[JSC] Make builtin objects more lazily initialized under non-JIT mode
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because concurrent compiler can touch NumberPrototype etc. when traversing object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. Should not allocate extra memory for that.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

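The entry above is about emitting strings that originate in script (function names, structure shapes) into a JSON document without escaping them, which lets such a string terminate the literal and inject its own keys into the profiler output. The following is an added illustration of the escaping a JSON emitter needs; it is not WebKit's code and does not reproduce the SamplingProfiler's actual output format. The function names `jsonQuote` and `frameToJSON` and the record layout are assumptions made for the example.

```cpp
// Added example (not WebKit code): escaping arbitrary strings before
// embedding them in JSON output. Names and record layout are assumed.
#include <cstdio>
#include <string>

// Return `input` as a JSON string literal, including the surrounding
// double quotes. Everything JSON (RFC 8259) forbids inside a string
// literal is escaped: the quote, the backslash, and every control
// character below 0x20. Bytes >= 0x20 are passed through unchanged.
std::string jsonQuote(const std::string& input)
{
    std::string out;
    out.reserve(input.size() + 2);
    out.push_back('"');
    for (unsigned char c : input) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                // Remaining control characters use the \uXXXX form.
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", c);
                out += buf;
            } else {
                out.push_back(static_cast<char>(c));
            }
        }
    }
    out.push_back('"');
    return out;
}

// Build one stack-frame record in the shape a profiler dump might use:
// the function name comes from script source and must be quoted, the
// numeric fields do not.
std::string frameToJSON(const std::string& functionName, unsigned line, unsigned column)
{
    return "{\"name\":" + jsonQuote(functionName)
        + ",\"line\":" + std::to_string(line)
        + ",\"column\":" + std::to_string(column) + "}";
}

int main()
{
    // Constructed sample: a function name chosen to close the literal
    // and start a new record if it were copied into the output verbatim.
    std::string hostile = "f\",\"line\":0}\n{\"x\":\"";
    std::puts(frameToJSON(hostile, 12, 3).c_str());
    return 0;
}
```

With the constructed name the emitted record stays a single object whose `name` field contains the quotes, newline and braces as escaped data, which is the property a consumer of the profiler JSON relies on.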
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer to a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

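The race described in the entry above is a publication problem: a thread that only peeks at the global pointer (the `existing...OrNull` path) can observe the pointer before the object's constructor stores are visible. The following added example, which is not WebKit's code, shows the same pattern expressed with C++ memory orders: a release store when publishing pairs with an acquire load when peeking, which is what the store-store fence in the entry achieves. It publishes with a compare-exchange instead of `call_once` so that the fence is explicit; the names `Worklist`, `ensureWorklist`, `existingWorklistOrNull` and `checkPublication` are assumptions for the example. The stress check at the end is a sanity check, not a proof; on a strongly ordered CPU the defect would rarely manifest even without the fence.

```cpp
// Added example (not WebKit code): publishing a lazily created global so
// that a reader which only peeks at the pointer never sees a partially
// constructed object. Names are assumed for illustration.
#include <atomic>
#include <thread>
#include <vector>

struct Worklist {
    // Two fields set by the constructor; a publication without ordering
    // could expose the pointer before these stores are visible.
    int magic;
    int capacity;
    Worklist() : magic(0x1234), capacity(64) { }
};

namespace {
// The global slot. The release store below orders the constructor's
// writes before the pointer becomes visible; this is the store-store
// fence the ChangeLog entry describes, expressed as a memory order.
std::atomic<Worklist*> globalWorklist { nullptr };
}

// Slow path: create the worklist once and publish it. Losing a race
// against another creator is harmless: the loser frees its object and
// uses the winner's.
Worklist& ensureWorklist()
{
    if (Worklist* existing = globalWorklist.load(std::memory_order_acquire))
        return *existing;
    Worklist* created = new Worklist;
    Worklist* expected = nullptr;
    if (!globalWorklist.compare_exchange_strong(expected, created,
            std::memory_order_release, std::memory_order_acquire)) {
        delete created; // `expected` now holds the pointer that won.
        return *expected;
    }
    return *created;
}

// Fast path used on teardown: never creates, may return null. The
// acquire load pairs with the release store, so a non-null result is
// always a fully constructed object.
Worklist* existingWorklistOrNull()
{
    return globalWorklist.load(std::memory_order_acquire);
}

// Stress check: many threads peek while one thread creates. Returns true
// if no peeking thread ever saw a published but uninitialized worklist
// and the worklist exists afterwards.
bool checkPublication(int readers, int iterations)
{
    std::atomic<bool> sawTorn { false };
    std::vector<std::thread> threads;
    for (int r = 0; r < readers; ++r) {
        threads.emplace_back([&] {
            for (int i = 0; i < iterations; ++i) {
                if (Worklist* w = existingWorklistOrNull()) {
                    if (w->magic != 0x1234 || w->capacity != 64)
                        sawTorn.store(true);
                }
            }
        });
    }
    threads.emplace_back([] { ensureWorklist(); });
    for (auto& t : threads)
        t.join();
    return !sawTorn.load() && existingWorklistOrNull() != nullptr;
}

int main()
{
    return checkPublication(4, 100000) ? 0 : 1;
}
```

The important part is the pairing: without the acquire on the peeking side, the release on the publishing side alone does not give the reader any guarantee, so both accessors of the global must agree on the protocol.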
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, # of scratch buffers is always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since these entry point codes are identical.
        We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between usual entrypoint and arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as a default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
        allocations, which take 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, comparison of memory consumption becomes the following,
        because JSRopeString does not have StringImpl until it is resolved.

            sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases memory footprint. The point is that we need to
        account for newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString function.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

2019-02-13  Saam Barati  <sbarati@apple.com>

        AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=194610

        Reviewed by Michael Saboff.

        BinarySwitch might use the scratch register. We must model the
        effects of that properly. This is already caught by our br-table
        tests on arm64.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-13  Mark Lam  <mark.lam@apple.com>

        Create a randomized free list for new StructureIDs on StructureIDTable resize.
        https://bugs.webkit.org/show_bug.cgi?id=194566
        <rdar://problem/47975502>

        Reviewed by Michael Saboff.

        Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
        implementation is a little easier to read.

        This patch appears to be perf neutral on JetStream2 (as run from the command line).

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::makeFreeListFromRange):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):
        (JSC::StructureIDTable::deallocateID):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::flushOldTables):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        VariableLengthObject::allocate<T> should initialize objects
        https://bugs.webkit.org/show_bug.cgi?id=194534

        Reviewed by Michael Saboff.

        `buffer()` should not be called for empty VariableLengthObjects, but
        these cases were not being caught due to the objects not being properly
        initialized. Fix it so that allocate calls the constructor and fix the
        assertion failures.

        * runtime/CachedTypes.cpp:
        (JSC::CachedObject::operator new):
        (JSC::VariableLengthObject::allocate):
        (JSC::CachedVector::encode):
        (JSC::CachedVector::decode const):
        (JSC::CachedUniquedStringImpl::decode const):
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):
        (JSC::CachedArray::encode):
        (JSC::CachedArray::decode const):
        (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
        (JSC::CachedBigInt::decode const):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlocks read from disk should not be re-written
        https://bugs.webkit.org/show_bug.cgi?id=194535

        Reviewed by Michael Saboff.

        Keep track of which CodeBlocks have been read from disk or have already
        been serialized in CodeCache.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::write):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        SourceCode should be copied when generating bytecode for functions
        https://bugs.webkit.org/show_bug.cgi?id=194536

        Reviewed by Saam Barati.

        The FunctionExecutable might be collected while generating the bytecode
        for nested functions, in which case the SourceCode reference would no
        longer be valid.

        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-12  Saam barati  <sbarati@apple.com>

        JSScript needs to retain its cache path NSURL*
        https://bugs.webkit.org/show_bug.cgi?id=194577

        Reviewed by Tim Horton.

        * API/JSScript.mm:
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):

2019-02-12  Robin Morisset  <rmorisset@apple.com>

        Make B3Value::returnsBool() more precise
        https://bugs.webkit.org/show_bug.cgi?id=194457

        Reviewed by Saam Barati.

        It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
        It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
        No new tests added as this should be indirectly tested by the already existing tests.

        * b3/B3Value.cpp:
        (JSC::B3::Value::returnsBool const):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix -Wimplicit-fallthrough warning after r241140
        https://bugs.webkit.org/show_bug.cgi?id=194399
        <rdar://problem/47889777>

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
        https://bugs.webkit.org/show_bug.cgi?id=194370

        Reviewed by Darin Adler.

        Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
        necessary, but it will make errors more visible.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::start):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):

2019-02-12  Andy Estes  <aestes@apple.com>

        [iOSMac] Enable Parental Controls Content Filtering
        https://bugs.webkit.org/show_bug.cgi?id=194521
        <rdar://39732376>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2019-02-11  Mark Lam  <mark.lam@apple.com>

        Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
        https://bugs.webkit.org/show_bug.cgi?id=194512
        <rdar://problem/47975465>

        Reviewed by Yusuke Suzuki.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:

2019-02-10  Mark Lam  <mark.lam@apple.com>

        Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
        https://bugs.webkit.org/show_bug.cgi?id=194493
        <rdar://problem/36380852>

        Reviewed by Yusuke Suzuki.

        Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
        however not good for performance and memory usage.  As such, a debug ASSERT will
        do.  We'll also do an audit of the clients of BinarySwitch to see if it's
        possible to be instantiated with duplicate cases in
        https://bugs.webkit.org/show_bug.cgi?id=194492 later.

        Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
        see duplicate cases.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):

2019-02-10  Darin Adler  <darin@apple.com>

        Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
        https://bugs.webkit.org/show_bug.cgi?id=194485

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
        reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Removed some unneeded casts in StringBuilder code,
        including one in a call to appendByteAsHex.
        (JSC::globalFuncEscape): Ditto.

2019-02-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241230.
        https://bugs.webkit.org/show_bug.cgi?id=194488

        "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "We should only make rope strings when concatenating strings
        long enough."
        https://bugs.webkit.org/show_bug.cgi?id=194465
        https://trac.webkit.org/changeset/241230

2019-02-10  Saam barati  <sbarati@apple.com>

        BBQ-Air: Emit better code for switch
        https://bugs.webkit.org/show_bug.cgi?id=194053

        Reviewed by Yusuke Suzuki.

        Instead of emitting a linear set of jumps for Switch, this patch
        makes the BBQ-Air backend emit a binary switch.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, Lexer should use isLatin1 implementation in WTF
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Follow-up after r241233 pointed out by Darin.

        * parser/Lexer.cpp:
        (JSC::isLatin1): Deleted.

2019-02-09  Darin Adler  <darin@apple.com>

        Eliminate unnecessary String temporaries by using StringConcatenateNumbers
        https://bugs.webkit.org/show_bug.cgi?id=194021
766
767         Reviewed by Geoffrey Garen.
768
769         * inspector/agents/InspectorConsoleAgent.cpp:
770         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
771         makeString do the conversion without allocating/destroying a String.
772         * inspector/agents/InspectorDebuggerAgent.cpp:
773         (Inspector::objectGroupForBreakpointAction): Ditto.
774         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
775         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
776         * runtime/JSGenericTypedArrayViewInlines.h:
777         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
778         * runtime/NumberPrototype.cpp:
779         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
780         of calling numberToFixedWidthString to do the same thing.
781         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
782         numberToFixedPrecisionString to do the same thing.
783         * runtime/SamplingProfiler.cpp:
784         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
785
786 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
787
788         Unreviewed, rolling in r241237 again
789         https://bugs.webkit.org/show_bug.cgi?id=194469
790
791         * runtime/JSString.h:
792         (JSC::jsSubstring):
793
794 2019-02-09  Commit Queue  <commit-queue@webkit.org>
795
796         Unreviewed, rolling out r241237.
797         https://bugs.webkit.org/show_bug.cgi?id=194474
798
799         Shows significant memory increase in WSL (Requested by
800         yusukesuzuki on #webkit).
801
802         Reverted changeset:
803
804         "[WTF] Use BufferInternal StringImpl if substring StringImpl
805         takes more memory"
806         https://bugs.webkit.org/show_bug.cgi?id=194469
807         https://trac.webkit.org/changeset/241237
808
809 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
810
811         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
812         https://bugs.webkit.org/show_bug.cgi?id=194469
813
814         Reviewed by Geoffrey Garen.
815
816         * runtime/JSString.h:
817         (JSC::jsSubstring):
818
819 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
820
821         [JSC] CachedTypes should use jsString instead of JSString::create
822         https://bugs.webkit.org/show_bug.cgi?id=194471
823
824         Reviewed by Mark Lam.
825
826         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
827
828         * runtime/CachedTypes.cpp:
829         (JSC::CachedJSValue::decode const):
830
831 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
832
833         [JSC] Increase StructureIDTable initial capacity
834         https://bugs.webkit.org/show_bug.cgi?id=194468
835
836         Reviewed by Mark Lam.
837
838         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
839         the JSC shell), 281, already exceeds the current initial value of 256. We should increase the capacity since
840         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
841         more memory dirty. We also remove some structures that are no longer used.
842
843         * runtime/JSGlobalObject.h:
844         (JSC::JSGlobalObject::callbackObjectStructure const):
845         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
846         * runtime/StructureIDTable.h:
847         * runtime/VM.h:
848
849 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
850
851         [JSC] String.fromCharCode's slow path always generates 16bit string
852         https://bugs.webkit.org/show_bug.cgi?id=194466
853
854         Reviewed by Keith Miller.
855
856         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
857         goes to the slow path. However, in the slow path, we always create a 16-bit string. A 16-bit string takes 2x memory,
858         and even worse, taints ropes as 16-bit if a 16-bit string is included in the given rope. We find that acorn-wtb
859         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
860         a 16-bit string. However, only a few strings are actually 16-bit strings. This patch attempts to make 8-bit strings
861         as much as possible.
862
863         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
864
865         * runtime/StringConstructor.cpp:
866         (JSC::stringFromCharCode):
867
868 2019-02-08  Keith Miller  <keith_miller@apple.com>
869
870         We should only make rope strings when concatenating strings long enough.
871         https://bugs.webkit.org/show_bug.cgi?id=194465
872
873         Reviewed by Saam Barati.
874
875         This patch stops us from allocating a rope string if the resulting
876         rope would be smaller than the size of the JSRopeString object we
877         would need to allocate.
878
879         This patch also adds paths so that we don't unnecessarily allocate
880         JSString cells for primitives we are going to concatenate with a
881         string anyway.
882
883         * dfg/DFGOperations.cpp:
884         * runtime/CommonSlowPaths.cpp:
885         (JSC::SLOW_PATH_DECL):
886         * runtime/JSString.h:
887         * runtime/Operations.cpp:
888         (JSC::jsAddSlowCase):
889         * runtime/Operations.h:
890         (JSC::jsString):
891         (JSC::jsAdd):
892
893 2019-02-08  Saam barati  <sbarati@apple.com>
894
895         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
896         https://bugs.webkit.org/show_bug.cgi?id=194334
897         <rdar://problem/47844327>
898
899         Reviewed by Mark Lam.
900
901         * dfg/DFGAbstractInterpreterInlines.h:
902         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
903         * dfg/DFGArgumentsEliminationPhase.cpp:
904         * dfg/DFGByteCodeParser.cpp:
905         (JSC::DFG::ByteCodeParser::parseBlock):
906         * dfg/DFGClobberize.h:
907         (JSC::DFG::clobberize):
908         * dfg/DFGConstantFoldingPhase.cpp:
909         (JSC::DFG::ConstantFoldingPhase::foldConstants):
910         * dfg/DFGFixupPhase.cpp:
911         (JSC::DFG::FixupPhase::fixupNode):
912         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
913         * dfg/DFGIntegerCheckCombiningPhase.cpp:
914         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
915         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
916         * dfg/DFGNodeType.h:
917         * dfg/DFGSSALoweringPhase.cpp:
918         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
919         * dfg/DFGSpeculativeJIT.cpp:
920         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
921         * ftl/FTLLowerDFGToB3.cpp:
922         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
923         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
924
925 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
926
927         [JSC] Shrink sizeof(CodeBlock) more
928         https://bugs.webkit.org/show_bug.cgi?id=194419
929
930         Reviewed by Mark Lam.
931
932         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
933
934         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
935         has the same information. This data is not touched in CodeBlock::~CodeBlock,
936         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
937
938         2. We remove the m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
939         And we do not touch it in CodeBlock::~CodeBlock.
940
941         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For the baseline and LLInt
942         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns
943         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
944
945         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
946
947         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
948
949         * bytecode/CodeBlock.cpp:
950         (JSC::CodeBlock::hash const):
951         (JSC::CodeBlock::sourceCodeForTools const):
952         (JSC::CodeBlock::dumpAssumingJITType const):
953         (JSC::CodeBlock::dumpSource):
954         (JSC::CodeBlock::CodeBlock):
955         (JSC::CodeBlock::finishCreation):
956         (JSC::CodeBlock::propagateTransitions):
957         (JSC::CodeBlock::finalizeLLIntInlineCaches):
958         (JSC::CodeBlock::setCalleeSaveRegisters):
959         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
960         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
961         (JSC::CodeBlock::lineNumberForBytecodeOffset):
962         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
963         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
964         (JSC::CodeBlock::newReplacement):
965         (JSC::CodeBlock::replacement):
966         (JSC::CodeBlock::computeCapabilityLevel):
967         (JSC::CodeBlock::jettison):
968         (JSC::CodeBlock::calleeSaveRegisters const):
969         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
970         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
971         (JSC::CodeBlock::getArrayProfile):
972         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
973         (JSC::CodeBlock::notifyLexicalBindingUpdate):
974         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
975         (JSC::CodeBlock::validate):
976         (JSC::CodeBlock::outOfLineJumpTarget):
977         (JSC::CodeBlock::arithProfileForBytecodeOffset):
978         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
979         * bytecode/CodeBlock.h:
980         (JSC::CodeBlock::specializationKind const):
981         (JSC::CodeBlock::isStrictMode const):
982         (JSC::CodeBlock::isConstructor const):
983         (JSC::CodeBlock::codeType const):
984         (JSC::CodeBlock::isKnownNotImmediate):
985         (JSC::CodeBlock::instructions const):
986         (JSC::CodeBlock::ownerExecutable const):
987         (JSC::CodeBlock::thisRegister const):
988         (JSC::CodeBlock::source const):
989         (JSC::CodeBlock::sourceOffset const):
990         (JSC::CodeBlock::firstLineColumnOffset const):
991         (JSC::CodeBlock::createRareDataIfNecessary):
992         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
993         (JSC::CodeBlock::setThisRegister): Deleted.
994         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
995         * bytecode/EvalCodeBlock.h:
996         * bytecode/FunctionCodeBlock.h:
997         * bytecode/GlobalCodeBlock.h:
998         (JSC::GlobalCodeBlock::GlobalCodeBlock):
999         * bytecode/ModuleProgramCodeBlock.h:
1000         * bytecode/ProgramCodeBlock.h:
1001         * debugger/Debugger.cpp:
1002         (JSC::Debugger::toggleBreakpoint):
1003         * debugger/DebuggerCallFrame.cpp:
1004         (JSC::DebuggerCallFrame::sourceID const):
1005         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1006         * debugger/DebuggerScope.cpp:
1007         (JSC::DebuggerScope::location const):
1008         * dfg/DFGByteCodeParser.cpp:
1009         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1010         (JSC::DFG::ByteCodeParser::inliningCost):
1011         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1012         * dfg/DFGCapabilities.cpp:
1013         (JSC::DFG::isSupportedForInlining):
1014         (JSC::DFG::mightCompileEval):
1015         (JSC::DFG::mightCompileProgram):
1016         (JSC::DFG::mightCompileFunctionForCall):
1017         (JSC::DFG::mightCompileFunctionForConstruct):
1018         (JSC::DFG::canUseOSRExitFuzzing):
1019         * dfg/DFGGraph.h:
1020         (JSC::DFG::Graph::executableFor):
1021         * dfg/DFGJITCompiler.cpp:
1022         (JSC::DFG::JITCompiler::compileFunction):
1023         * dfg/DFGOSREntry.cpp:
1024         (JSC::DFG::prepareOSREntry):
1025         * dfg/DFGOSRExit.cpp:
1026         (JSC::DFG::restoreCalleeSavesFor):
1027         (JSC::DFG::saveCalleeSavesFor):
1028         (JSC::DFG::saveOrCopyCalleeSavesFor):
1029         * dfg/DFGOSRExitCompilerCommon.cpp:
1030         (JSC::DFG::handleExitCounts):
1031         * dfg/DFGOperations.cpp:
1032         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1033         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1034         * ftl/FTLCapabilities.cpp:
1035         (JSC::FTL::canCompile):
1036         * ftl/FTLLink.cpp:
1037         (JSC::FTL::link):
1038         * ftl/FTLOSRExitCompiler.cpp:
1039         (JSC::FTL::compileStub):
1040         * interpreter/CallFrame.cpp:
1041         (JSC::CallFrame::callerSourceOrigin):
1042         * interpreter/Interpreter.cpp:
1043         (JSC::eval):
1044         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1045         * interpreter/StackVisitor.cpp:
1046         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1047         (JSC::StackVisitor::Frame::sourceURL const):
1048         (JSC::StackVisitor::Frame::sourceID):
1049         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1050         * interpreter/StackVisitor.h:
1051         * jit/AssemblyHelpers.h:
1052         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1053         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1054         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1055         * jit/CallFrameShuffleData.cpp:
1056         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1057         * jit/JIT.cpp:
1058         (JSC::JIT::compileWithoutLinking):
1059         * jit/JITToDFGDeferredCompilationCallback.cpp:
1060         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1061         * jit/JITWorklist.cpp:
1062         (JSC::JITWorklist::Plan::finalize):
1063         (JSC::JITWorklist::compileNow):
1064         * jit/RegisterAtOffsetList.cpp:
1065         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1066         * jit/RegisterAtOffsetList.h:
1067         (JSC::RegisterAtOffsetList::at const):
1068         * runtime/ErrorInstance.cpp:
1069         (JSC::appendSourceToError):
1070         * runtime/ScriptExecutable.cpp:
1071         (JSC::ScriptExecutable::newCodeBlockFor):
1072         * runtime/StackFrame.cpp:
1073         (JSC::StackFrame::sourceID const):
1074         (JSC::StackFrame::sourceURL const):
1075         (JSC::StackFrame::computeLineAndColumn const):
1076
1077 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1078
1079         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1080         https://bugs.webkit.org/show_bug.cgi?id=194460
1081
1082         Reviewed by Mark Lam.
1083
1084         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1085
1086         * b3/B3LowerMacros.cpp:
1087
1088 2019-02-08  Mark Lam  <mark.lam@apple.com>
1089
1090         Use maxSingleCharacterString in comparisons instead of literal constants.
1091         https://bugs.webkit.org/show_bug.cgi?id=194452
1092
1093         Reviewed by Yusuke Suzuki.
1094
1095         This way, if we ever change maxSingleCharacterString, it won't break all this code
1096         that relies on it being 0xff implicitly.
1097
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1100         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1101         * ftl/FTLLowerDFGToB3.cpp:
1102         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1103         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1104         * jit/ThunkGenerators.cpp:
1105         (JSC::stringGetByValGenerator):
1106         (JSC::charToString):
1107
1108 2019-02-08  Mark Lam  <mark.lam@apple.com>
1109
1110         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1111         https://bugs.webkit.org/show_bug.cgi?id=194446
1112         <rdar://problem/47926792>
1113
1114         Reviewed by Saam Barati.
1115
1116         Fix doesGC() for the following nodes:
1117
1118             CheckTierUpAtReturn:
1119                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1120                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1121
1122             CheckTierUpInLoop:
1123                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1124                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1125
1126             CheckTierUpAndOSREnter:
1127                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1128                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1129
1130             GetByVal:
1131                 case Array::String calls operationSingleCharacterString(), which calls
1132                 jsSingleCharacterString(), which can allocate a string.
1133
1134             PutByValDirect:
1135             PutByVal:
1136             PutByValAlias:
1137                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1138                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1139                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1140                 slow paths call putByValInternal(), which may create exception objects, or
1141                 call the generic JSValue::put() which may execute arbitrary code.
1142
1143             StringCharAt:
1144                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1145                 which can allocate a string.
1146
1147         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1148         to use the maxSingleCharacterString constant instead of a literal constant.
1149
1150         * dfg/DFGDoesGC.cpp:
1151         (JSC::DFG::doesGC):
1152         * dfg/DFGSpeculativeJIT.cpp:
1153         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1154         * dfg/DFGSpeculativeJIT64.cpp:
1155         (JSC::DFG::SpeculativeJIT::compile):
1156         * ftl/FTLLowerDFGToB3.cpp:
1157         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1158         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1159         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1160
1161 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1162
1163         [JSC] SourceProviderCacheItem should be small
1164         https://bugs.webkit.org/show_bug.cgi?id=194432
1165
1166         Reviewed by Saam Barati.
1167
1168         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1169         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1170         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1171
1172         * parser/Parser.cpp:
1173         (JSC::Parser<LexerType>::parseFunctionInfo):
1174         * parser/ParserModes.h:
1175         * parser/ParserTokens.h:
1176         * parser/SourceProviderCacheItem.h:
1177         (JSC::SourceProviderCacheItem::endFunctionToken const):
1178         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1179
1180 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1181
1182         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1183         https://bugs.webkit.org/show_bug.cgi?id=194420
1184
1185         Reviewed by Saam Barati.
1186
1187         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1188         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1189         This trivial patch fixes both.
1190
1191         * b3/B3ReduceStrength.cpp:
1192         * b3/testb3.cpp:
1193         (JSC::B3::testAbsNegArg):
1194
1195 2019-02-07  Keith Miller  <keith_miller@apple.com>
1196
1197         Better error messages for module loader SPI
1198         https://bugs.webkit.org/show_bug.cgi?id=194421
1199
1200         Reviewed by Saam Barati.
1201
1202         * API/JSAPIGlobalObject.mm:
1203         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1204
1205 2019-02-07  Mark Lam  <mark.lam@apple.com>
1206
1207         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1208         https://bugs.webkit.org/show_bug.cgi?id=194399
1209         <rdar://problem/47889777>
1210
1211         Reviewed by Yusuke Suzuki.
1212
1213         Fix doesGC() for the following nodes:
1214
1215             CheckTraps:
1216                 We normally will not emit this node because Options::usePollingTraps() is
1217                 false by default.  However, as it is implemented now, CheckTraps can GC
1218                 because it can allocate a TerminatedExecutionException.  If we make the
1219                 TerminatedExecutionException a singleton allocated at initialization time,
1220                 doesGC() can return false for CheckTraps.
1221                 https://bugs.webkit.org/show_bug.cgi?id=194323
1222
1223             GetMapBucket:
1224                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1225                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1226                 can resolve a rope.
1227
1228             Switch:
1229                 If switchData kind is SwitchChar, can call operationResolveRope().
1230                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1231                     can call operationSwitchString() which resolves ropes.
1232
1233             DirectTailCall:
1234             ForceOSRExit:
1235             Return:
1236             TailCallForwardVarargs:
1237             TailCallVarargs:
1238             Throw:
1239                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1240                 for them, but following our conservative practice, unless we have a good
1241                 reason for doesGC() to return false, we should just return true.
1242
1243         * dfg/DFGDoesGC.cpp:
1244         (JSC::DFG::doesGC):
1245
1246 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1247
1248         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1249         https://bugs.webkit.org/show_bug.cgi?id=194250
1250
1251         Reviewed by Saam Barati.
1252
1253         Adds the following optimizations for integers:
1254         - Sub(x, x) => 0
1255             Already covered by the test testSubArg
1256         - Sub(x1, Neg(x2)) => Add(x1, x2)
1257             Added test: testSubNeg
1258         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1259             Added test: testNegSub
1260         - Add(Neg(x1), x2) => Sub(x2, x1)
1261             Added test: testAddNeg1
1262         - Add(x1, Neg(x2)) => Sub(x1, x2)
1263             Added test: testAddNeg2
1264         Adds the following optimization for floating point values:
1265         - Abs(Neg(x)) => Abs(x)
1266             Added test: testAbsNegArg
1268
1269         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1270
1271         * b3/B3ReduceStrength.cpp:
1272         * b3/testb3.cpp:
1273         (JSC::B3::testAddNeg1):
1274         (JSC::B3::testAddNeg2):
1275         (JSC::B3::testSubNeg):
1276         (JSC::B3::testNegSub):
1277         (JSC::B3::testAbsAbsArg):
1278         (JSC::B3::testAbsNegArg):
1279         (JSC::B3::run):
1280
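The rewrite rules listed in this entry, together with the Abs(Neg(x)) => Abs(x) rule whose copy-paste bug the 2019-02-07 follow-up (bug 194420) fixes, as an added C++ example that is not JSC's B3ReduceStrength code: Value, Proc, reduce and eval are hypothetical stand-ins for B3's Value/Procedure and for the testb3 checks. Running the buggy variant through the reference interpreter shows why a test on a negative input catches the mistake.

```cpp
#include <cmath>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for B3's Value/Opcode/Procedure (not JSC code): a tiny
// expression tree that is just enough to state the peephole rules as rewrites.
enum class Op { Const, Arg, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };

struct Value {
    Op op;
    Type type;
    long long constant;          // only meaningful for Const
    std::string name;            // only meaningful for Arg
    std::vector<Value*> children;
    bool isInteger() const { return type == Type::Int64; }
    Value* child(size_t i) const { return children[i]; }
};

// Owns every Value so replacement nodes can be created freely (like B3's Procedure).
struct Proc {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Value v) { values.push_back(std::make_unique<Value>(std::move(v))); return values.back().get(); }
    Value* arg(const std::string& n, Type t) { return add({Op::Arg, t, 0, n, {}}); }
    Value* constInt(long long c) { return add({Op::Const, Type::Int64, c, "", {}}); }
    Value* unary(Op o, Value* a) { return add({o, a->type, 0, "", {a}}); }
    Value* binary(Op o, Value* a, Value* b) { return add({o, a->type, 0, "", {a, b}}); }
};

// Apply one rewrite rule at v (children already reduced). Returns the replacement, or v
// itself when no rule fires. `buggyAbs` reproduces the copy-paste mistake the follow-up fixed.
Value* reduceOne(Proc& proc, Value* v, bool buggyAbs = false) {
    Value* a = v->children.empty() ? nullptr : v->child(0);
    Value* b = v->children.size() < 2 ? nullptr : v->child(1);
    switch (v->op) {
    case Op::Sub:
        if (!v->isInteger()) break;
        if (a == b) return proc.constInt(0);                               // Sub(x, x) => 0
        if (b->op == Op::Neg) return proc.binary(Op::Add, a, b->child(0)); // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (v->isInteger() && a->op == Op::Sub)                            // Neg(Sub(x1, x2)) => Sub(x2, x1)
            return proc.binary(Op::Sub, a->child(1), a->child(0));
        break;
    case Op::Add:
        if (!v->isInteger()) break;
        if (a->op == Op::Neg) return proc.binary(Op::Sub, b, a->child(0)); // Add(Neg(x1), x2) => Sub(x2, x1)
        if (b->op == Op::Neg) return proc.binary(Op::Sub, a, b->child(0)); // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (!v->isInteger() && a->op == Op::Neg)                           // Abs(Neg(x)) => Abs(x)
            return buggyAbs ? a->child(0) : proc.unary(Op::Abs, a->child(0)); // bug: Abs(Neg(x)) => x
        break;
    default: break;
    }
    return v;
}

// Bottom-up reduction to a fixpoint: reduce the children, then retry the rules here.
Value* reduce(Proc& proc, Value* v, bool buggyAbs = false) {
    for (Value*& c : v->children) c = reduce(proc, c, buggyAbs);
    Value* r = reduceOne(proc, v, buggyAbs);
    return r == v ? v : reduce(proc, r, buggyAbs);
}

std::string dump(const Value* v) {
    static const char* names[] = { "Const", "Arg", "Add", "Sub", "Neg", "Abs" };
    if (v->op == Op::Const) return std::to_string(v->constant);
    if (v->op == Op::Arg) return v->name;
    std::string s = std::string(names[int(v->op)]) + "(";
    for (size_t i = 0; i < v->children.size(); ++i) s += (i ? ", " : "") + dump(v->child(i));
    return s + ")";
}

// Reference interpreter used to check that a rewrite preserved meaning, which is what a
// testb3 case such as testAbsNegArg guards. Integer wraparound is ignored in this sketch.
double eval(const Value* v, const std::map<std::string, double>& env) {
    switch (v->op) {
    case Op::Const: return double(v->constant);
    case Op::Arg: return env.at(v->name);
    case Op::Add: return eval(v->child(0), env) + eval(v->child(1), env);
    case Op::Sub: return eval(v->child(0), env) - eval(v->child(1), env);
    case Op::Neg: return -eval(v->child(0), env);
    case Op::Abs: return std::fabs(eval(v->child(0), env));
    }
    return 0;
}

int main() {
    Proc p;
    Value* absNeg = p.unary(Op::Abs, p.unary(Op::Neg, p.arg("d", Type::Double)));
    std::map<std::string, double> env = { { "d", -2.5 } };   // constructed sample input
    std::printf("fixed: %s = %g\n", dump(reduce(p, absNeg)).c_str(), eval(reduce(p, absNeg), env));
    std::printf("buggy: %s = %g\n", dump(reduce(p, absNeg, true)).c_str(), eval(reduce(p, absNeg, true), env));
}
```
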
1281 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1282
1283         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1284         https://bugs.webkit.org/show_bug.cgi?id=194374
1285
1286         Reviewed by Geoffrey Garen.
1287
1288         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1289         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1290         is more memory efficient.
1291
1292         * runtime/SmallStrings.cpp:
1293         (JSC::SmallStringsStorage::SmallStringsStorage):
1294         (JSC::SmallStrings::SmallStrings):
1295         * runtime/SmallStrings.h:
1296
1297 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1298
1299         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1300         https://bugs.webkit.org/show_bug.cgi?id=194369
1301         <rdar://problem/47813087>
1302
1303         Reviewed by Saam Barati.
1304
1305         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1306         JSEmpty if it is in TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1307         constant folding phase.
1308
1309         * dfg/DFGAbstractInterpreterInlines.h:
1310         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1311
1312 2019-02-06  Devin Rousso  <drousso@apple.com>
1313
1314         Web Inspector: DOM: don't send the entire function string with each event listener
1315         https://bugs.webkit.org/show_bug.cgi?id=194293
1316         <rdar://problem/47822809>
1317
1318         Reviewed by Joseph Pecoraro.
1319
1320         * inspector/protocol/DOM.json:
1321
1322         * runtime/JSFunction.h:
1323         Export `calculatedDisplayName`.
1324
1325 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1326
1327         [JSC] PrivateName to PublicName hash table is wasteful
1328         https://bugs.webkit.org/show_bug.cgi?id=194277
1329
1330         Reviewed by Michael Saboff.
1331
1332         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames has Identifier fields corresponding to these PrivateNames,
1333         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1334         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1335         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1336
1337         In this patch, we add some rules to remove the "PrivateName to PublicName" hash table.
1338
1339         1. A PrivateName's content should be the same as its PublicName.
1340         2. If the PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1341            the public name should be easily crafted from the given PrivateName.
1342
1343         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that "@xxxSymbol"
1344         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1345
1346         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1347         WebCore.
1348
1349         * builtins/BuiltinNames.cpp:
1350         (JSC::BuiltinNames::BuiltinNames):
1351         * builtins/BuiltinNames.h:
1352         (JSC::BuiltinNames::lookUpPrivateName const):
1353         (JSC::BuiltinNames::getPublicName const):
1354         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1355         (JSC::BuiltinNames::appendExternalName):
1356         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1357         * builtins/BuiltinUtils.h:
1358         * bytecode/BytecodeDumper.cpp:
1359         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1360         * bytecompiler/NodesCodegen.cpp:
1361         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1362         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1363         * parser/Lexer.cpp:
1364         (JSC::Lexer<LChar>::parseIdentifier):
1365         (JSC::Lexer<UChar>::parseIdentifier):
1366         * parser/Parser.cpp:
1367         (JSC::Parser<LexerType>::createGeneratorParameters):
1368         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1369         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1370         (JSC::Parser<LexerType>::parseClassDeclaration):
1371         (JSC::Parser<LexerType>::parseExportDeclaration):
1372         (JSC::Parser<LexerType>::parseMemberExpression):
1373         * parser/ParserArena.h:
1374         (JSC::IdentifierArena::makeIdentifier):
1375         * runtime/CachedTypes.cpp:
1376         (JSC::CachedUniquedStringImpl::encode):
1377         (JSC::CachedUniquedStringImpl::decode const):
1378         * runtime/CommonIdentifiers.cpp:
1379         (JSC::CommonIdentifiers::CommonIdentifiers):
1380         (JSC::CommonIdentifiers::lookUpPrivateName const):
1381         (JSC::CommonIdentifiers::getPublicName const):
1382         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1383         * runtime/CommonIdentifiers.h:
1384         * runtime/ExceptionHelpers.cpp:
1385         (JSC::createUndefinedVariableError):
1386         * runtime/Identifier.cpp:
1387         (JSC::Identifier::dump const):
1388         * runtime/Identifier.h:
1389         * runtime/IdentifierInlines.h:
1390         (JSC::Identifier::fromUid):
1391         * runtime/JSTypedArrayViewPrototype.cpp:
1392         (JSC::JSTypedArrayViewPrototype::finishCreation):
1393         * tools/JSDollarVM.cpp:
1394         (JSC::functionGetPrivateProperty):
1395
1396 2019-02-06  Keith Rollin  <krollin@apple.com>
1397
1398         Really enable the automatic checking and regenerations of .xcfilelists during builds
1399         https://bugs.webkit.org/show_bug.cgi?id=194357
1400         <rdar://problem/47861231>
1401
1402         Reviewed by Chris Dumez.
1403
1404         Bug 194124 was supposed to enable the automatic checking and
1405         regenerating of .xcfilelist files during the build. While related
1406         changes were included in that patch, the change to actually enable the
1407         operation somehow was omitted. This patch actually enables the
1408         operation. The check-xcfilelist.sh scripts now check
1409         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1410         of the checking.
1411
1412         * Scripts/check-xcfilelists.sh:
1413
1414 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1415
1416         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1417         https://bugs.webkit.org/show_bug.cgi?id=194339
1418
1419         Reviewed by Michael Saboff.
1420
1421         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1422         They have even the same structure. This patch unifies the subspaces for them.
1423
1424         * runtime/DirectEvalExecutable.h:
1425         * runtime/EvalExecutable.h:
1426         (JSC::EvalExecutable::subspaceFor):
1427         * runtime/IndirectEvalExecutable.h:
1428         * runtime/VM.cpp:
1429         * runtime/VM.h:
1430         (JSC::VM::forEachScriptExecutableSpace):
1431
1432 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1433
1434         [JSC] NativeExecutable should be smaller
1435         https://bugs.webkit.org/show_bug.cgi?id=194331
1436
1437         Reviewed by Michael Saboff.
1438
1439         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1440         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1441         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1442         only takes one MarkedBlock for NativeExecutable.
1443
1444         To make NativeExecutable smaller,
1445
1446         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1447            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1448
1449         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1450            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1451            NativeJITCode, and is instantiated only when DOMJIT::Signature* is given.
1452
1453         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1454            Intrinsic for NativeExecutable.
1455
1456         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1457
1458         * CMakeLists.txt:
1459         * JavaScriptCore.xcodeproj/project.pbxproj:
1460         * bytecode/CallVariant.h:
1461         * interpreter/Interpreter.cpp:
1462         * jit/JITCode.cpp:
1463         (JSC::DirectJITCode::DirectJITCode):
1464         (JSC::NativeJITCode::NativeJITCode):
1465         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1466         * jit/JITCode.h:
1467         (JSC::JITCode::signature const):
1468         (JSC::JITCode::intrinsic):
1469         * jit/JITOperations.cpp:
1470         * jit/JITThunks.cpp:
1471         (JSC::JITThunks::hostFunctionStub):
1472         * jit/Repatch.cpp:
1473         * llint/LLIntSlowPaths.cpp:
1474         * runtime/ExecutableBase.cpp:
1475         (JSC::ExecutableBase::dump const):
1476         (JSC::ExecutableBase::hashFor const):
1477         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1478         (JSC::ExecutableBase::clearCode): Deleted.
1479         * runtime/ExecutableBase.h:
1480         (JSC::ExecutableBase::ExecutableBase):
1481         (JSC::ExecutableBase::isModuleProgramExecutable):
1482         (JSC::ExecutableBase::isHostFunction const):
1483         (JSC::ExecutableBase::generatedJITCodeForCall const):
1484         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1485         (JSC::ExecutableBase::generatedJITCodeFor const):
1486         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1487         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1488         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1489         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1490         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1491         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1492         (JSC::ExecutableBase::intrinsic const): Deleted.
1493         * runtime/ExecutableBaseInlines.h: Added.
1494         (JSC::ExecutableBase::intrinsic const):
1495         (JSC::ExecutableBase::hasJITCodeForCall const):
1496         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1497         * runtime/JSBoundFunction.cpp:
1498         * runtime/JSType.cpp:
1499         (WTF::printInternal):
1500         * runtime/JSType.h:
1501         * runtime/NativeExecutable.cpp:
1502         (JSC::NativeExecutable::create):
1503         (JSC::NativeExecutable::createStructure):
1504         (JSC::NativeExecutable::NativeExecutable):
1505         (JSC::NativeExecutable::signatureFor const):
1506         (JSC::NativeExecutable::intrinsic const):
1507         * runtime/NativeExecutable.h:
1508         * runtime/ScriptExecutable.cpp:
1509         (JSC::ScriptExecutable::ScriptExecutable):
1510         (JSC::ScriptExecutable::clearCode):
1511         (JSC::ScriptExecutable::installCode):
1512         (JSC::ScriptExecutable::hasClearableCode const):
1513         * runtime/ScriptExecutable.h:
1514         (JSC::ScriptExecutable::intrinsic const):
1515         (JSC::ScriptExecutable::hasJITCodeForCall const):
1516         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1517         * runtime/VM.cpp:
1518         (JSC::VM::getHostFunction):
1519
1520 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1521
1522         Build failure after r240431
1523         https://bugs.webkit.org/show_bug.cgi?id=194330
1524
1525         Reviewed by Žan Doberšek.
1526
1527         * API/glib/JSCOptions.cpp:
1528
1529 2019-02-05  Mark Lam  <mark.lam@apple.com>
1530
1531         Fix DFG's doesGC() for a few more nodes.
1532         https://bugs.webkit.org/show_bug.cgi?id=194307
1533         <rdar://problem/47832956>
1534
1535         Reviewed by Yusuke Suzuki.
1536
1537         Fix doesGC() for the following nodes:
1538
1539             NumberToStringWithValidRadixConstant:
1540                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1541                 which can allocate a string.
1542                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1543                 which can allocate a string.
1544                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1545                 which can allocate a string.
1546
1547             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1548                 memory for all kinds of objects.
1549             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1550                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1551                 these allocate memory for the match result.
1552             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1553                 calls RegExpObject's collectMatches(), which allocates an array amongst
1554                 other objects.
1555
1556             StringFromCharCode:
1557                 If the uint32 code to convert is greater than maxSingleCharacterString,
1558                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1559                 which allocates a new string if the code is greater than maxSingleCharacterString.
1560
1561         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1562         to use maxSingleCharacterString instead of a literal constant.
1563
1564         * dfg/DFGDoesGC.cpp:
1565         (JSC::DFG::doesGC):
1566         * dfg/DFGSpeculativeJIT.cpp:
1567         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1568         * ftl/FTLLowerDFGToB3.cpp:
1569         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1570
1571 2019-02-05  Keith Rollin  <krollin@apple.com>
1572
1573         Enable the automatic checking and regenerations of .xcfilelists during builds
1574         https://bugs.webkit.org/show_bug.cgi?id=194124
1575         <rdar://problem/47721277>
1576
1577         Reviewed by Tim Horton.
1578
1579         Bug 193790 added a facility for checking -- during build time -- that
1580         any needed .xcfilelist files are up-to-date and for updating them if
1581         they are not. This facility was initially opt-in by setting
1582         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1583         the process seemed robust. It's now time to enable this facility and
1584         make it opt-out. If there is a need to disable this facility, set and
1585         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1586         running `make` or `build-webkit`, or before running Xcode from the
1587         command line.
1588
1589         Additionally, remove the step that generates a list of source files
1590         going into the UnifiedSources build step. It's only necessary to
1591         specify Sources.txt and SourcesCocoa.txt as inputs.
1592
1593         * JavaScriptCore.xcodeproj/project.pbxproj:
1594         * UnifiedSources-input.xcfilelist: Removed.
1595
1596 2019-02-05  Keith Rollin  <krollin@apple.com>
1597
1598         Update .xcfilelist files
1599         https://bugs.webkit.org/show_bug.cgi?id=194121
1600         <rdar://problem/47720863>
1601
1602         Reviewed by Tim Horton.
1603
1604         Preparatory to enabling the facility for automatically updating the
1605         .xcfilelist files, check in a freshly-updated set so that not everyone
1606         runs up against having to regenerate them themselves.
1607
1608         * DerivedSources-input.xcfilelist:
1609         * DerivedSources-output.xcfilelist:
1610
1611 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1612
1613         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1614         https://bugs.webkit.org/show_bug.cgi?id=185557
1615
1616         Reviewed by Mark Lam.
1617
1618         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1619         where n is the number of characters in the formatted string.
1620         It may be less memory efficient than the previous impl, since the intermediate Vector
1621         is the length of the string, instead of the count of the fields.
1622
1623         * runtime/IntlNumberFormat.cpp:
1624         (JSC::IntlNumberFormat::formatToParts):
1625         * runtime/IntlNumberFormat.h:
1626
1627 2019-02-05  Mark Lam  <mark.lam@apple.com>
1628
1629         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1630         https://bugs.webkit.org/show_bug.cgi?id=194298
1631         <rdar://problem/47827555>
1632
1633         Reviewed by Saam Barati.
1634
1635         We do this for 3 reasons:
1636         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1637         2. If things change in the future where clobberize() no longer reports these nodes
1638            as write(Heap), each node should be vetted first to make sure that it can never
1639            GC before being moved back to the doesGC() list that returns false.
1640         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1641            correct in its claims about the nodes' GCing possibility.
1642
1643         The list of nodes moved are:
1644
1645             ArrayPush
1646             ArrayPop
1647             Call
1648             CallEval
1649             CallForwardVarargs
1650             CallVarargs
1651             Construct
1652             ConstructForwardVarargs
1653             ConstructVarargs
1654             DefineDataProperty
1655             DefineAccessorProperty
1656             DeleteById
1657             DeleteByVal
1658             DirectCall
1659             DirectConstruct
1660             DirectTailCallInlinedCaller
1661             GetById
1662             GetByIdDirect
1663             GetByIdDirectFlush
1664             GetByIdFlush
1665             GetByIdWithThis
1666             GetByValWithThis
1667             GetDirectPname
1668             GetDynamicVar
1669             HasGenericProperty
1670             HasOwnProperty
1671             HasStructureProperty
1672             InById
1673             InByVal
1674             InstanceOf
1675             InstanceOfCustom
1676             LoadVarargs
1677             NumberToStringWithRadix
1678             PutById
1679             PutByIdDirect
1680             PutByIdFlush
1681             PutByIdWithThis
1682             PutByOffset
1683             PutByValWithThis
1684             PutDynamicVar
1685             PutGetterById
1686             PutGetterByVal
1687             PutGetterSetterById
1688             PutSetterById
1689             PutSetterByVal
1690             PutStack
1691             PutToArguments
1692             RegExpExec
1693             RegExpTest
1694             ResolveScope
1695             ResolveScopeForHoistingFuncDeclInEval
1696             TailCall
1697             TailCallForwardVarargsInlinedCaller
1698             TailCallInlinedCaller
1699             TailCallVarargsInlinedCaller
1700             ToNumber
1701             ToPrimitive
1702             ValueNegate
1703
1704         * dfg/DFGDoesGC.cpp:
1705         (JSC::DFG::doesGC):
1706
1707 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1708
1709         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1710         https://bugs.webkit.org/show_bug.cgi?id=194281
1711
1712         Reviewed by Michael Saboff.
1713
1714         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1715         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1716
1717         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
1718         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1719         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1720
1721         * bytecode/CodeBlock.cpp:
1722         (JSC::CodeBlock::finishCreation):
1723         * bytecode/CodeBlock.h:
1724         (JSC::CodeBlock::bitVectors const): Deleted.
1725         * bytecode/CodeType.h:
1726         * bytecode/UnlinkedCodeBlock.cpp:
1727         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1728         (JSC::UnlinkedCodeBlock::shrinkToFit):
1729         * bytecode/UnlinkedCodeBlock.h:
1730         (JSC::UnlinkedCodeBlock::bitVector):
1731         (JSC::UnlinkedCodeBlock::addBitVector):
1732         (JSC::UnlinkedCodeBlock::addSetConstant):
1733         (JSC::UnlinkedCodeBlock::constantRegisters):
1734         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1735         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1736         (JSC::UnlinkedCodeBlock::codeType const):
1737         (JSC::UnlinkedCodeBlock::didOptimize const):
1738         (JSC::UnlinkedCodeBlock::setDidOptimize):
1739         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1740         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1741         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1742         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1743         * bytecompiler/BytecodeGenerator.cpp:
1744         (JSC::BytecodeGenerator::emitLoad):
1745         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1746         * bytecompiler/BytecodeGenerator.h:
1747         * runtime/CachedTypes.cpp:
1748         (JSC::CachedCodeBlockRareData::encode):
1749         (JSC::CachedCodeBlockRareData::decode const):
1750         (JSC::CachedCodeBlock::scopeRegister const):
1751         (JSC::CachedCodeBlock::codeType const):
1752         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1753         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1754         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1755         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1756
1757 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1758
1759         Unreviewed, add missing exception checks after r240637
1760         https://bugs.webkit.org/show_bug.cgi?id=193546
1761
1762         * tools/JSDollarVM.cpp:
1763         (JSC::functionShadowChickenFunctionsOnStack):
1764
1765 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1766
1767         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1768         https://bugs.webkit.org/show_bug.cgi?id=193993
1769
1770         Reviewed by Keith Miller.
1771
1772         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large,
1773         and some of them are rarely used. We should allocate them lazily.
1774
1775         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1776         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1777         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1778         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1779         parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
1780         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1781         by using WTF::storeStoreFence when lazily allocating it.
1782
1783         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1784         existence of the space before touching it. This is not racy because the main thread is stopped when
1785         the constraint solving is working.
1786
1787         This changes sizeof(VM) from 64736 to 56472.
1788
1789         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1790         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
1791         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
1792         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
1793         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
1794         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1795         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1796
1797         * API/JSCallbackFunction.h:
1798         * API/ObjCCallbackFunction.h:
1799         (JSC::ObjCCallbackFunction::subspaceFor):
1800         * API/glib/JSCCallbackFunction.h:
1801         * CMakeLists.txt:
1802         * JavaScriptCore.xcodeproj/project.pbxproj:
1803         * bytecode/CodeBlock.cpp:
1804         (JSC::CodeBlock::visitChildren):
1805         (JSC::CodeBlock::finalizeUnconditionally):
1806         * bytecode/CodeBlock.h:
1807         * bytecode/EvalCodeBlock.h:
1808         * bytecode/ExecutableToCodeBlockEdge.h:
1809         * bytecode/FunctionCodeBlock.h:
1810         * bytecode/ModuleProgramCodeBlock.h:
1811         * bytecode/ProgramCodeBlock.h:
1812         * bytecode/UnlinkedFunctionExecutable.cpp:
1813         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1814         * bytecode/UnlinkedFunctionExecutable.h:
1815         * dfg/DFGSpeculativeJIT.cpp:
1816         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1817         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1818         (JSC::DFG::SpeculativeJIT::compileNewObject):
1819         * ftl/FTLLowerDFGToB3.cpp:
1820         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1821         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1822         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1823         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1824         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1825         * heap/Heap.cpp:
1826         (JSC::Heap::finalizeUnconditionalFinalizers):
1827         (JSC::Heap::deleteAllCodeBlocks):
1828         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1829         (JSC::Heap::addCoreConstraints):
1830         * heap/Subspace.cpp:
1831         (JSC::Subspace::initialize):
1832         * jit/AssemblyHelpers.h:
1833         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1834         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1835         * jit/JITOpcodes.cpp:
1836         (JSC::JIT::emit_op_new_object):
1837         * jit/JITOpcodes32_64.cpp:
1838         (JSC::JIT::emit_op_new_object):
1839         * runtime/DirectArguments.h:
1840         * runtime/DirectEvalExecutable.h:
1841         * runtime/ErrorInstance.h:
1842         (JSC::ErrorInstance::subspaceFor):
1843         * runtime/ExecutableBase.h:
1844         * runtime/FunctionExecutable.h:
1845         * runtime/IndirectEvalExecutable.h:
1846         * runtime/InferredValue.cpp:
1847         (JSC::InferredValue::visitChildren):
1848         * runtime/InferredValue.h:
1849         * runtime/InferredValueInlines.h:
1850         (JSC::InferredValue::finalizeUnconditionally):
1851         * runtime/InternalFunction.h:
1852         * runtime/JSAsyncFunction.h:
1853         * runtime/JSAsyncGeneratorFunction.h:
1854         * runtime/JSBoundFunction.h:
1855         * runtime/JSCell.h:
1856         (JSC::subspaceFor):
1857         (JSC::subspaceForConcurrently):
1858         * runtime/JSCellInlines.h:
1859         (JSC::allocatorForNonVirtualConcurrently):
1860         * runtime/JSCustomGetterSetterFunction.h:
1861         * runtime/JSDestructibleObject.h:
1862         * runtime/JSFunction.h:
1863         * runtime/JSGeneratorFunction.h:
1864         * runtime/JSImmutableButterfly.h:
1865         * runtime/JSLexicalEnvironment.h:
1866         (JSC::JSLexicalEnvironment::subspaceFor):
1867         * runtime/JSNativeStdFunction.h:
1868         * runtime/JSSegmentedVariableObject.h:
1869         * runtime/JSString.h:
1870         * runtime/ModuleProgramExecutable.h:
1871         * runtime/NativeExecutable.h:
1872         * runtime/ProgramExecutable.h:
1873         * runtime/PropertyMapHashTable.h:
1874         * runtime/ProxyRevoke.h:
1875         * runtime/ScopedArguments.h:
1876         * runtime/ScriptExecutable.cpp:
1877         (JSC::ScriptExecutable::clearCode):
1878         (JSC::ScriptExecutable::installCode):
1879         * runtime/Structure.h:
1880         * runtime/StructureRareData.h:
1881         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1882         * runtime/VM.cpp:
1883         (JSC::VM::VM):
1884         * runtime/VM.h:
1885         (JSC::VM::SpaceAndSet::SpaceAndSet):
1886         (JSC::VM::SpaceAndSet::setFor):
1887         (JSC::VM::forEachScriptExecutableSpace):
1888         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1889         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1890         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1891         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1892         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1893         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1894         * runtime/WeakMapImpl.h:
1895         (JSC::WeakMapImpl::subspaceFor):
1896         * wasm/js/JSWebAssemblyCodeBlock.h:
1897         * wasm/js/JSWebAssemblyMemory.h:
1898         * wasm/js/WebAssemblyFunction.h:
1899         * wasm/js/WebAssemblyWrapperFunction.h:
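
        The lazily allocated subspace pattern described in this entry, worked through as an added illustration that is not JSC's code: a hypothetical VMModel owns a std::unique_ptr to a stand-in IsoSubspace, the main-thread "ensure" function creates and publishes it, and the concurrent accessor returns nullptr until that has happened. C++ release/acquire ordering stands in for WTF::storeStoreFence, and the ErrorInstance space and its cell size are assumed for the example.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for an IsoSubspace. The real one is large (the entry
// quotes 504 bytes each), which is why VM should not embed one eagerly for
// every rarely used cell type.
struct IsoSubspace {
    std::string name;
    size_t cellSize;
    bool fullyConstructed;

    IsoSubspace(std::string spaceName, size_t size)
        : name(std::move(spaceName)), cellSize(size), fullyConstructed(true) { }
};

// Hypothetical model of VM with one lazily created subspace. ErrorInstance is
// one of the types the entry lists as getting a subspaceFor that ensures it.
class VMModel {
public:
    // Main-thread path, what a class's subspaceFor<> calls: allocate on first
    // use, then publish. Later calls return the same object without allocating.
    IsoSubspace* ensureErrorInstanceSpace() {
        if (IsoSubspace* existing = m_errorInstanceSpace.load(std::memory_order_relaxed))
            return existing;
        m_ownedErrorInstanceSpace = std::make_unique<IsoSubspace>("ErrorInstance", 48);
        ++m_lazyAllocations;
        // Publish only after construction has completed. The release store
        // plays the role WTF::storeStoreFence plays in the patch: a reader
        // that observes the pointer also observes the initialized object.
        m_errorInstanceSpace.store(m_ownedErrorInstanceSpace.get(), std::memory_order_release);
        return m_ownedErrorInstanceSpace.get();
    }

    // Concurrent-compiler path, what subspaceForConcurrently<> does: never
    // allocates, and returns nullptr if the main thread has not created the
    // space yet. Every caller must be prepared for nullptr.
    IsoSubspace* errorInstanceSpaceConcurrently() const {
        return m_errorInstanceSpace.load(std::memory_order_acquire);
    }

    unsigned lazyAllocations() const { return m_lazyAllocations; }

private:
    std::unique_ptr<IsoSubspace> m_ownedErrorInstanceSpace;
    std::atomic<IsoSubspace*> m_errorInstanceSpace { nullptr };
    unsigned m_lazyAllocations = 0;
};

// How a concurrent JIT tier would use the accessor: an inline allocation fast
// path needs the subspace, so while the subspace does not exist the compiler
// must emit the slow path rather than create the subspace from its thread.
const char* allocationPathForConcurrentCompiler(const VMModel& vm) {
    IsoSubspace* space = vm.errorInstanceSpaceConcurrently();
    if (!space)
        return "slow-path";
    return space->fullyConstructed ? "inline" : "corrupt";
}

// How GC constraint solving would use it: check existence before touching the
// space. The entry notes this is race-free because the mutator is stopped then.
size_t cellSizeForConstraintSolving(const VMModel& vm) {
    IsoSubspace* space = vm.errorInstanceSpaceConcurrently();
    return space ? space->cellSize : 0;
}
```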
1900
1901 2019-02-04  Keith Miller  <keith_miller@apple.com>
1902
1903         Change llint operand macros to inline functions
1904         https://bugs.webkit.org/show_bug.cgi?id=194248
1905
1906         Reviewed by Mark Lam.
1907
1908         * llint/LLIntSlowPaths.cpp:
1909         (JSC::LLInt::getNonConstantOperand):
1910         (JSC::LLInt::getOperand):
1911         (JSC::LLInt::llint_trace_value):
1912         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1913         (JSC::LLInt::getByVal):
1914         (JSC::LLInt::genericCall):
1915         (JSC::LLInt::varargsSetup):
1916         (JSC::LLInt::commonCallEval):
1917
1918 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1919
1920         when lowering AssertNotEmpty, create the value before creating the patchpoint
1921         https://bugs.webkit.org/show_bug.cgi?id=194231
1922
1923         Reviewed by Saam Barati.
1924
1925         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1926         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1927
1928         * ftl/FTLLowerDFGToB3.cpp:
1929         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1930
1931 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1932
1933         [JSC] ExecutableToCodeBlockEdge should be smaller
1934         https://bugs.webkit.org/show_bug.cgi?id=194244
1935
1936         Reviewed by Michael Saboff.
1937
1938         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
1939         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
1940         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
1941         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
1942
1943         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
1944         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
1945         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
1946
1947         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
1948         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
1949         does not touch it if it is called in non-main threads).
1950
1951         * bytecode/ExecutableToCodeBlockEdge.cpp:
1952         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1953         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1954         (JSC::ExecutableToCodeBlockEdge::activate):
1955         (JSC::ExecutableToCodeBlockEdge::deactivate):
1956         (JSC::ExecutableToCodeBlockEdge::isActive const):
1957         * bytecode/ExecutableToCodeBlockEdge.h:
1958         * runtime/JSCell.h:
1959         * runtime/JSCellInlines.h:
1960         (JSC::JSCell::perCellBit const):
1961         (JSC::JSCell::setPerCellBit):
1962         (JSC::JSCell::mayBePrototype const): Deleted.
1963         (JSC::JSCell::didBecomePrototype): Deleted.
1964         * runtime/JSObject.cpp:
1965         (JSC::JSObject::setPrototypeDirect):
1966         * runtime/JSObject.h:
1967         * runtime/JSObjectInlines.h:
1968         (JSC::JSObject::mayBePrototype const):
1969         (JSC::JSObject::didBecomePrototype):
1970         * runtime/JSTypeInfo.h:
1971         (JSC::TypeInfo::perCellBit):
1972         (JSC::TypeInfo::mergeInlineTypeFlags):
1973         (JSC::TypeInfo::mayBePrototype): Deleted.
1974
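
        The layout argument in this entry, worked through as an added illustration that is not JSC's code: a simplified, assumed model of the 8-byte cell header, the 24-byte edge with a separate bool, and the 16-byte edge that keeps isActive in a per-cell TypeInfo bit. The bit positions and the 64-bit target are assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Simplified model (an assumption, not JSC's definition) of the 8-byte cell
// header: a 32-bit structure ID followed by four one-byte fields, one of
// which holds the inline TypeInfo flags.
struct CellHeader {
    uint32_t structureID = 0;
    uint8_t indexingTypeAndMisc = 0;
    uint8_t type = 0;
    uint8_t typeInfoFlags = 0;     // inline TypeInfo flags; one bit is per-cell
    uint8_t cellState = 0;
};
static_assert(sizeof(CellHeader) == 8, "cell header should be one 64-bit word");

// Bit positions are hypothetical; the entry names the flag, not its value.
constexpr uint8_t TypeInfoPerCellBit = 1u << 0;
constexpr uint8_t SomeOtherTypeInfoBit = 1u << 3;

// Before: a separate bool after the pointer makes the object 17 bytes, which
// is padded to its 8-byte alignment, i.e. 24 bytes on a 64-bit target.
struct EdgeWithBool {
    CellHeader header;
    void* codeBlock = nullptr;     // stands in for WriteBarrier<CodeBlock>
    bool isActive = false;
};

// After: isActive lives in the header's per-cell bit, so the object is 16 bytes
// and nothing is wasted to padding.
struct EdgeWithPerCellBit {
    CellHeader header;
    void* codeBlock = nullptr;

    bool isActive() const { return (header.typeInfoFlags & TypeInfoPerCellBit) != 0; }

    // Read-modify-write on a byte shared with other flags: as the entry notes,
    // this is not CAS-style, so it is only safe from the thread that owns the
    // cell (the main thread for ExecutableToCodeBlockEdge). The other flag bits
    // in the byte must survive the update.
    void setIsActive(bool active) {
        if (active)
            header.typeInfoFlags = static_cast<uint8_t>(header.typeInfoFlags | TypeInfoPerCellBit);
        else
            header.typeInfoFlags = static_cast<uint8_t>(header.typeInfoFlags & ~TypeInfoPerCellBit);
    }
};

// Size classes are 16-byte granular, so a 24-byte object occupies 32 bytes and
// a 16-byte object occupies exactly 16.
constexpr size_t roundUpToSizeClass(size_t bytes) {
    return (bytes + 15) & ~static_cast<size_t>(15);
}
```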
1975 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1976
1977         [JSC] Shrink size of FunctionExecutable
1978         https://bugs.webkit.org/show_bug.cgi?id=194191
1979
1980         Reviewed by Michael Saboff.
1981
1982         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
1983         improves the allocation efficiency.
1984
1985         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
1986            We remove them from ScriptExecutable, and move them to FunctionExecutable.
1987
1988         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
1989            used for JSC debugging purposes, and another is TypeSet and offsets for the type profiler. We move them to RareData and reduce
1990            the size of FunctionExecutable in the common case.
1991
1992         This patch changes the size of FunctionExecutable from 176 to 144.
1993
1994         * bytecode/CodeBlock.cpp:
1995         (JSC::CodeBlock::dumpSource):
1996         (JSC::CodeBlock::finishCreation):
1997         * dfg/DFGNode.h:
1998         (JSC::DFG::Node::OpInfoWrapper::as const):
1999         * interpreter/StackVisitor.cpp:
2000         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2001         * runtime/ExecutableBase.h:
2002         * runtime/FunctionExecutable.cpp:
2003         (JSC::FunctionExecutable::FunctionExecutable):
2004         (JSC::FunctionExecutable::ensureRareDataSlow):
2005         * runtime/FunctionExecutable.h:
2006         * runtime/Intrinsic.h:
2007         * runtime/ModuleProgramExecutable.cpp:
2008         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2009         * runtime/ProgramExecutable.cpp:
2010         (JSC::ProgramExecutable::ProgramExecutable):
2011         * runtime/ScriptExecutable.cpp:
2012         (JSC::ScriptExecutable::ScriptExecutable):
2013         (JSC::ScriptExecutable::overrideLineNumber const):
2014         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2015         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2016         * runtime/ScriptExecutable.h:
2017         (JSC::ScriptExecutable::firstLine const):
2018         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2019         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2020         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2021         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2022         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2023         * runtime/StackFrame.cpp:
2024         (JSC::StackFrame::computeLineAndColumn const):
2025         * tools/JSDollarVM.cpp:
2026         (JSC::functionReturnTypeFor):
2027
2028 2019-02-04  Mark Lam  <mark.lam@apple.com>
2029
2030         DFG's doesGC() is incorrect about the SameValue node's behavior.
2031         https://bugs.webkit.org/show_bug.cgi?id=194211
2032         <rdar://problem/47608913>
2033
2034         Reviewed by Saam Barati.
2035
2036         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2037         it calls operationSameValue() which may allocate memory for resolving ropes.
2038
2039         * dfg/DFGDoesGC.cpp:
2040         (JSC::DFG::doesGC):
2041
2042 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2043
2044         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2045         https://bugs.webkit.org/show_bug.cgi?id=194031
2046
2047         Reviewed by Saam Barati.
2048
2049         UnlinkedMetadataTable assumes that any MetadataTable linked against this UnlinkedMetadataTable is already destroyed when the UnlinkedMetadataTable is destroyed.
2050         This means that an UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since the GC's finalizer
2051         sweeps objects without considering the dependencies among swept objects. An UnlinkedMetadataTable can be destroyed even before a linked MetadataTable is
2052         destroyed if the UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2053
2054         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2055         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2056
2057         * bytecode/MetadataTable.cpp:
2058         (JSC::MetadataTable::MetadataTable):
2059         (JSC::MetadataTable::~MetadataTable):
2060         * bytecode/UnlinkedCodeBlock.cpp:
2061         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2062         (JSC::UnlinkedCodeBlock::visitChildren):
2063         (JSC::UnlinkedCodeBlock::estimatedSize):
2064         (JSC::UnlinkedCodeBlock::setInstructions):
2065         * bytecode/UnlinkedCodeBlock.h:
2066         (JSC::UnlinkedCodeBlock::metadata):
2067         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2068         * bytecode/UnlinkedMetadataTable.h:
2069         (JSC::UnlinkedMetadataTable::create):
2070         * bytecode/UnlinkedMetadataTableInlines.h:
2071         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2072         * runtime/CachedTypes.cpp:
2073         (JSC::CachedMetadataTable::decode const):
2074         (JSC::CachedCodeBlock::metadata const):
2075         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2076         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2077         (JSC::CachedCodeBlock<CodeBlockType>::encode):
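
The destruction-order problem and the ownership fix described in this entry, modelled as an added C++ example (not JSC's code): a sweeper frees cells in whatever order it is handed, and a linked table holds either a non-owning reference to its unlinked table (the pre-patch situation, modelled with std::weak_ptr so the dangling case is observable without undefined behaviour) or a strong reference (std::shared_ptr standing in for the RefCounted/Ref relationship the patch introduces). UnlinkedTable, LinkedTable, Cell and sweep are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Destruction log, filled by destructors so a test can check teardown order.
static std::vector<std::string> g_log;

// Stand-in for UnlinkedMetadataTable (hypothetical name). It owns the metadata
// layout that every linked table derived from it reads until the linked table dies.
struct UnlinkedTable {
    std::vector<uint32_t> offsets;
    explicit UnlinkedTable(std::vector<uint32_t> o) : offsets(std::move(o)) {}
    ~UnlinkedTable() { g_log.push_back("unlinked"); }
};

// Stand-in for MetadataTable (hypothetical name). Before the fix it had only a
// non-owning reference to its unlinked table (weakRef); after the fix it holds a
// strong reference (strongRef), which is what keeps the unlinked table alive.
struct LinkedTable {
    std::string name;
    std::shared_ptr<UnlinkedTable> strongRef; // used when holdStrongRef is true
    std::weak_ptr<UnlinkedTable> weakRef;     // used when holdStrongRef is false

    LinkedTable(std::string n, std::shared_ptr<UnlinkedTable> unlinked, bool holdStrongRef)
        : name(std::move(n))
    {
        if (holdStrongRef)
            strongRef = std::move(unlinked);
        else
            weakRef = unlinked;
    }

    ~LinkedTable()
    {
        // A linked table's destructor consults the unlinked layout. With only a
        // weak reference this fails when the sweep already freed the unlinked table.
        std::shared_ptr<UnlinkedTable> unlinked = strongRef ? strongRef : weakRef.lock();
        if (!unlinked) {
            g_log.push_back(name + ":dangling");
            return;
        }
        g_log.push_back(name + ":" + std::to_string(unlinked->offsets.size()));
    }
};

// Heap cells as the sweeper sees them: destroyed in whatever order they are handed
// over, with no knowledge of which cell depends on which.
struct Cell { virtual ~Cell() = default; };
struct UnlinkedCodeBlockCell : Cell { std::shared_ptr<UnlinkedTable> table; };
struct CodeBlockCell : Cell { std::unique_ptr<LinkedTable> table; };

// Build one unlinked table with two linked tables, then sweep the three cells in the
// given order (0 = unlinked code block, 1 and 2 = linked code blocks) and return
// the destruction log.
std::vector<std::string> sweep(const std::vector<size_t>& order, bool holdStrongRef)
{
    g_log.clear();
    auto unlinked = std::make_shared<UnlinkedTable>(std::vector<uint32_t>{0, 8, 16});

    std::vector<std::unique_ptr<Cell>> heap;
    auto ucb = std::make_unique<UnlinkedCodeBlockCell>();
    ucb->table = unlinked;
    heap.push_back(std::move(ucb));
    for (const char* name : {"cb1", "cb2"}) {
        auto cb = std::make_unique<CodeBlockCell>();
        cb->table = std::make_unique<LinkedTable>(name, unlinked, holdStrongRef);
        heap.push_back(std::move(cb));
    }
    unlinked.reset(); // from here on only heap cells reference the tables

    for (size_t index : order)
        heap[index].reset(); // the sweeper's destroy() call for that cell
    return g_log;
}
```

With weak ownership the unlinked-first sweep order leaves both linked tables dangling; with strong ownership the unlinked table is destroyed last regardless of sweep order.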
2078
2079 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2080
2081         [JSC] Decouple JIT related data from CodeBlock
2082         https://bugs.webkit.org/show_bug.cgi?id=194187
2083
2084         Reviewed by Saam Barati.
2085
2086         CodeBlock holds a bunch of data that is only used after the JIT starts compiling it.
2087         We have three types of data in CodeBlock.
2088
2089         1. The data which is always used. CodeBlock needs to hold it.
2090         2. The data which is touched even in the LLInt, but is only meaningful in JIT tiers. An example is profiling.
2091         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2092
2093         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2094         number of them get JIT compilation. Always allocating the (3) data enlarges the size of CodeBlock, leading to
2095         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2096         in both non-JIT and *JIT* modes.
2097
2098         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2099         by the lock of CodeBlock.
2100
2101         The size of CodeBlock is reduced from 512 to 352.
2102
2103         This patch improves memory footprint and gets a 1.1% improvement in RAMification.
2104
2105             Footprint geomean: 36696503 (34.997 MB)
2106             Peak Footprint geomean: 38595988 (36.808 MB)
2107             Score: 37634263 (35.891 MB)
2108
2109             Footprint geomean: 37172768 (35.451 MB)
2110             Peak Footprint geomean: 38978288 (37.173 MB)
2111             Score: 38064824 (36.301 MB)
2112
2113         * bytecode/CodeBlock.cpp:
2114         (JSC::CodeBlock::~CodeBlock):
2115         (JSC::CodeBlock::propagateTransitions):
2116         (JSC::CodeBlock::ensureJITDataSlow):
2117         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2118         (JSC::CodeBlock::getICStatusMap):
2119         (JSC::CodeBlock::addStubInfo):
2120         (JSC::CodeBlock::addJITAddIC):
2121         (JSC::CodeBlock::addJITMulIC):
2122         (JSC::CodeBlock::addJITSubIC):
2123         (JSC::CodeBlock::addJITNegIC):
2124         (JSC::CodeBlock::findStubInfo):
2125         (JSC::CodeBlock::addByValInfo):
2126         (JSC::CodeBlock::addCallLinkInfo):
2127         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2128         (JSC::CodeBlock::addRareCaseProfile):
2129         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2130         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2131         (JSC::CodeBlock::resetJITData):
2132         (JSC::CodeBlock::stronglyVisitStrongReferences):
2133         (JSC::CodeBlock::shrinkToFit):
2134         (JSC::CodeBlock::linkIncomingCall):
2135         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2136         (JSC::CodeBlock::unlinkIncomingCalls):
2137         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2138         (JSC::CodeBlock::dumpValueProfiles):
2139         (JSC::CodeBlock::setPCToCodeOriginMap):
2140         (JSC::CodeBlock::findPC):
2141         (JSC::CodeBlock::dumpMathICStats):
2142         * bytecode/CodeBlock.h:
2143         (JSC::CodeBlock::ensureJITData):
2144         (JSC::CodeBlock::setJITCodeMap):
2145         (JSC::CodeBlock::jitCodeMap):
2146         (JSC::CodeBlock::likelyToTakeSlowCase):
2147         (JSC::CodeBlock::couldTakeSlowCase):
2148         (JSC::CodeBlock::lazyOperandValueProfiles):
2149         (JSC::CodeBlock::stubInfoBegin): Deleted.
2150         (JSC::CodeBlock::stubInfoEnd): Deleted.
2151         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2152         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2153         (JSC::CodeBlock::jitCodeMap const): Deleted.
2154         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2155         * bytecode/MethodOfGettingAValueProfile.cpp:
2156         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2157         (JSC::MethodOfGettingAValueProfile::reportValue):
2158         * dfg/DFGByteCodeParser.cpp:
2159         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2160         * jit/JIT.h:
2161         * jit/JITOperations.cpp:
2162         (JSC::tryGetByValOptimize):
2163         * jit/JITPropertyAccess.cpp:
2164         (JSC::JIT::privateCompileGetByVal):
2165         (JSC::JIT::privateCompilePutByVal):
2166
2167 2018-12-16  Darin Adler  <darin@apple.com>
2168
2169         Convert additional String::format clients to alternative approaches
2170         https://bugs.webkit.org/show_bug.cgi?id=192746
2171
2172         Reviewed by Alexey Proskuryakov.
2173
2174         * inspector/agents/InspectorConsoleAgent.cpp:
2175         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2176         and FormattedNumber::fixedWidth.
2177
2178 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2179
2180         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2181         https://bugs.webkit.org/show_bug.cgi?id=194177
2182
2183         Reviewed by Saam Barati.
2184
2185         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2186         We can share the IsoSubspace for JSFunction.
2187
2188         * runtime/JSAsyncFunction.h:
2189         * runtime/JSAsyncGeneratorFunction.h:
2190         * runtime/JSGeneratorFunction.h:
2191         * runtime/VM.cpp:
2192         (JSC::VM::VM):
2193         * runtime/VM.h:
2194
2195 2019-02-01  Mark Lam  <mark.lam@apple.com>
2196
2197         Remove invalid assertion in DFG's compileDoubleRep().
2198         https://bugs.webkit.org/show_bug.cgi?id=194130
2199         <rdar://problem/47699474>
2200
2201         Reviewed by Saam Barati.
2202
2203         * dfg/DFGSpeculativeJIT.cpp:
2204         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2205
2206 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2207
2208         [JSC] Unify CodeBlock IsoSubspaces
2209         https://bugs.webkit.org/show_bug.cgi?id=194167
2210
2211         Reviewed by Saam Barati.
2212
2213         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2214         But this is not necessary since,
2215
2216         1. They do not override the classInfo methods.
2217         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2218
2219         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2220         ProgramCodeBlock. We typically create only one ProgramCodeBlock, and it means the rest of the
2221         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2222
2223         This patch unifies these IsoSubspaces into one.
2224
2225         * bytecode/CodeBlock.cpp:
2226         (JSC::CodeBlock::destroy):
2227         * bytecode/CodeBlock.h:
2228         * bytecode/EvalCodeBlock.cpp:
2229         (JSC::EvalCodeBlock::destroy): Deleted.
2230         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2231         * bytecode/FunctionCodeBlock.cpp:
2232         (JSC::FunctionCodeBlock::destroy): Deleted.
2233         * bytecode/FunctionCodeBlock.h:
2234         * bytecode/GlobalCodeBlock.h:
2235         * bytecode/ModuleProgramCodeBlock.cpp:
2236         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2237         * bytecode/ModuleProgramCodeBlock.h:
2238         * bytecode/ProgramCodeBlock.cpp:
2239         (JSC::ProgramCodeBlock::destroy): Deleted.
2240         * bytecode/ProgramCodeBlock.h:
2241         * interpreter/Interpreter.cpp:
2242         (JSC::Interpreter::execute):
2243         * runtime/VM.cpp:
2244         (JSC::VM::VM):
2245         * runtime/VM.h:
2246         (JSC::VM::forEachCodeBlockSpace):
2247
2248 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2249
2250         Unreviewed, follow-up after r240859
2251         https://bugs.webkit.org/show_bug.cgi?id=194145
2252
2253         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2254         And rename cellDangerousBitsSpace back to cellSpace.
2255
2256         * runtime/JSCellInlines.h:
2257         (JSC::JSCell::subspaceFor):
2258         * runtime/VM.cpp:
2259         (JSC::VM::VM):
2260         * runtime/VM.h:
2261
2262 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2263
2264         [JSC] Remove cellJSValueOOBSpace
2265         https://bugs.webkit.org/show_bug.cgi?id=194145
2266
2267         Reviewed by Mark Lam.
2268
2269         * runtime/JSObject.h:
2270         (JSC::JSObject::subspaceFor): Deleted.
2271         * runtime/VM.cpp:
2272         (JSC::VM::VM):
2273         * runtime/VM.h:
2274
2275 2019-01-31  Mark Lam  <mark.lam@apple.com>
2276
2277         Remove poisoning from CodeBlock and LLInt code.
2278         https://bugs.webkit.org/show_bug.cgi?id=194113
2279
2280         Reviewed by Yusuke Suzuki.
2281
2282         * bytecode/CodeBlock.cpp:
2283         (JSC::CodeBlock::CodeBlock):
2284         (JSC::CodeBlock::~CodeBlock):
2285         (JSC::CodeBlock::setConstantRegisters):
2286         (JSC::CodeBlock::propagateTransitions):
2287         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2288         (JSC::CodeBlock::jettison):
2289         (JSC::CodeBlock::predictedMachineCodeSize):
2290         * bytecode/CodeBlock.h:
2291         (JSC::CodeBlock::vm const):
2292         (JSC::CodeBlock::addConstant):
2293         (JSC::CodeBlock::heap const):
2294         (JSC::CodeBlock::replaceConstant):
2295         * llint/LLIntOfflineAsmConfig.h:
2296         * llint/LLIntSlowPaths.cpp:
2297         (JSC::LLInt::handleHostCall):
2298         (JSC::LLInt::setUpCall):
2299         * llint/LowLevelInterpreter.asm:
2300         * llint/LowLevelInterpreter32_64.asm:
2301         * llint/LowLevelInterpreter64.asm:
2302
2303 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2304
2305         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2306         https://bugs.webkit.org/show_bug.cgi?id=194107
2307
2308         Reviewed by Saam Barati.
2309
2310         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2311         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2312
2313         * CMakeLists.txt:
2314         * DerivedSources.make:
2315         * JavaScriptCore.xcodeproj/project.pbxproj:
2316         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2317         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2318         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2319         (JSC::AsyncFromSyncIteratorPrototype::create):
2320         * runtime/AsyncFromSyncIteratorPrototype.h:
2321
2322 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2323
2324         Fix `runJITThreadLimitTests` in testapi
2325         https://bugs.webkit.org/show_bug.cgi?id=194064
2326         <rdar://problem/46139147>
2327
2328         Reviewed by Mark Lam.
2329
2330         Fix typo where `targetNumberOfThreads` was not being used.
2331
2332         * API/tests/testapi.mm:
2333         (runJITThreadLimitTests):
2334
2335 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2336
2337         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2338         https://bugs.webkit.org/show_bug.cgi?id=194112
2339
2340         Reviewed by Mark Lam.
2341
2342         `testBytecodeCache` does not populate the bytecode cache for the global
2343         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2344
2345         * API/tests/testapi.mm:
2346         (testBytecodeCache):
2347
2348 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2349
2350         Unreviewed, follow-up after r240796
2351
2352         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2353         when allocating InferredValue in FunctionExecutable::finishCreation.
2354
2355         * runtime/FunctionExecutable.cpp:
2356         (JSC::FunctionExecutable::FunctionExecutable):
2357         (JSC::FunctionExecutable::finishCreation):
2358
2359 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2360
2361         [JSC] Do not use InferredValue in non-JIT configuration
2362         https://bugs.webkit.org/show_bug.cgi?id=194084
2363
2364         Reviewed by Saam Barati.
2365
2366         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2367         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2368         put a watchpoint and fold it into this constant. But if the JIT is disabled, we do not need to care about it.
2369         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2370         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2371         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2372         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2373         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2374
2375         * bytecode/ObjectAllocationProfileInlines.h:
2376         (JSC::ObjectAllocationProfile::initializeProfile):
2377         * runtime/FunctionExecutable.cpp:
2378         (JSC::FunctionExecutable::finishCreation):
2379         (JSC::FunctionExecutable::visitChildren):
2380         * runtime/FunctionExecutable.h:
2381         * runtime/InferredValue.cpp:
2382         (JSC::InferredValue::create):
2383         * runtime/JSAsyncFunction.cpp:
2384         (JSC::JSAsyncFunction::create):
2385         * runtime/JSAsyncGeneratorFunction.cpp:
2386         (JSC::JSAsyncGeneratorFunction::create):
2387         * runtime/JSFunction.cpp:
2388         (JSC::JSFunction::create):
2389         * runtime/JSFunctionInlines.h:
2390         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2391         * runtime/JSGeneratorFunction.cpp:
2392         (JSC::JSGeneratorFunction::create):
2393         * runtime/JSSymbolTableObject.h:
2394         (JSC::JSSymbolTableObject::setSymbolTable):
2395         * runtime/SymbolTable.cpp:
2396         (JSC::SymbolTable::finishCreation):
2397         * runtime/VM.cpp:
2398         (JSC::VM::VM):
2399
2400 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2401
2402         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2403         https://bugs.webkit.org/show_bug.cgi?id=194085
2404
2405         Reviewed by Yusuke Suzuki.
2406
2407         r240730 changed ud_itab.py and caused incremental build failures
2408         for Ninja builds.
2409
2410         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2411
2412 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2413
2414         [JSC] Symbol should be in destructibleCellSpace
2415         https://bugs.webkit.org/show_bug.cgi?id=194082
2416
2417         Reviewed by Saam Barati.
2418
2419         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2420         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2421         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2422         Symbol's space destructibleCellSpace to appropriately call the destructor.
2423
2424         * runtime/Symbol.h:
2425
2426 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2427
2428         Unreviewed, rolling out r240755.
2429
2430         This was not correct
2431
2432         Reverted changeset:
2433
2434         "Unreviewed, fix GCC build after r240730"
2435         https://bugs.webkit.org/show_bug.cgi?id=194041
2436         https://trac.webkit.org/changeset/240755
2437
2438 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2439
2440         Unreviewed, fix GCC build after r240730
2441         https://bugs.webkit.org/show_bug.cgi?id=194041
2442         <rdar://problem/47680981>
2443
2444         * disassembler/udis86/ud_itab.py:
2445         (UdItabGenerator.genOpcodeTablesLookupIndex):
2446
2447 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2448
2449         testapi's `testBytecodeCache` does not need to run the code twice
2450         https://bugs.webkit.org/show_bug.cgi?id=194046
2451
2452         Reviewed by Mark Lam.
2453
2454         Since we populate the cache eagerly (unlike the stress tests) we don't
2455         need to run the code twice.
2456
2457         * API/tests/testapi.mm:
2458         (testBytecodeCache):
2459
2460 2019-01-30  Saam barati  <sbarati@apple.com>
2461
2462         [WebAssembly] Change BBQ to generate Air IR
2463         https://bugs.webkit.org/show_bug.cgi?id=191802
2464         <rdar://problem/47651718>
2465
2466         Reviewed by Keith Miller.
2467
2468         This patch adds a new Wasm compiler for the BBQ tier. Instead
2469         of compiling using B3-01, we now generate Air code directly.
2470         The goal of doing this was to speed up compile times for Wasm
2471         programs.
2472         
2473         This patch provides us with a 20-30% compile time speedup. However, I
2474         have ideas on how to improve compile times even further. For example,
2475         we should probably implement a faster running register allocator:
2476         https://bugs.webkit.org/show_bug.cgi?id=194036
2477         
2478         We can also improve on the code we generate.
2479         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2480         And we should do better instruction selection in various
2481         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2482
2483         * JavaScriptCore.xcodeproj/project.pbxproj:
2484         * Sources.txt:
2485         * b3/B3LowerToAir.cpp:
2486         * b3/B3StackmapSpecial.h:
2487         * b3/air/AirCode.cpp:
2488         (JSC::B3::Air::Code::emitDefaultPrologue):
2489         * b3/air/AirCode.h:
2490         * b3/air/AirTmp.h:
2491         (JSC::B3::Air::Tmp::Tmp):
2492         * runtime/Options.h:
2493         * wasm/WasmAirIRGenerator.cpp: Added.
2494         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2495         (JSC::Wasm::TypedTmp::TypedTmp):
2496         (JSC::Wasm::TypedTmp::operator== const):
2497         (JSC::Wasm::TypedTmp::operator!= const):
2498         (JSC::Wasm::TypedTmp::operator bool const):
2499         (JSC::Wasm::TypedTmp::operator Tmp const):
2500         (JSC::Wasm::TypedTmp::operator Arg const):
2501         (JSC::Wasm::TypedTmp::tmp const):
2502         (JSC::Wasm::TypedTmp::type const):
2503         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2504         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2505         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2506         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2507         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2508         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2509         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2510         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2511         (JSC::Wasm::AirIRGenerator::emptyExpression):
2512         (JSC::Wasm::AirIRGenerator::fail const):
2513         (JSC::Wasm::AirIRGenerator::setParser):
2514         (JSC::Wasm::AirIRGenerator::toTmpVector):
2515         (JSC::Wasm::AirIRGenerator::validateInst):
2516         (JSC::Wasm::AirIRGenerator::extractArg):
2517         (JSC::Wasm::AirIRGenerator::append):
2518         (JSC::Wasm::AirIRGenerator::appendEffectful):
2519         (JSC::Wasm::AirIRGenerator::newTmp):
2520         (JSC::Wasm::AirIRGenerator::g32):
2521         (JSC::Wasm::AirIRGenerator::g64):
2522         (JSC::Wasm::AirIRGenerator::f32):
2523         (JSC::Wasm::AirIRGenerator::f64):
2524         (JSC::Wasm::AirIRGenerator::tmpForType):
2525         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2526         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2527         (JSC::Wasm::AirIRGenerator::emitCheck):
2528         (JSC::Wasm::AirIRGenerator::emitCCall):
2529         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2530         (JSC::Wasm::AirIRGenerator::instanceValue):
2531         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2532         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2533         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2534         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2535         (JSC::Wasm::AirIRGenerator::emitThrowException):
2536         (JSC::Wasm::AirIRGenerator::addLocal):
2537         (JSC::Wasm::AirIRGenerator::addConstant):
2538         (JSC::Wasm::AirIRGenerator::addArguments):
2539         (JSC::Wasm::AirIRGenerator::getLocal):
2540         (JSC::Wasm::AirIRGenerator::addUnreachable):
2541         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2542         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2543         (JSC::Wasm::AirIRGenerator::setLocal):
2544         (JSC::Wasm::AirIRGenerator::getGlobal):
2545         (JSC::Wasm::AirIRGenerator::setGlobal):
2546         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2547         (JSC::Wasm::sizeOfLoadOp):
2548         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2549         (JSC::Wasm::AirIRGenerator::load):
2550         (JSC::Wasm::sizeOfStoreOp):
2551         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2552         (JSC::Wasm::AirIRGenerator::store):
2553         (JSC::Wasm::AirIRGenerator::addSelect):
2554         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2555         (JSC::Wasm::AirIRGenerator::addLoop):
2556         (JSC::Wasm::AirIRGenerator::addTopLevel):
2557         (JSC::Wasm::AirIRGenerator::addBlock):
2558         (JSC::Wasm::AirIRGenerator::addIf):
2559         (JSC::Wasm::AirIRGenerator::addElse):
2560         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2561         (JSC::Wasm::AirIRGenerator::addReturn):
2562         (JSC::Wasm::AirIRGenerator::addBranch):
2563         (JSC::Wasm::AirIRGenerator::addSwitch):
2564         (JSC::Wasm::AirIRGenerator::endBlock):
2565         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2566         (JSC::Wasm::AirIRGenerator::addCall):
2567         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2568         (JSC::Wasm::AirIRGenerator::unify):
2569         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2570         (JSC::Wasm::AirIRGenerator::dump):
2571         (JSC::Wasm::AirIRGenerator::origin):
2572         (JSC::Wasm::parseAndCompileAir):
2573         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2574         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2575         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2576         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2577         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2578         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2579         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2580         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2581         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2582         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2583         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2584         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2585         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2586         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2587         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2588         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2589         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2590         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2591         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2592         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2593         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2594         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2595         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2596         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2597         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2598         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2599         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2600         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2601         (JSC::Wasm::AirIRGenerator::addShift):
2602         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2603         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2604         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2605         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2606         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2607         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2608         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2609         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2610         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2611         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2612         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2613         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2614         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2615         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2616         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2617         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2618         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2619         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2620         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2621         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2622         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2623         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2624         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2625         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2626         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2627         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2628         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2629         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2630         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2631         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2632         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2633         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2634         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2635         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2636         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2637         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2638         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2639         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2640         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2641         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2642         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2643         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2644         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2645         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2646         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2647         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2648         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2649         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2650         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2651         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2652         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2653         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2654         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2655         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2656         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2657         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2658         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2659         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2660         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2661         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2662         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2663         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2664         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2665         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2666         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2667         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2668         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2669         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2670         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2671         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2672         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2673         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2674         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2675         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2676         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2677         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2678         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2679         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2680         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2681         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2682         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2683         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2684         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2685         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2686         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2687         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2688         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2689         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2690         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2691         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2692         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2693         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2694         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2695         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2696         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2697         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2698         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2699         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2700         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2701         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2702         * wasm/WasmAirIRGenerator.h: Added.
2703         * wasm/WasmB3IRGenerator.cpp:
2704         (JSC::Wasm::B3IRGenerator::emptyExpression):
2705         * wasm/WasmBBQPlan.cpp:
2706         (JSC::Wasm::BBQPlan::compileFunctions):
2707         * wasm/WasmCallingConvention.cpp:
2708         (JSC::Wasm::jscCallingConventionAir):
2709         (JSC::Wasm::wasmCallingConventionAir):
2710         * wasm/WasmCallingConvention.h:
2711         (JSC::Wasm::CallingConvention::CallingConvention):
2712         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2713         (JSC::Wasm::CallingConvention::marshallArgument const):
2714         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2715         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2716         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2717         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2718         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2719         (JSC::Wasm::CallingConventionAir::loadArguments const):
2720         (JSC::Wasm::CallingConventionAir::setupCall const):
2721         (JSC::Wasm::nextJSCOffset):
2722         * wasm/WasmFunctionParser.h:
2723         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2724         * wasm/WasmValidate.cpp:
2725         (JSC::Wasm::Validate::emptyExpression):
2726
2727 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2728
2729         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2730         https://bugs.webkit.org/show_bug.cgi?id=194050
2731         <rdar://problem/47595592>
2732
2733         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2734         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2735
2736         Reviewed by Yusuke Suzuki.
2737
2738         * ftl/FTLOperations.cpp:
2739         (JSC::FTL::operationMaterializeObjectInOSR):
2740
2741 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2742
2743         Remove assertion that CachedSymbolTables should have no RareData
2744         https://bugs.webkit.org/show_bug.cgi?id=194037
2745
2746         Reviewed by Mark Lam.
2747
2748         It turns out that we don't need to cache the SymbolTableRareData and
2749         we should not assert that it's empty.
2750
2751         * runtime/CachedTypes.cpp:
2752         (JSC::CachedSymbolTable::encode):
2753
2754 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2755
2756         CachedBytecode's move constructor should not call `freeDataIfOwned`
2757         https://bugs.webkit.org/show_bug.cgi?id=194045
2758
2759         Reviewed by Mark Lam.
2760
2761         That might result in freeing a garbage value
2762
2763         * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):
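
        The pitfall behind this entry, as an added example that is not the WebKit patch itself: a move constructor
        must not call a "free if owned" helper, because at that point the new object's own members are still
        indeterminate, and a stale bit pattern that happens to look "owned" sends a garbage pointer to free().
        The class below is a hypothetical owning-or-borrowing buffer (names are my own); the helper is only
        invoked from move assignment and the destructor, where the members are known to be initialized.

```cpp
#include <cstddef>
#include <cstdlib>
#include <utility>

// Hypothetical stand-in for a cached-bytecode blob: it either owns a malloc'd
// buffer (and must free it) or borrows one (and must never free it).
class OwnedOrBorrowedBuffer {
public:
    static int freeCount; // how many times memory was released (for the demo)

    OwnedOrBorrowedBuffer() = default;
    explicit OwnedOrBorrowedBuffer(size_t size)
        : m_data(std::malloc(size)), m_size(size), m_owned(true) { }
    OwnedOrBorrowedBuffer(const void* borrowed, size_t size)
        : m_data(const_cast<void*>(borrowed)), m_size(size), m_owned(false) { }

    // Correct move construction: the member-initializer list defines this
    // object's state directly from the source and empties the source, so the
    // source's destructor later frees nothing. No freeDataIfOwned() here:
    // there is nothing of ours to free yet, and reading m_owned/m_data before
    // they are initialized would be undefined behaviour.
    OwnedOrBorrowedBuffer(OwnedOrBorrowedBuffer&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false)) { }

    // Move assignment is where freeDataIfOwned() belongs: the left-hand side
    // is a fully constructed object whose current buffer must be released.
    OwnedOrBorrowedBuffer& operator=(OwnedOrBorrowedBuffer&& other) noexcept {
        if (this != &other) {
            freeDataIfOwned();
            m_data  = std::exchange(other.m_data, nullptr);
            m_size  = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    OwnedOrBorrowedBuffer(const OwnedOrBorrowedBuffer&) = delete;
    OwnedOrBorrowedBuffer& operator=(const OwnedOrBorrowedBuffer&) = delete;

    ~OwnedOrBorrowedBuffer() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    // Safe only on a fully initialized object.
    void freeDataIfOwned() {
        if (m_owned && m_data) {
            std::free(m_data);
            ++freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

int OwnedOrBorrowedBuffer::freeCount = 0;

// Moves an owned buffer twice; exactly one free must happen, when the final
// owner goes out of scope. Returns -1 if ownership was not transferred cleanly.
int moveTwiceAndCountFrees() {
    OwnedOrBorrowedBuffer::freeCount = 0;
    {
        OwnedOrBorrowedBuffer a(64);
        OwnedOrBorrowedBuffer b(std::move(a));   // a now owns nothing
        OwnedOrBorrowedBuffer c;
        c = std::move(b);                        // b now owns nothing
        if (a.owned() || b.owned() || !c.owned()) return -1;
    }
    return OwnedOrBorrowedBuffer::freeCount;
}

// Borrowed memory must never be freed, however many times it is moved.
int moveBorrowedAndCountFrees() {
    static const unsigned char blob[16] = { 0 }; // constructed sample input
    OwnedOrBorrowedBuffer::freeCount = 0;
    {
        OwnedOrBorrowedBuffer a(blob, sizeof blob);
        OwnedOrBorrowedBuffer b(std::move(a));
    }
    return OwnedOrBorrowedBuffer::freeCount;
}
```

        Running moveTwiceAndCountFrees() yields 1 and moveBorrowedAndCountFrees() yields 0; the same class with
        freeDataIfOwned() called from the move constructor would be a latent invalid free that only shows up when
        the stack happens to contain the right garbage.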
2765
2766 2019-01-30  Keith Miller  <keith_miller@apple.com>
2767
2768         mul32 should convert powers of 2 to an lshift
2769         https://bugs.webkit.org/show_bug.cgi?id=193957
2770
2771         Reviewed by Yusuke Suzuki.
2772
2773         * assembler/MacroAssembler.h:
2774         (JSC::MacroAssembler::mul32):
2775         * assembler/testmasm.cpp:
2776         (JSC::int32Operands):
2777         (JSC::testMul32WithImmediates):
2778         (JSC::run):
2779
2780 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2781
2782         [JSC] Make disassembler data structures constant read-only data
2783         https://bugs.webkit.org/show_bug.cgi?id=194041
2784
2785         Reviewed by Mark Lam.
2786
        A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2788         This patch makes them "const".
2789
2790         * disassembler/ARM64/A64DOpcode.cpp:
2791         * disassembler/udis86/ud_itab.py:
2792         (UdItabGenerator.genOpcodeTablesLookupIndex):
2793         (UdItabGenerator.genInsnTable):
2794         (UdItabGenerator.genMnemonicsList):
2795         (genItabH):
2796         * disassembler/udis86/udis86_decode.h:
2797         * disassembler/udis86/udis86_syn.c:
2798         * disassembler/udis86/udis86_syn.h:
2799         * disassembler/udis86/udis86_types.h:
2800
2801 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2802
2803         Unreviewed, update the builtin test results
2804         https://bugs.webkit.org/show_bug.cgi?id=194015
2805
2806         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2807         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2808         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2809         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2810         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2811         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2812         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2813         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2814         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2815         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2816         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2817         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2818         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2819
2820 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2821
2822         [JSC] Make global static variables "const" as much as possible
2823         https://bugs.webkit.org/show_bug.cgi?id=194015
2824
2825         Reviewed by Mark Lam.
2826
        Some global static variables are not "const". For example, `static const char* name = ...`
        is not a constant variable. We should make it `static const char* const name = ...`.
2829
2830         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2831         (generate_externs_for_object):
2832         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2833         (generate_externs_for_object):
2834         * Scripts/wkbuiltins/builtins_generator.py:
2835         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2836         * assembler/MacroAssembler.h:
2837         (JSC::MacroAssembler::additionBlindedConstant):
2838         * b3/air/AirFormTable.h:
2839         * b3/air/opcode_generator.rb:
2840         * runtime/JSObject.cpp:
2841         (JSC::JSObject::visitButterfly):
2842         * tools/CodeProfile.cpp:
2843         * tools/CodeProfile.h:
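
        A way to check the effect described in this entry and in the disassembler-tables entry above, as an added
        example that is not WebKit code: on Linux, look up the page that holds a global in /proc/self/maps and read
        its permission bits. A `const char*` is a writable pointer to immutable characters and lands in .data, while
        `const char* const` and a const data table can be placed in read-only memory. The names below are
        hypothetical. One caveat the check makes visible: under a PIE build a const pointer that needs a relocation
        goes to .data.rel.ro rather than .rodata, and that section only becomes read-only after the loader applies
        relocations with RELRO enabled, so the pointer case is reported but not asserted on.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <string>

// Hypothetical stand-ins for disassembler-style lookup tables.
const char* g_mnemonic_ptr = "add";              // pointer itself is writable data
const char* const g_mnemonic_const_ptr = "sub";  // pointer can be made read-only
uint16_t g_opcode_table[4] = { 1, 2, 3, 4 };      // mutable table: .data
const uint16_t g_opcode_table_ro[4] = { 1, 2, 3, 4 }; // const table: .rodata

// Returns 1 if the mapping containing addr is writable, 0 if it is not,
// -1 if no mapping was found or /proc/self/maps is unavailable (non-Linux).
int mappingIsWritable(const void* addr) {
    std::ifstream maps("/proc/self/maps");
    if (!maps) return -1;
    uintptr_t target = reinterpret_cast<uintptr_t>(addr);
    std::string line;
    while (std::getline(maps, line)) {
        unsigned long long lo = 0, hi = 0;
        char perms[5] = { 0 };
        // Each line starts "lo-hi perms", e.g. "55d8c2a00000-55d8c2a01000 r--p ..."
        if (std::sscanf(line.c_str(), "%llx-%llx %4s", &lo, &hi, perms) != 3) continue;
        if (target >= lo && target < hi) return perms[1] == 'w' ? 1 : 0;
    }
    return -1;
}

int mutablePtrWritable()   { return mappingIsWritable(&g_mnemonic_ptr); }
int constPtrWritable()     { return mappingIsWritable(&g_mnemonic_const_ptr); }
int mutableTableWritable() { return mappingIsWritable(g_opcode_table); }
int constTableWritable()   { return mappingIsWritable(g_opcode_table_ro); }

int main() {
    std::printf("const char* g_mnemonic_ptr        writable=%d\n", mutablePtrWritable());
    std::printf("const char* const g_mnemonic_..   writable=%d (0 once RELRO/.rodata applies)\n", constPtrWritable());
    std::printf("uint16_t g_opcode_table[]         writable=%d\n", mutableTableWritable());
    std::printf("const uint16_t g_opcode_table_ro[] writable=%d\n", constTableWritable());
    return 0;
}
```

        The security-relevant point is the table case: a pointer or handler table left in .data is a classic target
        for a write primitive, and a single missing `const` is all that keeps it out of the read-only segment.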
2844
2845 2019-01-29  Keith Miller  <keith_miller@apple.com>
2846
2847         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2848         https://bugs.webkit.org/show_bug.cgi?id=194000
2849         <rdar://problem/47642894>
2850
2851         Reviewed by Mark Lam.
2852
        The default constructor is unused, and
        LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
        data member, which causes sadness.
2856
2857         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2858
2859 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2860
2861         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2862
2863         Rubber-stamped by Yusuke Suzuki.
2864
2865         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2866
2867         * parser/Parser.h:
2868         (JSC::Parser::declareHoistedVariable):
2869
2870 2019-01-29  Mark Lam  <mark.lam@apple.com>
2871
2872         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2873         https://bugs.webkit.org/show_bug.cgi?id=132333
2874
2875         Reviewed by Yusuke Suzuki.
2876
2877         * bytecode/InstructionStream.h:
2878         (JSC::InstructionStreamWriter::write):
        - The 32-bit write() function need not invert the order of the bytes written to
          the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
          be written is already in big-endian order on CPU(BIG_ENDIAN) platforms.
2882
2883         * llint/LLIntOfflineAsmConfig.h:
2884         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2885
2886 2019-01-29  Mark Lam  <mark.lam@apple.com>
2887
2888         ValueRecovery::recover() should purify NaN values it recovers.
2889         https://bugs.webkit.org/show_bug.cgi?id=193978
2890         <rdar://problem/47625488>
2891
2892         Reviewed by Saam Barati.
2893
2894         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
2895         recovered DoubleDisplacedInJSStack values need to be purified.
2896         ValueRecovery::recover() should do the same.
2897
2898         * bytecode/ValueRecovery.cpp:
2899         (JSC::ValueRecovery::recover const):
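
        Why recovered doubles need purifying, as an added example that is not JSC code: a 64-bit NaN-boxing VM
        tells cell pointers, Int32 and doubles apart by the top bits of one word, so a NaN with an arbitrary
        payload can encode to a word the VM reads back as a pointer. The constants below follow the scheme
        documented in JSC's JSCJSValue.h as I remember it (double encode offset 2^49, number tag 0xfffe...);
        treat the exact values as an assumption and the hostile bit pattern as constructed input.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

namespace nanbox {

// Assumed to match JSCJSValue.h; verify against the tree you are reading.
constexpr uint64_t kDoubleEncodeOffset = uint64_t(1) << 49;     // 0x0002000000000000
constexpr uint64_t kNumberTag          = 0xfffe000000000000ULL; // top 15 bits set => Int32
constexpr uint64_t kCanonicalNaNBits   = 0x7ff8000000000000ULL; // the one NaN the VM stores

enum class Kind { Cell, Int32, Double };

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double   fromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// purifyNaN: every NaN payload collapses onto the canonical pattern; anything
// that is not a NaN (including infinities and -0.0) passes through untouched.
inline double purifyNaN(double d) { return d != d ? fromBits(kCanonicalNaNBits) : d; }

// Adding the offset pushes every *ordinary* double out of the ranges reserved
// for cell pointers (top 16 bits zero) and Int32 (kNumberTag set).
inline uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// How the VM reads a word back: only the top bits are consulted, so a double
// whose bits collide with a tag range is silently reinterpreted.
inline Kind classify(uint64_t encoded) {
    if ((encoded & kNumberTag) == kNumberTag) return Kind::Int32;
    if (encoded & kNumberTag) return Kind::Double;
    return Kind::Cell;
}

// Constructed input: sign set, exponent all ones, non-zero mantissa with the
// quiet bit set. A perfectly valid quiet NaN under IEEE 754, yet
// 0xfffe000000001000 + 2^49 wraps to 0x0000000000001000, a "cell" at 0x1000.
constexpr uint64_t kHostileNaNBits = 0xfffe000000001000ULL;

inline bool isNaNBits(uint64_t b) {
    return ((b >> 52) & 0x7ff) == 0x7ff && (b & 0xfffffffffffffULL) != 0;
}

// Kind the VM would decode for the raw value versus the purified value.
inline Kind decodeRaw(uint64_t bits)      { return classify(encodeDouble(fromBits(bits))); }
inline Kind decodePurified(uint64_t bits) { return classify(encodeDouble(purifyNaN(fromBits(bits)))); }

} // namespace nanbox

int main() {
    using namespace nanbox;
    std::printf("hostile NaN, raw:      kind=%d encoded=0x%016llx\n",
                int(decodeRaw(kHostileNaNBits)),
                (unsigned long long)encodeDouble(fromBits(kHostileNaNBits)));
    std::printf("hostile NaN, purified: kind=%d encoded=0x%016llx\n",
                int(decodePurified(kHostileNaNBits)),
                (unsigned long long)encodeDouble(purifyNaN(fromBits(kHostileNaNBits))));
    return 0;
}
```

        The raw path classifies the hostile NaN as a cell (encoded word 0x1000), the purified path as a double
        (encoded word 0x7ffa000000000000). Any place that reconstructs a double from raw bits, including an OSR
        exit recovering a DoubleDisplacedInJSStack slot, has to purify before boxing for exactly this reason.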
2900
2901 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
2902
2903         [JSC] FTL should handle LocalAllocator*
2904         https://bugs.webkit.org/show_bug.cgi?id=193980
2905
2906         Reviewed by Saam Barati.
2907
        At some point, Allocator started holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
        because the FTL still uses the incoming value as a 32-bit integer there.
2910
2911         * ftl/FTLLowerDFGToB3.cpp:
2912         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2913
2914 2019-01-29  Keith Rollin  <krollin@apple.com>
2915
2916         Add .xcfilelists to Run Script build phases
2917         https://bugs.webkit.org/show_bug.cgi?id=193792
2918         <rdar://problem/47201785>
2919
2920         Reviewed by Alex Christensen.
2921
2922         As part of supporting XCBuild, update the necessary Run Script build
2923         phases in their Xcode projects to refer to their associated
2924         .xcfilelist files.
2925
2926         Note that the addition of these files bumps the Xcode project version
2927         number to something that's Xcode 10 compatible. This change means that
        older versions of the Xcode IDE can't read these projects. Nor can they
2929         fully load workspaces that refer to these projects (the updated
2930         projects are shown as non-expandable placeholders). `xcodebuild` can
2931         still build these projects; it's just that the IDE can't open them.
2932
2933         * JavaScriptCore.xcodeproj/project.pbxproj:
2934
2935 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
2936
2937         [ARM] Check for negative zero instead of just zero
2938         https://bugs.webkit.org/show_bug.cgi?id=193689
2939
2940         Reviewed by Mark Lam.
2941
2942         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
2943         of just bailing out for zero.
2944
2945         * assembler/MacroAssemblerARMv7.h:
2946         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
2947
2948 2019-01-28  Devin Rousso  <drousso@apple.com>
2949
2950         Web Inspector: provide a way to edit page WebRTC settings on a remote target
2951         https://bugs.webkit.org/show_bug.cgi?id=193863
2952         <rdar://problem/47572764>
2953
2954         Reviewed by Joseph Pecoraro.
2955
2956         * inspector/protocol/Page.json:
2957         Add more values to the `Setting` enum type:
2958          - `ICECandidateFilteringEnabled`
2959          - `MediaCaptureRequiresSecureConnection`
2960          - `MockCaptureDevicesEnabled`
2961
2962 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
2963
2964         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
2965         https://bugs.webkit.org/show_bug.cgi?id=193941
2966
2967         Reviewed by Alex Christensen.
2968
2969         * API/JSWeakObjectMapRefPrivate.cpp:
2970         * bytecompiler/NodesCodegen.cpp:
2971         * heap/MachineStackMarker.cpp:
2972         * jit/ExecutableAllocator.cpp:
2973         * jsc.cpp:
2974         * parser/Nodes.cpp:
2975         * runtime/DateConstructor.cpp:
2976         * runtime/DateConversion.cpp:
2977         * runtime/DateInstance.cpp:
2978         * runtime/DatePrototype.cpp:
2979         * runtime/InitializeThreading.cpp:
2980         * runtime/IteratorOperations.cpp:
2981         * runtime/JSDateMath.cpp:
2982         * runtime/JSGlobalObjectFunctions.cpp:
2983         * runtime/StringPrototype.cpp:
2984         * runtime/VM.cpp:
2985         * testRegExp.cpp:
2986         * tools/JSDollarVM.cpp:
2987         * yarr/YarrInterpreter.cpp:
2988         * yarr/YarrJIT.cpp:
2989         * yarr/YarrPattern.cpp:
2990         * yarr/YarrUnicodeProperties.cpp:
2991
2992 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2993
2994         [JSC] Reduce size of memory used for ShadowChicken
2995         https://bugs.webkit.org/show_bug.cgi?id=193546
2996
2997         Reviewed by Mark Lam.
2998
        This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3000         The removal of ShadowChicken saves 55KB memory.
3001
3002         * debugger/DebuggerCallFrame.cpp:
3003         (JSC::DebuggerCallFrame::create):
3004         * ftl/FTLLowerDFGToB3.cpp:
3005         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3006         * heap/Heap.cpp:
3007         (JSC::Heap::stopThePeriphery):
3008         (JSC::Heap::addCoreConstraints):
3009         * jit/CCallHelpers.cpp:
3010         (JSC::CCallHelpers::ensureShadowChickenPacket):
3011         * jit/JITExceptions.cpp:
3012         (JSC::genericUnwind):
3013         * jit/JITOpcodes.cpp:
3014         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3015         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3016         * jit/JITOpcodes32_64.cpp:
3017         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3018         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3019         * jit/JITOperations.cpp:
3020         * llint/LLIntSlowPaths.cpp:
3021         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3022         * runtime/JSGlobalObject.cpp:
3023         (JSC::JSGlobalObject::setDebugger):
3024         * runtime/JSGlobalObject.h:
3025         (JSC::JSGlobalObject::setDebugger): Deleted.
3026         * runtime/VM.cpp:
3027         (JSC::VM::VM):
3028         (JSC::VM::ensureShadowChicken):
3029         * runtime/VM.h:
3030         (JSC::VM::shadowChicken):
3031         * tools/JSDollarVM.cpp:
3032         (JSC::functionShadowChickenFunctionsOnStack):
3033         (JSC::changeDebuggerModeWhenIdle):
3034
3035 2019-01-28  Andy Estes  <aestes@apple.com>
3036
3037         [watchOS] Enable Parental Controls content filtering
3038         https://bugs.webkit.org/show_bug.cgi?id=193939
3039         <rdar://problem/46641912>
3040
3041         Reviewed by Ryosuke Niwa.
3042
3043         * Configurations/FeatureDefines.xcconfig:
3044
3045 2019-01-28  Mark Lam  <mark.lam@apple.com>
3046
3047         ToString node actually does GC.
3048         https://bugs.webkit.org/show_bug.cgi?id=193920
3049         <rdar://problem/46695900>
3050
3051         Reviewed by Yusuke Suzuki.
3052
3053         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3054         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3055
3056         * dfg/DFGDoesGC.cpp:
3057         (JSC::DFG::doesGC):
3058
3059 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3060
3061         [JSC] RegExpConstructor should not have own IsoSubspace
3062         https://bugs.webkit.org/show_bug.cgi?id=193801
3063
3064         Reviewed by Mark Lam.
3065
        This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
        sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
        regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
        it from RegExpConstructor members.
3070
3071         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3072         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3073         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3074
        We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3076
3077         * CMakeLists.txt:
3078         * JavaScriptCore.xcodeproj/project.pbxproj:
3079         * Sources.txt:
3080         * dfg/DFGOperations.cpp:
3081         * dfg/DFGSpeculativeJIT.cpp:
3082         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3083         * dfg/DFGStrengthReductionPhase.cpp:
3084         (JSC::DFG::StrengthReductionPhase::handleNode):
3085         * ftl/FTLAbstractHeapRepository.cpp:
3086         * ftl/FTLAbstractHeapRepository.h:
3087         * ftl/FTLLowerDFGToB3.cpp:
3088         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3089         * runtime/JSGlobalObject.cpp:
3090         (JSC::JSGlobalObject::init):
3091         (JSC::JSGlobalObject::visitChildren):
3092         * runtime/JSGlobalObject.h:
3093         (JSC::JSGlobalObject::regExpGlobalData):
3094         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3095         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3096         * runtime/RegExpCache.cpp:
3097         (JSC::RegExpCache::initialize):
3098         * runtime/RegExpCache.h:
3099         (JSC::RegExpCache::emptyRegExp const):
3100         * runtime/RegExpCachedResult.cpp:
3101         (JSC::RegExpCachedResult::visitAggregate):
3102         (JSC::RegExpCachedResult::visitChildren): Deleted.
3103         * runtime/RegExpCachedResult.h:
3104         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3105         * runtime/RegExpConstructor.cpp:
3106         (JSC::RegExpConstructor::RegExpConstructor):
3107         (JSC::regExpConstructorDollar):
3108         (JSC::regExpConstructorInput):
3109         (JSC::regExpConstructorMultiline):
3110         (JSC::regExpConstructorLastMatch):
3111         (JSC::regExpConstructorLastParen):
3112         (JSC::regExpConstructorLeftContext):
3113         (JSC::regExpConstructorRightContext):
3114         (JSC::setRegExpConstructorInput):
3115         (JSC::setRegExpConstructorMultiline):
3116         (JSC::RegExpConstructor::destroy): Deleted.
3117         (JSC::RegExpConstructor::visitChildren): Deleted.
3118         (JSC::RegExpConstructor::getBackref): Deleted.
3119         (JSC::RegExpConstructor::getLastParen): Deleted.
3120         (JSC::RegExpConstructor::getLeftContext): Deleted.
3121         (JSC::RegExpConstructor::getRightContext): Deleted.
3122         * runtime/RegExpConstructor.h:
3123         (JSC::RegExpConstructor::performMatch): Deleted.
3124         (JSC::RegExpConstructor::recordMatch): Deleted.
3125         * runtime/RegExpGlobalData.cpp: Added.
3126         (JSC::RegExpGlobalData::visitAggregate):
3127         (JSC::RegExpGlobalData::getBackref):
3128         (JSC::RegExpGlobalData::getLastParen):
3129         (JSC::RegExpGlobalData::getLeftContext):
3130         (JSC::RegExpGlobalData::getRightContext):
3131         * runtime/RegExpGlobalData.h: Added.
3132         (JSC::RegExpGlobalData::cachedResult):
3133         (JSC::RegExpGlobalData::setMultiline):
3134         (JSC::RegExpGlobalData::multiline const):
3135         (JSC::RegExpGlobalData::input):
3136         (JSC::RegExpGlobalData::offsetOfCachedResult):
3137         * runtime/RegExpGlobalDataInlines.h: Added.
3138         (JSC::RegExpGlobalData::setInput):
3139         (JSC::RegExpGlobalData::performMatch):
3140         (JSC::RegExpGlobalData::recordMatch):
3141         * runtime/RegExpObject.cpp:
3142         (JSC::RegExpObject::matchGlobal):
3143         * runtime/RegExpObjectInlines.h:
3144         (JSC::RegExpObject::execInline):
3145         (JSC::RegExpObject::matchInline):
3146         (JSC::collectMatches):
3147         * runtime/RegExpPrototype.cpp:
3148         (JSC::RegExpPrototype::finishCreation):
3149         (JSC::regExpProtoFuncSearchFast):
3150         (JSC::RegExpPrototype::visitChildren): Deleted.
3151         * runtime/RegExpPrototype.h:
3152         * runtime/StringPrototype.cpp:
3153         (JSC::removeUsingRegExpSearch):
3154         (JSC::replaceUsingRegExpSearch):
3155         * runtime/VM.cpp:
3156         (JSC::VM::VM):
3157         * runtime/VM.h:
3158
3159 2018-12-15  Darin Adler  <darin@apple.com>
3160
3161         Replace many uses of String::format with more type-safe alternatives
3162         https://bugs.webkit.org/show_bug.cgi?id=192742
3163
3164         Reviewed by Mark Lam.
3165
3166         * inspector/InjectedScriptBase.cpp:
3167         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3168         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3169         * inspector/InspectorBackendDispatcher.cpp:
3170         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3171         * inspector/agents/InspectorConsoleAgent.cpp:
3172         (Inspector::InspectorConsoleAgent::enable): Ditto.
3173         * jsc.cpp:
3174         (FunctionJSCStackFunctor::operator() const): Ditto.
3175
3176         * runtime/CodeCache.cpp:
3177         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3178         using String::number.
3179
3180         * runtime/IntlDateTimeFormat.cpp:
3181         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3182         * runtime/IntlObject.cpp:
3183         (JSC::canonicalizeLocaleList): Ditto.
3184
3185 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3186
3187         AX: Introduce a static accessibility tree
3188         https://bugs.webkit.org/show_bug.cgi?id=193348
3189         <rdar://problem/47203295>
3190
3191         Reviewed by Ryosuke Niwa.
3192
3193         * Configurations/FeatureDefines.xcconfig:
3194
3195 2019-01-26  Devin Rousso  <drousso@apple.com>
3196
3197         Web Inspector: provide a way to edit the user agent of a remote target
3198         https://bugs.webkit.org/show_bug.cgi?id=193862
3199         <rdar://problem/47359292>
3200
3201         Reviewed by Joseph Pecoraro.
3202
3203         * inspector/protocol/Page.json:
3204         Add `overrideUserAgent` command.
3205
3206 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3207
3208         [JSC] NativeErrorConstructor should not have own IsoSubspace
3209         https://bugs.webkit.org/show_bug.cgi?id=193713
3210
3211         Reviewed by Saam Barati.
3212
        This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3214         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
        threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3216         offer some function instead of exposing TypeError constructor in the future, and remove this @TypeError reference. This change removes
3217         IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
3218         referenced.
3219
3220         * CMakeLists.txt:
3221         * JavaScriptCore.xcodeproj/project.pbxproj:
3222         * Sources.txt:
3223         * builtins/BuiltinNames.h:
3224         * interpreter/Interpreter.h:
3225         * runtime/Error.cpp:
3226         (JSC::createEvalError):
3227         (JSC::createRangeError):
3228         (JSC::createReferenceError):
3229         (JSC::createSyntaxError):
3230         (JSC::createTypeError):
3231         (JSC::createURIError):
3232         (WTF::printInternal): Deleted.
3233         * runtime/Error.h:
3234         * runtime/ErrorPrototype.cpp:
3235         (JSC::ErrorPrototype::create):
3236         (JSC::ErrorPrototype::finishCreation):
3237         * runtime/ErrorPrototype.h:
3238         (JSC::ErrorPrototype::create): Deleted.
3239         * runtime/ErrorType.cpp: Added.
3240         (JSC::errorTypeName):
3241         (WTF::printInternal):
3242         * runtime/ErrorType.h: Added.
3243         * runtime/JSGlobalObject.cpp:
3244         (JSC::JSGlobalObject::initializeErrorConstructor):
3245         (JSC::JSGlobalObject::init):
3246         (JSC::JSGlobalObject::visitChildren):
3247         * runtime/JSGlobalObject.h:
3248         (JSC::JSGlobalObject::internalPromiseConstructor const):
3249         (JSC::JSGlobalObject::errorStructure const):
3250         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3251         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3252         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3253         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3254         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3255         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3256         * runtime/NativeErrorConstructor.cpp:
3257         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3258         (JSC::NativeErrorConstructorBase::finishCreation):
3259         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3260         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3261         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3262         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3263         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3264         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3265         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3266         * runtime/NativeErrorConstructor.h:
3267         (JSC::NativeErrorConstructorBase::createStructure):
3268         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3269         * runtime/NativeErrorPrototype.cpp:
3270         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3271         * runtime/NativeErrorPrototype.h:
3272         * runtime/VM.cpp:
3273         (JSC::VM::VM):
3274         * runtime/VM.h:
3275         * wasm/js/WasmToJS.cpp:
3276         (JSC::Wasm::handleBadI64Use):
3277
3278 2019-01-25  Devin Rousso  <drousso@apple.com>
3279
3280         Web Inspector: provide a way to edit page settings on a remote target
3281         https://bugs.webkit.org/show_bug.cgi?id=193813
3282         <rdar://problem/47359510>
3283
3284         Reviewed by Joseph Pecoraro.
3285
3286         * inspector/protocol/Page.json:
3287         Add `overrideSetting` command with supporting `Setting` enum type.
3288
3289 2019-01-25  Keith Rollin  <krollin@apple.com>
3290
3291         Update Xcode projects with "Check .xcfilelists" build phase
3292         https://bugs.webkit.org/show_bug.cgi?id=193790
3293         <rdar://problem/47201374>
3294
3295         Reviewed by Alex Christensen.
3296
3297         Support for XCBuild includes specifying inputs and outputs to various
3298         Run Script build phases. These inputs and outputs are specified as
3299         .xcfilelist files. Once created, these .xcfilelist files need to be
3300         kept up-to-date. In order to check that they are up-to-date or not,
3301         add an Xcode build step that invokes an external script that performs
3302         the checking. If the .xcfilelists are found to be out-of-date, update
3303         them, halt the build, and instruct the developer to restart the build
3304         with up-to-date files.
3305
3306         At this time, the checking and regenerating is performed only if the
3307         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3308         who want to use this facility can set this variable and test out the
3309         checking/regenerating. Once it seems like there are no egregious
3310         issues that upset a developer's workflow, we'll unconditionally enable
3311         this facility.
3312
3313         * JavaScriptCore.xcodeproj/project.pbxproj:
3314         * Scripts/check-xcfilelists.sh: Added.
3315
3316 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3317
3318         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3319         https://bugs.webkit.org/show_bug.cgi?id=193796
3320         <rdar://problem/47532910>
3321
3322         Reviewed by Devin Rousso.
3323
3324         * runtime/SamplingProfiler.cpp:
3325         (JSC::SamplingProfiler::machThread):
3326         * runtime/SamplingProfiler.h:
3327         Expose the mach_port_t of the SamplingProfiler thread
3328         so it can be tested against later.
3329
3330 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3331
3332         Fix Windows build after r240511
3333
3334         * bytecode/UnlinkedFunctionExecutable.cpp:
3335         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3336
3337 2019-01-25  Keith Rollin  <krollin@apple.com>
3338
3339         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3340         https://bugs.webkit.org/show_bug.cgi?id=193781
3341         <rdar://problem/47201153>
3342
3343         Reviewed by Alex Christensen.
3344
3345         Part of generating the .xcfilelists used as part of adopting XCBuild
3346         includes running `make DerivedSources.make` from a standalone script.
3347         It’s important for this invocation to have the same environment as
3348         when the actual build invokes `make DerivedSources.make`. If the
3349         environments are different, then the two invocations will provide
3350         different results. In order to get the same environment in the
3351         standalone script, have the script launch xcodebuild targeting the
3352         "Apply Configuration to XCFileLists" build target, which will then
3353         re-invoke our standalone script. The script is now running again, this
3354         time in an environment with all workspace, project, target, xcconfig
3355         and other environment variables established.
3356
3357         The "Apply Configuration to XCFileLists" build target accomplishes
3358         this task via a small embedded shell script that consists only of:
3359
3360             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3361
3362         The process that invokes "Apply Configuration to XCFileLists" first
3363         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3364         evaluated and exports it into the shell environment. When xcodebuild
3365         is invoked, it inherits the value of this variable and can `eval` the
3366         contents of that variable. Our external standalone script can then set
3367         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3368         of command-line parameters needed to restart itself in the appropriate
3369         state.
3370
3371         * JavaScriptCore.xcodeproj/project.pbxproj:
3372
3373 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3374
3375         Add API to generate and consume cached bytecode
3376         https://bugs.webkit.org/show_bug.cgi?id=193401
3377         <rdar://problem/47514099>
3378
3379         Reviewed by Keith Miller.
3380
3381         Add the `generateBytecode` and `generateModuleBytecode` functions to
3382         generate serialized bytecode for a given `SourceCode`. These functions
3383         will eagerly generate code for all the nested functions.
3384
3385         Additionally, update the API methods in JSScript to generate and use the
3386         bytecode when the bytecodeCache path is provided.
3387
3388         * API/JSAPIGlobalObject.mm:
3389         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3390         * API/JSContext.mm:
3391         (-[JSContext wrapperMap]):
3392         * API/JSContextInternal.h:
3393         * API/JSScript.mm:
3394         (+[JSScript scriptWithSource:inVirtualMachine:]):
3395         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3396         (-[JSScript dealloc]):
3397         (-[JSScript readCache]):
3398         (-[JSScript writeCache]):
3399         (-[JSScript hash]):
3400         (-[JSScript source]):
3401         (-[JSScript cachedBytecode]):
3402         (-[JSScript jsSourceCode:]):
3403         * API/JSScriptInternal.h:
3404         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3405         (JSScriptSourceProvider::create):
3406         (JSScriptSourceProvider::JSScriptSourceProvider):
3407         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3408         (JSScriptSourceProvider::hash const):
3409         (JSScriptSourceProvider::source const):
3410         (JSScriptSourceProvider::cachedBytecode const):
3411         * API/JSVirtualMachine.mm:
3412         (-[JSVirtualMachine vm]):
3413         * API/JSVirtualMachineInternal.h:
3414         * API/tests/testapi.mm:
3415         (testBytecodeCache):
3416         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3417         (testObjectiveCAPI):
3418         * JavaScriptCore.xcodeproj/project.pbxproj:
3419         * SourcesCocoa.txt:
3420         * bytecode/UnlinkedFunctionExecutable.cpp:
3421         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3422         * bytecode/UnlinkedFunctionExecutable.h:
3423         * parser/SourceCodeKey.h:
3424         (JSC::SourceCodeKey::source const):
3425         * parser/SourceProvider.h:
3426         (JSC::CachedBytecode::CachedBytecode):
3427         (JSC::CachedBytecode::operator=):
3428         (JSC::CachedBytecode::data const):
3429         (JSC::CachedBytecode::size const):
3430         (JSC::CachedBytecode::owned const):
3431         (JSC::CachedBytecode::~CachedBytecode):
3432         (JSC::CachedBytecode::freeDataIfOwned):
3433         (JSC::SourceProvider::cachedBytecode const):
3434         * parser/UnlinkedSourceCode.h:
3435         (JSC::UnlinkedSourceCode::provider const):
3436         * runtime/CodeCache.cpp:
3437         (JSC::generateUnlinkedCodeBlockForFunctions):
3438         (JSC::writeCodeBlock):
3439         (JSC::serializeBytecode):
3440         * runtime/CodeCache.h:
3441         (JSC::CodeCacheMap::fetchFromDiskImpl):
3442         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3443         (JSC::generateUnlinkedCodeBlockImpl):
3444         (JSC::generateUnlinkedCodeBlock):
3445         * runtime/Completion.cpp:
3446         (JSC::generateBytecode):
3447         (JSC::generateModuleBytecode):
3448         * runtime/Completion.h:
3449         * runtime/Options.cpp:
3450         (JSC::recomputeDependentOptions):
3451
3452 2019-01-25  Keith Rollin  <krollin@apple.com>
3453
3454         Update WebKitAdditions.xcconfig with correct order of variable definitions
3455         https://bugs.webkit.org/show_bug.cgi?id=193793
3456         <rdar://problem/47532439>
3457
3458         Reviewed by Alex Christensen.
3459
3460         XCBuild changes the way xcconfig variables are evaluated. In short,
3461         all config file assignments are now considered in part of the
3462         evaluation. When using the new build system and an .xcconfig file
3463         contains multiple assignments of the same build setting:
3464
3465         - Later assignments using $(inherited) will inherit from earlier
3466           assignments in the xcconfig file.
3467         - Later assignments not using $(inherited) will take precedence over
3468           earlier assignments. An assignment to a more general setting will
3469           mask an earlier assignment to a less general setting. For example,
3470           an assignment without a condition ('FOO = bar') will completely mask
3471           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3472
3473         This affects some of our .xcconfig files, in that sometimes platform-
3474         or sdk-specific definitions appear before the general definitions.
3475         Under the new evaluation rules, the general definitions always take
3476         effect because they always overwrite the more-specific definitions. The
3477         solution is to swap the order, so that the general definitions are
3478         established first, and then conditionally overwritten by the
3479         more-specific definitions.
3480
3481         * Configurations/Version.xcconfig:
3482
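The two evaluation rules described above, as a small evaluator run over a constructed pair of files: the original specific-before-general order and the swapped order this patch adopts. This is an added illustration, not Xcode's implementation; condition matching with a `*` glob and `$(inherited)` expansion are modelled only as far as the entry describes them.

```python
"""Small model of the XCBuild xcconfig evaluation rules described in the
entry: assignments are applied in file order, a conditional assignment only
applies when its condition matches the build context, and $(inherited)
expands to the value accumulated from earlier assignments in the same file.
This is an added illustration, not Xcode's evaluator."""
import fnmatch
import re

# NAME = value  or  NAME[key=pattern] = value  (one condition is all the entry needs)
ASSIGNMENT = re.compile(r"^\s*(\w+)(?:\[(\w+)=([^\]]+)\])?\s*=\s*(.*?)\s*$")


def evaluate(xcconfig: str, setting: str, **context: str) -> str:
    """Value of `setting` after every matching assignment in `xcconfig` has
    been applied for `context` (e.g. sdk="macosx10.14")."""
    value = ""
    for raw in xcconfig.splitlines():
        line = raw.split("//", 1)[0]            # drop trailing comments
        match = ASSIGNMENT.match(line)
        if not match or match.group(1) != setting:
            continue
        _, key, pattern, rhs = match.groups()
        if key is not None and not fnmatch.fnmatchcase(context.get(key, ""), pattern):
            continue                            # condition not met: assignment is skipped
        # A later assignment wins outright; $(inherited) pulls in what came before.
        value = rhs.replace("$(inherited)", value)
    return value


# Constructed in the shape of the problem the entry describes.
SPECIFIC_FIRST = """
FOO[sdk=macos*] = quux   // the macOS-specific value
FOO = bar                // general value, but it comes later and masks the line above
"""
GENERAL_FIRST = """
FOO = bar                // general value established first
FOO[sdk=macos*] = quux   // then conditionally overwritten for macOS
"""
INHERITED = """
WARNING_CFLAGS = -Wall
WARNING_CFLAGS = $(inherited) -Werror
"""


def masked_on_macos() -> bool:
    """True if the original ordering loses the macOS-specific value."""
    return evaluate(SPECIFIC_FIRST, "FOO", sdk="macosx10.14") != "quux"


if __name__ == "__main__":
    for name, text in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        for sdk in ("macosx10.14", "iphoneos12.1"):
            print(f"{name:14} sdk={sdk:12} FOO = {evaluate(text, 'FOO', sdk=sdk)}")
    print("WARNING_CFLAGS =", evaluate(INHERITED, "WARNING_CFLAGS"))
```
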
3483 2019-01-25  Keith Rollin  <krollin@apple.com>
3484
3485         Update existing .xcfilelists
3486         https://bugs.webkit.org/show_bug.cgi?id=193791
3487         <rdar://problem/47201706>
3488
3489         Reviewed by Alex Christensen.
3490
3491         Many .xcfilelist files were added in r238824 in order to support
3492         XCBuild. Update these with recent changes to the set of build files
3493         and with the current generate-xcfilelist script.
3494
3495         * DerivedSources-input.xcfilelist:
3496         * DerivedSources-output.xcfilelist:
3497         * UnifiedSources-input.xcfilelist:
3498         * UnifiedSources-output.xcfilelist:
3499
3500 2019-01-25  Jon Davis  <jond@apple.com>
3501
3502         Update JavaScriptCore feature status entries.
3503         https://bugs.webkit.org/show_bug.cgi?id=193797
3504
3505         Reviewed by Mark Lam.
3506         
3507         Updated feature status for Async Iteration, and Object rest/spread.
3508
3509         * features.json:
3510
3511 2019-01-24  Keith Miller  <keith_miller@apple.com>
3512
3513         Remove usage of internal macro from private header
3514         https://bugs.webkit.org/show_bug.cgi?id=193809
3515
3516         Reviewed by Saam Barati.
3517
3518         Also, add a new file to include all of our API headers to make sure
3519         they don't accidentally include C++ or internal values.
3520
3521         * API/JSScript.h:
3522         * API/tests/testIncludes.m: Added.
3523         * JavaScriptCore.xcodeproj/project.pbxproj:
3524
3525 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3526
3527         [JSC] ErrorConstructor should not have own IsoSubspace
3528         https://bugs.webkit.org/show_bug.cgi?id=193800
3529
3530         Reviewed by Saam Barati.
3531
3532         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3533         IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
3534         too costly to have IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
3535         JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3536         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3537         into IsoSubspaces) described,
3538
3539             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3540             appear to just override methods, which are called dynamically via the structure or class of the object.
3541             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3542
3543         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3544         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3545         This reduces the memory usage.
3546
3547         * interpreter/Interpreter.h:
3548         * runtime/Error.cpp:
3549         (JSC::getStackTrace):
3550         * runtime/ErrorConstructor.cpp:
3551         (JSC::ErrorConstructor::ErrorConstructor):
3552         (JSC::ErrorConstructor::finishCreation):
3553         (JSC::constructErrorConstructor):
3554         (JSC::callErrorConstructor):
3555         (JSC::ErrorConstructor::put):
3556         (JSC::ErrorConstructor::deleteProperty):
3557         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3558         (JSC::Interpreter::callErrorConstructor): Deleted.
3559         * runtime/ErrorConstructor.h:
3560         * runtime/JSGlobalObject.cpp:
3561         (JSC::JSGlobalObject::JSGlobalObject):
3562         (JSC::JSGlobalObject::init):
3563         (JSC::JSGlobalObject::visitChildren):
3564         * runtime/JSGlobalObject.h:
3565         (JSC::JSGlobalObject::stackTraceLimit const):
3566         (JSC::JSGlobalObject::setStackTraceLimit):
3567         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3568         * runtime/VM.cpp:
3569         (JSC::VM::VM):
3570         * runtime/VM.h:
3571
3572 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3573
3574         Web Inspector: CPU Usage Timeline
3575         https://bugs.webkit.org/show_bug.cgi?id=193730
3576         <rdar://problem/46797201>
3577
3578         Reviewed by Devin Rousso.
3579
3580         * CMakeLists.txt:
3581         * DerivedSources-input.xcfilelist:
3582         * DerivedSources.make:
3583         New files.
3584
3585         * inspector/protocol/CPUProfiler.json: Added.
3586         New domain that follows the pattern of Memory/ScriptProfiler.
3587
3588         * inspector/protocol/Timeline.json:
3589         New enum to auto-start a CPU instrument in the backend.
3590
3591 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3592
3593         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3594         https://bugs.webkit.org/show_bug.cgi?id=193774
3595
3596         Reviewed by Mark Lam.
3597
3598         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3599         But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
3600         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3601         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate 16KB page just
3602         for these two constructor instances. They are only two instances per JSGlobalObject.
3603
3604         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
3605         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3606         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3607         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3608         we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
3609         for ArrayBufferConstructors, and reduces the memory usage.
3610
3611         * runtime/JSArrayBufferConstructor.cpp:
3612         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3613         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3614         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3615         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3616         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3617         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3618         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3619         (JSC::JSArrayBufferConstructor::create): Deleted.
3620         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3621         (JSC::constructArrayBuffer): Deleted.
3622         * runtime/JSArrayBufferConstructor.h:
3623         * runtime/JSGlobalObject.cpp:
3624         (JSC::JSGlobalObject::init):
3625         * runtime/JSGlobalObject.h:
3626         * runtime/VM.cpp:
3627         (JSC::VM::VM):
3628         * runtime/VM.h:
3629
3630 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3631
3632         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3633         https://bugs.webkit.org/show_bug.cgi?id=190693
3634
3635         Reviewed by Michael Saboff.
3636
3637         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3638         This becomes true when we find the executable address in our conservative roots, which
3639         means that we could be executing it right now. This means that object liveness in
3640         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3641         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3642         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3643         executing JITStubRoutine because "Conservative Scan" finds it later.
3644         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3645         "Conservative Scan" has already finished, we do not delete some JITStubRoutines which do not
3646         mark the depending objects. Then, in the next cycle, we find JITStubRoutines still live,
3647         attempt to mark the depending objects, and encounter the dead objects which are collected
3648         in the previous cycles.
3649
3650         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3651         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
3652         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3653         GC stop time.
3654
3655         * heap/ConservativeRoots.h:
3656         (JSC::ConservativeRoots::roots const):
3657         (JSC::ConservativeRoots::roots): Deleted.
3658         * heap/Heap.cpp:
3659         (JSC::Heap::addCoreConstraints):
3660         * heap/SlotVisitor.cpp:
3661         (JSC::SlotVisitor::append):
3662         * heap/SlotVisitor.h:
3663         * jit/GCAwareJITStubRoutine.cpp:
3664         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3665         * jit/GCAwareJITStubRoutine.h:
3666
3667 2019-01-24  Saam Barati  <sbarati@apple.com>
3668
3669         Update ARM64EHash
3670         https://bugs.webkit.org/show_bug.cgi?id=193776
3671         <rdar://problem/47526457>
3672
3673         Reviewed by Mark Lam.
3674
3675         See radar for details.
3676
3677         * assembler/AssemblerBuffer.h:
3678         (JSC::ARM64EHash::update):
3679         (JSC::ARM64EHash::finalHash const):
3680
3681 2019-01-24  Saam Barati  <sbarati@apple.com>
3682
3683         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3684         https://bugs.webkit.org/show_bug.cgi?id=193751
3685         <rdar://problem/47280215>
3686
3687         Reviewed by Michael Saboff.
3688
3689         The Object Allocation Sinking phase may move allocations around inside
3690         of the program. However, it was not ensuring that it's still possible 
3691         to walk the stack at the point in the program that it moved the allocation to.
3692         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3693         All allocation sites can do a stack walk (we do a stack walk when we GC).
3694         Conservatively, this patch says we're ok to move this allocation if we are
3695         moving within the same InlineCallFrame. We could be more precise and do an
3696         analysis of stack writes. However, this scenario is so rare that we just
3697         take the conservative-and-straight-forward approach of checking that the place
3698         we're moving to is the same InlineCallFrame as the allocation site.
3699         
3700         In general, this issue arises anytime we do any kind of code motion.
3701         Interestingly, LICM gets this right. It gets it right because the only
3702         InlineCallFrames we can't move out of are the InlineCallFrames that
3703         have metadata stored on the stack (callee for closure calls and argument
3704         count for varargs calls). LICM doesn't have this issue because it relies
3705         on Clobberize for doing its effects analysis. In clobberize, we model every
3706         node within an InlineCallFrame that meets the above criteria as reading
3707         from those stack fields. Consequently, LICM won't hoist any node in that
3708         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3709         we generate to set up such an InlineCallFrame contains writes to that
3710         stack location.
3711
3712         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3713
3714 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3715
3716         [JSC] Reenable baseline JIT on mips
3717         https://bugs.webkit.org/show_bug.cgi?id=192983
3718
3719         Reviewed by Mark Lam.
3720
3721         Use $s0 as metadata register and make sure it's properly saved and
3722         restored.
3723
3724         * jit/GPRInfo.h:
3725         * jit/RegisterSet.cpp:
3726         (JSC::RegisterSet::vmCalleeSaveRegisters):
3727         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3728         * llint/LowLevelInterpreter.asm:
3729         * offlineasm/mips.rb:
3730
3731 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
3732
3733         [GLIB] Expose JavaScriptCore options in GLib public API
3734         https://bugs.webkit.org/show_bug.cgi?id=188742
3735
3736         Reviewed by Michael Catanzaro.
3737
3738         Add new API to set, get and iterate JSC options.
3739
3740         * API/glib/JSCOptions.cpp: Added.
3741         (valueFromGValue):
3742         (valueToGValue):
3743         (jscOptionsSetValue):
3744         (jscOptionsGetValue):
3745         (jsc_options_set_boolean):
3746         (jsc_options_get_boolean):
3747         (jsc_options_set_int):
3748         (jsc_options_get_int):
3749         (jsc_options_set_uint):
3750         (jsc_options_get_uint):
3751         (jsc_options_set_size):
3752         (jsc_options_get_size):
3753         (jsc_options_set_double):
3754         (jsc_options_get_double):
3755         (jsc_options_set_string):
3756         (jsc_options_get_string):
3757         (jsc_options_set_range_string):
3758         (jsc_options_get_range_string):
3759         (jscOptionsType):
3760         (jsc_options_foreach):
3761         (setOptionEntry):
3762         (jsc_options_get_option_group):
3763         * API/glib/JSCOptions.h: Added.
3764         * API/glib/docs/jsc-glib-4.0-sections.txt:
3765         * API/glib/docs/jsc-glib-docs.sgml:
3766         * API/glib/jsc.h:
3767         * GLib.cmake:
3768
3769 2019-01-23  Mark Lam  <mark.lam@apple.com>
3770
3771         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
3772         https://bugs.webkit.org/show_bug.cgi?id=193744
3773         <rdar://problem/46262952>
3774
3775         Reviewed by Saam Barati.
3776
3777         * assembler/LinkBuffer.cpp:
3778         (JSC::LinkBuffer::copyCompactAndLinkCode):
3779
3780 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3781
3782         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3783         https://bugs.webkit.org/show_bug.cgi?id=193711
3784         <rdar://problem/47250262>
3785
3786         Reviewed by Saam Barati.
3787
3788         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
3789         making it Availability::unavailable() (Making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform forward analysis.
3790         We first clear all the availability of basic blocks DeadFlush, which is an empty set. And then, we set operands in the root block
3791         ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
3792         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability in the head
3793         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
3794         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
3795         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
3796         as follows.
3797
3798             BB0 -> BB1 -> BB2 -> BB4
3799              |        \        ^
3800              v          > BB3 /
3801             BB5
3802
3803         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
3804
3805             BB0 does nothing
3806                 head: loc1 is dead
3807                 tail: loc1 is dead
3808
3809             BB1 has MovHint @1, loc1
3810                 head: loc1 is dead
3811                 tail: loc1 is live
3812
3813             BB2 does nothing
3814                 head: loc1 is live
3815                 tail: loc1 is live
3816
3817             BB3 has PutStack @1, loc1
3818                 head: loc1 is live
3819                 tail: loc1 is live
3820
3821             BB4 has OSR exit using loc1
3822                 head: loc1 is live
3823                 tail: loc1 is live (in bytecode)
3824
3825             BB5 does nothing
3826                 head: loc1 is dead
3827                 tail: loc1 is dead
3828
3829         In our OSR Availability analysis, we always prune the loc1 result at BB1's head since its head says "loc1 is dead".
3830         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
3831
3832         So, the flush format of loc1 in each tail of BB is like this.
3833
3834             BB0
3835                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
3836             BB1
3837                 DeadFlush+@1 (pruning clears it)
3838             BB2
3839                 DeadFlush+@1 (since it is propagated from BB1)
3840             BB3
3841                 FlushedJSValue+@1 with loc1 (since it has PutStack)
3842             BB4
3843                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
3844             BB5
3845                 DeadFlush (pruning clears it)
3846
3847         Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
3848         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
3849
3850         * dfg/DFGAvailabilityMap.cpp:
3851         (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands to Availability::unavailable(),
3852         and copy the calculated value from the current availability map.
3853         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3854         (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging things for debugging.
3855
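A forward-analysis model of the six-block example above, added here as an illustration rather than JSC's DFGAvailabilityMap code. It assumes the simplified lattice the entry describes (DeadFlush is BOTTOM, ConflictingFlush is TOP, MovHint sets the node, PutStack sets the flush) and runs the pruning both the buggy way and the fixed way.

```python
"""Model of the OSR availability analysis from the entry above: one operand
(loc1), the six-block CFG, bytecode liveness at each head, and pruning done
the buggy way (DeadFlush) versus the fixed way (Availability::unavailable()).
Constructed illustration, not JSC code; the merge rules are a simplification
of what DFGAvailability.h / DFGFlushedAt.h do for a single operand."""
from dataclasses import dataclass
from typing import Optional

DEAD, FLUSHED, CONFLICTING = "DeadFlush", "FlushedJSValue", "ConflictingFlush"
UNAVAILABLE_NODE = "<unavailable>"  # node part of Availability::unavailable()


@dataclass(frozen=True)
class Availability:
    node: Optional[str]  # "@1" once MovHint says node @1 carries loc1's value
    flush: str           # DeadFlush (BOTTOM) / FlushedJSValue / ConflictingFlush (TOP)

    def merge(self, other: "Availability") -> "Availability":
        # Node part: an unknown side (None) defers to the other; disagreement is unavailable.
        if self.node == other.node or other.node is None:
            node = self.node
        elif self.node is None:
            node = other.node
        else:
            node = UNAVAILABLE_NODE
        # Flush part: DeadFlush is the identity, any other disagreement is TOP.
        if self.flush == other.flush or other.flush == DEAD:
            flush = self.flush
        elif self.flush == DEAD:
            flush = other.flush
        else:
            flush = CONFLICTING
        return Availability(node, flush)

    def __str__(self) -> str:
        return self.flush + (f"+{self.node}" if self.node else "")


DEAD_FLUSH = Availability(None, DEAD)                      # empty set, BOTTOM
UNAVAILABLE = Availability(UNAVAILABLE_NODE, CONFLICTING)  # Availability::unavailable(), TOP

# Constructed from the entry: block -> (successors, loc1 live at head?, ops touching loc1)
BLOCKS = {
    "BB0": (["BB1", "BB5"], False, []),
    "BB1": (["BB2", "BB3"], False, ["MovHint"]),
    "BB2": (["BB4"], True, []),
    "BB3": (["BB4"], True, ["PutStack"]),
    "BB4": ([], True, []),
    "BB5": ([], False, []),
}
PREDS = {b: [p for p, (succ, _, _) in BLOCKS.items() if b in succ] for b in BLOCKS}


def analyze(prune_to: Availability) -> dict:
    """Forward analysis to a fixed point. `prune_to` is what pruneByLiveness
    writes for an operand that is dead at the block head: DEAD_FLUSH
    reproduces the bug, UNAVAILABLE is the fix. Returns {block: (head, tail)}."""
    head = {b: DEAD_FLUSH for b in BLOCKS}
    tail = {b: DEAD_FLUSH for b in BLOCKS}
    head["BB0"] = UNAVAILABLE  # root block: every local starts ConflictingFlush
    changed = True
    while changed:
        changed = False
        for block, (_, live_at_head, ops) in BLOCKS.items():
            if block != "BB0":
                merged = DEAD_FLUSH
                for pred in PREDS[block]:
                    merged = merged.merge(tail[pred])
                if not live_at_head:       # pruneByLiveness
                    merged = prune_to
                if merged != head[block]:
                    head[block], changed = merged, True
            av = head[block]
            for op in ops:
                if op == "MovHint":        # @1 now carries loc1's value; flush state unchanged
                    av = Availability("@1", av.flush)
                elif op == "PutStack":     # loc1 written to its stack slot on this path
                    av = Availability(av.node, FLUSHED)
            if av != tail[block]:
                tail[block], changed = av, True
    return {b: (head[b], tail[b]) for b in BLOCKS}


def reads_unflushed_stack(prune_to: Availability) -> bool:
    """True when BB4's OSR exit would believe loc1 is on the stack although
    the BB0->BB1->BB2->BB4 path never executed a PutStack."""
    return analyze(prune_to)["BB4"][0].flush == FLUSHED


if __name__ == "__main__":
    for label, mode in (("buggy (prune to DeadFlush)", DEAD_FLUSH),
                        ("fixed (prune to unavailable)", UNAVAILABLE)):
        print(label)
        for block, (_, tail_av) in analyze(mode).items():
            print(f"    {block} tail: {tail_av}")
```
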
3856 2019-01-23  David Kilzer  <ddkilzer@apple.com>
3857
3858         [JSC] Duplicate global variables: JSC::opcodeLengths
3859         <https://webkit.org/b/193714>
3860         <rdar://problem/47340200>
3861
3862         Reviewed by Mark Lam.
3863
3864         * bytecode/Opcode.cpp:
3865         (JSC::opcodeLengths): Move array implementation here and mark
3866         const.
3867         * bytecode/Opcode.h:
3868         (JSC::opcodeLengths): Change to extern declaration.
3869
3870 2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>
3871
3872         [GLIB] Remote Inspector: no data displayed
3873         https://bugs.webkit.org/show_bug.cgi?id=193569
3874
3875         Reviewed by Michael Catanzaro.
3876
3877         Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
3878         deadlock.
3879
3880         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3881         (Inspector::RemoteInspector::receivedSetupMessage):
3882         (Inspector::RemoteInspector::setup):
3883
3884 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3885
3886         Unreviewed, fix initial global lexical binding epoch
3887         https://bugs.webkit.org/show_bug.cgi?id=193603
3888         <rdar://problem/47380869>
3889
3890         * bytecode/CodeBlock.cpp:
3891         (JSC::CodeBlock::finishCreation):
3892