * runtime/JSGeneratorFunction.h:
2232         * runtime/VM.cpp:
2233         (JSC::VM::VM):
2234         * runtime/VM.h:
2235
2236 2019-02-01  Mark Lam  <mark.lam@apple.com>
2237
2238         Remove invalid assertion in DFG's compileDoubleRep().
2239         https://bugs.webkit.org/show_bug.cgi?id=194130
2240         <rdar://problem/47699474>
2241
2242         Reviewed by Saam Barati.
2243
2244         * dfg/DFGSpeculativeJIT.cpp:
2245         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2246
2247 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2248
2249         [JSC] Unify CodeBlock IsoSubspaces
2250         https://bugs.webkit.org/show_bug.cgi?id=194167
2251
2252         Reviewed by Saam Barati.
2253
2254         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2255         But this is not necessary since,
2256
2257         1. They do not override the classInfo methods.
2258         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2259
2260         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2261         ProgramCodeBlock. We typically create only one ProgramCodeBlock, and it means the rest of the
2262         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2263
2264         This patch unifies these IsoSubspaces into one.
2265
2266         * bytecode/CodeBlock.cpp:
2267         (JSC::CodeBlock::destroy):
2268         * bytecode/CodeBlock.h:
2269         * bytecode/EvalCodeBlock.cpp:
2270         (JSC::EvalCodeBlock::destroy): Deleted.
2271         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2272         * bytecode/FunctionCodeBlock.cpp:
2273         (JSC::FunctionCodeBlock::destroy): Deleted.
2274         * bytecode/FunctionCodeBlock.h:
2275         * bytecode/GlobalCodeBlock.h:
2276         * bytecode/ModuleProgramCodeBlock.cpp:
2277         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2278         * bytecode/ModuleProgramCodeBlock.h:
2279         * bytecode/ProgramCodeBlock.cpp:
2280         (JSC::ProgramCodeBlock::destroy): Deleted.
2281         * bytecode/ProgramCodeBlock.h:
2282         * interpreter/Interpreter.cpp:
2283         (JSC::Interpreter::execute):
2284         * runtime/VM.cpp:
2285         (JSC::VM::VM):
2286         * runtime/VM.h:
2287         (JSC::VM::forEachCodeBlockSpace):
2288
2289 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2290
2291         Unreviewed, follow-up after r240859
2292         https://bugs.webkit.org/show_bug.cgi?id=194145
2293
2294         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2295         And rename cellDangerousBitsSpace back to cellSpace.
2296
2297         * runtime/JSCellInlines.h:
2298         (JSC::JSCell::subspaceFor):
2299         * runtime/VM.cpp:
2300         (JSC::VM::VM):
2301         * runtime/VM.h:
2302
2303 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2304
2305         [JSC] Remove cellJSValueOOBSpace
2306         https://bugs.webkit.org/show_bug.cgi?id=194145
2307
2308         Reviewed by Mark Lam.
2309
2310         * runtime/JSObject.h:
2311         (JSC::JSObject::subspaceFor): Deleted.
2312         * runtime/VM.cpp:
2313         (JSC::VM::VM):
2314         * runtime/VM.h:
2315
2316 2019-01-31  Mark Lam  <mark.lam@apple.com>
2317
2318         Remove poisoning from CodeBlock and LLInt code.
2319         https://bugs.webkit.org/show_bug.cgi?id=194113
2320
2321         Reviewed by Yusuke Suzuki.
2322
2323         * bytecode/CodeBlock.cpp:
2324         (JSC::CodeBlock::CodeBlock):
2325         (JSC::CodeBlock::~CodeBlock):
2326         (JSC::CodeBlock::setConstantRegisters):
2327         (JSC::CodeBlock::propagateTransitions):
2328         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2329         (JSC::CodeBlock::jettison):
2330         (JSC::CodeBlock::predictedMachineCodeSize):
2331         * bytecode/CodeBlock.h:
2332         (JSC::CodeBlock::vm const):
2333         (JSC::CodeBlock::addConstant):
2334         (JSC::CodeBlock::heap const):
2335         (JSC::CodeBlock::replaceConstant):
2336         * llint/LLIntOfflineAsmConfig.h:
2337         * llint/LLIntSlowPaths.cpp:
2338         (JSC::LLInt::handleHostCall):
2339         (JSC::LLInt::setUpCall):
2340         * llint/LowLevelInterpreter.asm:
2341         * llint/LowLevelInterpreter32_64.asm:
2342         * llint/LowLevelInterpreter64.asm:
2343
2344 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2345
2346         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2347         https://bugs.webkit.org/show_bug.cgi?id=194107
2348
2349         Reviewed by Saam Barati.
2350
2351         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2352         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2353
2354         * CMakeLists.txt:
2355         * DerivedSources.make:
2356         * JavaScriptCore.xcodeproj/project.pbxproj:
2357         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2358         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2359         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2360         (JSC::AsyncFromSyncIteratorPrototype::create):
2361         * runtime/AsyncFromSyncIteratorPrototype.h:
2362
2363 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2364
2365         Fix `runJITThreadLimitTests` in testapi
2366         https://bugs.webkit.org/show_bug.cgi?id=194064
2367         <rdar://problem/46139147>
2368
2369         Reviewed by Mark Lam.
2370
2371         Fix typo where `targetNumberOfThreads` was not being used.
2372
2373         * API/tests/testapi.mm:
2374         (runJITThreadLimitTests):
2375
2376 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2377
2378         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2379         https://bugs.webkit.org/show_bug.cgi?id=194112
2380
2381         Reviewed by Mark Lam.
2382
2383         `testBytecodeCache` does not populate the bytecode cache for the global
2384         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2385
2386         * API/tests/testapi.mm:
2387         (testBytecodeCache):
2388
2389 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2390
2391         Unreviewed, follow-up after r240796
2392
2393         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2394         when allocating InferredValue in FunctionExecutable::finishCreation.
2395
2396         * runtime/FunctionExecutable.cpp:
2397         (JSC::FunctionExecutable::FunctionExecutable):
2398         (JSC::FunctionExecutable::finishCreation):
2399
2400 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2401
2402         [JSC] Do not use InferredValue in non-JIT configuration
2403         https://bugs.webkit.org/show_bug.cgi?id=194084
2404
2405         Reviewed by Saam Barati.
2406
2407         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2408         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2409         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2410         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2411         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2412         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2413         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2414         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2415
2416         * bytecode/ObjectAllocationProfileInlines.h:
2417         (JSC::ObjectAllocationProfile::initializeProfile):
2418         * runtime/FunctionExecutable.cpp:
2419         (JSC::FunctionExecutable::finishCreation):
2420         (JSC::FunctionExecutable::visitChildren):
2421         * runtime/FunctionExecutable.h:
2422         * runtime/InferredValue.cpp:
2423         (JSC::InferredValue::create):
2424         * runtime/JSAsyncFunction.cpp:
2425         (JSC::JSAsyncFunction::create):
2426         * runtime/JSAsyncGeneratorFunction.cpp:
2427         (JSC::JSAsyncGeneratorFunction::create):
2428         * runtime/JSFunction.cpp:
2429         (JSC::JSFunction::create):
2430         * runtime/JSFunctionInlines.h:
2431         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2432         * runtime/JSGeneratorFunction.cpp:
2433         (JSC::JSGeneratorFunction::create):
2434         * runtime/JSSymbolTableObject.h:
2435         (JSC::JSSymbolTableObject::setSymbolTable):
2436         * runtime/SymbolTable.cpp:
2437         (JSC::SymbolTable::finishCreation):
2438         * runtime/VM.cpp:
2439         (JSC::VM::VM):
2440
2441 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2442
2443         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2444         https://bugs.webkit.org/show_bug.cgi?id=194085
2445
2446         Reviewed by Yusuke Suzuki.
2447
2448         r240730 changed ud_itab.py and caused incremental build failures
2449         for Ninja builds.
2450
2451         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2452
2453 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2454
2455         [JSC] Symbol should be in destructibleCellSpace
2456         https://bugs.webkit.org/show_bug.cgi?id=194082
2457
2458         Reviewed by Saam Barati.
2459
2460         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2461         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2462         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2463         Symbol's space destructibleCellSpace to appropriately call the destructor.
2464
2465         * runtime/Symbol.h:
2466
2467 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2468
2469         Unreviewed, rolling out r240755.
2470
2471         This was not correct
2472
2473         Reverted changeset:
2474
2475         "Unreviewed, fix GCC build after r240730"
2476         https://bugs.webkit.org/show_bug.cgi?id=194041
2477         https://trac.webkit.org/changeset/240755
2478
2479 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2480
2481         Unreviewed, fix GCC build after r240730
2482         https://bugs.webkit.org/show_bug.cgi?id=194041
2483         <rdar://problem/47680981>
2484
2485         * disassembler/udis86/ud_itab.py:
2486         (UdItabGenerator.genOpcodeTablesLookupIndex):
2487
2488 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2489
2490         testapi's `testBytecodeCache` does not need to run the code twice
2491         https://bugs.webkit.org/show_bug.cgi?id=194046
2492
2493         Reviewed by Mark Lam.
2494
2495         Since we populate the cache eagerly (unlike the stress tests) we don't
2496         need to run the code twice.
2497
2498         * API/tests/testapi.mm:
2499         (testBytecodeCache):
2500
2501 2019-01-30  Saam barati  <sbarati@apple.com>
2502
2503         [WebAssembly] Change BBQ to generate Air IR
2504         https://bugs.webkit.org/show_bug.cgi?id=191802
2505         <rdar://problem/47651718>
2506
2507         Reviewed by Keith Miller.
2508
2509         This patch adds a new Wasm compiler for the BBQ tier. Instead
2510         of compiling using B3-O1, we now generate Air code directly.
2511         The goal of doing this was to speed up compile times for Wasm
2512         programs.
2513         
2514         This patch provides us with a 20-30% compile time speedup. However, I
2515         have ideas on how to improve compile times even further. For example,
2516         we should probably implement a faster running register allocator:
2517         https://bugs.webkit.org/show_bug.cgi?id=194036
2518         
2519         We can also improve on the code we generate.
2520         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2521         And we should do better instruction selection in various
2522         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2523
2524         * JavaScriptCore.xcodeproj/project.pbxproj:
2525         * Sources.txt:
2526         * b3/B3LowerToAir.cpp:
2527         * b3/B3StackmapSpecial.h:
2528         * b3/air/AirCode.cpp:
2529         (JSC::B3::Air::Code::emitDefaultPrologue):
2530         * b3/air/AirCode.h:
2531         * b3/air/AirTmp.h:
2532         (JSC::B3::Air::Tmp::Tmp):
2533         * runtime/Options.h:
2534         * wasm/WasmAirIRGenerator.cpp: Added.
2535         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2536         (JSC::Wasm::TypedTmp::TypedTmp):
2537         (JSC::Wasm::TypedTmp::operator== const):
2538         (JSC::Wasm::TypedTmp::operator!= const):
2539         (JSC::Wasm::TypedTmp::operator bool const):
2540         (JSC::Wasm::TypedTmp::operator Tmp const):
2541         (JSC::Wasm::TypedTmp::operator Arg const):
2542         (JSC::Wasm::TypedTmp::tmp const):
2543         (JSC::Wasm::TypedTmp::type const):
2544         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2545         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2546         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2547         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2548         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2549         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2550         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2551         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2552         (JSC::Wasm::AirIRGenerator::emptyExpression):
2553         (JSC::Wasm::AirIRGenerator::fail const):
2554         (JSC::Wasm::AirIRGenerator::setParser):
2555         (JSC::Wasm::AirIRGenerator::toTmpVector):
2556         (JSC::Wasm::AirIRGenerator::validateInst):
2557         (JSC::Wasm::AirIRGenerator::extractArg):
2558         (JSC::Wasm::AirIRGenerator::append):
2559         (JSC::Wasm::AirIRGenerator::appendEffectful):
2560         (JSC::Wasm::AirIRGenerator::newTmp):
2561         (JSC::Wasm::AirIRGenerator::g32):
2562         (JSC::Wasm::AirIRGenerator::g64):
2563         (JSC::Wasm::AirIRGenerator::f32):
2564         (JSC::Wasm::AirIRGenerator::f64):
2565         (JSC::Wasm::AirIRGenerator::tmpForType):
2566         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2567         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2568         (JSC::Wasm::AirIRGenerator::emitCheck):
2569         (JSC::Wasm::AirIRGenerator::emitCCall):
2570         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2571         (JSC::Wasm::AirIRGenerator::instanceValue):
2572         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2573         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2574         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2575         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2576         (JSC::Wasm::AirIRGenerator::emitThrowException):
2577         (JSC::Wasm::AirIRGenerator::addLocal):
2578         (JSC::Wasm::AirIRGenerator::addConstant):
2579         (JSC::Wasm::AirIRGenerator::addArguments):
2580         (JSC::Wasm::AirIRGenerator::getLocal):
2581         (JSC::Wasm::AirIRGenerator::addUnreachable):
2582         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2583         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2584         (JSC::Wasm::AirIRGenerator::setLocal):
2585         (JSC::Wasm::AirIRGenerator::getGlobal):
2586         (JSC::Wasm::AirIRGenerator::setGlobal):
2587         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2588         (JSC::Wasm::sizeOfLoadOp):
2589         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2590         (JSC::Wasm::AirIRGenerator::load):
2591         (JSC::Wasm::sizeOfStoreOp):
2592         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2593         (JSC::Wasm::AirIRGenerator::store):
2594         (JSC::Wasm::AirIRGenerator::addSelect):
2595         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2596         (JSC::Wasm::AirIRGenerator::addLoop):
2597         (JSC::Wasm::AirIRGenerator::addTopLevel):
2598         (JSC::Wasm::AirIRGenerator::addBlock):
2599         (JSC::Wasm::AirIRGenerator::addIf):
2600         (JSC::Wasm::AirIRGenerator::addElse):
2601         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2602         (JSC::Wasm::AirIRGenerator::addReturn):
2603         (JSC::Wasm::AirIRGenerator::addBranch):
2604         (JSC::Wasm::AirIRGenerator::addSwitch):
2605         (JSC::Wasm::AirIRGenerator::endBlock):
2606         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2607         (JSC::Wasm::AirIRGenerator::addCall):
2608         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2609         (JSC::Wasm::AirIRGenerator::unify):
2610         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2611         (JSC::Wasm::AirIRGenerator::dump):
2612         (JSC::Wasm::AirIRGenerator::origin):
2613         (JSC::Wasm::parseAndCompileAir):
2614         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2615         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2616         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2617         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2618         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2619         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2620         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2621         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2622         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2623         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2624         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2625         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2626         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2627         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2628         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2629         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2630         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2631         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2632         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2633         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2634         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2635         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2636         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2637         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2638         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2639         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2640         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2641         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2642         (JSC::Wasm::AirIRGenerator::addShift):
2643         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2644         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2645         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2646         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2647         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2648         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2649         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2650         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2651         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2652         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2653         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2654         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2655         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2656         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2657         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2658         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2659         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2660         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2661         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2662         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2663         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2664         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2665         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2666         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2667         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2668         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2669         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2670         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2671         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2672         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2673         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2674         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2675         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2676         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2677         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2678         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2679         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2680         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2681         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2682         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2683         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2684         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2685         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2686         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2687         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2688         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2689         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2690         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2691         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2692         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2693         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2694         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2695         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2696         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2697         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2698         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2699         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2700         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2701         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2702         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2703         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2704         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2705         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2706         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2707         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2708         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2709         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2710         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2711         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2712         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2713         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2714         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2715         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2716         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2717         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2718         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2719         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2720         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2721         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2722         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2723         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2724         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2725         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2726         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2727         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2728         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2729         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2730         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2731         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2732         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2733         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2734         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2735         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2736         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2737         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2738         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2739         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2740         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2741         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2742         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2743         * wasm/WasmAirIRGenerator.h: Added.
2744         * wasm/WasmB3IRGenerator.cpp:
2745         (JSC::Wasm::B3IRGenerator::emptyExpression):
2746         * wasm/WasmBBQPlan.cpp:
2747         (JSC::Wasm::BBQPlan::compileFunctions):
2748         * wasm/WasmCallingConvention.cpp:
2749         (JSC::Wasm::jscCallingConventionAir):
2750         (JSC::Wasm::wasmCallingConventionAir):
2751         * wasm/WasmCallingConvention.h:
2752         (JSC::Wasm::CallingConvention::CallingConvention):
2753         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2754         (JSC::Wasm::CallingConvention::marshallArgument const):
2755         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2756         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2757         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2758         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2759         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2760         (JSC::Wasm::CallingConventionAir::loadArguments const):
2761         (JSC::Wasm::CallingConventionAir::setupCall const):
2762         (JSC::Wasm::nextJSCOffset):
2763         * wasm/WasmFunctionParser.h:
2764         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2765         * wasm/WasmValidate.cpp:
2766         (JSC::Wasm::Validate::emptyExpression):
2767
2768 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2769
2770         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2771         https://bugs.webkit.org/show_bug.cgi?id=194050
2772         <rdar://problem/47595592>
2773
2774         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2775         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2776
2777         Reviewed by Yusuke Suzuki.
2778
2779         * ftl/FTLOperations.cpp:
2780         (JSC::FTL::operationMaterializeObjectInOSR):
2781
2782 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2783
2784         Remove assertion that CachedSymbolTables should have no RareData
2785         https://bugs.webkit.org/show_bug.cgi?id=194037
2786
2787         Reviewed by Mark Lam.
2788
2789         It turns out that we don't need to cache the SymbolTableRareData and
2790         we should not assert that it's empty.
2791
2792         * runtime/CachedTypes.cpp:
2793         (JSC::CachedSymbolTable::encode):
2794
2795 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2796
2797         CachedBytecode's move constructor should not call `freeDataIfOwned`
2798         https://bugs.webkit.org/show_bug.cgi?id=194045
2799
2800         Reviewed by Mark Lam.
2801
2802         That might result in freeing a garbage value.
2803
2804         * parser/SourceProvider.h:
2805         (JSC::CachedBytecode::CachedBytecode):
2806
2807 2019-01-30  Keith Miller  <keith_miller@apple.com>
2808
2809         mul32 should convert powers of 2 to an lshift
2810         https://bugs.webkit.org/show_bug.cgi?id=193957
2811
2812         Reviewed by Yusuke Suzuki.
2813
2814         * assembler/MacroAssembler.h:
2815         (JSC::MacroAssembler::mul32):
2816         * assembler/testmasm.cpp:
2817         (JSC::int32Operands):
2818         (JSC::testMul32WithImmediates):
2819         (JSC::run):
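
The strength reduction named in this entry, as an added example rather than JSC's MacroAssembler code; the function names are assumptions:

```cpp
#include <cstdint>

// Constructed example, not JSC's MacroAssembler: the strength reduction the
// entry describes. In 32-bit two's-complement (wrap-around) arithmetic,
// x * 2^k and x << k produce the same bit pattern for every x, so a multiply
// by a power-of-two immediate can be emitted as the cheaper shift.

// True for 1, 2, 4, ..., 2^30. Zero and negative immediates are not treated
// as powers of two here (INT32_MIN is one in magnitude only) and keep the
// multiply path.
bool isPowerOfTwoImmediate(int32_t imm)
{
    return imm > 0 && (imm & (imm - 1)) == 0;
}

// Shift count for a power-of-two immediate: the index of its single set bit.
int shiftAmountFor(int32_t imm)
{
    int shift = 0;
    while ((1u << shift) != static_cast<uint32_t>(imm))
        ++shift;
    return shift;
}

// Which instruction the lowering would select for `dst = src * imm`.
bool wouldEmitShift(int32_t imm)
{
    return isPowerOfTwoImmediate(imm);
}

// Emulates the lowered instruction: lshift32 for powers of two, mul32
// otherwise. Both paths compute in uint32_t so that overflow wraps the way
// the hardware does instead of being undefined behaviour in C++.
int32_t mul32Immediate(int32_t src, int32_t imm)
{
    uint32_t bits = static_cast<uint32_t>(src);
    uint32_t result;
    if (wouldEmitShift(imm))
        result = bits << shiftAmountFor(imm);          // lshift32
    else
        result = bits * static_cast<uint32_t>(imm);     // mul32
    return static_cast<int32_t>(result);
}

// Reference: plain wrapping multiply, used to confirm both paths agree.
int32_t mul32Reference(int32_t src, int32_t imm)
{
    return static_cast<int32_t>(static_cast<uint32_t>(src) * static_cast<uint32_t>(imm));
}
```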
2820
2821 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2822
2823         [JSC] Make disassembler data structures constant read-only data
2824         https://bugs.webkit.org/show_bug.cgi?id=194041
2825
2826         Reviewed by Mark Lam.
2827
2828         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2829         This patch makes them "const".
2830
2831         * disassembler/ARM64/A64DOpcode.cpp:
2832         * disassembler/udis86/ud_itab.py:
2833         (UdItabGenerator.genOpcodeTablesLookupIndex):
2834         (UdItabGenerator.genInsnTable):
2835         (UdItabGenerator.genMnemonicsList):
2836         (genItabH):
2837         * disassembler/udis86/udis86_decode.h:
2838         * disassembler/udis86/udis86_syn.c:
2839         * disassembler/udis86/udis86_syn.h:
2840         * disassembler/udis86/udis86_types.h:
2841
2842 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2843
2844         Unreviewed, update the builtin test results
2845         https://bugs.webkit.org/show_bug.cgi?id=194015
2846
2847         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2848         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2849         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2850         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2851         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2852         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2853         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2854         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2855         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2856         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2857         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2858         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2859         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2860
2861 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2862
2863         [JSC] Make global static variables "const" as much as possible
2864         https://bugs.webkit.org/show_bug.cgi?id=194015
2865
2866         Reviewed by Mark Lam.
2867
2868         Some global static variables are not "const". For example, `static const char* name = ...`
2869         is not a constant variable. We should make it `static const char* const name = ...`.
2870
2871         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2872         (generate_externs_for_object):
2873         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2874         (generate_externs_for_object):
2875         * Scripts/wkbuiltins/builtins_generator.py:
2876         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2877         * assembler/MacroAssembler.h:
2878         (JSC::MacroAssembler::additionBlindedConstant):
2879         * b3/air/AirFormTable.h:
2880         * b3/air/opcode_generator.rb:
2881         * runtime/JSObject.cpp:
2882         (JSC::JSObject::visitButterfly):
2883         * tools/CodeProfile.cpp:
2884         * tools/CodeProfile.h:
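
Both this entry and the disassembler-table entry above make the same point about where the linker may place a global. The added example below is not part of the ChangeLog or of JSC's sources; the mnemonic table is constructed for illustration:

```cpp
#include <cstddef>
#include <cstring>
#include <type_traits>

// Constructed example, not JSC code: a small opcode-name table of the kind a
// disassembler keeps, declared the two ways these entries contrast.

// Only the pointees are const here. The three pointer slots are ordinary
// mutable globals, so the table is emitted into writable data and a stray
// store (a bug, or a memory-corruption primitive) can silently retarget an
// entry.
static const char* mutableMnemonics[] = { "add", "sub", "mul" };

// Top-level const on the slots too. The whole table is a constant object, so
// the linker may place it in a read-only section where the same stray store
// faults instead of succeeding.
static const char* const constMnemonics[] = { "add", "sub", "mul" };

static_assert(!std::is_const<std::remove_extent<decltype(mutableMnemonics)>::type>::value,
              "pointer slots are writable, so this table lands in writable data");
static_assert(std::is_const<std::remove_extent<decltype(constMnemonics)>::type>::value,
              "pointer slots are const, so this table may land in read-only data");

// True when a table's element type carries top-level const, i.e. when the
// table is eligible for a read-only region. Takes a non-const reference so
// that the array's own constness is what gets deduced.
template <typename Table>
bool isReadOnlyTable(Table&)
{
    return std::is_const<typename std::remove_extent<Table>::type>::value;
}

// What one errant store can do to the mutable form: swap an entry for another
// string. The same assignment to constMnemonics[index] does not compile.
const char* retargetMutableEntry(size_t index, const char* replacement)
{
    mutableMnemonics[index] = replacement;
    return mutableMnemonics[index];
}

const char* constMnemonicAt(size_t index)
{
    return constMnemonics[index];
}

// Convenience for the checks below.
bool mnemonicEquals(const char* mnemonic, const char* expected)
{
    return std::strcmp(mnemonic, expected) == 0;
}
```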
2885
2886 2019-01-29  Keith Miller  <keith_miller@apple.com>
2887
2888         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2889         https://bugs.webkit.org/show_bug.cgi?id=194000
2890         <rdar://problem/47642894>
2891
2892         Reviewed by Mark Lam.
2893
2894         The default constructor is unused and
2895         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2896         data member which causes sadness.
2897
2898         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2899
2900 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2901
2902         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2903
2904         Rubber-stamped by Yusuke Suzuki.
2905
2906         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2907
2908         * parser/Parser.h:
2909         (JSC::Parser::declareHoistedVariable):
2910
2911 2019-01-29  Mark Lam  <mark.lam@apple.com>
2912
2913         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2914         https://bugs.webkit.org/show_bug.cgi?id=132333
2915
2916         Reviewed by Yusuke Suzuki.
2917
2918         * bytecode/InstructionStream.h:
2919         (JSC::InstructionStreamWriter::write):
2920         - The 32-bit write() function need not invert the order of the bytes written to
2921           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
2922           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
2923
2924         * llint/LLIntOfflineAsmConfig.h:
2925         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2926
2927 2019-01-29  Mark Lam  <mark.lam@apple.com>
2928
2929         ValueRecovery::recover() should purify NaN values it recovers.
2930         https://bugs.webkit.org/show_bug.cgi?id=193978
2931         <rdar://problem/47625488>
2932
2933         Reviewed by Saam Barati.
2934
2935         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
2936         recovered DoubleDisplacedInJSStack values need to be purified.
2937         ValueRecovery::recover() should do the same.
2938
2939         * bytecode/ValueRecovery.cpp:
2940         (JSC::ValueRecovery::recover const):
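
Why a recovered double has to be purified before it is re-encoded, as an added example that is not JSC's code; the NaN-boxing model and its constants are assumptions made for illustration:

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Constructed example, not JSC code: a simplified model of the NaN-boxing that
// a 64-bit JSValue uses. The constants and names are assumptions. In the
// model, a double is stored as its raw bits plus 2^49, int32s carry 0xFFFE in
// the top 16 bits, and anything whose top 16 bits are zero is read back as a
// cell pointer. The scheme only works if no encoded double ever lands in
// those two regions, which is what NaN purification guarantees.
static const uint64_t kDoubleEncodeOffset = 1ULL << 49;      // 0x0002000000000000
static const uint64_t kPureNaNBits = 0x7FF8000000000000ULL;  // the one canonical NaN

uint64_t bitsOf(double value)
{
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

double doubleFromBits(uint64_t bits)
{
    double value;
    std::memcpy(&value, &bits, sizeof value);
    return value;
}

// purifyNaN: every NaN payload collapses to the canonical NaN; other values
// pass through unchanged. This is the step the ValueRecovery fix adds.
double purifyNaN(double value)
{
    return std::isnan(value) ? doubleFromBits(kPureNaNBits) : value;
}

// Box a double. The addition deliberately wraps modulo 2^64.
uint64_t encodeDouble(double value)
{
    return bitsOf(value) + kDoubleEncodeOffset;
}

// How a boxed value is classified on the way back out.
bool looksLikeCellPointer(uint64_t encoded) { return (encoded >> 48) == 0; }
bool looksLikeInt32(uint64_t encoded) { return (encoded >> 48) == 0xFFFE; }

// A legitimate NaN bit pattern (sign set, exponent all ones, non-zero
// mantissa) whose encoding wraps: 0xFFFE000000000001 + 2^49 is
// 0x0000000000000001, which reads back as a cell pointer. Payloads like this
// are reachable from script, so a recovered value must not be trusted as-is.
static const uint64_t kNonCanonicalNaNBits = 0xFFFE000000000001ULL;

// Encoding the raw NaN straight from the stack slot: type confusion.
bool rawNaNEncodesAsPointer()
{
    return looksLikeCellPointer(encodeDouble(doubleFromBits(kNonCanonicalNaNBits)));
}

// Encoding the purified NaN: stays in the double range (top 16 bits 0x7FFA).
bool purifiedNaNStaysADouble()
{
    uint64_t encoded = encodeDouble(purifyNaN(doubleFromBits(kNonCanonicalNaNBits)));
    return !looksLikeCellPointer(encoded) && !looksLikeInt32(encoded);
}

// purifyNaN must be a no-op for ordinary doubles, including -0 and infinities.
bool purifyPreservesNonNaN(double value)
{
    return bitsOf(purifyNaN(value)) == bitsOf(value);
}
```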
2941
2942 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
2943
2944         [JSC] FTL should handle LocalAllocator*
2945         https://bugs.webkit.org/show_bug.cgi?id=193980
2946
2947         Reviewed by Saam Barati.
2948
2949         At some point, Allocator started holding LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
2950         because the FTL still uses the incoming value as a 32-bit integer there.
2951
2952         * ftl/FTLLowerDFGToB3.cpp:
2953         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2954
2955 2019-01-29  Keith Rollin  <krollin@apple.com>
2956
2957         Add .xcfilelists to Run Script build phases
2958         https://bugs.webkit.org/show_bug.cgi?id=193792
2959         <rdar://problem/47201785>
2960
2961         Reviewed by Alex Christensen.
2962
2963         As part of supporting XCBuild, update the necessary Run Script build
2964         phases in their Xcode projects to refer to their associated
2965         .xcfilelist files.
2966
2967         Note that the addition of these files bumps the Xcode project version
2968         number to something that's Xcode 10 compatible. This change means that
2969         older versions of the Xcode IDE can't read these projects. Nor can they
2970         fully load workspaces that refer to these projects (the updated
2971         projects are shown as non-expandable placeholders). `xcodebuild` can
2972         still build these projects; it's just that the IDE can't open them.
2973
2974         * JavaScriptCore.xcodeproj/project.pbxproj:
2975
2976 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
2977
2978         [ARM] Check for negative zero instead of just zero
2979         https://bugs.webkit.org/show_bug.cgi?id=193689
2980
2981         Reviewed by Mark Lam.
2982
2983         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
2984         of just bailing out for zero.
2985
2986         * assembler/MacroAssemblerARMv7.h:
2987         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
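
The check described in this entry, rendered in plain C++ as an added example (not JSC's assembler code); the function names and the bail-out sentinel are assumptions:

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed example, not JSC code: the decision branchConvertDoubleToInt32
// makes, written in plain C++. The JIT converts a double to an int32 on the
// fast path and branches to a slow path ("bails") whenever the int32 would
// not faithfully represent the double, because JavaScript keeps 1.5, 2^31 and
// -0 distinct from every int32 (1 / -0 is -Infinity, 1 / 0 is +Infinity).
// Both functions return the converted int32, or kBailOut for the slow path.
static const int64_t kBailOut = std::numeric_limits<int64_t>::min();

// Shared part: reject NaN, infinities, anything outside int32 range, and any
// value with a fractional part. The range test is written so that NaN fails it.
static bool truncatesExactly(double value, int32_t& truncated)
{
    if (!(value >= -2147483648.0 && value <= 2147483647.0))
        return false;
    truncated = static_cast<int32_t>(value);
    return static_cast<double>(truncated) == value;
}

// Before the change: any zero result bails, because the code did not tell
// +0 from -0 after truncation. Correct, but every ordinary 0.0 takes the
// slow path.
int64_t convertBailingOnAnyZero(double value)
{
    int32_t truncated = 0;
    if (!truncatesExactly(value, truncated))
        return kBailOut;
    if (truncated == 0)
        return kBailOut;
    return truncated;
}

// After the change: bail only when the zero carries the sign bit. The check
// must look at the sign bit explicitly because -0.0 == 0.0 compares true.
int64_t convertBailingOnNegativeZero(double value)
{
    int32_t truncated = 0;
    if (!truncatesExactly(value, truncated))
        return kBailOut;
    if (truncated == 0 && std::signbit(value))
        return kBailOut;
    return truncated;
}
```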
2988
2989 2019-01-28  Devin Rousso  <drousso@apple.com>
2990
2991         Web Inspector: provide a way to edit page WebRTC settings on a remote target
2992         https://bugs.webkit.org/show_bug.cgi?id=193863
2993         <rdar://problem/47572764>
2994
2995         Reviewed by Joseph Pecoraro.
2996
2997         * inspector/protocol/Page.json:
2998         Add more values to the `Setting` enum type:
2999          - `ICECandidateFilteringEnabled`
3000          - `MediaCaptureRequiresSecureConnection`
3001          - `MockCaptureDevicesEnabled`
3002
3003 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3004
3005         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3006         https://bugs.webkit.org/show_bug.cgi?id=193941
3007
3008         Reviewed by Alex Christensen.
3009
3010         * API/JSWeakObjectMapRefPrivate.cpp:
3011         * bytecompiler/NodesCodegen.cpp:
3012         * heap/MachineStackMarker.cpp:
3013         * jit/ExecutableAllocator.cpp:
3014         * jsc.cpp:
3015         * parser/Nodes.cpp:
3016         * runtime/DateConstructor.cpp:
3017         * runtime/DateConversion.cpp:
3018         * runtime/DateInstance.cpp:
3019         * runtime/DatePrototype.cpp:
3020         * runtime/InitializeThreading.cpp:
3021         * runtime/IteratorOperations.cpp:
3022         * runtime/JSDateMath.cpp:
3023         * runtime/JSGlobalObjectFunctions.cpp:
3024         * runtime/StringPrototype.cpp:
3025         * runtime/VM.cpp:
3026         * testRegExp.cpp:
3027         * tools/JSDollarVM.cpp:
3028         * yarr/YarrInterpreter.cpp:
3029         * yarr/YarrJIT.cpp:
3030         * yarr/YarrPattern.cpp:
3031         * yarr/YarrUnicodeProperties.cpp:
3032
3033 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3034
3035         [JSC] Reduce size of memory used for ShadowChicken
3036         https://bugs.webkit.org/show_bug.cgi?id=193546
3037
3038         Reviewed by Mark Lam.
3039
3040         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3041         The removal of ShadowChicken saves 55KB memory.
3042
3043         * debugger/DebuggerCallFrame.cpp:
3044         (JSC::DebuggerCallFrame::create):
3045         * ftl/FTLLowerDFGToB3.cpp:
3046         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3047         * heap/Heap.cpp:
3048         (JSC::Heap::stopThePeriphery):
3049         (JSC::Heap::addCoreConstraints):
3050         * jit/CCallHelpers.cpp:
3051         (JSC::CCallHelpers::ensureShadowChickenPacket):
3052         * jit/JITExceptions.cpp:
3053         (JSC::genericUnwind):
3054         * jit/JITOpcodes.cpp:
3055         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3056         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3057         * jit/JITOpcodes32_64.cpp:
3058         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3059         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3060         * jit/JITOperations.cpp:
3061         * llint/LLIntSlowPaths.cpp:
3062         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3063         * runtime/JSGlobalObject.cpp:
3064         (JSC::JSGlobalObject::setDebugger):
3065         * runtime/JSGlobalObject.h:
3066         (JSC::JSGlobalObject::setDebugger): Deleted.
3067         * runtime/VM.cpp:
3068         (JSC::VM::VM):
3069         (JSC::VM::ensureShadowChicken):
3070         * runtime/VM.h:
3071         (JSC::VM::shadowChicken):
3072         * tools/JSDollarVM.cpp:
3073         (JSC::functionShadowChickenFunctionsOnStack):
3074         (JSC::changeDebuggerModeWhenIdle):
3075
3076 2019-01-28  Andy Estes  <aestes@apple.com>
3077
3078         [watchOS] Enable Parental Controls content filtering
3079         https://bugs.webkit.org/show_bug.cgi?id=193939
3080         <rdar://problem/46641912>
3081
3082         Reviewed by Ryosuke Niwa.
3083
3084         * Configurations/FeatureDefines.xcconfig:
3085
3086 2019-01-28  Mark Lam  <mark.lam@apple.com>
3087
3088         ToString node actually does GC.
3089         https://bugs.webkit.org/show_bug.cgi?id=193920
3090         <rdar://problem/46695900>
3091
3092         Reviewed by Yusuke Suzuki.
3093
3094         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3095         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3096
3097         * dfg/DFGDoesGC.cpp:
3098         (JSC::DFG::doesGC):
3099
3100 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3101
3102         [JSC] RegExpConstructor should not have own IsoSubspace
3103         https://bugs.webkit.org/show_bug.cgi?id=193801
3104
3105         Reviewed by Mark Lam.
3106
3107         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3108         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3109         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3110         it from RegExpConstructor members.
3111
3112         We introduce RegExpGlobalData, which holds the per-global RegExp matching data, and we perform `performMatch` etc. with
3113         JSGlobalObject instead of RegExpConstructor. This change requires small changes in the DFG / FTL RecordRegExpCachedResult
3114         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3115
3116         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3117
3118         * CMakeLists.txt:
3119         * JavaScriptCore.xcodeproj/project.pbxproj:
3120         * Sources.txt:
3121         * dfg/DFGOperations.cpp:
3122         * dfg/DFGSpeculativeJIT.cpp:
3123         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3124         * dfg/DFGStrengthReductionPhase.cpp:
3125         (JSC::DFG::StrengthReductionPhase::handleNode):
3126         * ftl/FTLAbstractHeapRepository.cpp:
3127         * ftl/FTLAbstractHeapRepository.h:
3128         * ftl/FTLLowerDFGToB3.cpp:
3129         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3130         * runtime/JSGlobalObject.cpp:
3131         (JSC::JSGlobalObject::init):
3132         (JSC::JSGlobalObject::visitChildren):
3133         * runtime/JSGlobalObject.h:
3134         (JSC::JSGlobalObject::regExpGlobalData):
3135         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3136         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3137         * runtime/RegExpCache.cpp:
3138         (JSC::RegExpCache::initialize):
3139         * runtime/RegExpCache.h:
3140         (JSC::RegExpCache::emptyRegExp const):
3141         * runtime/RegExpCachedResult.cpp:
3142         (JSC::RegExpCachedResult::visitAggregate):
3143         (JSC::RegExpCachedResult::visitChildren): Deleted.
3144         * runtime/RegExpCachedResult.h:
3145         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3146         * runtime/RegExpConstructor.cpp:
3147         (JSC::RegExpConstructor::RegExpConstructor):
3148         (JSC::regExpConstructorDollar):
3149         (JSC::regExpConstructorInput):
3150         (JSC::regExpConstructorMultiline):
3151         (JSC::regExpConstructorLastMatch):
3152         (JSC::regExpConstructorLastParen):
3153         (JSC::regExpConstructorLeftContext):
3154         (JSC::regExpConstructorRightContext):
3155         (JSC::setRegExpConstructorInput):
3156         (JSC::setRegExpConstructorMultiline):
3157         (JSC::RegExpConstructor::destroy): Deleted.
3158         (JSC::RegExpConstructor::visitChildren): Deleted.
3159         (JSC::RegExpConstructor::getBackref): Deleted.
3160         (JSC::RegExpConstructor::getLastParen): Deleted.
3161         (JSC::RegExpConstructor::getLeftContext): Deleted.
3162         (JSC::RegExpConstructor::getRightContext): Deleted.
3163         * runtime/RegExpConstructor.h:
3164         (JSC::RegExpConstructor::performMatch): Deleted.
3165         (JSC::RegExpConstructor::recordMatch): Deleted.
3166         * runtime/RegExpGlobalData.cpp: Added.
3167         (JSC::RegExpGlobalData::visitAggregate):
3168         (JSC::RegExpGlobalData::getBackref):
3169         (JSC::RegExpGlobalData::getLastParen):
3170         (JSC::RegExpGlobalData::getLeftContext):
3171         (JSC::RegExpGlobalData::getRightContext):
3172         * runtime/RegExpGlobalData.h: Added.
3173         (JSC::RegExpGlobalData::cachedResult):
3174         (JSC::RegExpGlobalData::setMultiline):
3175         (JSC::RegExpGlobalData::multiline const):
3176         (JSC::RegExpGlobalData::input):
3177         (JSC::RegExpGlobalData::offsetOfCachedResult):
3178         * runtime/RegExpGlobalDataInlines.h: Added.
3179         (JSC::RegExpGlobalData::setInput):
3180         (JSC::RegExpGlobalData::performMatch):
3181         (JSC::RegExpGlobalData::recordMatch):
3182         * runtime/RegExpObject.cpp:
3183         (JSC::RegExpObject::matchGlobal):
3184         * runtime/RegExpObjectInlines.h:
3185         (JSC::RegExpObject::execInline):
3186         (JSC::RegExpObject::matchInline):
3187         (JSC::collectMatches):
3188         * runtime/RegExpPrototype.cpp:
3189         (JSC::RegExpPrototype::finishCreation):
3190         (JSC::regExpProtoFuncSearchFast):
3191         (JSC::RegExpPrototype::visitChildren): Deleted.
3192         * runtime/RegExpPrototype.h:
3193         * runtime/StringPrototype.cpp:
3194         (JSC::removeUsingRegExpSearch):
3195         (JSC::replaceUsingRegExpSearch):
3196         * runtime/VM.cpp:
3197         (JSC::VM::VM):
3198         * runtime/VM.h:
3199
3200 2018-12-15  Darin Adler  <darin@apple.com>
3201
3202         Replace many uses of String::format with more type-safe alternatives
3203         https://bugs.webkit.org/show_bug.cgi?id=192742
3204
3205         Reviewed by Mark Lam.
3206
3207         * inspector/InjectedScriptBase.cpp:
3208         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3209         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3210         * inspector/InspectorBackendDispatcher.cpp:
3211         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3212         * inspector/agents/InspectorConsoleAgent.cpp:
3213         (Inspector::InspectorConsoleAgent::enable): Ditto.
3214         * jsc.cpp:
3215         (FunctionJSCStackFunctor::operator() const): Ditto.
3216
3217         * runtime/CodeCache.cpp:
3218         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3219         using String::number.
3220
3221         * runtime/IntlDateTimeFormat.cpp:
3222         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3223         * runtime/IntlObject.cpp:
3224         (JSC::canonicalizeLocaleList): Ditto.
3225
3226 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3227
3228         AX: Introduce a static accessibility tree
3229         https://bugs.webkit.org/show_bug.cgi?id=193348
3230         <rdar://problem/47203295>
3231
3232         Reviewed by Ryosuke Niwa.
3233
3234         * Configurations/FeatureDefines.xcconfig:
3235
3236 2019-01-26  Devin Rousso  <drousso@apple.com>
3237
3238         Web Inspector: provide a way to edit the user agent of a remote target
3239         https://bugs.webkit.org/show_bug.cgi?id=193862
3240         <rdar://problem/47359292>
3241
3242         Reviewed by Joseph Pecoraro.
3243
3244         * inspector/protocol/Page.json:
3245         Add `overrideUserAgent` command.
3246
3247 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3248
3249         [JSC] NativeErrorConstructor should not have own IsoSubspace
3250         https://bugs.webkit.org/show_bug.cgi?id=193713
3251
3252         Reviewed by Saam Barati.
3253
3254         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3255         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3256         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3257         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3258         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references from builtins since they are no longer
3259         referenced.
3260
3261         * CMakeLists.txt:
3262         * JavaScriptCore.xcodeproj/project.pbxproj:
3263         * Sources.txt:
3264         * builtins/BuiltinNames.h:
3265         * interpreter/Interpreter.h:
3266         * runtime/Error.cpp:
3267         (JSC::createEvalError):
3268         (JSC::createRangeError):
3269         (JSC::createReferenceError):
3270         (JSC::createSyntaxError):
3271         (JSC::createTypeError):
3272         (JSC::createURIError):
3273         (WTF::printInternal): Deleted.
3274         * runtime/Error.h:
3275         * runtime/ErrorPrototype.cpp:
3276         (JSC::ErrorPrototype::create):
3277         (JSC::ErrorPrototype::finishCreation):
3278         * runtime/ErrorPrototype.h:
3279         (JSC::ErrorPrototype::create): Deleted.
3280         * runtime/ErrorType.cpp: Added.
3281         (JSC::errorTypeName):
3282         (WTF::printInternal):
3283         * runtime/ErrorType.h: Added.
3284         * runtime/JSGlobalObject.cpp:
3285         (JSC::JSGlobalObject::initializeErrorConstructor):
3286         (JSC::JSGlobalObject::init):
3287         (JSC::JSGlobalObject::visitChildren):
3288         * runtime/JSGlobalObject.h:
3289         (JSC::JSGlobalObject::internalPromiseConstructor const):
3290         (JSC::JSGlobalObject::errorStructure const):
3291         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3292         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3293         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3294         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3295         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3296         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3297         * runtime/NativeErrorConstructor.cpp:
3298         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3299         (JSC::NativeErrorConstructorBase::finishCreation):
3300         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3301         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3302         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3303         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3304         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3305         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3306         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3307         * runtime/NativeErrorConstructor.h:
3308         (JSC::NativeErrorConstructorBase::createStructure):
3309         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3310         * runtime/NativeErrorPrototype.cpp:
3311         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3312         * runtime/NativeErrorPrototype.h:
3313         * runtime/VM.cpp:
3314         (JSC::VM::VM):
3315         * runtime/VM.h:
3316         * wasm/js/WasmToJS.cpp:
3317         (JSC::Wasm::handleBadI64Use):
3318
3319 2019-01-25  Devin Rousso  <drousso@apple.com>
3320
3321         Web Inspector: provide a way to edit page settings on a remote target
3322         https://bugs.webkit.org/show_bug.cgi?id=193813
3323         <rdar://problem/47359510>
3324
3325         Reviewed by Joseph Pecoraro.
3326
3327         * inspector/protocol/Page.json:
3328         Add `overrideSetting` command with supporting `Setting` enum type.
3329
3330 2019-01-25  Keith Rollin  <krollin@apple.com>
3331
3332         Update Xcode projects with "Check .xcfilelists" build phase
3333         https://bugs.webkit.org/show_bug.cgi?id=193790
3334         <rdar://problem/47201374>
3335
3336         Reviewed by Alex Christensen.
3337
3338         Support for XCBuild includes specifying inputs and outputs to various
3339         Run Script build phases. These inputs and outputs are specified as
3340         .xcfilelist files. Once created, these .xcfilelist files need to be
3341         kept up-to-date. In order to check that they are up-to-date or not,
3342         add an Xcode build step that invokes an external script that performs
3343         the checking. If the .xcfilelists are found to be out-of-date, update
3344         them, halt the build, and instruct the developer to restart the build
3345         with up-to-date files.
3346
3347         At this time, the checking and regenerating is performed only if the
3348         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3349         who want to use this facility can set this variable and test out the
3350         checking/regenerating. Once it seems like there are no egregious
3351         issues that upset a developer's workflow, we'll unconditionally enable
3352         this facility.
3353
3354         * JavaScriptCore.xcodeproj/project.pbxproj:
3355         * Scripts/check-xcfilelists.sh: Added.
3356
3357 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3358
3359         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3360         https://bugs.webkit.org/show_bug.cgi?id=193796
3361         <rdar://problem/47532910>
3362
3363         Reviewed by Devin Rousso.
3364
3365         * runtime/SamplingProfiler.cpp:
3366         (JSC::SamplingProfiler::machThread):
3367         * runtime/SamplingProfiler.h:
3368         Expose the mach_port_t of the SamplingProfiler thread
3369         so it can be tested against later.
3370
3371 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3372
3373         Fix Windows build after r240511
3374
3375         * bytecode/UnlinkedFunctionExecutable.cpp:
3376         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3377
3378 2019-01-25  Keith Rollin  <krollin@apple.com>
3379
3380         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3381         https://bugs.webkit.org/show_bug.cgi?id=193781
3382         <rdar://problem/47201153>
3383
3384         Reviewed by Alex Christensen.
3385
3386         Part of generating the .xcfilelists used as part of adopting XCBuild
3387         includes running `make DerivedSources.make` from a standalone script.
3388         It’s important for this invocation to have the same environment as
3389         when the actual build invokes `make DerivedSources.make`. If the
3390         environments are different, then the two invocations will provide
3391         different results. In order to get the same environment in the
3392         standalone script, have the script launch xcodebuild targeting the
3393         "Apply Configuration to XCFileLists" build target, which will then
3394         re-invoke our standalone script. The script is now running again, this
3395         time in an environment with all workspace, project, target, xcconfig
3396         and other environment variables established.
3397
3398         The "Apply Configuration to XCFileLists" build target accomplishes
3399         this task via a small embedded shell script that consists only of:
3400
3401             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3402
3403         The process that invokes "Apply Configuration to XCFileLists" first
3404         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3405         evaluated and exports it into the shell environment. When xcodebuild
3406         is invoked, it inherits the value of this variable and can `eval` the
3407         contents of that variable. Our external standalone script can then set
3408         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3409         of command-line parameters needed to restart itself in the appropriate
3410         state.
3411
3412         * JavaScriptCore.xcodeproj/project.pbxproj:
3413
3414 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3415
3416         Add API to generate and consume cached bytecode
3417         https://bugs.webkit.org/show_bug.cgi?id=193401
3418         <rdar://problem/47514099>
3419
3420         Reviewed by Keith Miller.
3421
3422         Add the `generateBytecode` and `generateModuleBytecode` functions to
3423         generate serialized bytecode for a given `SourceCode`. These functions
3424         will eagerly generate code for all the nested functions.
3425
3426         Additionally, update the API methods in JSScript to generate and use the
3427         bytecode when the bytecodeCache path is provided.
3428
3429         * API/JSAPIGlobalObject.mm:
3430         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3431         * API/JSContext.mm:
3432         (-[JSContext wrapperMap]):
3433         * API/JSContextInternal.h:
3434         * API/JSScript.mm:
3435         (+[JSScript scriptWithSource:inVirtualMachine:]):
3436         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3437         (-[JSScript dealloc]):
3438         (-[JSScript readCache]):
3439         (-[JSScript writeCache]):
3440         (-[JSScript hash]):
3441         (-[JSScript source]):
3442         (-[JSScript cachedBytecode]):
3443         (-[JSScript jsSourceCode:]):
3444         * API/JSScriptInternal.h:
3445         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3446         (JSScriptSourceProvider::create):
3447         (JSScriptSourceProvider::JSScriptSourceProvider):
3448         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3449         (JSScriptSourceProvider::hash const):
3450         (JSScriptSourceProvider::source const):
3451         (JSScriptSourceProvider::cachedBytecode const):
3452         * API/JSVirtualMachine.mm:
3453         (-[JSVirtualMachine vm]):
3454         * API/JSVirtualMachineInternal.h:
3455         * API/tests/testapi.mm:
3456         (testBytecodeCache):
3457         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3458         (testObjectiveCAPI):
3459         * JavaScriptCore.xcodeproj/project.pbxproj:
3460         * SourcesCocoa.txt:
3461         * bytecode/UnlinkedFunctionExecutable.cpp:
3462         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3463         * bytecode/UnlinkedFunctionExecutable.h:
3464         * parser/SourceCodeKey.h:
3465         (JSC::SourceCodeKey::source const):
3466         * parser/SourceProvider.h:
3467         (JSC::CachedBytecode::CachedBytecode):
3468         (JSC::CachedBytecode::operator=):
3469         (JSC::CachedBytecode::data const):
3470         (JSC::CachedBytecode::size const):
3471         (JSC::CachedBytecode::owned const):
3472         (JSC::CachedBytecode::~CachedBytecode):
3473         (JSC::CachedBytecode::freeDataIfOwned):
3474         (JSC::SourceProvider::cachedBytecode const):
3475         * parser/UnlinkedSourceCode.h:
3476         (JSC::UnlinkedSourceCode::provider const):
3477         * runtime/CodeCache.cpp:
3478         (JSC::generateUnlinkedCodeBlockForFunctions):
3479         (JSC::writeCodeBlock):
3480         (JSC::serializeBytecode):
3481         * runtime/CodeCache.h:
3482         (JSC::CodeCacheMap::fetchFromDiskImpl):
3483         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3484         (JSC::generateUnlinkedCodeBlockImpl):
3485         (JSC::generateUnlinkedCodeBlock):
3486         * runtime/Completion.cpp:
3487         (JSC::generateBytecode):
3488         (JSC::generateModuleBytecode):
3489         * runtime/Completion.h:
3490         * runtime/Options.cpp:
3491         (JSC::recomputeDependentOptions):
3492
3493 2019-01-25  Keith Rollin  <krollin@apple.com>
3494
3495         Update WebKitAdditions.xcconfig with correct order of variable definitions
3496         https://bugs.webkit.org/show_bug.cgi?id=193793
3497         <rdar://problem/47532439>
3498
3499         Reviewed by Alex Christensen.
3500
3501         XCBuild changes the way xcconfig variables are evaluated. In short,
3502         all config file assignments are now considered as part of the
3503         evaluation. When using the new build system and an .xcconfig file
3504         contains multiple assignments of the same build setting:
3505
3506         - Later assignments using $(inherited) will inherit from earlier
3507           assignments in the xcconfig file.
3508         - Later assignments not using $(inherited) will take precedence over
3509           earlier assignments. An assignment to a more general setting will
3510           mask an earlier assignment to a less general setting. For example,
3511           an assignment without a condition ('FOO = bar') will completely mask
3512           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3513
3514         This affects some of our .xcconfig files, in that sometimes platform-
3515         or sdk-specific definitions appear before the general definitions.
3516         Under the new evaluation rules, the general definitions always take
3517         effect because they always overwrite the more-specific definitions. The
3518         solution is to swap the order, so that the general definitions are
3519         established first, and then conditionally overwritten by the
3520         more-specific definitions.
3521
3522         * Configurations/Version.xcconfig:
3523
3524 2019-01-25  Keith Rollin  <krollin@apple.com>
3525
3526         Update existing .xcfilelists
3527         https://bugs.webkit.org/show_bug.cgi?id=193791
3528         <rdar://problem/47201706>
3529
3530         Reviewed by Alex Christensen.
3531
3532         Many .xcfilelist files were added in r238824 in order to support
3533         XCBuild. Update these with recent changes to the set of build files
3534         and with the current generate-xcfilelist script.
3535
3536         * DerivedSources-input.xcfilelist:
3537         * DerivedSources-output.xcfilelist:
3538         * UnifiedSources-input.xcfilelist:
3539         * UnifiedSources-output.xcfilelist:
3540
3541 2019-01-25  Jon Davis  <jond@apple.com>
3542
3543         Update JavaScriptCore feature status entries.
3544         https://bugs.webkit.org/show_bug.cgi?id=193797
3545
3546         Reviewed by Mark Lam.
3547         
3548         Updated feature status for Async Iteration, and Object rest/spread.
3549
3550         * features.json:
3551
3552 2019-01-24  Keith Miller  <keith_miller@apple.com>
3553
3554         Remove usage of internal macro from private header
3555         https://bugs.webkit.org/show_bug.cgi?id=193809
3556
3557         Reviewed by Saam Barati.
3558
3559         Also, add a new file to include all of our API headers to make sure
3560         they don't accidentally include C++ or internal values.
3561
3562         * API/JSScript.h:
3563         * API/tests/testIncludes.m: Added.
3564         * JavaScriptCore.xcodeproj/project.pbxproj:
3565
3566 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3567
3568         [JSC] ErrorConstructor should not have own IsoSubspace
3569         https://bugs.webkit.org/show_bug.cgi?id=193800
3570
3571         Reviewed by Saam Barati.
3572
3573         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3574         IsoSubspace errorConstructorSpace in VM. But only one is allocated per JSGlobalObject, and it is
3575         too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
3576         JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3577         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3578         into IsoSubspaces) described,
3579
3580             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3581             appear to just override methods, which are called dynamically via the structure or class of the object.
3582             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3583
3584         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3585         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3586         This reduces the memory usage.
3587
3588         * interpreter/Interpreter.h:
3589         * runtime/Error.cpp:
3590         (JSC::getStackTrace):
3591         * runtime/ErrorConstructor.cpp:
3592         (JSC::ErrorConstructor::ErrorConstructor):
3593         (JSC::ErrorConstructor::finishCreation):
3594         (JSC::constructErrorConstructor):
3595         (JSC::callErrorConstructor):
3596         (JSC::ErrorConstructor::put):
3597         (JSC::ErrorConstructor::deleteProperty):
3598         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3599         (JSC::Interpreter::callErrorConstructor): Deleted.
3600         * runtime/ErrorConstructor.h:
3601         * runtime/JSGlobalObject.cpp:
3602         (JSC::JSGlobalObject::JSGlobalObject):
3603         (JSC::JSGlobalObject::init):
3604         (JSC::JSGlobalObject::visitChildren):
3605         * runtime/JSGlobalObject.h:
3606         (JSC::JSGlobalObject::stackTraceLimit const):
3607         (JSC::JSGlobalObject::setStackTraceLimit):
3608         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3609         * runtime/VM.cpp:
3610         (JSC::VM::VM):
3611         * runtime/VM.h:
3612
3613 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3614
3615         Web Inspector: CPU Usage Timeline
3616         https://bugs.webkit.org/show_bug.cgi?id=193730
3617         <rdar://problem/46797201>
3618
3619         Reviewed by Devin Rousso.
3620
3621         * CMakeLists.txt:
3622         * DerivedSources-input.xcfilelist:
3623         * DerivedSources.make:
3624         New files.
3625
3626         * inspector/protocol/CPUProfiler.json: Added.
3627         New domain that follows the pattern of Memory/ScriptProfiler.
3628
3629         * inspector/protocol/Timeline.json:
3630         New enum to auto-start a CPU instrument in the backend.
3631
3632 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3633
3634         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3635         https://bugs.webkit.org/show_bug.cgi?id=193774
3636
3637         Reviewed by Mark Lam.
3638
3639         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3640         But since IsoSubspace requires the memory layout of instances to be the same, we created a different IsoSubspace
3641         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3642         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
3643         for these two constructor instances. There are only two instances per JSGlobalObject.
3644
3645         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3646         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3647         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3648         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3649         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3650         for ArrayBufferConstructors, and reduces the memory usage.
3651
3652         * runtime/JSArrayBufferConstructor.cpp:
3653         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3654         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3655         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3656         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3657         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3658         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3659         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3660         (JSC::JSArrayBufferConstructor::create): Deleted.
3661         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3662         (JSC::constructArrayBuffer): Deleted.
3663         * runtime/JSArrayBufferConstructor.h:
3664         * runtime/JSGlobalObject.cpp:
3665         (JSC::JSGlobalObject::init):
3666         * runtime/JSGlobalObject.h:
3667         * runtime/VM.cpp:
3668         (JSC::VM::VM):
3669         * runtime/VM.h:
3670
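The two IsoSubspace entries above (ErrorConstructor and ArrayBufferConstructor/SharedArrayBufferConstructor, both 2019-01-24) rest on one condition: a subclass may share InternalFunction's IsoSubspace only when sizeof(subclass) == sizeof(InternalFunction), so that a cell reused for another kind of InternalFunction keeps the same size and layout. The following is an added example written for this page, not JavaScriptCore's code. It assumes an illustrative InternalFunction layout (a vtable pointer and two pointer fields), shows the field-based constructor beside the template-parameter form the ArrayBuffer patch adopts, checks the sharing condition at compile time, and uses a toy fixed-cell-size subspace (a model of the IsoSubspace idea, not its implementation; the FixedCellSubspace and demoSharedSubspaceReuse names are this example's own) to show a freed Default-mode cell being reused for a Shared-mode constructor.

```cpp
#include <cstddef>
#include <cstdio>
#include <new>
#include <type_traits>
#include <utility>
#include <vector>

// Stand-in for JSC::InternalFunction: a vtable pointer plus two pointer-sized
// fields. The layout is an assumption for this example, not the real class.
class InternalFunction {
public:
    virtual ~InternalFunction() = default;
private:
    void* m_structure = nullptr;
    void* m_globalObject = nullptr;
};

enum class ArrayBufferSharingMode { Default, Shared };

// The shape the entries reject: one extra field makes the subclass larger than
// InternalFunction, so it would need its own IsoSubspace (a 16KB page).
class FieldBasedArrayBufferConstructor : public InternalFunction {
public:
    explicit FieldBasedArrayBufferConstructor(ArrayBufferSharingMode mode) : m_mode(mode) { }
    ArrayBufferSharingMode sharingMode() const { return m_mode; }
private:
    ArrayBufferSharingMode m_mode;
};

// The shape the ArrayBufferConstructor patch adopts: the mode is a template
// parameter, so instances carry no extra state and keep the base class size.
template<ArrayBufferSharingMode mode>
class JSGenericArrayBufferConstructor : public InternalFunction {
public:
    ArrayBufferSharingMode sharingMode() const { return mode; }
};
using JSArrayBufferConstructor = JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>;
using JSSharedArrayBufferConstructor = JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared>;

// The sharing condition from the entries: a type may live in InternalFunction's
// IsoSubspace only if it is an InternalFunction of exactly the same size.
template<typename T>
constexpr bool fitsInternalFunctionSubspace()
{
    return std::is_base_of<InternalFunction, T>::value && sizeof(T) == sizeof(InternalFunction);
}

static_assert(fitsInternalFunctionSubspace<JSArrayBufferConstructor>(), "template form keeps the base size");
static_assert(fitsInternalFunctionSubspace<JSSharedArrayBufferConstructor>(), "template form keeps the base size");
static_assert(!fitsInternalFunctionSubspace<FieldBasedArrayBufferConstructor>(), "an extra field grows the cell");

// Toy fixed-cell-size subspace (a model of the IsoSubspace idea, not its code):
// every cell has the same size and a freed cell is recycled for any type of
// exactly that size. Cells still live when the subspace dies are leaked on purpose.
template<size_t cellSize>
class FixedCellSubspace {
public:
    template<typename T, typename... Args>
    T* allocate(Args&&... args)
    {
        static_assert(sizeof(T) == cellSize, "type does not fit this subspace's cell size");
        void* cell = nullptr;
        if (!m_freeList.empty()) {
            cell = m_freeList.back();
            m_freeList.pop_back();
            ++m_reusedCells;
        } else
            cell = ::operator new(cellSize);
        return new (cell) T(std::forward<Args>(args)...);
    }
    template<typename T>
    void deallocate(T* object)
    {
        object->~T();
        m_freeList.push_back(object); // storage goes back on the free list
    }
    size_t reusedCells() const { return m_reusedCells; }
    ~FixedCellSubspace()
    {
        for (void* cell : m_freeList)
            ::operator delete(cell);
    }
private:
    std::vector<void*> m_freeList;
    size_t m_reusedCells = 0;
};

// Allocate a Default-mode constructor, free it, then allocate a Shared-mode one
// from the same InternalFunction-sized subspace: the second allocation reuses
// the first cell, the situation the quoted r230813 text argues is safe when
// sizes match. Returns the number of reused cells (1).
size_t demoSharedSubspaceReuse()
{
    FixedCellSubspace<sizeof(InternalFunction)> internalFunctionSpace;
    auto* plain = internalFunctionSpace.allocate<JSArrayBufferConstructor>();
    internalFunctionSpace.deallocate(plain);
    auto* shared = internalFunctionSpace.allocate<JSSharedArrayBufferConstructor>();
    size_t reused = internalFunctionSpace.reusedCells();
    internalFunctionSpace.deallocate(shared);
    return reused;
}

int main()
{
    std::printf("sizeof: base=%zu field-based=%zu template=%zu, reused cells=%zu\n", sizeof(InternalFunction),
        sizeof(FieldBasedArrayBufferConstructor), sizeof(JSArrayBufferConstructor), demoSharedSubspaceReuse());
    return 0;
}
```

The static_asserts are the check a reviewer would want on such a patch: they fail to compile the moment someone adds a field to the template form, which is exactly when the class would silently stop qualifying for the shared subspace.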
3671 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3672
3673         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3674         https://bugs.webkit.org/show_bug.cgi?id=190693
3675
3676         Reviewed by Michael Saboff.
3677
3678         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3679         This becomes true when we find the executable address in our conservative roots, which
3680         means that we could be executing it right now. This means that object liveness in
3681         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3682         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3683         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3684         executing JITStubRoutine because "Conservative Scan" finds it later.
3685         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3686         "Conservative Scan" has already finished, we do not delete some JITStubRoutines that did not
3687         mark their dependent objects. Then, in the next cycle, we find JITStubRoutines still live,
3688         attempt to mark the dependent objects, and encounter dead objects that were collected
3689         in previous cycles.
3690
3691         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3692         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
3693         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3694         GC stop time.
3695
3696         * heap/ConservativeRoots.h:
3697         (JSC::ConservativeRoots::roots const):
3698         (JSC::ConservativeRoots::roots): Deleted.
3699         * heap/Heap.cpp:
3700         (JSC::Heap::addCoreConstraints):
3701         * heap/SlotVisitor.cpp:
3702         (JSC::SlotVisitor::append):
3703         * heap/SlotVisitor.h:
3704         * jit/GCAwareJITStubRoutine.cpp:
3705         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3706         * jit/GCAwareJITStubRoutine.h:
3707
3708 2019-01-24  Saam Barati  <sbarati@apple.com>
3709
3710         Update ARM64EHash
3711         https://bugs.webkit.org/show_bug.cgi?id=193776
3712         <rdar://problem/47526457>
3713
3714         Reviewed by Mark Lam.
3715
3716         See radar for details.
3717
3718         * assembler/AssemblerBuffer.h:
3719         (JSC::ARM64EHash::update):
3720         (JSC::ARM64EHash::finalHash const):
3721
3722 2019-01-24  Saam Barati  <sbarati@apple.com>
3723
3724         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3725         https://bugs.webkit.org/show_bug.cgi?id=193751
3726         <rdar://problem/47280215>
3727
3728         Reviewed by Michael Saboff.
3729
3730         The Object Allocation Sinking phase may move allocations around inside
3731         of the program. However, it was not ensuring that it's still possible 
3732         to walk the stack at the point in the program that it moved the allocation to.
3733         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3734         All allocation sites can do a stack walk (we do a stack walk when we GC).
3735         Conservatively, this patch says we're ok to move this allocation if we are
3736         moving within the same InlineCallFrame. We could be more precise and do an
3737         analysis of stack writes. However, this scenario is so rare that we just
3738         take the conservative-and-straight-forward approach of checking that the place
3739         we're moving to is the same InlineCallFrame as the allocation site.
3740         
3741         In general, this issue arises anytime we do any kind of code motion.
3742         Interestingly, LICM gets this right. It gets it right because the only
3743         InlineCallFrames we can't move out of are the InlineCallFrames that
3744         have metadata stored on the stack (callee for closure calls and argument
3745         count for varargs calls). LICM doesn't have this issue because it relies
3746         on Clobberize for doing its effects analysis. In clobberize, we model every
3747         node within an InlineCallFrame that meets the above criteria as reading
3748         from those stack fields. Consequently, LICM won't hoist any node in that
3749         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3750         we generate to set up such an InlineCallFrame contains writes to that
3751         stack location.
3752
3753         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3754
3755 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3756
3757         [JSC] Reenable baseline JIT on mips
3758         https://bugs.webkit.org/show_bug.cgi?id=192983
3759
3760         Reviewed by Mark Lam.
3761
3762         Use $s0 as metadata register and make sure it's properly saved and
3763         restored.
3764
3765         * jit/GPRInfo.h:
3766         * jit/RegisterSet.cpp:
3767         (JSC::RegisterSet::vmCalleeSaveRegisters):
3768         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3769         * llint/LowLevelInterpreter.asm:
3770         * offlineasm/mips.rb:
3771
3772 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
3773
3774         [GLIB] Expose JavaScriptCore options in GLib public API
3775         https://bugs.webkit.org/show_bug.cgi?id=188742
3776
3777         Reviewed by Michael Catanzaro.
3778
3779         Add new API to set, get and iterate JSC options.
3780
3781         * API/glib/JSCOptions.cpp: Added.
3782         (valueFromGValue):
3783         (valueToGValue):
3784         (jscOptionsSetValue):
3785         (jscOptionsGetValue):
3786         (jsc_options_set_boolean):
3787         (jsc_options_get_boolean):
3788         (jsc_options_set_int):
3789         (jsc_options_get_int):
3790         (jsc_options_set_uint):
3791         (jsc_options_get_uint):
3792         (jsc_options_set_size):
3793         (jsc_options_get_size):
3794         (jsc_options_set_double):
3795         (jsc_options_get_double):
3796         (jsc_options_set_string):
3797         (jsc_options_get_string):
3798         (jsc_options_set_range_string):
3799         (jsc_options_get_range_string):
3800         (jscOptionsType):
3801         (jsc_options_foreach):
3802         (setOptionEntry):
3803         (jsc_options_get_option_group):
3804         * API/glib/JSCOptions.h: Added.
3805         * API/glib/docs/jsc-glib-4.0-sections.txt:
3806         * API/glib/docs/jsc-glib-docs.sgml:
3807         * API/glib/jsc.h:
3808         * GLib.cmake:
3809
3810 2019-01-23  Mark Lam  <mark.lam@apple.com>
3811
3812         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
3813         https://bugs.webkit.org/show_bug.cgi?id=193744
3814         <rdar://problem/46262952>
3815
3816         Reviewed by Saam Barati.
3817
3818         * assembler/LinkBuffer.cpp:
3819         (JSC::LinkBuffer::copyCompactAndLinkCode):
3820
3821 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3822
3823         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3824         https://bugs.webkit.org/show_bug.cgi?id=193711
3825         <rdar://problem/47250262>
3826
3827         Reviewed by Saam Barati.
3828
3829         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
3830         making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform forward analysis.
3831         We first clear the availability of all basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block to
3832         ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
3833         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability in the head
3834         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
3835         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
3836         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
3837         as follows.
3838
3839             BB0 -> BB1 -> BB2 -> BB4
3840              |        \        ^
3841              v          > BB3 /
3842             BB5
3843
3844         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
3845
3846             BB0 does nothing
3847                 head: loc1 is dead
3848                 tail: loc1 is dead
3849
3850             BB1 has MovHint @1, loc1
3851                 head: loc1 is dead
3852                 tail: loc1 is live
3853
3854             BB2 does nothing
3855                 head: loc1 is live
3856                 tail: loc1 is live
3857
3858             BB3 has PutStack @1, loc1
3859                 head: loc1 is live
3860                 tail: loc1 is live
3861
3862             BB4 has OSR exit using loc1
3863                 head: loc1 is live
3864                 tail: loc1 is live (in bytecode)
3865
3866             BB5 does nothing
3867                 head: loc1 is dead
3868                 tail: loc1 is dead
3869
3870         In our OSR Availability analysis, we always prune loc1's result at BB1's head since its head says "loc1 is dead".
3871         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
3872
3873         So, the flush format of loc1 in each tail of BB is like this.
3874
3875             BB0
3876                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
3877             BB1
3878                 DeadFlush+@1 (pruning clears it)
3879             BB2
3880                 DeadFlush+@1 (since it is propagated from BB1)
3881             BB3
3882                 FlushedJSValue+@1 with loc1 (since it has PutStack)
3883             BB4
3884                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
3885             BB5
3886                 DeadFlush (pruning clears it)
3887
3888         Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
3889         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
3890
3891         * dfg/DFGAvailabilityMap.cpp:
3892         (JSC::DFG::AvailabilityMap::pruneByLiveness): When p
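As an added illustration of the AvailabilityMap::pruneByLiveness entry above (example code written for this page, not JavaScriptCore's DFG code): a toy C++ model of the forward availability analysis over the six-block CFG drawn in the entry, tracking only the flush format of loc1. The lattice, the merge rule (DeadFlush is BOTTOM, ConflictingFlush is TOP), the root-block initialization and the pruning by bytecode liveness follow the entry's description; the Block struct, the function names and the fixed-point loop are this example's own simplifications. Running both pruning variants reproduces the table of tail formats in the entry and shows why clearing to DeadFlush lets BB4's OSR exit read loc1 from the stack along BB0->BB1->BB2->BB4, while pruning to unavailable (ConflictingFlush) does not.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Lattice of flush formats for one operand, as the entry describes it:
// DeadFlush is BOTTOM (the empty set), ConflictingFlush is TOP.
enum class Flush { Dead, JSValue, Conflicting };

const char* flushName(Flush f)
{
    if (f == Flush::Dead)
        return "DeadFlush";
    return f == Flush::JSValue ? "FlushedJSValue" : "ConflictingFlush";
}

// Merge rule: BOTTOM is the identity, two different non-bottom formats give TOP.
Flush mergeFlush(Flush a, Flush b)
{
    if (a == b || b == Flush::Dead)
        return a;
    if (a == Flush::Dead)
        return b;
    return Flush::Conflicting;
}

struct Block {
    std::vector<int> successors;
    bool loc1LiveAtHead; // bytecode liveness of loc1 at the head of the block
    bool hasPutStack;    // "PutStack @1, loc1": loc1 is FlushedJSValue at the tail
};

// The six-block CFG from the entry, with the block contents it lists:
//   BB0 -> BB1 -> BB2 -> BB4,  BB1 -> BB3 -> BB4,  BB0 -> BB5
static const std::array<Block, 6> kBlocks = { {
    { { 1, 5 }, false, false }, // BB0: does nothing, loc1 dead
    { { 2, 3 }, false, false }, // BB1: MovHint @1, loc1 (flush format unchanged)
    { { 4 }, true, false },     // BB2: does nothing, loc1 live
    { { 4 }, true, true },      // BB3: PutStack @1, loc1
    { {}, true, false },        // BB4: OSR exit that recovers loc1
    { {}, false, false },       // BB5: does nothing, loc1 dead
} };

// Pruning by bytecode liveness at a block head. Before the fix a dead operand
// was cleared to BOTTOM (DeadFlush); the fix sets it to TOP, which is what
// Availability::unavailable() (ConflictingFlush) means.
Flush pruneByLiveness(Flush f, bool liveAtHead, bool pruneToUnavailable)
{
    if (liveAtHead)
        return f;
    return pruneToUnavailable ? Flush::Conflicting : Flush::Dead;
}

// Forward analysis to a fixed point; returns loc1's flush format at each tail.
// Root-block locals start as ConflictingFlush and the root head is never
// pruned, matching the entry.
std::array<Flush, 6> analyzeFlush(bool pruneToUnavailable)
{
    std::array<Flush, 6> head;
    std::array<Flush, 6> tail;
    head.fill(Flush::Dead);
    tail.fill(Flush::Dead);
    head[0] = Flush::Conflicting;

    for (bool changed = true; changed;) {
        changed = false;
        for (size_t i = 0; i < kBlocks.size(); ++i) {
            Flush newTail = kBlocks[i].hasPutStack ? Flush::JSValue : head[i];
            if (newTail != tail[i]) {
                tail[i] = newTail;
                changed = true;
            }
            for (int s : kBlocks[i].successors) {
                Flush merged = pruneByLiveness(mergeFlush(head[s], tail[i]), kBlocks[s].loc1LiveAtHead, pruneToUnavailable);
                if (merged != head[s]) {
                    head[s] = merged;
                    changed = true;
                }
            }
        }
    }
    return tail;
}

// True when the analysis claims loc1 is flushed at BB4's OSR exit, so the exit
// would read it from the stack. Nothing writes loc1 to the stack along
// BB0->BB1->BB2->BB4, so "true" is the bug the entry fixes.
bool osrExitReadsLoc1FromStack(bool pruneToUnavailable)
{
    return analyzeFlush(pruneToUnavailable)[4] == Flush::JSValue;
}

int main()
{
    for (bool fixed : { false, true }) {
        std::array<Flush, 6> tail = analyzeFlush(fixed);
        std::printf("prune to %s:\n", fixed ? "unavailable (fixed)" : "DeadFlush (buggy)");
        for (size_t i = 0; i < tail.size(); ++i)
            std::printf("  BB%zu tail: %s\n", i, flushName(tail[i]));
        std::printf("  BB4 exit reads loc1 from stack: %s\n", osrExitReadsLoc1FromStack(fixed) ? "yes" : "no");
    }
    return 0;
}
```

With the buggy pruning the tail formats come out exactly as the entry's table (DeadFlush at BB1 and BB2, FlushedJSValue at BB3 and BB4, because MERGE(DeadFlush, FlushedJSValue) is FlushedJSValue). With pruning to unavailable, BB4 merges ConflictingFlush with FlushedJSValue to ConflictingFlush, so the exit recovers loc1 from its node rather than from a stack slot that was never written on one of the incoming paths.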