Unreviewed, rolling out r241612.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, and Global function from function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData.
        It also kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

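The defect class behind the entry above, as an added example that is not WebKit's code: a Unicode-aware (/u) matcher that, on seeing a lead surrogate, reads the next UTF-16 unit to assemble a code point. Without a bounds check that read runs one unit past the end of the subject string. The function and variable names are hypothetical; the generated YarrJIT code is not shown on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

static bool isLeadSurrogate(char16_t unit) { return unit >= 0xD800 && unit <= 0xDBFF; }
static bool isTrailSurrogate(char16_t unit) { return unit >= 0xDC00 && unit <= 0xDFFF; }

// Decodes the code point starting at subject[index] and reports how many
// UTF-16 units it consumed (1 or 2). A lead surrogate at the very end of the
// subject, or one not followed by a trail surrogate, is returned as-is
// (a lone surrogate), which is how /u regexps treat it.
uint32_t codePointAt(const std::vector<char16_t>& subject, size_t index, size_t& unitsConsumed)
{
    char16_t lead = subject.at(index); // at() throws instead of reading out of bounds
    unitsConsumed = 1;
    if (!isLeadSurrogate(lead))
        return lead;
    // The in-bounds check this ChangeLog entry adds: only peek at the next
    // unit if there is one.
    if (index + 1 >= subject.size())
        return lead;
    char16_t trail = subject[index + 1];
    if (!isTrailSurrogate(trail))
        return lead;
    unitsConsumed = 2;
    return 0x10000 + ((static_cast<uint32_t>(lead) - 0xD800) << 10) + (trail - 0xDC00);
}

// Equivalent of matching one fixed pattern character in /u mode at a
// position: true if the code point at subject[index] equals `wanted`.
bool matchesPatternCharacter(const std::vector<char16_t>& subject, size_t index, uint32_t wanted)
{
    if (index >= subject.size())
        return false;
    size_t consumed = 0;
    return codePointAt(subject, index, consumed) == wanted;
}

// Number of code points in the subject, decoding surrogate pairs.
size_t countCodePoints(const std::vector<char16_t>& subject)
{
    size_t count = 0;
    for (size_t i = 0; i < subject.size();) {
        size_t consumed = 0;
        codePointAt(subject, i, consumed);
        i += consumed;
        ++count;
    }
    return count;
}

int main()
{
    // Constructed inputs: U+1F600 as a surrogate pair, and "a" followed by a
    // lone lead surrogate at the end of the string.
    const std::vector<char16_t> emoji { 0xD83D, 0xDE00 };
    const std::vector<char16_t> truncated { u'a', 0xD83D };
    return matchesPatternCharacter(emoji, 0, 0x1F600) && !matchesPatternCharacter(truncated, 1, 0x1F600) ? 0 : 1;
}
```

The second input is the one the fix is about: the lead surrogate is the last unit, so a matcher that unconditionally reads `subject[index + 1]` reads one unit past the buffer.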
2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. Should not allocate extra memory for that.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

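Why the escaping in the entry above matters, as an added example that is not WebKit's code: profiler output carries function names and source URLs that the profiled script can choose (Function.prototype.name, a sourceURL directive), so a quote or newline in them either breaks the JSON or lets the script inject fields into the record. The escaping routine and the two record builders below are hypothetical names; the unescaped builder exists only to show the injection.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Produces a quoted JSON string literal for `input`, escaping the characters
// RFC 8259 requires: quote, backslash, and all control characters below 0x20.
// Bytes >= 0x80 are UTF-8 lead/continuation bytes and pass through unchanged.
std::string escapeJSONString(const std::string& input)
{
    std::string out;
    out.reserve(input.size() + 2);
    out.push_back('"');
    for (unsigned char c : input) {
        switch (c) {
        case '"': out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                // Other control characters get the generic \uXXXX form.
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", c);
                out += buf;
            } else {
                out.push_back(static_cast<char>(c));
            }
        }
    }
    out.push_back('"');
    return out;
}

// A stack frame record of the kind a sampling profiler serializes, with every
// script-influenced string passed through escapeJSONString.
std::string stackFrameAsJSON(const std::string& functionName, const std::string& url, unsigned line)
{
    return "{\"name\":" + escapeJSONString(functionName)
        + ",\"url\":" + escapeJSONString(url)
        + ",\"line\":" + std::to_string(line) + "}";
}

// The pre-fix shape: raw interpolation. A name containing a quote closes the
// "name" value early and the rest of the name becomes JSON of the script's choosing.
std::string stackFrameAsJSONUnescaped(const std::string& functionName, const std::string& url, unsigned line)
{
    return "{\"name\":\"" + functionName + "\",\"url\":\"" + url + "\",\"line\":" + std::to_string(line) + "}";
}

int main()
{
    // Constructed function name: what a script gets by defining a function and
    // assigning Function.prototype.name via Object.defineProperty.
    const std::string injected = "f\",\"admin\":true,\"x\":\"";
    bool escapedIsClean = stackFrameAsJSON(injected, "u", 1).find("\"admin\":true") == std::string::npos;
    bool rawIsInjected = stackFrameAsJSONUnescaped(injected, "u", 1).find("\"admin\":true") != std::string::npos;
    return escapedIsClean && rawIsInjected ? 0 : 1;
}
```

The check in `main` is the one a reviewer would run on any JSON emitter that concatenates: feed it a value containing `",` and confirm the extra key does not appear as a key in the output.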
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer into a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

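The publication race described in the six steps above, as an added example that is not WebKit's code: a process-wide worklist is created once through call_once and published in a global pointer, while a VM destructor on another thread reads that pointer without taking the call_once lock. The fix is the same shape as the entry's: order the constructor's stores before the pointer store (a release store here, in place of the explicit store-store fence), and order the lock-free reader's pointer load before its field loads (acquire). Names are hypothetical.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

struct Worklist {
    // Fields the constructor fills in; a reader must never see them half-written.
    uint32_t magic;
    std::vector<int> plans;
    explicit Worklist(size_t capacity) : magic(0xC0FFEE), plans(capacity, 1) { }
};

static std::atomic<Worklist*> g_worklist { nullptr };
static std::once_flag g_worklistOnce;

// Slow path (a VM that needs to compile): construct once, then publish.
Worklist& ensureGlobalWorklist()
{
    std::call_once(g_worklistOnce, [] {
        Worklist* list = new Worklist(16);
        // Release store: every store made by the constructor happens-before any
        // acquire load that observes this pointer. A plain store would let a
        // lock-free reader see the pointer before the object's fields.
        g_worklist.store(list, std::memory_order_release);
    });
    return *g_worklist.load(std::memory_order_acquire);
}

// Fast path (VM destructor): look, but never create.
Worklist* existingGlobalWorklistOrNull()
{
    return g_worklist.load(std::memory_order_acquire);
}

// Runs the scenario: one thread polls the global as a destructor would while
// another thread creates the worklist. Returns true if the reader only ever
// observed a fully constructed object.
bool observeOnlyFullyConstructedWorklist()
{
    std::atomic<bool> consistent { true };
    std::thread reader([&] {
        Worklist* list = nullptr;
        while (!(list = existingGlobalWorklistOrNull()))
            std::this_thread::yield();
        if (list->magic != 0xC0FFEE || list->plans.size() != 16)
            consistent = false;
    });
    std::thread creator([] { ensureGlobalWorklist(); });
    reader.join();
    creator.join();
    return consistent.load();
}

int main()
{
    return observeOnlyFullyConstructedWorklist() ? 0 : 1;
}
```

The scenario cannot force the racy interleaving on demand, so the check is a consistency invariant rather than a reproduction; on weakly ordered hardware (ARM64, where JSC runs) a relaxed publish with no fence is where the half-baked read in step 6 actually becomes observable.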
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since this entry point code is identical.
        We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
        allocations, which takes 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

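The bits-versus-bytes mix-up described above, as an added example that is not WebKit's code: a bit vector serialized into a bytecode cache record whose header stores the length in bits while the payload is a byte array. The decoder below shows the post-fix behaviour, validating the record length against what was read since cached bytecode is on-disk data; the helper after it measures what the pre-fix memcpy with the bit count would have written past the destination, without performing the write. Record layout and names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> storage; // exactly bytesForBits(numBits) bytes

    explicit BitVector(size_t bits = 0) : numBits(bits), storage(bytesForBits(bits), 0) { }
    static size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }
    void set(size_t i) { storage[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (storage[i / 8] & (1u << (i % 8))) != 0; }
};

// Record layout: uint32 numBits (little-endian), then the storage bytes.
std::vector<uint8_t> encode(const BitVector& bits)
{
    std::vector<uint8_t> out(4 + bits.storage.size());
    uint32_t n = static_cast<uint32_t>(bits.numBits);
    for (int i = 0; i < 4; ++i)
        out[i] = static_cast<uint8_t>(n >> (8 * i));
    std::memcpy(out.data() + 4, bits.storage.data(), bits.storage.size());
    return out;
}

// Returns false on a malformed or truncated record instead of trusting it.
bool decode(const uint8_t* data, size_t size, BitVector& out)
{
    if (size < 4)
        return false;
    uint32_t numBits = 0;
    for (int i = 0; i < 4; ++i)
        numBits |= static_cast<uint32_t>(data[i]) << (8 * i);
    size_t numBytes = BitVector::bytesForBits(numBits);
    if (size - 4 < numBytes)
        return false;
    out = BitVector(numBits);
    // The fix: copy bytesForBits(numBits) bytes, not numBits bytes.
    std::memcpy(out.storage.data(), data + 4, numBytes);
    return true;
}

// How many bytes a decoder that passed numBits to memcpy would write beyond a
// destination buffer of bytesForBits(numBits) bytes.
size_t overflowBytesIfCopiedInBits(size_t numBits)
{
    size_t capacity = BitVector::bytesForBits(numBits);
    return numBits > capacity ? numBits - capacity : 0;
}

int main()
{
    // Constructed input: a 70-bit vector, which needs 9 bytes of storage.
    BitVector v(70);
    v.set(0);
    v.set(69);
    std::vector<uint8_t> record = encode(v);
    BitVector back;
    bool ok = decode(record.data(), record.size(), back) && back.get(69) && !back.get(1);
    return ok && overflowBytesIfCopiedInBits(70) == 61 ? 0 : 1;
}
```

For the 70-bit vector the old copy length would have been 70 bytes into a 9-byte buffer, a 61-byte heap overflow on every decode of a cache file, which is why the length check sits in the decoder and not only in the encoder.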
2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, comparison of memory consumption becomes the following,
        because JSRopeString does not have StringImpl until it is resolved.

            sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases memory footprint. The point is that we need to
        account for newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString function.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of the operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and the average of the latter 5).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

687 2019-02-13  Saam Barati  <sbarati@apple.com>
688
689         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
690         https://bugs.webkit.org/show_bug.cgi?id=194610
691
692         Reviewed by Michael Saboff.
693
694         BinarySwitch might use the scratch register. We must model the
695         effects of that properly. This is already caught by our br-table
696         tests on arm64.
697
698         * wasm/WasmAirIRGenerator.cpp:
699         (JSC::Wasm::AirIRGenerator::addSwitch):
700
701 2019-02-13  Mark Lam  <mark.lam@apple.com>
702
703         Create a randomized free list for new StructureIDs on StructureIDTable resize.
704         https://bugs.webkit.org/show_bug.cgi?id=194566
705         <rdar://problem/47975502>
706
707         Reviewed by Michael Saboff.
708
709         Also isolate the 32-bit implementation of StructureIDTable more, so that the 64-bit
710         implementation is a little easier to read.
711
712         This patch appears to be perf neutral on JetStream2 (as run from the command line).
713
714         * runtime/StructureIDTable.cpp:
715         (JSC::StructureIDTable::StructureIDTable):
716         (JSC::StructureIDTable::makeFreeListFromRange):
717         (JSC::StructureIDTable::resize):
718         (JSC::StructureIDTable::allocateID):
719         (JSC::StructureIDTable::deallocateID):
720         * runtime/StructureIDTable.h:
721         (JSC::StructureIDTable::get):
722         (JSC::StructureIDTable::deallocateID):
723         (JSC::StructureIDTable::allocateID):
724         (JSC::StructureIDTable::flushOldTables):
725
726 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
727
728         VariableLengthObject::allocate<T> should initialize objects
729         https://bugs.webkit.org/show_bug.cgi?id=194534
730
731         Reviewed by Michael Saboff.
732
733         `buffer()` should not be called for empty VariableLengthObjects, but
734         these cases were not being caught due to the objects not being properly
735         initialized. Fix it so that allocate calls the constructor and fix the
736         assertion failures.
737
738         * runtime/CachedTypes.cpp:
739         (JSC::CachedObject::operator new):
740         (JSC::VariableLengthObject::allocate):
741         (JSC::CachedVector::encode):
742         (JSC::CachedVector::decode const):
743         (JSC::CachedUniquedStringImpl::decode const):
744         (JSC::CachedBitVector::encode):
745         (JSC::CachedBitVector::decode const):
746         (JSC::CachedArray::encode):
747         (JSC::CachedArray::decode const):
748         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
749         (JSC::CachedBigInt::decode const):
750
751 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
752
753         CodeBlocks read from disk should not be re-written
754         https://bugs.webkit.org/show_bug.cgi?id=194535
755
756         Reviewed by Michael Saboff.
757
758         Keep track of which CodeBlocks have been read from disk or have already
759         been serialized in CodeCache.
760
761         * runtime/CodeCache.cpp:
762         (JSC::CodeCache::write):
763         * runtime/CodeCache.h:
764         (JSC::SourceCodeValue::SourceCodeValue):
765         (JSC::CodeCacheMap::fetchFromDiskImpl):
766
767 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
768
769         SourceCode should be copied when generating bytecode for functions
770         https://bugs.webkit.org/show_bug.cgi?id=194536
771
772         Reviewed by Saam Barati.
773
774         The FunctionExecutable might be collected while generating the bytecode
775         for nested functions, in which case the SourceCode reference would no
776         longer be valid.
777
778         * runtime/CodeCache.cpp:
779         (JSC::generateUnlinkedCodeBlockForFunctions):
780
781 2019-02-12  Saam barati  <sbarati@apple.com>
782
783         JSScript needs to retain its cache path NSURL*
784         https://bugs.webkit.org/show_bug.cgi?id=194577
785
786         Reviewed by Tim Horton.
787
788         * API/JSScript.mm:
789         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
790         (-[JSScript dealloc]):
791
792 2019-02-12  Robin Morisset  <rmorisset@apple.com>
793
794         Make B3Value::returnsBool() more precise
795         https://bugs.webkit.org/show_bug.cgi?id=194457
796
797         Reviewed by Saam Barati.
798
799         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
800         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
801         No new tests added as this should be indirectly tested by the already existing tests.
802
803         * b3/B3Value.cpp:
804         (JSC::B3::Value::returnsBool const):
805
806 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
807
808         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
809         https://bugs.webkit.org/show_bug.cgi?id=194399
810         <rdar://problem/47889777>
811
812         * dfg/DFGDoesGC.cpp:
813         (JSC::DFG::doesGC):
814
815 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
816
817         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
818         https://bugs.webkit.org/show_bug.cgi?id=194370
819
820         Reviewed by Darin Adler.
821
822         Change a couple of WTFLogAlways calls to use g_warning, for good measure. Of course this isn't
823         necessary, but it will make errors more visible.
824
825         * inspector/remote/glib/RemoteInspectorGlib.cpp:
826         (Inspector::RemoteInspector::start):
827         (Inspector::dbusConnectionCallAsyncReadyCallback):
828         * inspector/remote/glib/RemoteInspectorServer.cpp:
829         (Inspector::RemoteInspectorServer::start):
830
831 2019-02-12  Andy Estes  <aestes@apple.com>
832
833         [iOSMac] Enable Parental Controls Content Filtering
834         https://bugs.webkit.org/show_bug.cgi?id=194521
835         <rdar://39732376>
836
837         Reviewed by Tim Horton.
838
839         * Configurations/FeatureDefines.xcconfig:
840
841 2019-02-11  Mark Lam  <mark.lam@apple.com>
842
843         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
844         https://bugs.webkit.org/show_bug.cgi?id=194512
845         <rdar://problem/47975465>
846
847         Reviewed by Yusuke Suzuki.
848
849         * runtime/StructureIDTable.cpp:
850         (JSC::StructureIDTable::StructureIDTable):
851         (JSC::StructureIDTable::allocateID):
852         (JSC::StructureIDTable::deallocateID):
853         * runtime/StructureIDTable.h:
854
855 2019-02-10  Mark Lam  <mark.lam@apple.com>
856
857         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
858         https://bugs.webkit.org/show_bug.cgi?id=194493
859         <rdar://problem/36380852>
860
861         Reviewed by Yusuke Suzuki.
862
863         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
864         however not good for performance and memory usage.  As such, a debug ASSERT will
865         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
866         possible to be instantiated with duplicate cases in
867         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
868
869         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
870         see duplicate cases.
871
872         * jit/BinarySwitch.cpp:
873         (JSC::BinarySwitch::BinarySwitch):
874
875 2019-02-10  Darin Adler  <darin@apple.com>
876
877         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
878         https://bugs.webkit.org/show_bug.cgi?id=194485
879
880         Reviewed by Daniel Bates.
881
882         * heap/HeapSnapshotBuilder.cpp:
883         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
884         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
885
886         * runtime/JSGlobalObjectFunctions.cpp:
887         (JSC::encode): Removed some unneeded casts in StringBuilder code,
888         including one in a call to appendByteAsHex.
889         (JSC::globalFuncEscape): Ditto.
890
891 2019-02-10  Commit Queue  <commit-queue@webkit.org>
892
893         Unreviewed, rolling out r241230.
894         https://bugs.webkit.org/show_bug.cgi?id=194488
895
896         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
897         #webkit).
898
899         Reverted changeset:
900
901         "We should only make rope strings when concatenating strings
902         long enough."
903         https://bugs.webkit.org/show_bug.cgi?id=194465
904         https://trac.webkit.org/changeset/241230
905
906 2019-02-10  Saam barati  <sbarati@apple.com>
907
908         BBQ-Air: Emit better code for switch
909         https://bugs.webkit.org/show_bug.cgi?id=194053
910
911         Reviewed by Yusuke Suzuki.
912
913         Instead of emitting a linear set of jumps for Switch, this patch
914         makes the BBQ-Air backend emit a binary switch.
915
916         * wasm/WasmAirIRGenerator.cpp:
917         (JSC::Wasm::AirIRGenerator::addSwitch):
918
919 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
920
921         Unreviewed, Lexer should use isLatin1 implementation in WTF
922         https://bugs.webkit.org/show_bug.cgi?id=194466
923
924         Follow-up after r241233, pointed out by Darin.
925
926         * parser/Lexer.cpp:
927         (JSC::isLatin1): Deleted.
928
929 2019-02-09  Darin Adler  <darin@apple.com>
930
931         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
932         https://bugs.webkit.org/show_bug.cgi?id=194021
933
934         Reviewed by Geoffrey Garen.
935
936         * inspector/agents/InspectorConsoleAgent.cpp:
937         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
938         makeString do the conversion without allocating/destroying a String.
939         * inspector/agents/InspectorDebuggerAgent.cpp:
940         (Inspector::objectGroupForBreakpointAction): Ditto.
941         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
942         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
943         * runtime/JSGenericTypedArrayViewInlines.h:
944         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
945         * runtime/NumberPrototype.cpp:
946         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
947         of calling numberToFixedWidthString to do the same thing.
948         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
949         numberToFixedPrecisionString to do the same thing.
950         * runtime/SamplingProfiler.cpp:
951         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
952
953 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
954
955         Unreviewed, rolling in r241237 again
956         https://bugs.webkit.org/show_bug.cgi?id=194469
957
958         * runtime/JSString.h:
959         (JSC::jsSubstring):
960
961 2019-02-09  Commit Queue  <commit-queue@webkit.org>
962
963         Unreviewed, rolling out r241237.
964         https://bugs.webkit.org/show_bug.cgi?id=194474
965
966         Shows a significant memory increase in WSL (Requested by
967         yusukesuzuki on #webkit).
968
969         Reverted changeset:
970
971         "[WTF] Use BufferInternal StringImpl if substring StringImpl
972         takes more memory"
973         https://bugs.webkit.org/show_bug.cgi?id=194469
974         https://trac.webkit.org/changeset/241237
975
976 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
977
978         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
979         https://bugs.webkit.org/show_bug.cgi?id=194469
980
981         Reviewed by Geoffrey Garen.
982
983         * runtime/JSString.h:
984         (JSC::jsSubstring):
985
986 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
987
988         [JSC] CachedTypes should use jsString instead of JSString::create
989         https://bugs.webkit.org/show_bug.cgi?id=194471
990
991         Reviewed by Mark Lam.
992
993         Use jsString() here because JSString::create is a rather low-level API and it requires some invariants like "length is not zero".
994
995         * runtime/CachedTypes.cpp:
996         (JSC::CachedJSValue::decode const):
997
998 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
999
1000         [JSC] Increase StructureIDTable initial capacity
1001         https://bugs.webkit.org/show_bug.cgi?id=194468
1002
1003         Reviewed by Mark Lam.
1004
1005         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1006         the JSC shell), 281, already exceeds the current initial value of 256. We should increase the capacity since
1007         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1008         more memory dirty. We also remove some structures that are no longer used.
1009
1010         * runtime/JSGlobalObject.h:
1011         (JSC::JSGlobalObject::callbackObjectStructure const):
1012         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1013         * runtime/StructureIDTable.h:
1014         * runtime/VM.h:
1015
1016 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1017
1018         [JSC] String.fromCharCode's slow path always generates 16bit string
1019         https://bugs.webkit.org/show_bug.cgi?id=194466
1020
1021         Reviewed by Keith Miller.
1022
1023         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
1024         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1025         and even worse, taints the whole rope as 16bit if a 16bit string is included in it. We find that acorn-wtb
1026         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1027         a 16bit string. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1028         as much as possible.
1029
1030         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1031
1032         * runtime/StringConstructor.cpp:
1033         (JSC::stringFromCharCode):
1034
1035 2019-02-08  Keith Miller  <keith_miller@apple.com>
1036
1037         We should only make rope strings when concatenating strings long enough.
1038         https://bugs.webkit.org/show_bug.cgi?id=194465
1039
1040         Reviewed by Saam Barati.
1041
1042         This patch stops us from allocating a rope string if the resulting
1043         rope would be smaller than the size of the JSRopeString object we
1044         would need to allocate.
1045
1046         This patch also adds paths so that we don't unnecessarily allocate
1047         JSString cells for primitives we are going to concatenate with a
1048         string anyway.
1049
1050         * dfg/DFGOperations.cpp:
1051         * runtime/CommonSlowPaths.cpp:
1052         (JSC::SLOW_PATH_DECL):
1053         * runtime/JSString.h:
1054         * runtime/Operations.cpp:
1055         (JSC::jsAddSlowCase):
1056         * runtime/Operations.h:
1057         (JSC::jsString):
1058         (JSC::jsAdd):
1059
1060 2019-02-08  Saam barati  <sbarati@apple.com>
1061
1062         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1063         https://bugs.webkit.org/show_bug.cgi?id=194334
1064         <rdar://problem/47844327>
1065
1066         Reviewed by Mark Lam.
1067
1068         * dfg/DFGAbstractInterpreterInlines.h:
1069         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1070         * dfg/DFGArgumentsEliminationPhase.cpp:
1071         * dfg/DFGByteCodeParser.cpp:
1072         (JSC::DFG::ByteCodeParser::parseBlock):
1073         * dfg/DFGClobberize.h:
1074         (JSC::DFG::clobberize):
1075         * dfg/DFGConstantFoldingPhase.cpp:
1076         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1077         * dfg/DFGFixupPhase.cpp:
1078         (JSC::DFG::FixupPhase::fixupNode):
1079         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1080         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1081         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1082         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1083         * dfg/DFGNodeType.h:
1084         * dfg/DFGSSALoweringPhase.cpp:
1085         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1086         * dfg/DFGSpeculativeJIT.cpp:
1087         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1088         * ftl/FTLLowerDFGToB3.cpp:
1089         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1090         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1091
1092 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         [JSC] Shrink sizeof(CodeBlock) more
1095         https://bugs.webkit.org/show_bug.cgi?id=194419
1096
1097         Reviewed by Mark Lam.
1098
1099         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1100
1101         1. CodeBlock copies a lot of data from ScriptExecutable even though ScriptExecutable
1102         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1103         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1104
1105         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1106         And we do not touch it in CodeBlock::~CodeBlock.
1107
1108         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1109         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1110         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1111
1112         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1113
1114         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1115
1116         * bytecode/CodeBlock.cpp:
1117         (JSC::CodeBlock::hash const):
1118         (JSC::CodeBlock::sourceCodeForTools const):
1119         (JSC::CodeBlock::dumpAssumingJITType const):
1120         (JSC::CodeBlock::dumpSource):
1121         (JSC::CodeBlock::CodeBlock):
1122         (JSC::CodeBlock::finishCreation):
1123         (JSC::CodeBlock::propagateTransitions):
1124         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1125         (JSC::CodeBlock::setCalleeSaveRegisters):
1126         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1127         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1128         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1129         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1130         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1131         (JSC::CodeBlock::newReplacement):
1132         (JSC::CodeBlock::replacement):
1133         (JSC::CodeBlock::computeCapabilityLevel):
1134         (JSC::CodeBlock::jettison):
1135         (JSC::CodeBlock::calleeSaveRegisters const):
1136         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1137         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1138         (JSC::CodeBlock::getArrayProfile):
1139         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1140         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1141         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1142         (JSC::CodeBlock::validate):
1143         (JSC::CodeBlock::outOfLineJumpTarget):
1144         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1145         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1146         * bytecode/CodeBlock.h:
1147         (JSC::CodeBlock::specializationKind const):
1148         (JSC::CodeBlock::isStrictMode const):
1149         (JSC::CodeBlock::isConstructor const):
1150         (JSC::CodeBlock::codeType const):
1151         (JSC::CodeBlock::isKnownNotImmediate):
1152         (JSC::CodeBlock::instructions const):
1153         (JSC::CodeBlock::ownerExecutable const):
1154         (JSC::CodeBlock::thisRegister const):
1155         (JSC::CodeBlock::source const):
1156         (JSC::CodeBlock::sourceOffset const):
1157         (JSC::CodeBlock::firstLineColumnOffset const):
1158         (JSC::CodeBlock::createRareDataIfNecessary):
1159         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1160         (JSC::CodeBlock::setThisRegister): Deleted.
1161         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1162         * bytecode/EvalCodeBlock.h:
1163         * bytecode/FunctionCodeBlock.h:
1164         * bytecode/GlobalCodeBlock.h:
1165         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1166         * bytecode/ModuleProgramCodeBlock.h:
1167         * bytecode/ProgramCodeBlock.h:
1168         * debugger/Debugger.cpp:
1169         (JSC::Debugger::toggleBreakpoint):
1170         * debugger/DebuggerCallFrame.cpp:
1171         (JSC::DebuggerCallFrame::sourceID const):
1172         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1173         * debugger/DebuggerScope.cpp:
1174         (JSC::DebuggerScope::location const):
1175         * dfg/DFGByteCodeParser.cpp:
1176         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1177         (JSC::DFG::ByteCodeParser::inliningCost):
1178         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1179         * dfg/DFGCapabilities.cpp:
1180         (JSC::DFG::isSupportedForInlining):
1181         (JSC::DFG::mightCompileEval):
1182         (JSC::DFG::mightCompileProgram):
1183         (JSC::DFG::mightCompileFunctionForCall):
1184         (JSC::DFG::mightCompileFunctionForConstruct):
1185         (JSC::DFG::canUseOSRExitFuzzing):
1186         * dfg/DFGGraph.h:
1187         (JSC::DFG::Graph::executableFor):
1188         * dfg/DFGJITCompiler.cpp:
1189         (JSC::DFG::JITCompiler::compileFunction):
1190         * dfg/DFGOSREntry.cpp:
1191         (JSC::DFG::prepareOSREntry):
1192         * dfg/DFGOSRExit.cpp:
1193         (JSC::DFG::restoreCalleeSavesFor):
1194         (JSC::DFG::saveCalleeSavesFor):
1195         (JSC::DFG::saveOrCopyCalleeSavesFor):
1196         * dfg/DFGOSRExitCompilerCommon.cpp:
1197         (JSC::DFG::handleExitCounts):
1198         * dfg/DFGOperations.cpp:
1199         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1200         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1201         * ftl/FTLCapabilities.cpp:
1202         (JSC::FTL::canCompile):
1203         * ftl/FTLLink.cpp:
1204         (JSC::FTL::link):
1205         * ftl/FTLOSRExitCompiler.cpp:
1206         (JSC::FTL::compileStub):
1207         * interpreter/CallFrame.cpp:
1208         (JSC::CallFrame::callerSourceOrigin):
1209         * interpreter/Interpreter.cpp:
1210         (JSC::eval):
1211         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1212         * interpreter/StackVisitor.cpp:
1213         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1214         (JSC::StackVisitor::Frame::sourceURL const):
1215         (JSC::StackVisitor::Frame::sourceID):
1216         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1217         * interpreter/StackVisitor.h:
1218         * jit/AssemblyHelpers.h:
1219         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1220         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1221         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1222         * jit/CallFrameShuffleData.cpp:
1223         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1224         * jit/JIT.cpp:
1225         (JSC::JIT::compileWithoutLinking):
1226         * jit/JITToDFGDeferredCompilationCallback.cpp:
1227         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1228         * jit/JITWorklist.cpp:
1229         (JSC::JITWorklist::Plan::finalize):
1230         (JSC::JITWorklist::compileNow):
1231         * jit/RegisterAtOffsetList.cpp:
1232         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1233         * jit/RegisterAtOffsetList.h:
1234         (JSC::RegisterAtOffsetList::at const):
1235         * runtime/ErrorInstance.cpp:
1236         (JSC::appendSourceToError):
1237         * runtime/ScriptExecutable.cpp:
1238         (JSC::ScriptExecutable::newCodeBlockFor):
1239         * runtime/StackFrame.cpp:
1240         (JSC::StackFrame::sourceID const):
1241         (JSC::StackFrame::sourceURL const):
1242         (JSC::StackFrame::computeLineAndColumn const):
1243
1244 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1245
1246         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1247         https://bugs.webkit.org/show_bug.cgi?id=194460
1248
1249         Reviewed by Mark Lam.
1250
1251         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1252
1253         * b3/B3LowerMacros.cpp:
1254
1255 2019-02-08  Mark Lam  <mark.lam@apple.com>
1256
1257         Use maxSingleCharacterString in comparisons instead of literal constants.
1258         https://bugs.webkit.org/show_bug.cgi?id=194452
1259
1260         Reviewed by Yusuke Suzuki.
1261
1262         This way, if we ever change maxSingleCharacterString, it won't break all this code
1263         that relies on it being 0xff implicitly.
1264
1265         * dfg/DFGSpeculativeJIT.cpp:
1266         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1267         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1268         * ftl/FTLLowerDFGToB3.cpp:
1269         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1270         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1271         * jit/ThunkGenerators.cpp:
1272         (JSC::stringGetByValGenerator):
1273         (JSC::charToString):
1274
1275 2019-02-08  Mark Lam  <mark.lam@apple.com>
1276
1277         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1278         https://bugs.webkit.org/show_bug.cgi?id=194446
1279         <rdar://problem/47926792>
1280
1281         Reviewed by Saam Barati.
1282
1283         Fix doesGC() for the following nodes:
1284
1285             CheckTierUpAtReturn:
1286                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1287                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1288
1289             CheckTierUpInLoop:
1290                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1291                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1292
1293             CheckTierUpAndOSREnter:
1294                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1295                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1296
1297             GetByVal:
1298                 case Array::String calls operationSingleCharacterString(), which calls
1299                 jsSingleCharacterString(), which can allocate a string.
1300
1301             PutByValDirect:
1302             PutByVal:
1303             PutByValAlias:
1304                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1305                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1306                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1307                 slow paths call putByValInternal(), which may create exception objects, or
1308                 call the generic JSValue::put() which may execute arbitrary code.
1309
1310             StringCharAt:
1311                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1312                 which can allocate a string.
1313
1314         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1315         to use the maxSingleCharacterString constant instead of a literal constant.
1316
1317         * dfg/DFGDoesGC.cpp:
1318         (JSC::DFG::doesGC):
1319         * dfg/DFGSpeculativeJIT.cpp:
1320         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1321         * dfg/DFGSpeculativeJIT64.cpp:
1322         (JSC::DFG::SpeculativeJIT::compile):
1323         * ftl/FTLLowerDFGToB3.cpp:
1324         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1325         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1326         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1327
1328 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1329
1330         [JSC] SourceProviderCacheItem should be small
1331         https://bugs.webkit.org/show_bug.cgi?id=194432
1332
1333         Reviewed by Saam Barati.
1334
1335         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1336         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1337         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1338
1339         * parser/Parser.cpp:
1340         (JSC::Parser<LexerType>::parseFunctionInfo):
1341         * parser/ParserModes.h:
1342         * parser/ParserTokens.h:
1343         * parser/SourceProviderCacheItem.h:
1344         (JSC::SourceProviderCacheItem::endFunctionToken const):
1345         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1346
1347 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1348
1349         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1350         https://bugs.webkit.org/show_bug.cgi?id=194420
1351
1352         Reviewed by Saam Barati.
1353
1354         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1355         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1356         This trivial patch fixes both.
1357
1358         * b3/B3ReduceStrength.cpp:
1359         * b3/testb3.cpp:
1360         (JSC::B3::testAbsNegArg):
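
        The Abs(Neg(x)) -> Abs(x) fix above and the Neg/Sub peepholes listed in the entry for
        https://bugs.webkit.org/show_bug.cgi?id=194250 further down are small enough to reproduce
        in a toy, so here is an added example (not WebKit or B3 code): a minimal tree IR with
        those rules, a `buggyAbsNeg` switch that reproduces the Abs(Neg(x)) -> x mistake, and a
        checker that evaluates the tree before and after rewriting on a constructed grid of inputs.
        The IR, the wrapping Int64 semantics and the sample values are all assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <vector>

enum class Op { Const, Arg, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };

// A deliberately tiny stand-in for B3::Value (constructed for this example).
struct Value {
    Op op;
    Type type;
    int64_t i = 0;      // Const payload for Int64
    double d = 0;       // Const payload for Double
    int argIndex = 0;   // Arg payload
    Value* a = nullptr; // first child
    Value* b = nullptr; // second child (Add/Sub only)
};

// Arena-backed allocation so nodes can be shared by pointer identity.
inline Value* make(Value v) {
    static std::deque<Value> arena;
    arena.push_back(v);
    return &arena.back();
}
inline Value* constInt(int64_t i) { Value v{Op::Const, Type::Int64}; v.i = i; return make(v); }
inline Value* arg(int index, Type t) { Value v{Op::Arg, t}; v.argIndex = index; return make(v); }
inline Value* unary(Op op, Value* a) { Value v{op, a->type}; v.a = a; return make(v); }
inline Value* binary(Op op, Value* a, Value* b) { Value v{op, a->type}; v.a = a; v.b = b; return make(v); }

// Evaluation result; which field is meaningful depends on the tree's Type.
struct Num { int64_t i; double d; };
// Int64 arithmetic wraps, as B3's integer Add/Sub/Neg do (no signed-overflow UB).
inline int64_t wrapAdd(int64_t x, int64_t y) { return (int64_t)((uint64_t)x + (uint64_t)y); }
inline int64_t wrapSub(int64_t x, int64_t y) { return (int64_t)((uint64_t)x - (uint64_t)y); }
inline int64_t wrapNeg(int64_t x) { return (int64_t)(0 - (uint64_t)x); }

Num eval(const Value* v, const std::vector<Num>& args) {
    Num r{0, 0.0};
    switch (v->op) {
    case Op::Const: r.i = v->i; r.d = v->d; break;
    case Op::Arg: r = args.at(v->argIndex); break;
    case Op::Add: { Num x = eval(v->a, args), y = eval(v->b, args); r.i = wrapAdd(x.i, y.i); r.d = x.d + y.d; break; }
    case Op::Sub: { Num x = eval(v->a, args), y = eval(v->b, args); r.i = wrapSub(x.i, y.i); r.d = x.d - y.d; break; }
    case Op::Neg: { Num x = eval(v->a, args); r.i = wrapNeg(x.i); r.d = -x.d; break; }
    case Op::Abs: { Num x = eval(v->a, args); r.d = std::fabs(x.d); break; } // Abs exists only for Double
    }
    return r;
}

// Non-mutating form of the peepholes listed in the B3ReduceStrength entries.
// buggyAbsNeg reproduces the copy-paste mistake described above: Abs(Neg(x)) -> x.
Value* reduceStrength(Value* v, bool buggyAbsNeg = false) {
    if (v->op == Op::Const || v->op == Op::Arg)
        return v; // leaves are shared, so Sub(x, x) is recognisable by pointer identity
    Value* a = reduceStrength(v->a, buggyAbsNeg);
    Value* b = v->b ? reduceStrength(v->b, buggyAbsNeg) : nullptr;
    bool isInt = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        if (isInt && a == b) return constInt(0);                           // Sub(x, x) => 0
        if (isInt && b->op == Op::Neg) return binary(Op::Add, a, b->a);    // Sub(x1, Neg(x2)) => Add(x1, x2)
        return binary(Op::Sub, a, b);
    case Op::Neg:
        if (isInt && a->op == Op::Sub) return binary(Op::Sub, a->b, a->a); // Neg(Sub(x1, x2)) => Sub(x2, x1)
        return unary(Op::Neg, a);
    case Op::Add:
        if (isInt && a->op == Op::Neg) return binary(Op::Sub, b, a->a);    // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && b->op == Op::Neg) return binary(Op::Sub, a, b->a);    // Add(x1, Neg(x2)) => Sub(x1, x2)
        return binary(Op::Add, a, b);
    case Op::Abs:
        if (a->op == Op::Neg) return buggyAbsNeg ? a->a : unary(Op::Abs, a->a); // Abs(Neg(x)) => Abs(x)
        return unary(Op::Abs, a);
    default:
        return v;
    }
}

// The property every peephole must keep: before and after agree on all inputs. Checked on a
// constructed grid of two-argument samples that includes the edge values (INT64_MIN, -0.0,
// -infinity) where a wrong rewrite is most likely to show.
bool equivalentOnSamples(const Value* before, const Value* after) {
    static const int64_t ints[] = { INT64_MIN, -7, 0, 3, INT64_MAX };
    static const double doubles[] = { -INFINITY, -2.5, -0.0, 0.0, 4.0 };
    for (int x = 0; x < 5; ++x) {
        for (int y = 0; y < 5; ++y) {
            std::vector<Num> args{ Num{ints[x], doubles[x]}, Num{ints[y], doubles[y]} };
            Num r0 = eval(before, args), r1 = eval(after, args);
            bool same = before->type == Type::Int64 ? r0.i == r1.i
                                                    : (r0.d == r1.d || (std::isnan(r0.d) && std::isnan(r1.d)));
            if (!same) return false;
        }
    }
    return true;
}

int main() {
    Value* x = arg(0, Type::Double);
    Value* before = unary(Op::Abs, unary(Op::Neg, x)); // Abs(Neg(x))
    std::printf("fixed rewrite equivalent: %d\n", (int)equivalentOnSamples(before, reduceStrength(before)));
    std::printf("buggy rewrite equivalent: %d\n", (int)equivalentOnSamples(before, reduceStrength(before, true)));
}
```

        The buggy variant survives every sample except the negative ones, which is exactly why a
        test that accidentally looks at Abs(Abs(x)) instead of Abs(Neg(x)) would not have caught it.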
1361
1362 2019-02-07  Keith Miller  <keith_miller@apple.com>
1363
1364         Better error messages for module loader SPI
1365         https://bugs.webkit.org/show_bug.cgi?id=194421
1366
1367         Reviewed by Saam Barati.
1368
1369         * API/JSAPIGlobalObject.mm:
1370         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1371
1372 2019-02-07  Mark Lam  <mark.lam@apple.com>
1373
1374         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1375         https://bugs.webkit.org/show_bug.cgi?id=194399
1376         <rdar://problem/47889777>
1377
1378         Reviewed by Yusuke Suzuki.
1379
1380         Fix doesGC() for the following nodes:
1381
1382             CheckTraps:
1383                 We normally will not emit this node because Options::usePollingTraps() is
1384                 false by default.  However, as it is implemented now, CheckTraps can GC
1385                 because it can allocate a TerminatedExecutionException.  If we make the
1386                 TerminatedExecutionException a singleton allocated at initialization time,
1387                 doesGC() can return false for CheckTraps.
1388                 https://bugs.webkit.org/show_bug.cgi?id=194323
1389
1390             GetMapBucket:
1391                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1392                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1393                 can resolve a rope.
1394
1395             Switch:
1396                 If switchData kind is SwitchChar, can call operationResolveRope().
1397                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1398                     can call operationSwitchString() which resolves ropes.
1399
1400             DirectTailCall:
1401             ForceOSRExit:
1402             Return:
1403             TailCallForwardVarargs:
1404             TailCallVarargs:
1405             Throw:
1406                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1407                 for them, but following our conservative practice, unless we have a good
1408                 reason for doesGC() to return false, we should just return true.
1409
1410         * dfg/DFGDoesGC.cpp:
1411         (JSC::DFG::doesGC):
1412
1413 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1414
1415         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1416         https://bugs.webkit.org/show_bug.cgi?id=194250
1417
1418         Reviewed by Saam Barati.
1419
1420         Adds the following optimizations for integers:
1421         - Sub(x, x) => 0
1422             Already covered by the test testSubArg
1423         - Sub(x1, Neg(x2)) => Add(x1, x2)
1424             Added test: testSubNeg
1425         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1426             Added test: testNegSub
1427         - Add(Neg(x1), x2) => Sub(x2, x1)
1428             Added test: testAddNeg1
1429         - Add(x1, Neg(x2)) => Sub(x1, x2)
1430             Added test: testAddNeg2
1431         Adds the following optimization for floating point values:
1432         - Abs(Neg(x)) => Abs(x)
1433             Added test: testAbsNegArg
1434             Adds the following optimization:
1435
1436         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1437
1438         * b3/B3ReduceStrength.cpp:
1439         * b3/testb3.cpp:
1440         (JSC::B3::testAddNeg1):
1441         (JSC::B3::testAddNeg2):
1442         (JSC::B3::testSubNeg):
1443         (JSC::B3::testNegSub):
1444         (JSC::B3::testAbsAbsArg):
1445         (JSC::B3::testAbsNegArg):
1446         (JSC::B3::run):
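
        Added illustration of the rewrite rules listed in this entry and of the Abs(Neg(x)) fix in
        bug 194420 above; this is constructed example code, not JSC's B3ReduceStrength. It models a
        tiny integer-only value graph (B3 applies the Abs rule to floating point and the Add/Sub/Neg
        rules to integers) and checks each rewrite against an interpreter on sample inputs.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for a B3 value graph: only the opcodes the rules above use.
enum class Op { Arg, Const, Add, Sub, Neg, Abs };

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    Op op;
    int64_t constant;   // Const only
    std::string name;   // Arg only (a named input)
    ValuePtr a, b;      // operands; Neg and Abs use a only
};

ValuePtr makeArg(const std::string& name) { return std::make_shared<Value>(Value{Op::Arg, 0, name, nullptr, nullptr}); }
ValuePtr makeConst(int64_t c) { return std::make_shared<Value>(Value{Op::Const, c, "", nullptr, nullptr}); }
ValuePtr makeOp(Op op, ValuePtr a, ValuePtr b = nullptr) {
    return std::make_shared<Value>(Value{op, 0, "", std::move(a), std::move(b)});
}

// Two values are "the same" if they are the same node or the same named argument.
static bool sameValue(const ValuePtr& x, const ValuePtr& y) {
    return x == y || (x->op == Op::Arg && y->op == Op::Arg && x->name == y->name);
}

// One bottom-up pass applying the peephole rules from the entry.
ValuePtr reduceStrength(const ValuePtr& v) {
    if (v->op == Op::Arg || v->op == Op::Const)
        return v;
    ValuePtr a = reduceStrength(v->a);
    ValuePtr b = v->b ? reduceStrength(v->b) : nullptr;
    switch (v->op) {
    case Op::Sub:
        if (sameValue(a, b)) return makeConst(0);                  // Sub(x, x) => 0
        if (b->op == Op::Neg) return makeOp(Op::Add, a, b->a);     // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (a->op == Op::Sub) return makeOp(Op::Sub, a->b, a->a);  // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (a->op == Op::Neg) return makeOp(Op::Sub, b, a->a);     // Add(Neg(x1), x2) => Sub(x2, x1)
        if (b->op == Op::Neg) return makeOp(Op::Sub, a, b->a);     // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        // The bug fixed in 194420 was returning a->a here, i.e. Abs(Neg(x)) => x,
        // which silently drops the absolute value. The correct rewrite keeps the Abs.
        if (a->op == Op::Neg) return makeOp(Op::Abs, a->a);        // Abs(Neg(x)) => Abs(x)
        break;
    default:
        break;
    }
    return makeOp(v->op, a, b);
}

// Interpreter used to check that a rewrite preserves the value for given inputs.
int64_t evaluate(const ValuePtr& v, const std::map<std::string, int64_t>& args) {
    switch (v->op) {
    case Op::Arg:   return args.at(v->name);
    case Op::Const: return v->constant;
    case Op::Add:   return evaluate(v->a, args) + evaluate(v->b, args);
    case Op::Sub:   return evaluate(v->a, args) - evaluate(v->b, args);
    case Op::Neg:   return -evaluate(v->a, args);
    case Op::Abs:   { int64_t x = evaluate(v->a, args); return x < 0 ? -x : x; }
    }
    return 0;
}

// Textual form such as "Abs(x)", handy for asserting on the shape after reduction.
std::string dump(const ValuePtr& v) {
    switch (v->op) {
    case Op::Arg:   return v->name;
    case Op::Const: return std::to_string(v->constant);
    case Op::Add:   return "Add(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Sub:   return "Sub(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Neg:   return "Neg(" + dump(v->a) + ")";
    case Op::Abs:   return "Abs(" + dump(v->a) + ")";
    }
    return "?";
}

// What a testAbsNegArg-style check should establish: the reduced graph is Abs(x),
// and it agrees with the unreduced graph on a negative input (Abs(Neg(x)) => x would not).
bool checkAbsNeg(int64_t x) {
    ValuePtr original = makeOp(Op::Abs, makeOp(Op::Neg, makeArg("x")));
    ValuePtr reduced = reduceStrength(original);
    std::map<std::string, int64_t> args{{"x", x}};
    return dump(reduced) == "Abs(x)" && evaluate(reduced, args) == evaluate(original, args);
}
```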
1447
1448 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1449
1450         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1451         https://bugs.webkit.org/show_bug.cgi?id=194374
1452
1453         Reviewed by Geoffrey Garen.
1454
1455         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1456         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1457         is more memory efficient.
1458
1459         * runtime/SmallStrings.cpp:
1460         (JSC::SmallStringsStorage::SmallStringsStorage):
1461         (JSC::SmallStrings::SmallStrings):
1462         * runtime/SmallStrings.h:
1463
1464 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1465
1466         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1467         https://bugs.webkit.org/show_bug.cgi?id=194369
1468         <rdar://problem/47813087>
1469
1470         Reviewed by Saam Barati.
1471
1472         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But it can actually be
1473         JSEmpty if it is in the TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in
1474         the constant folding phase.
1475
1476         * dfg/DFGAbstractInterpreterInlines.h:
1477         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1478
1479 2019-02-06  Devin Rousso  <drousso@apple.com>
1480
1481         Web Inspector: DOM: don't send the entire function string with each event listener
1482         https://bugs.webkit.org/show_bug.cgi?id=194293
1483         <rdar://problem/47822809>
1484
1485         Reviewed by Joseph Pecoraro.
1486
1487         * inspector/protocol/DOM.json:
1488
1489         * runtime/JSFunction.h:
1490         Export `calculatedDisplayName`.
1491
1492 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1493
1494         [JSC] PrivateName to PublicName hash table is wasteful
1495         https://bugs.webkit.org/show_bug.cgi?id=194277
1496
1497         Reviewed by Michael Saboff.
1498
1499         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1500         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1501         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1502         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1503
1504         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1505
1506         1. PrivateName's content should be the same as PublicName's.
1507         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1508            the public name should be easily crafted from the given PrivateName.
1509
1510         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1511         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1512
1513         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1514         WebCore.
1515
1516         * builtins/BuiltinNames.cpp:
1517         (JSC::BuiltinNames::BuiltinNames):
1518         * builtins/BuiltinNames.h:
1519         (JSC::BuiltinNames::lookUpPrivateName const):
1520         (JSC::BuiltinNames::getPublicName const):
1521         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1522         (JSC::BuiltinNames::appendExternalName):
1523         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1524         * builtins/BuiltinUtils.h:
1525         * bytecode/BytecodeDumper.cpp:
1526         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1527         * bytecompiler/NodesCodegen.cpp:
1528         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1529         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1530         * parser/Lexer.cpp:
1531         (JSC::Lexer<LChar>::parseIdentifier):
1532         (JSC::Lexer<UChar>::parseIdentifier):
1533         * parser/Parser.cpp:
1534         (JSC::Parser<LexerType>::createGeneratorParameters):
1535         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1536         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1537         (JSC::Parser<LexerType>::parseClassDeclaration):
1538         (JSC::Parser<LexerType>::parseExportDeclaration):
1539         (JSC::Parser<LexerType>::parseMemberExpression):
1540         * parser/ParserArena.h:
1541         (JSC::IdentifierArena::makeIdentifier):
1542         * runtime/CachedTypes.cpp:
1543         (JSC::CachedUniquedStringImpl::encode):
1544         (JSC::CachedUniquedStringImpl::decode const):
1545         * runtime/CommonIdentifiers.cpp:
1546         (JSC::CommonIdentifiers::CommonIdentifiers):
1547         (JSC::CommonIdentifiers::lookUpPrivateName const):
1548         (JSC::CommonIdentifiers::getPublicName const):
1549         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1550         * runtime/CommonIdentifiers.h:
1551         * runtime/ExceptionHelpers.cpp:
1552         (JSC::createUndefinedVariableError):
1553         * runtime/Identifier.cpp:
1554         (JSC::Identifier::dump const):
1555         * runtime/Identifier.h:
1556         * runtime/IdentifierInlines.h:
1557         (JSC::Identifier::fromUid):
1558         * runtime/JSTypedArrayViewPrototype.cpp:
1559         (JSC::JSTypedArrayViewPrototype::finishCreation):
1560         * tools/JSDollarVM.cpp:
1561         (JSC::functionGetPrivateProperty):
1562
1563 2019-02-06  Keith Rollin  <krollin@apple.com>
1564
1565         Really enable the automatic checking and regenerations of .xcfilelists during builds
1566         https://bugs.webkit.org/show_bug.cgi?id=194357
1567         <rdar://problem/47861231>
1568
1569         Reviewed by Chris Dumez.
1570
1571         Bug 194124 was supposed to enable the automatic checking and
1572         regenerating of .xcfilelist files during the build. While related
1573         changes were included in that patch, the change to actually enable the
1574         operation somehow was omitted. This patch actually enables the
1575         operation. The check-xcfilelist.sh scripts now check
1576         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1577         of the checking.
1578
1579         * Scripts/check-xcfilelists.sh:
1580
1581 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1582
1583         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1584         https://bugs.webkit.org/show_bug.cgi?id=194339
1585
1586         Reviewed by Michael Saboff.
1587
1588         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1589         They even have the same structure. This patch unifies the subspaces for them.
1590
1591         * runtime/DirectEvalExecutable.h:
1592         * runtime/EvalExecutable.h:
1593         (JSC::EvalExecutable::subspaceFor):
1594         * runtime/IndirectEvalExecutable.h:
1595         * runtime/VM.cpp:
1596         * runtime/VM.h:
1597         (JSC::VM::forEachScriptExecutableSpace):
1598
1599 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1600
1601         [JSC] NativeExecutable should be smaller
1602         https://bugs.webkit.org/show_bug.cgi?id=194331
1603
1604         Reviewed by Michael Saboff.
1605
1606         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1607         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1608         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1609         only takes one MarkedBlock for NativeExecutable.
1610
1611         To make NativeExecutable smaller,
1612
1613         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1614            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1615
1616         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1617            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1618            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1619
1620         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1621            Intrinsic for NativeExecutable.
1622
1623         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1624
1625         * CMakeLists.txt:
1626         * JavaScriptCore.xcodeproj/project.pbxproj:
1627         * bytecode/CallVariant.h:
1628         * interpreter/Interpreter.cpp:
1629         * jit/JITCode.cpp:
1630         (JSC::DirectJITCode::DirectJITCode):
1631         (JSC::NativeJITCode::NativeJITCode):
1632         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1633         * jit/JITCode.h:
1634         (JSC::JITCode::signature const):
1635         (JSC::JITCode::intrinsic):
1636         * jit/JITOperations.cpp:
1637         * jit/JITThunks.cpp:
1638         (JSC::JITThunks::hostFunctionStub):
1639         * jit/Repatch.cpp:
1640         * llint/LLIntSlowPaths.cpp:
1641         * runtime/ExecutableBase.cpp:
1642         (JSC::ExecutableBase::dump const):
1643         (JSC::ExecutableBase::hashFor const):
1644         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1645         (JSC::ExecutableBase::clearCode): Deleted.
1646         * runtime/ExecutableBase.h:
1647         (JSC::ExecutableBase::ExecutableBase):
1648         (JSC::ExecutableBase::isModuleProgramExecutable):
1649         (JSC::ExecutableBase::isHostFunction const):
1650         (JSC::ExecutableBase::generatedJITCodeForCall const):
1651         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1652         (JSC::ExecutableBase::generatedJITCodeFor const):
1653         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1654         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1655         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1656         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1657         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1658         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1659         (JSC::ExecutableBase::intrinsic const): Deleted.
1660         * runtime/ExecutableBaseInlines.h: Added.
1661         (JSC::ExecutableBase::intrinsic const):
1662         (JSC::ExecutableBase::hasJITCodeForCall const):
1663         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1664         * runtime/JSBoundFunction.cpp:
1665         * runtime/JSType.cpp:
1666         (WTF::printInternal):
1667         * runtime/JSType.h:
1668         * runtime/NativeExecutable.cpp:
1669         (JSC::NativeExecutable::create):
1670         (JSC::NativeExecutable::createStructure):
1671         (JSC::NativeExecutable::NativeExecutable):
1672         (JSC::NativeExecutable::signatureFor const):
1673         (JSC::NativeExecutable::intrinsic const):
1674         * runtime/NativeExecutable.h:
1675         * runtime/ScriptExecutable.cpp:
1676         (JSC::ScriptExecutable::ScriptExecutable):
1677         (JSC::ScriptExecutable::clearCode):
1678         (JSC::ScriptExecutable::installCode):
1679         (JSC::ScriptExecutable::hasClearableCode const):
1680         * runtime/ScriptExecutable.h:
1681         (JSC::ScriptExecutable::intrinsic const):
1682         (JSC::ScriptExecutable::hasJITCodeForCall const):
1683         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1684         * runtime/VM.cpp:
1685         (JSC::VM::getHostFunction):
1686
1687 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1688
1689         Build failure after r240431
1690         https://bugs.webkit.org/show_bug.cgi?id=194330
1691
1692         Reviewed by Žan Doberšek.
1693
1694         * API/glib/JSCOptions.cpp:
1695
1696 2019-02-05  Mark Lam  <mark.lam@apple.com>
1697
1698         Fix DFG's doesGC() for a few more nodes.
1699         https://bugs.webkit.org/show_bug.cgi?id=194307
1700         <rdar://problem/47832956>
1701
1702         Reviewed by Yusuke Suzuki.
1703
1704         Fix doesGC() for the following nodes:
1705
1706             NumberToStringWithValidRadixConstant:
1707                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1708                 which can allocate a string.
1709                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1710                 which can allocate a string.
1711                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1712                 which can allocate a string.
1713
1714             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1715                 memory for all kinds of objects.
1716             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1717                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1718                 these allocate memory for the match result.
1719             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1720                 calls RegExpObject's collectMatches(), which allocates an array amongst
1721                 other objects.
1722
1723             StringFromCharCode:
1724                 If the uint32 code to convert is greater than maxSingleCharacterString,
1725                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1726                 which allocates a new string if the code is greater than maxSingleCharacterString.
1727
1728         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1729         to use maxSingleCharacterString instead of a literal constant.
1730
1731         * dfg/DFGDoesGC.cpp:
1732         (JSC::DFG::doesGC):
1733         * dfg/DFGSpeculativeJIT.cpp:
1734         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1735         * ftl/FTLLowerDFGToB3.cpp:
1736         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1737
1738 2019-02-05  Keith Rollin  <krollin@apple.com>
1739
1740         Enable the automatic checking and regenerations of .xcfilelists during builds
1741         https://bugs.webkit.org/show_bug.cgi?id=194124
1742         <rdar://problem/47721277>
1743
1744         Reviewed by Tim Horton.
1745
1746         Bug 193790 added a facility for checking -- during build time -- that
1747         any needed .xcfilelist files are up-to-date and for updating them if
1748         they are not. This facility was initially opt-in by setting
1749         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1750         the process seemed robust. It's now time to enable this facility and
1751         make it opt-out. If there is a need to disable this facility, set and
1752         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1753         running `make` or `build-webkit`, or before running Xcode from the
1754         command line.
1755
1756         Additionally, remove the step that generates a list of source files
1757         going into the UnifiedSources build step. It's only necessary to
1758         specify Sources.txt and SourcesCocoa.txt as inputs.
1759
1760         * JavaScriptCore.xcodeproj/project.pbxproj:
1761         * UnifiedSources-input.xcfilelist: Removed.
1762
1763 2019-02-05  Keith Rollin  <krollin@apple.com>
1764
1765         Update .xcfilelist files
1766         https://bugs.webkit.org/show_bug.cgi?id=194121
1767         <rdar://problem/47720863>
1768
1769         Reviewed by Tim Horton.
1770
1771         Preparatory to enabling the facility for automatically updating the
1772         .xcfilelist files, check in a freshly-updated set so that not everyone
1773         runs up against having to regenerate them themselves.
1774
1775         * DerivedSources-input.xcfilelist:
1776         * DerivedSources-output.xcfilelist:
1777
1778 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1779
1780         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1781         https://bugs.webkit.org/show_bug.cgi?id=185557
1782
1783         Reviewed by Mark Lam.
1784
1785         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1786         where n is the number of characters in the formatted string.
1787         It may be less memory efficient than the previous impl, since the intermediate Vector
1788         is the length of the string, instead of the count of the fields.
1789
1790         * runtime/IntlNumberFormat.cpp:
1791         (JSC::IntlNumberFormat::formatToParts):
1792         * runtime/IntlNumberFormat.h:
1793
1794 2019-02-05  Mark Lam  <mark.lam@apple.com>
1795
1796         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1797         https://bugs.webkit.org/show_bug.cgi?id=194298
1798         <rdar://problem/47827555>
1799
1800         Reviewed by Saam Barati.
1801
1802         We do this for 3 reasons:
1803         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1804         2. If things change in the future where clobberize() no longer reports these nodes
1805            as write(Heap), each node should be vetted first to make sure that it can never
1806            GC before being moved back to the doesGC() list that returns false.
1807         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1808            correct in its claims about the nodes' GCing possibility.
1809
1810         The list of nodes moved are:
1811
1812             ArrayPush
1813             ArrayPop
1814             Call
1815             CallEval
1816             CallForwardVarargs
1817             CallVarargs
1818             Construct
1819             ConstructForwardVarargs
1820             ConstructVarargs
1821             DefineDataProperty
1822             DefineAccessorProperty
1823             DeleteById
1824             DeleteByVal
1825             DirectCall
1826             DirectConstruct
1827             DirectTailCallInlinedCaller
1828             GetById
1829             GetByIdDirect
1830             GetByIdDirectFlush
1831             GetByIdFlush
1832             GetByIdWithThis
1833             GetByValWithThis
1834             GetDirectPname
1835             GetDynamicVar
1836             HasGenericProperty
1837             HasOwnProperty
1838             HasStructureProperty
1839             InById
1840             InByVal
1841             InstanceOf
1842             InstanceOfCustom
1843             LoadVarargs
1844             NumberToStringWithRadix
1845             PutById
1846             PutByIdDirect
1847             PutByIdFlush
1848             PutByIdWithThis
1849             PutByOffset
1850             PutByValWithThis
1851             PutDynamicVar
1852             PutGetterById
1853             PutGetterByVal
1854             PutGetterSetterById
1855             PutSetterById
1856             PutSetterByVal
1857             PutStack
1858             PutToArguments
1859             RegExpExec
1860             RegExpTest
1861             ResolveScope
1862             ResolveScopeForHoistingFuncDeclInEval
1863             TailCall
1864             TailCallForwardVarargsInlinedCaller
1865             TailCallInlinedCaller
1866             TailCallVarargsInlinedCaller
1867             ToNumber
1868             ToPrimitive
1869             ValueNegate
1870
1871         * dfg/DFGDoesGC.cpp:
1872         (JSC::DFG::doesGC):
1873
1874 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1875
1876         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1877         https://bugs.webkit.org/show_bug.cgi?id=194281
1878
1879         Reviewed by Michael Saboff.
1880
1881         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1882         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1883
1884         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
1885         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1886         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1887
1888         * bytecode/CodeBlock.cpp:
1889         (JSC::CodeBlock::finishCreation):
1890         * bytecode/CodeBlock.h:
1891         (JSC::CodeBlock::bitVectors const): Deleted.
1892         * bytecode/CodeType.h:
1893         * bytecode/UnlinkedCodeBlock.cpp:
1894         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1895         (JSC::UnlinkedCodeBlock::shrinkToFit):
1896         * bytecode/UnlinkedCodeBlock.h:
1897         (JSC::UnlinkedCodeBlock::bitVector):
1898         (JSC::UnlinkedCodeBlock::addBitVector):
1899         (JSC::UnlinkedCodeBlock::addSetConstant):
1900         (JSC::UnlinkedCodeBlock::constantRegisters):
1901         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1902         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1903         (JSC::UnlinkedCodeBlock::codeType const):
1904         (JSC::UnlinkedCodeBlock::didOptimize const):
1905         (JSC::UnlinkedCodeBlock::setDidOptimize):
1906         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1907         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1908         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1909         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1910         * bytecompiler/BytecodeGenerator.cpp:
1911         (JSC::BytecodeGenerator::emitLoad):
1912         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1913         * bytecompiler/BytecodeGenerator.h:
1914         * runtime/CachedTypes.cpp:
1915         (JSC::CachedCodeBlockRareData::encode):
1916         (JSC::CachedCodeBlockRareData::decode const):
1917         (JSC::CachedCodeBlock::scopeRegister const):
1918         (JSC::CachedCodeBlock::codeType const):
1919         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1920         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1921         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1922         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1923
1924 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1925
1926         Unreviewed, add missing exception checks after r240637
1927         https://bugs.webkit.org/show_bug.cgi?id=193546
1928
1929         * tools/JSDollarVM.cpp:
1930         (JSC::functionShadowChickenFunctionsOnStack):
1931
1932 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1933
1934         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1935         https://bugs.webkit.org/show_bug.cgi?id=193993
1936
1937         Reviewed by Keith Miller.
1938
1939         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
1940         And some of them are rarely used. We should allocate them lazily.
1941
1942         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1943         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1944         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1945         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1946         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
1947         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1948         by using WTF::storeStoreFence when lazily allocating it.
1949
1950         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1951         existence of the space before touching it. This is not racy because the main thread is stopped when
1952         the constraint solving is working.
1953
1954         This changes sizeof(VM) from 64736 to 56472.
1955
1956         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1957         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
1958         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
1959         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
1960         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
1961         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1962         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1963
1964         * API/JSCallbackFunction.h:
1965         * API/ObjCCallbackFunction.h:
1966         (JSC::ObjCCallbackFunction::subspaceFor):
1967         * API/glib/JSCCallbackFunction.h:
1968         * CMakeLists.txt:
1969         * JavaScriptCore.xcodeproj/project.pbxproj:
1970         * bytecode/CodeBlock.cpp:
1971         (JSC::CodeBlock::visitChildren):
1972         (JSC::CodeBlock::finalizeUnconditionally):
1973         * bytecode/CodeBlock.h:
1974         * bytecode/EvalCodeBlock.h:
1975         * bytecode/ExecutableToCodeBlockEdge.h:
1976         * bytecode/FunctionCodeBlock.h:
1977         * bytecode/ModuleProgramCodeBlock.h:
1978         * bytecode/ProgramCodeBlock.h:
1979         * bytecode/UnlinkedFunctionExecutable.cpp:
1980         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1981         * bytecode/UnlinkedFunctionExecutable.h:
1982         * dfg/DFGSpeculativeJIT.cpp:
1983         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1984         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1985         (JSC::DFG::SpeculativeJIT::compileNewObject):
1986         * ftl/FTLLowerDFGToB3.cpp:
1987         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1989         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1990         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1991         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1992         * heap/Heap.cpp:
1993         (JSC::Heap::finalizeUnconditionalFinalizers):
1994         (JSC::Heap::deleteAllCodeBlocks):
1995         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1996         (JSC::Heap::addCoreConstraints):
1997         * heap/Subspace.cpp:
1998         (JSC::Subspace::initialize):
1999         * jit/AssemblyHelpers.h:
2000         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2001         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2002         * jit/JITOpcodes.cpp:
2003         (JSC::JIT::emit_op_new_object):
2004         * jit/JITOpcodes32_64.cpp:
2005         (JSC::JIT::emit_op_new_object):
2006         * runtime/DirectArguments.h:
2007         * runtime/DirectEvalExecutable.h:
2008         * runtime/ErrorInstance.h:
2009         (JSC::ErrorInstance::subspaceFor):
2010         * runtime/ExecutableBase.h:
2011         * runtime/FunctionExecutable.h:
2012         * runtime/IndirectEvalExecutable.h:
2013         * runtime/InferredValue.cpp:
2014         (JSC::InferredValue::visitChildren):
2015         * runtime/InferredValue.h:
2016         * runtime/InferredValueInlines.h:
2017         (JSC::InferredValue::finalizeUnconditionally):
2018         * runtime/InternalFunction.h:
2019         * runtime/JSAsyncFunction.h:
2020         * runtime/JSAsyncGeneratorFunction.h:
2021         * runtime/JSBoundFunction.h:
2022         * runtime/JSCell.h:
2023         (JSC::subspaceFor):
2024         (JSC::subspaceForConcurrently):
2025         * runtime/JSCellInlines.h:
2026         (JSC::allocatorForNonVirtualConcurrently):
2027         * runtime/JSCustomGetterSetterFunction.h:
2028         * runtime/JSDestructibleObject.h:
2029         * runtime/JSFunction.h:
2030         * runtime/JSGeneratorFunction.h:
2031         * runtime/JSImmutableButterfly.h:
2032         * runtime/JSLexicalEnvironment.h:
2033         (JSC::JSLexicalEnvironment::subspaceFor):
2034         * runtime/JSNativeStdFunction.h:
2035         * runtime/JSSegmentedVariableObject.h:
2036         * runtime/JSString.h:
2037         * runtime/ModuleProgramExecutable.h:
2038         * runtime/NativeExecutable.h:
2039         * runtime/ProgramExecutable.h:
2040         * runtime/PropertyMapHashTable.h:
2041         * runtime/ProxyRevoke.h:
2042         * runtime/ScopedArguments.h:
2043         * runtime/ScriptExecutable.cpp:
2044         (JSC::ScriptExecutable::clearCode):
2045         (JSC::ScriptExecutable::installCode):
2046         * runtime/Structure.h:
2047         * runtime/StructureRareData.h:
2048         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2049         * runtime/VM.cpp:
2050         (JSC::VM::VM):
2051         * runtime/VM.h:
2052         (JSC::VM::SpaceAndSet::SpaceAndSet):
2053         (JSC::VM::SpaceAndSet::setFor):
2054         (JSC::VM::forEachScriptExecutableSpace):
2055         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2056         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2057         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2058         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2059         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2060         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2061         * runtime/WeakMapImpl.h:
2062         (JSC::WeakMapImpl::subspaceFor):
2063         * wasm/js/JSWebAssemblyCodeBlock.h:
2064         * wasm/js/JSWebAssemblyMemory.h:
2065         * wasm/js/WebAssemblyFunction.h:
2066         * wasm/js/WebAssemblyWrapperFunction.h:
2067
2068 2019-02-04  Keith Miller  <keith_miller@apple.com>
2069
2070         Change llint operand macros to inline functions
2071         https://bugs.webkit.org/show_bug.cgi?id=194248
2072
2073         Reviewed by Mark Lam.
2074
2075         * llint/LLIntSlowPaths.cpp:
2076         (JSC::LLInt::getNonConstantOperand):
2077         (JSC::LLInt::getOperand):
2078         (JSC::LLInt::llint_trace_value):
2079         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2080         (JSC::LLInt::getByVal):
2081         (JSC::LLInt::genericCall):
2082         (JSC::LLInt::varargsSetup):
2083         (JSC::LLInt::commonCallEval):
2084
2085 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2086
2087         when lowering AssertNotEmpty, create the value before creating the patchpoint
2088         https://bugs.webkit.org/show_bug.cgi?id=194231
2089
2090         Reviewed by Saam Barati.
2091
2092         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2093         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2094
2095         * ftl/FTLLowerDFGToB3.cpp:
2096         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2097
2098 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2099
2100         [JSC] ExecutableToCodeBlockEdge should be smaller
2101         https://bugs.webkit.org/show_bug.cgi?id=194244
2102
2103         Reviewed by Michael Saboff.
2104
2105         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2106         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2107         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2108         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2109
2110         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2111         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2112         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2113
2114         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2115         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2116         does not touch it if it is called in non-main threads).
2117
2118         * bytecode/ExecutableToCodeBlockEdge.cpp:
2119         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2120         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2121         (JSC::ExecutableToCodeBlockEdge::activate):
2122         (JSC::ExecutableToCodeBlockEdge::deactivate):
2123         (JSC::ExecutableToCodeBlockEdge::isActive const):
2124         * bytecode/ExecutableToCodeBlockEdge.h:
2125         * runtime/JSCell.h:
2126         * runtime/JSCellInlines.h:
2127         (JSC::JSCell::perCellBit const):
2128         (JSC::JSCell::setPerCellBit):
2129         (JSC::JSCell::mayBePrototype const): Deleted.
2130         (JSC::JSCell::didBecomePrototype): Deleted.
2131         * runtime/JSObject.cpp:
2132         (JSC::JSObject::setPrototypeDirect):
2133         * runtime/JSObject.h:
2134         * runtime/JSObjectInlines.h:
2135         (JSC::JSObject::mayBePrototype const):
2136         (JSC::JSObject::didBecomePrototype):
2137         * runtime/JSTypeInfo.h:
2138         (JSC::TypeInfo::perCellBit):
2139         (JSC::TypeInfo::mergeInlineTypeFlags):
2140         (JSC::TypeInfo::mayBePrototype): Deleted.
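The layout argument above, as an added example that is not JSC's code: it models an 8-byte cell header plus one pointer, once with a separate bool and once with the flag folded into the header's TypeInfo flags byte, and rounds both to the 16-byte size class. Struct names, the bit position and a 64-bit pointer size are assumptions.

```cpp
// Added example (not JSC's code): why folding m_isActive into a per-cell
// TypeInfo bit shrinks the cell from 24 (rounded to 32) bytes down to 16.
#include <cstddef>
#include <cstdint>

// Eight-byte cell header, mirroring the shape of JSC's JSCell header:
// a 4-byte structure ID plus four 1-byte fields, one of which is the
// inline TypeInfo flags byte.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t typeInfoFlags;   // the per-cell bit lives here (assumed position)
    uint8_t cellState;
};

static constexpr uint8_t kPerCellBit = 1 << 0;  // assumed bit position

// Before: a separate bool forces a third 8-byte word (1 byte used, 7 padding).
struct EdgeWithBool {
    CellHeader header;
    void* codeBlock;      // stands in for WriteBarrier<CodeBlock>
    bool isActive;
};

// After: the flag is stored in the header's per-cell bit, so no extra word.
struct EdgeWithPerCellBit {
    CellHeader header;
    void* codeBlock;

    bool isActive() const { return header.typeInfoFlags & kPerCellBit; }
    // Plain read-modify-write on a shared byte, not a CAS: as the entry
    // notes, only one thread may flip it.
    void activate() { header.typeInfoFlags |= kPerCellBit; }
    void deactivate() { header.typeInfoFlags &= ~kPerCellBit; }
};

// Size classes are rounded up to 16 bytes, as the entry describes.
constexpr size_t roundToSizeClass(size_t bytes) { return (bytes + 15) & ~size_t(15); }

size_t allocatedSizeWithBool() { return roundToSizeClass(sizeof(EdgeWithBool)); }
size_t allocatedSizeWithPerCellBit() { return roundToSizeClass(sizeof(EdgeWithPerCellBit)); }

// Activate, read, deactivate; returns true if the header byte round-trips
// cleanly without disturbing the other flag bits.
bool toggleRoundTrip() {
    EdgeWithPerCellBit edge{};
    edge.activate();
    bool on = edge.isActive();
    edge.deactivate();
    return on && !edge.isActive() && edge.header.typeInfoFlags == 0;
}
```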
2141
2142 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2143
2144         [JSC] Shrink size of FunctionExecutable
2145         https://bugs.webkit.org/show_bug.cgi?id=194191
2146
2147         Reviewed by Michael Saboff.
2148
2149         This patch reduces the size of FunctionExecutable. Since it is allocated in an IsoSubspace, reducing the size directly
2150         improves the allocation efficiency.
2151
2152         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
2153            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2154
2155         2. FunctionExecutable has several pieces of data that are rarely used. One is for the FunctionOverrides functionality, which is typically
2156            used for JSC debugging purposes, and another is TypeSet and offsets for the type profiler. We move them to RareData and reduce
2157            the size of FunctionExecutable in the common case.
2158
2159         This patch changes the size of FunctionExecutable from 176 to 144.
2160
2161         * bytecode/CodeBlock.cpp:
2162         (JSC::CodeBlock::dumpSource):
2163         (JSC::CodeBlock::finishCreation):
2164         * dfg/DFGNode.h:
2165         (JSC::DFG::Node::OpInfoWrapper::as const):
2166         * interpreter/StackVisitor.cpp:
2167         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2168         * runtime/ExecutableBase.h:
2169         * runtime/FunctionExecutable.cpp:
2170         (JSC::FunctionExecutable::FunctionExecutable):
2171         (JSC::FunctionExecutable::ensureRareDataSlow):
2172         * runtime/FunctionExecutable.h:
2173         * runtime/Intrinsic.h:
2174         * runtime/ModuleProgramExecutable.cpp:
2175         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2176         * runtime/ProgramExecutable.cpp:
2177         (JSC::ProgramExecutable::ProgramExecutable):
2178         * runtime/ScriptExecutable.cpp:
2179         (JSC::ScriptExecutable::ScriptExecutable):
2180         (JSC::ScriptExecutable::overrideLineNumber const):
2181         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2182         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2183         * runtime/ScriptExecutable.h:
2184         (JSC::ScriptExecutable::firstLine const):
2185         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2186         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2187         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2188         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2189         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2190         * runtime/StackFrame.cpp:
2191         (JSC::StackFrame::computeLineAndColumn const):
2192         * tools/JSDollarVM.cpp:
2193         (JSC::functionReturnTypeFor):
2194
2195 2019-02-04  Mark Lam  <mark.lam@apple.com>
2196
2197         DFG's doesGC() is incorrect about the SameValue node's behavior.
2198         https://bugs.webkit.org/show_bug.cgi?id=194211
2199         <rdar://problem/47608913>
2200
2201         Reviewed by Saam Barati.
2202
2203         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2204         it calls operationSameValue() which may allocate memory for resolving ropes.
2205
2206         * dfg/DFGDoesGC.cpp:
2207         (JSC::DFG::doesGC):
2208
2209 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2210
2211         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2212         https://bugs.webkit.org/show_bug.cgi?id=194031
2213
2214         Reviewed by Saam Barati.
2215
2216         UnlinkedMetadataTable assumes that the MetadataTable linked against it is already destroyed when the UnlinkedMetadataTable is destroyed.
2217         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid, since the GC's finalizer
2218         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2219         destroyed if UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2220
2221         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2222         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2223
2224         * bytecode/MetadataTable.cpp:
2225         (JSC::MetadataTable::MetadataTable):
2226         (JSC::MetadataTable::~MetadataTable):
2227         * bytecode/UnlinkedCodeBlock.cpp:
2228         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2229         (JSC::UnlinkedCodeBlock::visitChildren):
2230         (JSC::UnlinkedCodeBlock::estimatedSize):
2231         (JSC::UnlinkedCodeBlock::setInstructions):
2232         * bytecode/UnlinkedCodeBlock.h:
2233         (JSC::UnlinkedCodeBlock::metadata):
2234         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2235         * bytecode/UnlinkedMetadataTable.h:
2236         (JSC::UnlinkedMetadataTable::create):
2237         * bytecode/UnlinkedMetadataTableInlines.h:
2238         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2239         * runtime/CachedTypes.cpp:
2240         (JSC::CachedMetadataTable::decode const):
2241         (JSC::CachedCodeBlock::metadata const):
2242         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2243         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2244         (JSC::CachedCodeBlock<CodeBlockType>::encode):
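The ownership fix above, as an added example that is not JSC's code: a scaled-down model in which the linked table holds a strong reference to the unlinked one, so sweeping the original owner first no longer frees the unlinked table out from under its users. std::shared_ptr stands in for WTF::RefCounted/Ref, and the struct and field names are assumptions.

```cpp
// Added example (not JSC's code): the linked table keeps the unlinked table
// alive, so the sweep order of the two cells does not matter.
#include <cassert>
#include <cstdint>
#include <memory>
#include <vector>

struct UnlinkedMetadataTable {
    std::vector<uint8_t> layout;   // shared, immutable metadata layout
    int linkedCount = 0;           // number of live linked tables

    // The invariant the entry relies on: no linked table outlives us.
    ~UnlinkedMetadataTable() { assert(linkedCount == 0); }
};

struct MetadataTable {
    // Strong ref: destruction of the unlinked table is deferred until the
    // last linked table is gone, whatever order the GC sweeps cells in.
    std::shared_ptr<UnlinkedMetadataTable> unlinked;
    std::vector<uint8_t> buffer;   // per-CodeBlock copy of the layout

    explicit MetadataTable(std::shared_ptr<UnlinkedMetadataTable> u)
        : unlinked(std::move(u)), buffer(unlinked->layout) { ++unlinked->linkedCount; }
    ~MetadataTable() { --unlinked->linkedCount; }
};

// Simulates the problematic sweep order: the UnlinkedCodeBlock (the original
// owner) is swept before the CodeBlocks that link against it. Returns true if
// the unlinked table survived exactly until the last linked table died.
bool unlinkedOutlivesLinkedTables() {
    auto unlinked = std::make_shared<UnlinkedMetadataTable>();
    unlinked->layout = {1, 2, 3};                       // constructed sample layout
    std::weak_ptr<UnlinkedMetadataTable> watcher = unlinked;

    auto a = std::make_unique<MetadataTable>(unlinked);
    auto b = std::make_unique<MetadataTable>(unlinked);
    unlinked.reset();                                   // "UnlinkedCodeBlock swept first"

    bool aliveWhileLinked = !watcher.expired() && watcher.lock()->linkedCount == 2;
    a.reset();
    bool aliveWithOneLeft = !watcher.expired() && watcher.lock()->linkedCount == 1;
    b.reset();                                          // last linked table frees the unlinked one
    bool freedAtEnd = watcher.expired();
    return aliveWhileLinked && aliveWithOneLeft && freedAtEnd;
}
```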
2245
2246 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2247
2248         [JSC] Decouple JIT related data from CodeBlock
2249         https://bugs.webkit.org/show_bug.cgi?id=194187
2250
2251         Reviewed by Saam Barati.
2252
2253         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2254         We have three types of data in CodeBlock.
2255
2256         1. The data which is always used. CodeBlock needs to hold it.
2257         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2258         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2259
2260         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2261         number of them gets JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2262         memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
2263         in both non-JIT and *JIT* modes.
2264
2265         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2266         by the lock of CodeBlock.
2267
2268         The size of CodeBlock is reduced from 512 to 352.
2269
2270         This patch improves memory footprint and gets a 1.1% improvement in RAMification.
2271
2272             Footprint geomean: 36696503 (34.997 MB)
2273             Peak Footprint geomean: 38595988 (36.808 MB)
2274             Score: 37634263 (35.891 MB)
2275
2276             Footprint geomean: 37172768 (35.451 MB)
2277             Peak Footprint geomean: 38978288 (37.173 MB)
2278             Score: 38064824 (36.301 MB)
2279
2280         * bytecode/CodeBlock.cpp:
2281         (JSC::CodeBlock::~CodeBlock):
2282         (JSC::CodeBlock::propagateTransitions):
2283         (JSC::CodeBlock::ensureJITDataSlow):
2284         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2285         (JSC::CodeBlock::getICStatusMap):
2286         (JSC::CodeBlock::addStubInfo):
2287         (JSC::CodeBlock::addJITAddIC):
2288         (JSC::CodeBlock::addJITMulIC):
2289         (JSC::CodeBlock::addJITSubIC):
2290         (JSC::CodeBlock::addJITNegIC):
2291         (JSC::CodeBlock::findStubInfo):
2292         (JSC::CodeBlock::addByValInfo):
2293         (JSC::CodeBlock::addCallLinkInfo):
2294         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2295         (JSC::CodeBlock::addRareCaseProfile):
2296         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2297         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2298         (JSC::CodeBlock::resetJITData):
2299         (JSC::CodeBlock::stronglyVisitStrongReferences):
2300         (JSC::CodeBlock::shrinkToFit):
2301         (JSC::CodeBlock::linkIncomingCall):
2302         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2303         (JSC::CodeBlock::unlinkIncomingCalls):
2304         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2305         (JSC::CodeBlock::dumpValueProfiles):
2306         (JSC::CodeBlock::setPCToCodeOriginMap):
2307         (JSC::CodeBlock::findPC):
2308         (JSC::CodeBlock::dumpMathICStats):
2309         * bytecode/CodeBlock.h:
2310         (JSC::CodeBlock::ensureJITData):
2311         (JSC::CodeBlock::setJITCodeMap):
2312         (JSC::CodeBlock::jitCodeMap):
2313         (JSC::CodeBlock::likelyToTakeSlowCase):
2314         (JSC::CodeBlock::couldTakeSlowCase):
2315         (JSC::CodeBlock::lazyOperandValueProfiles):
2316         (JSC::CodeBlock::stubInfoBegin): Deleted.
2317         (JSC::CodeBlock::stubInfoEnd): Deleted.
2318         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2319         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2320         (JSC::CodeBlock::jitCodeMap const): Deleted.
2321         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2322         * bytecode/MethodOfGettingAValueProfile.cpp:
2323         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2324         (JSC::MethodOfGettingAValueProfile::reportValue):
2325         * dfg/DFGByteCodeParser.cpp:
2326         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2327         * jit/JIT.h:
2328         * jit/JITOperations.cpp:
2329         (JSC::tryGetByValOptimize):
2330         * jit/JITPropertyAccess.cpp:
2331         (JSC::JIT::privateCompileGetByVal):
2332         (JSC::JIT::privateCompilePutByVal):
2333
2334 2018-12-16  Darin Adler  <darin@apple.com>
2335
2336         Convert additional String::format clients to alternative approaches
2337         https://bugs.webkit.org/show_bug.cgi?id=192746
2338
2339         Reviewed by Alexey Proskuryakov.
2340
2341         * inspector/agents/InspectorConsoleAgent.cpp:
2342         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2343         and FormattedNumber::fixedWidth.
2344
2345 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2346
2347         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2348         https://bugs.webkit.org/show_bug.cgi?id=194177
2349
2350         Reviewed by Saam Barati.
2351
2352         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2353         We can share the IsoSubspace for JSFunction.
2354
2355         * runtime/JSAsyncFunction.h:
2356         * runtime/JSAsyncGeneratorFunction.h:
2357         * runtime/JSGeneratorFunction.h:
2358         * runtime/VM.cpp:
2359         (JSC::VM::VM):
2360         * runtime/VM.h:
2361
2362 2019-02-01  Mark Lam  <mark.lam@apple.com>
2363
2364         Remove invalid assertion in DFG's compileDoubleRep().
2365         https://bugs.webkit.org/show_bug.cgi?id=194130
2366         <rdar://problem/47699474>
2367
2368         Reviewed by Saam Barati.
2369
2370         * dfg/DFGSpeculativeJIT.cpp:
2371         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2372
2373 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2374
2375         [JSC] Unify CodeBlock IsoSubspaces
2376         https://bugs.webkit.org/show_bug.cgi?id=194167
2377
2378         Reviewed by Saam Barati.
2379
2380         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2381         But this is not necessary since,
2382
2383         1. They do not override the classInfo methods.
2384         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2385
2386         Creating an IsoSubspace for each subclass is costly in terms of memory. Especially the IsoSubspace for
2387         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2388         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2389
2390         This patch unifies these IsoSubspaces into one.
2391
2392         * bytecode/CodeBlock.cpp:
2393         (JSC::CodeBlock::destroy):
2394         * bytecode/CodeBlock.h:
2395         * bytecode/EvalCodeBlock.cpp:
2396         (JSC::EvalCodeBlock::destroy): Deleted.
2397         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2398         * bytecode/FunctionCodeBlock.cpp:
2399         (JSC::FunctionCodeBlock::destroy): Deleted.
2400         * bytecode/FunctionCodeBlock.h:
2401         * bytecode/GlobalCodeBlock.h:
2402         * bytecode/ModuleProgramCodeBlock.cpp:
2403         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2404         * bytecode/ModuleProgramCodeBlock.h:
2405         * bytecode/ProgramCodeBlock.cpp:
2406         (JSC::ProgramCodeBlock::destroy): Deleted.
2407         * bytecode/ProgramCodeBlock.h:
2408         * interpreter/Interpreter.cpp:
2409         (JSC::Interpreter::execute):
2410         * runtime/VM.cpp:
2411         (JSC::VM::VM):
2412         * runtime/VM.h:
2413         (JSC::VM::forEachCodeBlockSpace):
2414
2415 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2416
2417         Unreviewed, follow-up after r240859
2418         https://bugs.webkit.org/show_bug.cgi?id=194145
2419
2420         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2421         And rename cellDangerousBitsSpace back to cellSpace.
2422
2423         * runtime/JSCellInlines.h:
2424         (JSC::JSCell::subspaceFor):
2425         * runtime/VM.cpp:
2426         (JSC::VM::VM):
2427         * runtime/VM.h:
2428
2429 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2430
2431         [JSC] Remove cellJSValueOOBSpace
2432         https://bugs.webkit.org/show_bug.cgi?id=194145
2433
2434         Reviewed by Mark Lam.
2435
2436         * runtime/JSObject.h:
2437         (JSC::JSObject::subspaceFor): Deleted.
2438         * runtime/VM.cpp:
2439         (JSC::VM::VM):
2440         * runtime/VM.h:
2441
2442 2019-01-31  Mark Lam  <mark.lam@apple.com>
2443
2444         Remove poisoning from CodeBlock and LLInt code.
2445         https://bugs.webkit.org/show_bug.cgi?id=194113
2446
2447         Reviewed by Yusuke Suzuki.
2448
2449         * bytecode/CodeBlock.cpp:
2450         (JSC::CodeBlock::CodeBlock):
2451         (JSC::CodeBlock::~CodeBlock):
2452         (JSC::CodeBlock::setConstantRegisters):
2453         (JSC::CodeBlock::propagateTransitions):
2454         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2455         (JSC::CodeBlock::jettison):
2456         (JSC::CodeBlock::predictedMachineCodeSize):
2457         * bytecode/CodeBlock.h:
2458         (JSC::CodeBlock::vm const):
2459         (JSC::CodeBlock::addConstant):
2460         (JSC::CodeBlock::heap const):
2461         (JSC::CodeBlock::replaceConstant):
2462         * llint/LLIntOfflineAsmConfig.h:
2463         * llint/LLIntSlowPaths.cpp:
2464         (JSC::LLInt::handleHostCall):
2465         (JSC::LLInt::setUpCall):
2466         * llint/LowLevelInterpreter.asm:
2467         * llint/LowLevelInterpreter32_64.asm:
2468         * llint/LowLevelInterpreter64.asm:
2469
2470 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2471
2472         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2473         https://bugs.webkit.org/show_bug.cgi?id=194107
2474
2475         Reviewed by Saam Barati.
2476
2477         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2478         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2479
2480         * CMakeLists.txt:
2481         * DerivedSources.make:
2482         * JavaScriptCore.xcodeproj/project.pbxproj:
2483         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2484         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2485         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2486         (JSC::AsyncFromSyncIteratorPrototype::create):
2487         * runtime/AsyncFromSyncIteratorPrototype.h:
2488
2489 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2490
2491         Fix `runJITThreadLimitTests` in testapi
2492         https://bugs.webkit.org/show_bug.cgi?id=194064
2493         <rdar://problem/46139147>
2494
2495         Reviewed by Mark Lam.
2496
2497         Fix typo where `targetNumberOfThreads` was not being used.
2498
2499         * API/tests/testapi.mm:
2500         (runJITThreadLimitTests):
2501
2502 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2503
2504         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2505         https://bugs.webkit.org/show_bug.cgi?id=194112
2506
2507         Reviewed by Mark Lam.
2508
2509         `testBytecodeCache` does not populate the bytecode cache for the global
2510         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2511
2512         * API/tests/testapi.mm:
2513         (testBytecodeCache):
2514
2515 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2516
2517         Unreviewed, follow-up after r240796
2518
2519         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2520         when allocating InferredValue in FunctionExecutable::finishCreation.
2521
2522         * runtime/FunctionExecutable.cpp:
2523         (JSC::FunctionExecutable::FunctionExecutable):
2524         (JSC::FunctionExecutable::finishCreation):
2525
2526 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2527
2528         [JSC] Do not use InferredValue in non-JIT configuration
2529         https://bugs.webkit.org/show_bug.cgi?id=194084
2530
2531         Reviewed by Saam Barati.
2532
2533         InferredValue is not meaningful if our VM is in non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2534         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2535         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2536         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2537         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2538         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2539         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2540         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2541
2542         * bytecode/ObjectAllocationProfileInlines.h:
2543         (JSC::ObjectAllocationProfile::initializeProfile):
2544         * runtime/FunctionExecutable.cpp:
2545         (JSC::FunctionExecutable::finishCreation):
2546         (JSC::FunctionExecutable::visitChildren):
2547         * runtime/FunctionExecutable.h:
2548         * runtime/InferredValue.cpp:
2549         (JSC::InferredValue::create):
2550         * runtime/JSAsyncFunction.cpp:
2551         (JSC::JSAsyncFunction::create):
2552         * runtime/JSAsyncGeneratorFunction.cpp:
2553         (JSC::JSAsyncGeneratorFunction::create):
2554         * runtime/JSFunction.cpp:
2555         (JSC::JSFunction::create):
2556         * runtime/JSFunctionInlines.h:
2557         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2558         * runtime/JSGeneratorFunction.cpp:
2559         (JSC::JSGeneratorFunction::create):
2560         * runtime/JSSymbolTableObject.h:
2561         (JSC::JSSymbolTableObject::setSymbolTable):
2562         * runtime/SymbolTable.cpp:
2563         (JSC::SymbolTable::finishCreation):
2564         * runtime/VM.cpp:
2565         (JSC::VM::VM):
2566
2567 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2568
2569         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2570         https://bugs.webkit.org/show_bug.cgi?id=194085
2571
2572         Reviewed by Yusuke Suzuki.
2573
2574         r240730 changed ud_itab.py and caused incremental build failures
2575         for Ninja builds.
2576
2577         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2578
2579 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2580
2581         [JSC] Symbol should be in destructibleCellSpace
2582         https://bugs.webkit.org/show_bug.cgi?id=194082
2583
2584         Reviewed by Saam Barati.
2585
2586         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2587         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2588         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2589         Symbol's space destructibleCellSpace to appropriately call the destructor.
2590
2591         * runtime/Symbol.h:
2592
2593 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2594
2595         Unreviewed, rolling out r240755.
2596
2597         This was not correct
2598
2599         Reverted changeset:
2600
2601         "Unreviewed, fix GCC build after r240730"
2602         https://bugs.webkit.org/show_bug.cgi?id=194041
2603         https://trac.webkit.org/changeset/240755
2604
2605 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2606
2607         Unreviewed, fix GCC build after r240730
2608         https://bugs.webkit.org/show_bug.cgi?id=194041
2609         <rdar://problem/47680981>
2610
2611         * disassembler/udis86/ud_itab.py:
2612         (UdItabGenerator.genOpcodeTablesLookupIndex):
2613
2614 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2615
2616         testapi's `testBytecodeCache` does not need to run the code twice
2617         https://bugs.webkit.org/show_bug.cgi?id=194046
2618
2619         Reviewed by Mark Lam.
2620
2621         Since we populate the cache eagerly (unlike the stress tests) we don't
2622         need to run the code twice.
2623
2624         * API/tests/testapi.mm:
2625         (testBytecodeCache):
2626
2627 2019-01-30  Saam barati  <sbarati@apple.com>
2628
2629         [WebAssembly] Change BBQ to generate Air IR
2630         https://bugs.webkit.org/show_bug.cgi?id=191802
2631         <rdar://problem/47651718>
2632
2633         Reviewed by Keith Miller.
2634
2635         This patch adds a new Wasm compiler for the BBQ tier. Instead
2636         of compiling using B3-01, we now generate Air code directly.
2637         The goal of doing this was to speed up compile times for Wasm
2638         programs.
2639         
2640         This patch provides us with a 20-30% compile time speedup. However, I
2641         have ideas on how to improve compile times even further. For example,
2642         we should probably implement a faster running register allocator:
2643         https://bugs.webkit.org/show_bug.cgi?id=194036
2644         
2645         We can also improve on the code we generate.
2646         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2647         And we should do better instruction selection in various
2648         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2649
2650         * JavaScriptCore.xcodeproj/project.pbxproj:
2651         * Sources.txt:
2652         * b3/B3LowerToAir.cpp:
2653         * b3/B3StackmapSpecial.h:
2654         * b3/air/AirCode.cpp:
2655         (JSC::B3::Air::Code::emitDefaultPrologue):
2656         * b3/air/AirCode.h:
2657         * b3/air/AirTmp.h:
2658         (JSC::B3::Air::Tmp::Tmp):
2659         * runtime/Options.h:
2660         * wasm/WasmAirIRGenerator.cpp: Added.
2661         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2662         (JSC::Wasm::TypedTmp::TypedTmp):
2663         (JSC::Wasm::TypedTmp::operator== const):
2664         (JSC::Wasm::TypedTmp::operator!= const):
2665         (JSC::Wasm::TypedTmp::operator bool const):
2666         (JSC::Wasm::TypedTmp::operator Tmp const):
2667         (JSC::Wasm::TypedTmp::operator Arg const):
2668         (JSC::Wasm::TypedTmp::tmp const):
2669         (JSC::Wasm::TypedTmp::type const):
2670         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2671         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2672         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2673         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2674         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2675         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2676         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2677         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2678         (JSC::Wasm::AirIRGenerator::emptyExpression):
2679         (JSC::Wasm::AirIRGenerator::fail const):
2680         (JSC::Wasm::AirIRGenerator::setParser):
2681         (JSC::Wasm::AirIRGenerator::toTmpVector):
2682         (JSC::Wasm::AirIRGenerator::validateInst):
2683         (JSC::Wasm::AirIRGenerator::extractArg):
2684         (JSC::Wasm::AirIRGenerator::append):
2685         (JSC::Wasm::AirIRGenerator::appendEffectful):
2686         (JSC::Wasm::AirIRGenerator::newTmp):
2687         (JSC::Wasm::AirIRGenerator::g32):
2688         (JSC::Wasm::AirIRGenerator::g64):
2689         (JSC::Wasm::AirIRGenerator::f32):
2690         (JSC::Wasm::AirIRGenerator::f64):
2691         (JSC::Wasm::AirIRGenerator::tmpForType):
2692         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2693         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2694         (JSC::Wasm::AirIRGenerator::emitCheck):
2695         (JSC::Wasm::AirIRGenerator::emitCCall):
2696         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2697         (JSC::Wasm::AirIRGenerator::instanceValue):
2698         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2699         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2700         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2701         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2702         (JSC::Wasm::AirIRGenerator::emitThrowException):
2703         (JSC::Wasm::AirIRGenerator::addLocal):
2704         (JSC::Wasm::AirIRGenerator::addConstant):
2705         (JSC::Wasm::AirIRGenerator::addArguments):
2706         (JSC::Wasm::AirIRGenerator::getLocal):
2707         (JSC::Wasm::AirIRGenerator::addUnreachable):
2708         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2709         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2710         (JSC::Wasm::AirIRGenerator::setLocal):
2711         (JSC::Wasm::AirIRGenerator::getGlobal):
2712         (JSC::Wasm::AirIRGenerator::setGlobal):
2713         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2714         (JSC::Wasm::sizeOfLoadOp):
2715         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2716         (JSC::Wasm::AirIRGenerator::load):
2717         (JSC::Wasm::sizeOfStoreOp):
2718         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2719         (JSC::Wasm::AirIRGenerator::store):
2720         (JSC::Wasm::AirIRGenerator::addSelect):
2721         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2722         (JSC::Wasm::AirIRGenerator::addLoop):
2723         (JSC::Wasm::AirIRGenerator::addTopLevel):
2724         (JSC::Wasm::AirIRGenerator::addBlock):
2725         (JSC::Wasm::AirIRGenerator::addIf):
2726         (JSC::Wasm::AirIRGenerator::addElse):
2727         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2728         (JSC::Wasm::AirIRGenerator::addReturn):
2729         (JSC::Wasm::AirIRGenerator::addBranch):
2730         (JSC::Wasm::AirIRGenerator::addSwitch):
2731         (JSC::Wasm::AirIRGenerator::endBlock):
2732         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2733         (JSC::Wasm::AirIRGenerator::addCall):
2734         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2735         (JSC::Wasm::AirIRGenerator::unify):
2736         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2737         (JSC::Wasm::AirIRGenerator::dump):
2738         (JSC::Wasm::AirIRGenerator::origin):
2739         (JSC::Wasm::parseAndCompileAir):
2740         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2741         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2742         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2743         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2744         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2745         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2746         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2747         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2748         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2749         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2750         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2751         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2752         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2753         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2754         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2755         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2756         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2757         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2758         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2759         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2760         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2761         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2762         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2763         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2764         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2765         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2766         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2767         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2768         (JSC::Wasm::AirIRGenerator::addShift):
2769         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2770         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2771         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2772         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2773         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2774         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2775         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2776         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2777         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2778         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2779         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2780         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2781         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2782         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2783         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2784         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2785         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2786         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2787         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2788         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2789         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2790         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2791         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2792         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2793         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2794         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2795         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2796         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2797         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2798         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2799         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2800         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2801         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2802         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2803         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2804         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2805         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2806         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2807         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2808         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2809         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2810         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2811         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2812         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2813         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2814         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2815         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2816         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2817         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2818         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2819         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2820         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2821         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2822         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2823         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2824         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2825         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2826         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2827         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2828         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2829         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2830         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2831         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2832         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2833         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2834         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2835         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2836         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2837         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2838         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2839         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2840         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2841         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2842         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2843         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2844         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2845         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2846         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2847         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2848         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2849         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2850         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2851         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2852         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2853         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2854         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2855         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2856         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2857         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2858         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2859         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2860         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2861         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2862         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2863         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2864         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2865         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2866         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2867         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2868         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2869         * wasm/WasmAirIRGenerator.h: Added.
2870         * wasm/WasmB3IRGenerator.cpp:
2871         (JSC::Wasm::B3IRGenerator::emptyExpression):
2872         * wasm/WasmBBQPlan.cpp:
2873         (JSC::Wasm::BBQPlan::compileFunctions):
2874         * wasm/WasmCallingConvention.cpp:
2875         (JSC::Wasm::jscCallingConventionAir):
2876         (JSC::Wasm::wasmCallingConventionAir):
2877         * wasm/WasmCallingConvention.h:
2878         (JSC::Wasm::CallingConvention::CallingConvention):
2879         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2880         (JSC::Wasm::CallingConvention::marshallArgument const):
2881         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2882         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2883         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2884         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2885         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2886         (JSC::Wasm::CallingConventionAir::loadArguments const):
2887         (JSC::Wasm::CallingConventionAir::setupCall const):
2888         (JSC::Wasm::nextJSCOffset):
2889         * wasm/WasmFunctionParser.h:
2890         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2891         * wasm/WasmValidate.cpp:
2892         (JSC::Wasm::Validate::emptyExpression):
2893
2894 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2895
2896         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2897         https://bugs.webkit.org/show_bug.cgi?id=194050
2898         <rdar://problem/47595592>
2899
2900         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2901         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2902
2903         Reviewed by Yusuke Suzuki.
2904
2905         * ftl/FTLOperations.cpp:
2906         (JSC::FTL::operationMaterializeObjectInOSR):
2907
2908 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2909
2910         Remove assertion that CachedSymbolTables should have no RareData
2911         https://bugs.webkit.org/show_bug.cgi?id=194037
2912
2913         Reviewed by Mark Lam.
2914
2915         It turns out that we don't need to cache the SymbolTableRareData and
2916         we should not assert that it's empty.
2917
2918         * runtime/CachedTypes.cpp:
2919         (JSC::CachedSymbolTable::encode):
2920
2921 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2922
2923         CachedBytecode's move constructor should not call `freeDataIfOwned`
2924         https://bugs.webkit.org/show_bug.cgi?id=194045
2925
2926         Reviewed by Mark Lam.
2927
2928         That might result in freeing a garbage value.
2929
2930         * parser/SourceProvider.h:
2931         (JSC::CachedBytecode::CachedBytecode):
2932
2933 2019-01-30  Keith Miller  <keith_miller@apple.com>
2934
2935         mul32 should convert powers of 2 to an lshift
2936         https://bugs.webkit.org/show_bug.cgi?id=193957
2937
2938         Reviewed by Yusuke Suzuki.
2939
2940         * assembler/MacroAssembler.h:
2941         (JSC::MacroAssembler::mul32):
2942         * assembler/testmasm.cpp:
2943         (JSC::int32Operands):
2944         (JSC::testMul32WithImmediates):
2945         (JSC::run):
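
        Added illustration (not part of this ChangeLog entry or of the JSC sources): the strength reduction the entry
        describes, written as stand-alone C++ so the equivalence can be checked. A 32-bit multiply by an immediate 2^k
        is the same as a left shift by k because both wrap modulo 2^32; 0, negative immediates and INT32_MIN are not
        candidates. The function names are hypothetical and are not MacroAssembler API.

```cpp
#include <cstdint>

// Added illustration, not JSC MacroAssembler code: the strength reduction
// behind "mul32 should convert powers of 2 to an lshift". Multiplying a
// 32-bit value by an immediate 2^k equals shifting it left by k, and both
// wrap modulo 2^32, so the rewrite is exact for every operand. Function
// names here are hypothetical.

// Returns k if imm == 2^k for some k in [0, 30], otherwise -1.
// 0, negatives and INT32_MIN (2^31, but negative as an int32) are not candidates.
int shiftForPowerOfTwo(int32_t imm)
{
    if (imm <= 0)
        return -1;
    uint32_t u = static_cast<uint32_t>(imm);
    if (u & (u - 1))
        return -1;                       // more than one bit set
    int shift = 0;
    while ((1u << shift) != u)
        ++shift;
    return shift;
}

// Reference semantics: wrapping 32-bit multiply, which is what a mul32 computes.
int32_t mul32Wrapping(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}

// What an emitter does: take the shift path when the immediate allows it.
int32_t mul32ByImmediate(int32_t a, int32_t imm)
{
    int shift = shiftForPowerOfTwo(imm);
    if (shift >= 0)
        return static_cast<int32_t>(static_cast<uint32_t>(a) << shift); // lshift32 path
    return mul32Wrapping(a, imm);                                       // generic mul32 path
}

// Cross-checks the two paths on boundary operands for every power-of-two immediate.
bool shiftPathMatchesMultiply()
{
    const int32_t operands[] = {
        0, 1, -1, 2, -2, 42, -42, 0x7fffffff, INT32_MIN,
        0x40000000, -0x40000000, 0x12345678, static_cast<int32_t>(0xdeadbeefu)
    };
    for (int s = 0; s < 31; ++s) {
        int32_t imm = static_cast<int32_t>(1u << s);
        for (int32_t a : operands) {
            if (mul32ByImmediate(a, imm) != mul32Wrapping(a, imm))
                return false;
        }
    }
    return true;
}
```

        The cross-check matters because the rewrite is only safe if it agrees with the multiply on wrapping operands
        such as INT32_MIN and 0x7fffffff, which is exactly what a testmasm-style test would exercise.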
2946
2947 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2948
2949         [JSC] Make disassembler data structures constant read-only data
2950         https://bugs.webkit.org/show_bug.cgi?id=194041
2951
2952         Reviewed by Mark Lam.
2953
2954         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2955         This patch makes them "const".
2956
2957         * disassembler/ARM64/A64DOpcode.cpp:
2958         * disassembler/udis86/ud_itab.py:
2959         (UdItabGenerator.genOpcodeTablesLookupIndex):
2960         (UdItabGenerator.genInsnTable):
2961         (UdItabGenerator.genMnemonicsList):
2962         (genItabH):
2963         * disassembler/udis86/udis86_decode.h:
2964         * disassembler/udis86/udis86_syn.c:
2965         * disassembler/udis86/udis86_syn.h:
2966         * disassembler/udis86/udis86_types.h:
2967
2968 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2969
2970         Unreviewed, update the builtin test results
2971         https://bugs.webkit.org/show_bug.cgi?id=194015
2972
2973         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2974         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2975         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2976         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2977         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2978         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2979         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2980         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2981         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2982         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2983         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2984         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2985         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2986
2987 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2988
2989         [JSC] Make global static variables "const" as much as possible
2990         https://bugs.webkit.org/show_bug.cgi?id=194015
2991
2992         Reviewed by Mark Lam.
2993
2994         Some global static variables are not "const". For example, `static const char* name = ...`
2995         is not a constant variable. We should make it `static const char* const name = ...`.
2996
2997         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2998         (generate_externs_for_object):
2999         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3000         (generate_externs_for_object):
3001         * Scripts/wkbuiltins/builtins_generator.py:
3002         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3003         * assembler/MacroAssembler.h:
3004         (JSC::MacroAssembler::additionBlindedConstant):
3005         * b3/air/AirFormTable.h:
3006         * b3/air/opcode_generator.rb:
3007         * runtime/JSObject.cpp:
3008         (JSC::JSObject::visitButterfly):
3009         * tools/CodeProfile.cpp:
3010         * tools/CodeProfile.h:
3011
3012 2019-01-29  Keith Miller  <keith_miller@apple.com>
3013
3014         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3015         https://bugs.webkit.org/show_bug.cgi?id=194000
3016         <rdar://problem/47642894>
3017
3018         Reviewed by Mark Lam.
3019
3020         The default constructor is unused, and
3021         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3022         data member, which causes sadness.
3023
3024         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3025
3026 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3027
3028         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3029
3030         Rubber-stamped by Yusuke Suzuki.
3031
3032         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3033
3034         * parser/Parser.h:
3035         (JSC::Parser::declareHoistedVariable):
3036
3037 2019-01-29  Mark Lam  <mark.lam@apple.com>
3038
3039         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3040         https://bugs.webkit.org/show_bug.cgi?id=132333
3041
3042         Reviewed by Yusuke Suzuki.
3043
3044         * bytecode/InstructionStream.h:
3045         (JSC::InstructionStreamWriter::write):
3046         - The 32-bit write() function need not invert the order of the bytes written to
3047           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3048           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3049
3050         * llint/LLIntOfflineAsmConfig.h:
3051         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3052
3053 2019-01-29  Mark Lam  <mark.lam@apple.com>
3054
3055         ValueRecovery::recover() should purify NaN values it recovers.
3056         https://bugs.webkit.org/show_bug.cgi?id=193978
3057         <rdar://problem/47625488>
3058
3059         Reviewed by Saam Barati.
3060
3061         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3062         recovered DoubleDisplacedInJSStack values need to be purified.
3063         ValueRecovery::recover() should do the same.
3064
3065         * bytecode/ValueRecovery.cpp:
3066         (JSC::ValueRecovery::recover const):
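
        Added illustration (not part of this ChangeLog entry or of the JSC sources): what "purifying" a recovered
        double means and why it matters in a NaN-boxed value representation. The tag constants, the offset and the
        function names below are assumptions chosen for the illustration, not JSC's actual encoding; the point they
        show is general: a NaN whose payload bits fall into a range reserved for non-double tags would be misread as
        a tagged integer once boxed, so every NaN must be collapsed to one canonical pattern before encoding.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Added illustration, not JSC code: why values recovered as doubles must be
// "purified" before being boxed. The constants below are assumed for the
// illustration. A NaN-boxing scheme reserves some 64-bit patterns for
// non-double tags; a NaN whose payload lands in that reserved range would be
// misread as a tagged int32 (or a pointer) after encoding.

constexpr uint64_t kCanonicalNaNBits   = 0x7ff8000000000000ull; // the one NaN we allow to be boxed
constexpr uint64_t kDoubleEncodeOffset = 1ull << 49;            // doubles are shifted up by this amount
constexpr uint64_t kNumberTag          = 0xfffe000000000000ull; // encoded values carrying this tag are int32s

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Collapse every NaN to the canonical pattern; leave all other doubles (including -0.0 and infinities) alone.
double purifyNaN(double d)
{
    return std::isnan(d) ? doubleFromBits(kCanonicalNaNBits) : d;
}

// Box a double: add the offset so that encoded doubles never collide with raw pointers.
uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// An encoded value is read back as an int32 if it carries the number tag.
bool decodesAsInt32(uint64_t encoded) { return (encoded & kNumberTag) == kNumberTag; }

// The hazard: a NaN near the top of the NaN space (sign set, exponent all ones, nonzero mantissa).
constexpr uint64_t kImpureNaNBits = 0xfffd000000000001ull;

bool impureNaNCollidesWithInt32Tag()
{
    double impure = doubleFromBits(kImpureNaNBits);
    return std::isnan(impure) && decodesAsInt32(encodeDouble(impure));
}

// After purification the same value boxes as an ordinary double.
bool purifiedNaNEncodesAsDouble()
{
    double impure = doubleFromBits(kImpureNaNBits);
    return !decodesAsInt32(encodeDouble(purifyNaN(impure)));
}
```

        Anything that produces a double from raw stack bits, such as OSR exit value recovery, is a place where an
        unpurified NaN can slip in; the fix the entry describes is to run the recovered value through the same
        purification the other exit paths already apply.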
3067
3068 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3069
3070         [JSC] FTL should handle LocalAllocator*
3071         https://bugs.webkit.org/show_bug.cgi?id=193980
3072
3073         Reviewed by Saam Barati.
3074
3075         At some point, Allocator started to hold LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3076         because the FTL still uses the incoming value as a 32-bit integer there.
3077
3078         * ftl/FTLLowerDFGToB3.cpp:
3079         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3080
3081 2019-01-29  Keith Rollin  <krollin@apple.com>
3082
3083         Add .xcfilelists to Run Script build phases
3084         https://bugs.webkit.org/show_bug.cgi?id=193792
3085         <rdar://problem/47201785>
3086
3087         Reviewed by Alex Christensen.
3088
3089         As part of supporting XCBuild, update the necessary Run Script build
3090         phases in their Xcode projects to refer to their associated
3091         .xcfilelist files.
3092
3093         Note that the addition of these files bumps the Xcode project version
3094         number to something that's Xcode 10 compatible. This change means that
3095         older versions of the Xcode IDE can't read these projects. Nor can they
3096         fully load workspaces that refer to these projects (the updated
3097         projects are shown as non-expandable placeholders). `xcodebuild` can
3098         still build these projects; it's just that the IDE can't open them.
3099
3100         * JavaScriptCore.xcodeproj/project.pbxproj:
3101
3102 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3103
3104         [ARM] Check for negative zero instead of just zero
3105         https://bugs.webkit.org/show_bug.cgi?id=193689
3106
3107         Reviewed by Mark Lam.
3108
3109         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3110         of just bailing out for zero.
3111
3112         * assembler/MacroAssemblerARMv7.h:
3113         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
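
        Added illustration (not part of this ChangeLog entry or of the MacroAssemblerARMv7 sources): the semantics a
        double-to-int32 fast path has to honour, written as stand-alone C++. The function names are hypothetical.
        int32 has no negative zero while JavaScript distinguishes it (1 / -0 is -Infinity), so -0.0 must bail out
        to the slow path; +0.0 round-trips exactly, so bailing on every zero is correct but needlessly pessimistic.

```cpp
#include <cmath>
#include <cstdint>

// Added illustration, not MacroAssemblerARMv7 code: the check behind
// "[ARM] Check for negative zero instead of just zero". A fast-path
// double-to-int32 conversion must bail out whenever the int32 would not
// round-trip: NaN, out-of-range values, fractional values, and -0.0.
// +0.0 round-trips, so it need not bail.

// Returns true and sets out when d is exactly representable as an int32; false means "take the slow path".
bool tryConvertDoubleToInt32(double d, int32_t& out)
{
    if (std::isnan(d))
        return false;
    if (d < -2147483648.0 || d > 2147483647.0)
        return false;                                  // out of range (also rejects +/-Infinity)
    int32_t truncated = static_cast<int32_t>(d);
    if (static_cast<double>(truncated) != d)
        return false;                                  // fractional part would be lost
    if (truncated == 0 && std::signbit(d))
        return false;                                  // -0.0: the negative-zero check
    out = truncated;
    return true;
}

// True when the fast path may keep the converted int32.
bool converts(double d)
{
    int32_t ignored;
    return tryConvertDoubleToInt32(d, ignored);
}

// The converted value for inputs that pass converts(); 0 for inputs that bail.
int32_t convertChecked(double d)
{
    int32_t value = 0;
    return tryConvertDoubleToInt32(d, value) ? value : 0;
}
```

        The order of the checks matters only for the zero case: the fractional test already rejects values such as
        -0.5, so the sign-bit test fires exactly for -0.0 and nothing else.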
3114
3115 2019-01-28  Devin Rousso  <drousso@apple.com>
3116
3117         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3118         https://bugs.webkit.org/show_bug.cgi?id=193863
3119         <rdar://problem/47572764>
3120
3121         Reviewed by Joseph Pecoraro.
3122
3123         * inspector/protocol/Page.json:
3124         Add more values to the `Setting` enum type:
3125          - `ICECandidateFilteringEnabled`
3126          - `MediaCaptureRequiresSecureConnection`
3127          - `MockCaptureDevicesEnabled`
3128
3129 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3130
3131         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3132         https://bugs.webkit.org/show_bug.cgi?id=193941
3133
3134         Reviewed by Alex Christensen.
3135
3136         * API/JSWeakObjectMapRefPrivate.cpp:
3137         * bytecompiler/NodesCodegen.cpp:
3138         * heap/MachineStackMarker.cpp:
3139         * jit/ExecutableAllocator.cpp:
3140         * jsc.cpp:
3141         * parser/Nodes.cpp:
3142         * runtime/DateConstructor.cpp:
3143         * runtime/DateConversion.cpp:
3144         * runtime/DateInstance.cpp:
3145         * runtime/DatePrototype.cpp:
3146         * runtime/InitializeThreading.cpp:
3147         * runtime/IteratorOperations.cpp:
3148         * runtime/JSDateMath.cpp:
3149         * runtime/JSGlobalObjectFunctions.cpp:
3150         * runtime/StringPrototype.cpp:
3151         * runtime/VM.cpp:
3152         * testRegExp.cpp:
3153         * tools/JSDollarVM.cpp:
3154         * yarr/YarrInterpreter.cpp:
3155         * yarr/YarrJIT.cpp:
3156         * yarr/YarrPattern.cpp:
3157         * yarr/YarrUnicodeProperties.cpp:
3158
3159 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3160
3161         [JSC] Reduce size of memory used for ShadowChicken
3162         https://bugs.webkit.org/show_bug.cgi?id=193546
3163
3164         Reviewed by Mark Lam.
3165
3166         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3167         The removal of ShadowChicken saves 55KB of memory.
3168
3169         * debugger/DebuggerCallFrame.cpp:
3170         (JSC::DebuggerCallFrame::create):
3171         * ftl/FTLLowerDFGToB3.cpp:
3172         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3173         * heap/Heap.cpp:
3174         (JSC::Heap::stopThePeriphery):
3175         (JSC::Heap::addCoreConstraints):
3176         * jit/CCallHelpers.cpp:
3177         (JSC::CCallHelpers::ensureShadowChickenPacket):
3178         * jit/JITExceptions.cpp:
3179         (JSC::genericUnwind):
3180         * jit/JITOpcodes.cpp:
3181         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3182         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3183         * jit/JITOpcodes32_64.cpp:
3184         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3185         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3186         * jit/JITOperations.cpp:
3187         * llint/LLIntSlowPaths.cpp:
3188         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3189         * runtime/JSGlobalObject.cpp:
3190         (JSC::JSGlobalObject::setDebugger):
3191         * runtime/JSGlobalObject.h:
3192         (JSC::JSGlobalObject::setDebugger): Deleted.
3193         * runtime/VM.cpp:
3194         (JSC::VM::VM):
3195         (JSC::VM::ensureShadowChicken):
3196         * runtime/VM.h:
3197         (JSC::VM::shadowChicken):
3198         * tools/JSDollarVM.cpp:
3199         (JSC::functionShadowChickenFunctionsOnStack):
3200         (JSC::changeDebuggerModeWhenIdle):
3201
3202 2019-01-28  Andy Estes  <aestes@apple.com>
3203
3204         [watchOS] Enable Parental Controls content filtering
3205         https://bugs.webkit.org/show_bug.cgi?id=193939
3206         <rdar://problem/46641912>
3207
3208         Reviewed by Ryosuke Niwa.
3209
3210         * Configurations/FeatureDefines.xcconfig:
3211
3212 2019-01-28  Mark Lam  <mark.lam@apple.com>
3213
3214         ToString node actually does GC.
3215         https://bugs.webkit.org/show_bug.cgi?id=193920
3216         <rdar://problem/46695900>
3217
3218         Reviewed by Yusuke Suzuki.
3219
3220         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3221         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3222
3223         * dfg/DFGDoesGC.cpp:
3224         (JSC::DFG::doesGC):
3225
3226 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3227
3228         [JSC] RegExpConstructor should not have own IsoSubspace
3229         https://bugs.webkit.org/show_bug.cgi?id=193801
3230
3231         Reviewed by Mark Lam.
3232
3233         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3234         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3235         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3236         it from RegExpConstructor members.
3237
3238         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3239         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3240         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3241
3242         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3243
3244         * CMakeLists.txt:
3245         * JavaScriptCore.xcodeproj/project.pbxproj:
3246         * Sources.txt:
3247         * dfg/DFGOperations.cpp:
3248         * dfg/DFGSpeculativeJIT.cpp:
3249         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3250         * dfg/DFGStrengthReductionPhase.cpp:
3251         (JSC::DFG::StrengthReductionPhase::handleNode):
3252         * ftl/FTLAbstractHeapRepository.cpp:
3253         * ftl/FTLAbstractHeapRepository.h:
3254         * ftl/FTLLowerDFGToB3.cpp:
3255         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3256         * runtime/JSGlobalObject.cpp:
3257         (JSC::JSGlobalObject::init):
3258         (JSC::JSGlobalObject::visitChildren):
3259         * runtime/JSGlobalObject.h:
3260         (JSC::JSGlobalObject::regExpGlobalData):
3261         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3262         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3263         * runtime/RegExpCache.cpp:
3264         (JSC::RegExpCache::initialize):
3265         * runtime/RegExpCache.h:
3266         (JSC::RegExpCache::emptyRegExp const):
3267         * runtime/RegExpCachedResult.cpp:
3268         (JSC::RegExpCachedResult::visitAggregate):
3269         (JSC::RegExpCachedResult::visitChildren): Deleted.
3270         * runtime/RegExpCachedResult.h:
3271         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3272         * runtime/RegExpConstructor.cpp:
3273         (JSC::RegExpConstructor::RegExpConstructor):
3274         (JSC::regExpConstructorDollar):
3275         (JSC::regExpConstructorInput):
3276         (JSC::regExpConstructorMultiline):
3277         (JSC::regExpConstructorLastMatch):
3278         (JSC::regExpConstructorLastParen):
3279         (JSC::regExpConstructorLeftContext):
3280         (JSC::regExpConstructorRightContext):
3281         (JSC::setRegExpConstructorInput):
3282         (JSC::setRegExpConstructorMultiline):
3283         (JSC::RegExpConstructor::destroy): Deleted.
3284         (JSC::RegExpConstructor::visitChildren): Deleted.
3285         (JSC::RegExpConstructor::getBackref): Deleted.
3286         (JSC::RegExpConstructor::getLastParen): Deleted.
3287         (JSC::RegExpConstructor::getLeftContext): Deleted.
3288         (JSC::RegExpConstructor::getRightContext): Deleted.
3289         * runtime/RegExpConstructor.h:
3290         (JSC::RegExpConstructor::performMatch): Deleted.
3291         (JSC::RegExpConstructor::recordMatch): Deleted.
3292         * runtime/RegExpGlobalData.cpp: Added.
3293         (JSC::RegExpGlobalData::visitAggregate):
3294         (JSC::RegExpGlobalData::getBackref):
3295         (JSC::RegExpGlobalData::getLastParen):
3296         (JSC::RegExpGlobalData::getLeftContext):
3297         (JSC::RegExpGlobalData::getRightContext):
3298         * runtime/RegExpGlobalData.h: Added.
3299         (JSC::RegExpGlobalData::cachedResult):
3300         (JSC::RegExpGlobalData::setMultiline):
3301         (JSC::RegExpGlobalData::multiline const):
3302         (JSC::RegExpGlobalData::input):
3303         (JSC::RegExpGlobalData::offsetOfCachedResult):
3304         * runtime/RegExpGlobalDataInlines.h: Added.
3305         (JSC::RegExpGlobalData::setInput):
3306         (JSC::RegExpGlobalData::performMatch):
3307         (JSC::RegExpGlobalData::recordMatch):
3308         * runtime/RegExpObject.cpp:
3309         (JSC::RegExpObject::matchGlobal):
3310         * runtime/RegExpObjectInlines.h:
3311         (JSC::RegExpObject::execInline):
3312         (JSC::RegExpObject::matchInline):
3313         (JSC::collectMatches):
3314         * runtime/RegExpPrototype.cpp:
3315         (JSC::RegExpPrototype::finishCreation):
3316         (JSC::regExpProtoFuncSearchFast):
3317         (JSC::RegExpPrototype::visitChildren): Deleted.
3318         * runtime/RegExpPrototype.h:
3319         * runtime/StringPrototype.cpp:
3320         (JSC::removeUsingRegExpSearch):
3321         (JSC::replaceUsingRegExpSearch):
3322         * runtime/VM.cpp:
3323         (JSC::VM::VM):
3324         * runtime/VM.h:
3325
3326 2018-12-15  Darin Adler  <darin@apple.com>
3327
3328         Replace many uses of String::format with more type-safe alternatives
3329         https://bugs.webkit.org/show_bug.cgi?id=192742
3330
3331         Reviewed by Mark Lam.
3332
3333         * inspector/InjectedScriptBase.cpp:
3334         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3335         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3336         * inspector/InspectorBackendDispatcher.cpp:
3337         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3338         * inspector/agents/InspectorConsoleAgent.cpp:
3339         (Inspector::InspectorConsoleAgent::enable): Ditto.
3340         * jsc.cpp:
3341         (FunctionJSCStackFunctor::operator() const): Ditto.
3342
3343         * runtime/CodeCache.cpp:
3344         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3345         using String::number.
3346
3347         * runtime/IntlDateTimeFormat.cpp:
3348         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3349         * runtime/IntlObject.cpp:
3350         (JSC::canonicalizeLocaleList): Ditto.
3351
3352 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3353
3354         AX: Introduce a static accessibility tree
3355         https://bugs.webkit.org/show_bug.cgi?id=193348
3356         <rdar://problem/47203295>
3357
3358         Reviewed by Ryosuke Niwa.
3359
3360         * Configurations/FeatureDefines.xcconfig:
3361
3362 2019-01-26  Devin Rousso  <drousso@apple.com>
3363
3364         Web Inspector: provide a way to edit the user agent of a remote target
3365         https://bugs.webkit.org/show_bug.cgi?id=193862
3366         <rdar://problem/47359292>
3367
3368         Reviewed by Joseph Pecoraro.
3369
3370         * inspector/protocol/Page.json:
3371         Add `overrideUserAgent` command.
3372
3373 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3374
3375         [JSC] NativeErrorConstructor should not have own IsoSubspace
3376         https://bugs.webkit.org/show_bug.cgi?id=193713
3377
3378         Reviewed by Saam Barati.
3379
3380         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3381         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3382         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3383         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes the
3384         IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3385         referenced.
3386
3387         * CMakeLists.txt:
3388         * JavaScriptCore.xcodeproj/project.pbxproj:
3389         * Sources.txt:
3390         * builtins/BuiltinNames.h:
3391         * interpreter/Interpreter.h:
3392         * runtime/Error.cpp:
3393         (JSC::createEvalError):
3394         (JSC::createRangeError):
3395         (JSC::createReferenceError):
3396         (JSC::createSyntaxError):
3397         (JSC::createTypeError):
3398         (JSC::createURIError):
3399         (WTF::printInternal): Deleted.
3400         * runtime/Error.h:
3401         * runtime/ErrorPrototype.cpp:
3402         (JSC::ErrorPrototype::create):
3403         (JSC::ErrorPrototype::finishCreation):
3404         * runtime/ErrorPrototype.h:
3405         (JSC::ErrorPrototype::create): Deleted.
3406         * runtime/ErrorType.cpp: Added.
3407         (JSC::errorTypeName):
3408         (WTF::printInternal):
3409         * runtime/ErrorType.h: Added.
3410         * runtime/JSGlobalObject.cpp:
3411         (JSC::JSGlobalObject::initializeErrorConstructor):
3412         (JSC::JSGlobalObject::init):
3413         (JSC::JSGlobalObject::visitChildren):
3414         * runtime/JSGlobalObject.h:
3415         (JSC::JSGlobalObject::internalPromiseConstructor const):
3416         (JSC::JSGlobalObject::errorStructure const):
3417         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3418         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3419         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3420         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3421         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3422         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3423         * runtime/NativeErrorConstructor.cpp:
3424         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3425         (JSC::NativeErrorConstructorBase::finishCreation):
3426         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3427         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3428         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3429         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3430         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3431         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3432         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3433         * runtime/NativeErrorConstructor.h:
3434         (JSC::NativeErrorConstructorBase::createStructure):
3435         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3436         * runtime/NativeErrorPrototype.cpp:
3437         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3438         * runtime/NativeErrorPrototype.h:
3439         * runtime/VM.cpp:
3440         (JSC::VM::VM):
3441         * runtime/VM.h:
3442         * wasm/js/WasmToJS.cpp:
3443         (JSC::Wasm::handleBadI64Use):
3444
3445 2019-01-25  Devin Rousso  <drousso@apple.com>
3446
3447         Web Inspector: provide a way to edit page settings on a remote target
3448         https://bugs.webkit.org/show_bug.cgi?id=193813
3449         <rdar://problem/47359510>
3450
3451         Reviewed by Joseph Pecoraro.
3452
3453         * inspector/protocol/Page.json:
3454         Add `overrideSetting` command with supporting `Setting` enum type.
3455
3456 2019-01-25  Keith Rollin  <krollin@apple.com>
3457
3458         Update Xcode projects with "Check .xcfilelists" build phase
3459         https://bugs.webkit.org/show_bug.cgi?id=193790
3460         <rdar://problem/47201374>
3461
3462         Reviewed by Alex Christensen.
3463
3464         Support for XCBuild includes specifying inputs and outputs to various
3465         Run Script build phases. These inputs and outputs are specified as
3466         .xcfilelist files. Once created, these .xcfilelist files need to be
3467         kept up-to-date. In order to check that they are up-to-date or not,
3468         add an Xcode build step that invokes an external script that performs
3469         the checking. If the .xcfilelists are found to be out-of-date, update
3470         them, halt the build, and instruct the developer to restart the build
3471         with up-to-date files.
3472
3473         At this time, the checking and regenerating is performed only if the
3474         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3475         who want to use this facility can set this variable and test out the
3476         checking/regenerating. Once it seems like there are no egregious
3477         issues that upset a developer's workflow, we'll unconditionally enable
3478         this facility.
3479
3480         * JavaScriptCore.xcodeproj/project.pbxproj:
3481         * Scripts/check-xcfilelists.sh: Added.
3482
3483 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3484
3485         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3486         https://bugs.webkit.org/show_bug.cgi?id=193796
3487         <rdar://problem/47532910>
3488
3489         Reviewed by Devin Rousso.
3490
3491         * runtime/SamplingProfiler.cpp:
3492         (JSC::SamplingProfiler::machThread):
3493         * runtime/SamplingProfiler.h:
3494         Expose the mach_port_t of the SamplingProfiler thread
3495         so it can be tested against later.
3496
3497 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3498
3499         Fix Windows build after r240511
3500
3501         * bytecode/UnlinkedFunctionExecutable.cpp:
3502         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3503
3504 2019-01-25  Keith Rollin  <krollin@apple.com>
3505
3506         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3507         https://bugs.webkit.org/show_bug.cgi?id=193781
3508         <rdar://problem/47201153>
3509
3510         Reviewed by Alex Christensen.
3511
3512         Part of generating the .xcfilelists used as part of adopting XCBuild
3513         includes running `make DerivedSources.make` from a standalone script.
3514         It’s important for this invocation to have the same environment as
3515         when the actual build invokes `make DerivedSources.make`. If the
3516         environments are different, then the two invocations will provide
3517         different results. In order to get the same environment in the
3518         standalone script, have the script launch xcodebuild targeting the
3519         "Apply Configuration to XCFileLists" build target, which will then
3520         re-invoke our standalone script. The script is now running again, this
3521         time in an environment with all workspace, project, target, xcconfig
3522         and other environment variables established.
3523
3524         The "Apply Configuration to XCFileLists" build target accomplishes
3525         this task via a small embedded shell script that consists only of:
3526
3527             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3528
3529         The process that invokes "Apply Configuration to XCFileLists" first
3530         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3531         evaluated and exports it into the shell environment. When xcodebuild
3532         is invoked, it inherits the value of this variable and can `eval` the
3533         contents of that variable. Our external standalone script can then set
3534         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3535         of command-line parameters needed to restart itself in the appropriate
3536         state.
3537
3538         * JavaScriptCore.xcodeproj/project.pbxproj:
3539
3540 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3541
3542         Add API to generate and consume cached bytecode
3543         https://bugs.webkit.org/show_bug.cgi?id=193401
3544         <rdar://problem/47514099>
3545
3546         Reviewed by Keith Miller.
3547
3548         Add the `generateBytecode` and `generateModuleBytecode` functions to
3549         generate serialized bytecode for a given `SourceCode`. These functions
3550         will eagerly generate code for all the nested functions.
3551
3552         Additionally, update the API methods in JSScript to generate and use the
3553         bytecode when the bytecodeCache path is provided.
3554
3555         * API/JSAPIGlobalObject.mm:
3556         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3557         * API/JSContext.mm:
3558         (-[JSContext wrapperMap]):
3559         * API/JSContextInternal.h:
3560         * API/JSScript.mm:
3561         (+[JSScript scriptWithSource:inVirtualMachine:]):
3562         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3563         (-[JSScript dealloc]):
3564         (-[JSScript readCache]):
3565         (-[JSScript writeCache]):
3566         (-[JSScript hash]):
3567         (-[JSScript source]):
3568         (-[JSScript cachedBytecode]):
3569         (-[JSScript jsSourceCode:]):
3570         * API/JSScriptInternal.h:
3571         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3572         (JSScriptSourceProvider::create):
3573         (JSScriptSourceProvider::JSScriptSourceProvider):
3574         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3575         (JSScriptSourceProvider::hash const):
3576         (JSScriptSourceProvider::source const):
3577         (JSScriptSourceProvider::cachedBytecode const):
3578         * API/JSVirtualMachine.mm:
3579         (-[JSVirtualMachine vm]):
3580         * API/JSVirtualMachineInternal.h:
3581         * API/tests/testapi.mm:
3582         (testBytecodeCache):
3583         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3584         (testObjectiveCAPI):
3585         * JavaScriptCore.xcodeproj/project.pbxproj:
3586         * SourcesCocoa.txt:
3587         * bytecode/UnlinkedFunctionExecutable.cpp:
3588         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3589         * bytecode/UnlinkedFunctionExecutable.h:
3590         * parser/SourceCodeKey.h:
3591         (JSC::SourceCodeKey::source const):
3592         * parser/SourceProvider.h:
3593         (JSC::CachedBytecode::CachedBytecode):
3594         (JSC::CachedBytecode::operator=):
3595         (JSC::CachedBytecode::data const):
3596         (JSC::CachedBytecode::size const):
3597         (JSC::CachedBytecode::owned const):
3598         (JSC::CachedBytecode::~CachedBytecode):
3599         (JSC::CachedBytecode::freeDataIfOwned):
3600         (JSC::SourceProvider::cachedBytecode const):
3601         * parser/UnlinkedSourceCode.h:
3602         (JSC::UnlinkedSourceCode::provider const):
3603         * runtime/CodeCache.cpp:
3604         (JSC::generateUnlinkedCodeBlockForFunctions):
3605         (JSC::writeCodeBlock):
3606         (JSC::serializeBytecode):
3607         * runtime/CodeCache.h:
3608         (JSC::CodeCacheMap::fetchFromDiskImpl):
3609         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3610         (JSC::generateUnlinkedCodeBlockImpl):
3611         (JSC::generateUnlinkedCodeBlock):
3612         * runtime/Completion.cpp:
3613         (JSC::generateBytecode):
3614         (JSC::generateModuleBytecode):
3615         * runtime/Completion.h:
3616         * runtime/Options.cpp:
3617         (JSC::recomputeDependentOptions):
3618
3619 2019-01-25  Keith Rollin  <krollin@apple.com>
3620
3621         Update WebKitAdditions.xcconfig with correct order of variable definitions
3622         https://bugs.webkit.org/show_bug.cgi?id=193793
3623         <rdar://problem/47532439>
3624
3625         Reviewed by Alex Christensen.
3626
3627         XCBuild changes the way xcconfig variables are evaluated. In short,
3628         all config file assignments are now considered in part of the
3629         evaluation. When using the new build system and an .xcconfig file
3630         contains multiple assignments of the same build setting:
3631
3632         - Later assignments using $(inherited) will inherit from earlier
3633           assignments in the xcconfig file.
3634         - Later assignments not using $(inherited) will take precedence over
3635           earlier assignments. An assignment to a more general setting will
3636           mask an earlier assignment to a less general setting. For example,
3637           an assignment without a condition ('FOO = bar') will completely mask
3638           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3639
3640         This affects some of our .xcconfig files, in that sometimes platform-
3641         or sdk-specific definitions appear before the general definitions.
3642         Under the new evaluation rules, the general definitions always take
3643         effect because they always overwrite the more-specific definitions. The
3644         solution is to swap the order, so that the general definitions are
3645         established first, and then conditionally overwritten by the
3646         more-specific definitions.
3647
3648         * Configurations/Version.xcconfig:
3649
3650 2019-01-25  Keith Rollin  <krollin@apple.com>
3651
3652         Update existing .xcfilelists
3653         https://bugs.webkit.org/show_bug.cgi?id=193791
3654         <rdar://problem/47201706>
3655
3656         Reviewed by Alex Christensen.
3657
3658         Many .xcfilelist files were added in r238824 in order to support
3659         XCBuild. Update these with recent changes to the set of build files
3660         and with the current generate-xcfilelist script.
3661
3662         * DerivedSources-input.xcfilelist:
3663         * DerivedSources-output.xcfilelist:
3664         * UnifiedSources-input.xcfilelist:
3665         * UnifiedSources-output.xcfilelist:
3666
3667 2019-01-25  Jon Davis  <jond@apple.com>
3668
3669         Update JavaScriptCore feature status entries.
3670         https://bugs.webkit.org/show_bug.cgi?id=193797
3671
3672         Reviewed by Mark Lam.
3673         
3674         Updated feature status for Async Iteration, and Object rest/spread.
3675
3676         * features.json:
3677
3678 2019-01-24  Keith Miller  <keith_miller@apple.com>
3679
3680         Remove usage of internal macro from private header
3681         https://bugs.webkit.org/show_bug.cgi?id=193809
3682
3683         Reviewed by Saam Barati.
3684
3685         Also, add a new file to include all of our API headers to make sure
3686         they don't accidentally include C++ or internal values.
3687
3688         * API/JSScript.h:
3689         * API/tests/testIncludes.m: Added.
3690         * JavaScriptCore.xcodeproj/project.pbxproj:
3691
3692 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3693
3694         [JSC] ErrorConstructor should not have own IsoSubspace
3695         https://bugs.webkit.org/show_bug.cgi?id=193800
3696
3697         Reviewed by Saam Barati.
3698
3699         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3700         IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
3701         too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit is per-JSGlobalObject
3702         information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3703         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3704         into IsoSubspaces) described,
3705
3706             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3707             appear to just override methods, which are called dynamically via the structure or class of the object.
3708             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3709
3710         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3711         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3712         This reduces the memory usage.
3713
3714         * interpreter/Interpreter.h:
3715         * runtime/Error.cpp:
3716         (JSC::getStackTrace):
3717         * runtime/ErrorConstructor.cpp:
3718         (JSC::ErrorConstructor::ErrorConstructor):
3719         (JSC::ErrorConstructor::finishCreation):
3720         (JSC::constructErrorConstructor):
3721         (JSC::callErrorConstructor):
3722         (JSC::ErrorConstructor::put):
3723         (JSC::ErrorConstructor::deleteProperty):
3724         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3725         (JSC::Interpreter::callErrorConstructor): Deleted.
3726         * runtime/ErrorConstructor.h:
3727         * runtime/JSGlobalObject.cpp:
3728         (JSC::JSGlobalObject::JSGlobalObject):
3729         (JSC::JSGlobalObject::init):
3730         (JSC::JSGlobalObject::visitChildren):
3731         * runtime/JSGlobalObject.h:
3732         (JSC::JSGlobalObject::stackTraceLimit const):
3733         (JSC::JSGlobalObject::setStackTraceLimit):
3734         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3735         * runtime/VM.cpp:
3736         (JSC::VM::VM):
3737         * runtime/VM.h:
3738
3739 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3740
3741         Web Inspector: CPU Usage Timeline
3742         https://bugs.webkit.org/show_bug.cgi?id=193730
3743         <rdar://problem/46797201>
3744
3745         Reviewed by Devin Rousso.
3746
3747         * CMakeLists.txt:
3748         * DerivedSources-input.xcfilelist:
3749         * DerivedSources.make:
3750         New files.
3751
3752         * inspector/protocol/CPUProfiler.json: Added.
3753         New domain that follows the pattern of Memory/ScriptProfiler.
3754
3755         * inspector/protocol/Timeline.json:
3756         New enum to auto-start a CPU instrument in the backend.
3757
3758 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3759
3760         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3761         https://bugs.webkit.org/show_bug.cgi?id=193774
3762
3763         Reviewed by Mark Lam.
3764
3765         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3766         But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
3767         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3768         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
3769         for these two constructor instances. They are only two instances per JSGlobalObject.
3770
3771         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3772         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3773         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3774         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3775         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3776         for ArrayBufferConstructors, and reduces the memory usage.
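
        The following is an added illustration, not JavaScriptCore code, of the layout
        constraint behind this entry and the ErrorConstructor / NativeErrorConstructor
        entries above: a subclass that adds a member no longer matches sizeof(InternalFunction),
        while moving the per-instance constant into a template parameter keeps the layout
        identical. The types are simplified stand-ins, and the toy IsoSubspace refuses a
        mismatched cell size where the real one would create a separate space.

```cpp
// Added illustration, not JavaScriptCore code. Stand-in types mimic the layout
// relationship the ChangeLog describes; the real InternalFunction and
// IsoSubspace are far more involved.
#include <cstddef>
#include <cstring>
#include <utility>

// Stand-in for InternalFunction: a vtable pointer plus two header words.
struct InternalFunction {
    virtual ~InternalFunction() = default;
    virtual const char* className() const { return "InternalFunction"; }
    void* structure = nullptr;
    void* butterfly = nullptr;
};

enum class ArrayBufferSharingMode { Default, Shared };

// Before: the sharing mode lives in a member, so the subclass is larger than
// InternalFunction and would need its own IsoSubspace (a 16KB page for two
// instances per JSGlobalObject, as the entry above notes).
struct FieldBasedArrayBufferConstructor : InternalFunction {
    explicit FieldBasedArrayBufferConstructor(ArrayBufferSharingMode m) : mode(m) {}
    const char* className() const override {
        return mode == ArrayBufferSharingMode::Shared ? "SharedArrayBuffer" : "ArrayBuffer";
    }
    ArrayBufferSharingMode mode;
};

// After: the mode is a template parameter. Only the virtual methods differ
// between the two instantiations; the object layout is exactly the base's.
template <ArrayBufferSharingMode sharingMode>
struct JSGenericArrayBufferConstructor : InternalFunction {
    const char* className() const override {
        return sharingMode == ArrayBufferSharingMode::Shared ? "SharedArrayBuffer" : "ArrayBuffer";
    }
    static constexpr ArrayBufferSharingMode mode() { return sharingMode; }
};

using JSArrayBufferConstructor = JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>;
using JSSharedArrayBufferConstructor = JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared>;

// The invariant that lets these share InternalFunction's IsoSubspace, checked
// at compile time so a later "just add a field" change fails the build.
static_assert(sizeof(JSArrayBufferConstructor) == sizeof(InternalFunction),
              "JSArrayBufferConstructor must not add fields to InternalFunction");
static_assert(sizeof(JSSharedArrayBufferConstructor) == sizeof(InternalFunction),
              "JSSharedArrayBufferConstructor must not add fields to InternalFunction");

// Toy IsoSubspace: one fixed cell size per space. The real one would get a
// separate space for a mismatched size; this one refuses, to make the
// constraint visible.
struct IsoSubspace {
    std::size_t cellSize;
    explicit IsoSubspace(std::size_t size) : cellSize(size) {}

    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        if (sizeof(T) != cellSize)
            return nullptr; // layout mismatch: cannot live in this space
        return new T(std::forward<Args>(args)...);
    }
};

inline bool canShareInternalFunctionSubspace(std::size_t instanceSize) {
    return instanceSize == sizeof(InternalFunction);
}

// Allocates both constructor kinds from the shared space and checks that
// virtual dispatch still picks the right behaviour per instantiation.
inline bool templateConstructorsShareSubspace() {
    IsoSubspace internalFunctionSpace(sizeof(InternalFunction));
    InternalFunction* plain = internalFunctionSpace.allocate<JSArrayBufferConstructor>();
    InternalFunction* shared = internalFunctionSpace.allocate<JSSharedArrayBufferConstructor>();
    bool ok = plain && shared
        && std::strcmp(plain->className(), "ArrayBuffer") == 0
        && std::strcmp(shared->className(), "SharedArrayBuffer") == 0;
    delete plain;
    delete shared;
    return ok;
}

// The field-based variant is rejected by the same space.
inline bool fieldConstructorNeedsOwnSubspace() {
    IsoSubspace internalFunctionSpace(sizeof(InternalFunction));
    FieldBasedArrayBufferConstructor* p =
        internalFunctionSpace.allocate<FieldBasedArrayBufferConstructor>(ArrayBufferSharingMode::Shared);
    bool rejected = (p == nullptr);
    delete p;
    return rejected;
}
```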
3777
3778         * runtime/JSArrayBufferConstructor.cpp:
3779         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3780         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3781         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3782         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3783         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3784         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3785         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3786         (JSC::JSArrayBufferConstructor::create): Deleted.
3787         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3788         (JSC::constructArrayBuffer): Deleted.
3789         * runtime/JSArrayBufferConstructor.h:
3790         * runtime/JSGlobalObject.cpp:
3791         (JSC::JSGlobalObject::init):
3792         * runtime/JSGlobalObject.h:
3793         * runtime/VM.cpp:
3794         (JSC::VM::VM):
3795         * runtime/VM.h:
3796
3797 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3798
3799         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3800         https://bugs.webkit.org/show_bug.cgi?id=190693
3801
3802         Reviewed by Michael Saboff.
3803
3804         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3805         This becomes true when we find the executable address in our conservative roots, which
3806         means that we could be executing it right now. This means that object liveness in
3807         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3808         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3809         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3810         executing JITStubRoutine because "Conservative Scan" finds it later.
3811         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3812         "Conservative Scan" has already finished, we do not delete some JITStubRoutines which do not
3813         mark the objects they depend on. Then, in the next cycle, we find those JITStubRoutines still live,
3814         attempt to mark the objects they depend on, and encounter dead objects which were collected
3815         in the previous cycles.
3816
3817         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3818         "Conservative Scan" and "JIT Stub Routines" need to be executed only when execution
3819         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3820         GC stop time.
3821
3822         * heap/ConservativeRoots.h:
3823         (JSC::ConservativeRoots::roots const):
3824         (JSC::ConservativeRoots::roots): Deleted.
3825         * heap/Heap.cpp:
3826         (JSC::Heap::addCoreConstraints):
3827         * heap/SlotVisitor.cpp:
3828         (JSC::SlotVisitor::append):
3829         * heap/SlotVisitor.h:
3830         * jit/GCAwareJITStubRoutine.cpp:
3831         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3832         * jit/GCAwareJITStubRoutine.h:
3833
3834 2019-01-24  Saam Barati  <sbarati@apple.com>
3835
3836         Update ARM64EHash
3837         https://bugs.webkit.org/show_bug.cgi?id=193776
3838         <rdar://problem/47526457>
3839
3840         Reviewed by Mark Lam.
3841
3842         See radar for details.
3843
3844         * assembler/AssemblerBuffer.h:
3845         (JSC::ARM64EHash::update):
3846         (JSC::ARM64EHash::finalHash const):
3847
3848 2019-01-24  Saam Barati  <sbarati@apple.com>
3849
3850         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3851         https://bugs.webkit.org/show_bug.cgi?id=193751
3852         <rdar://problem/47280215>
3853
3854         Reviewed by Michael Saboff.
3855
3856         The Object Allocation Sinking phase may move allocations around inside
3857         of the program. However, it was not ensuring that it's still possible
3858         to walk the stack at the point in the program that it moved the allocation to.
3859         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3860         All allocation sites can do a stack walk (we do a stack walk when we GC).
3861         Conservatively, this patch says we're ok to move this allocation if we are
3862         moving within the same InlineCallFrame. We could be more precise and do an
3863         analysis of stack writes. However, this scenario is so rare that we just
3864         take the conservative-and-straight-forward approach of checking that the place
3865         we're moving to is the same InlineCallFrame as the allocation site.
3866         
3867         In general, this issue arises anytime we do any kind of code motion.
3868         Interestingly, LICM gets this right. It gets it right because the only
3869         InlineCallFrames we can't move out of are the InlineCallFrames that
3870         have metadata stored on the stack (callee for closure calls and argument
3871         count for varargs calls). LICM doesn't have this issue because it relies
3872         on Clobberize for doing its effects analysis. In clobberize, we model every
3873         node within an InlineCallFrame that meets the above criteria as reading
3874         from those stack fields. Consequently, LICM won't hoist any node in that
3875         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3876         we generate to set up such an InlineCallFrame contains writes to that
3877         stack location.
3878
3879         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3880
3881 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3882
3883         [JSC] Reenable baseline JIT on mips
3884         https://bugs.webkit.org/show_bug.cgi?id=192983
3885
3886         Reviewed by Mark Lam.
3887
3888         Use $s0 as metadata register and make sure it's properly saved and
3889         restored.
3890
3891         * jit/GPRInfo.h:
3892         * jit/RegisterSet.cpp: