Move bytecode cache-related filesystem code out of CodeCache
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-19  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        The code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache. The logic now lives in ShellSourceProvider,
        which overrides a virtual method in SourceProvider, `cacheBytecode`,
        in order to write the cache to disk.

        * jsc.cpp:
        (ShellSourceProvider::create):
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode):
        (ShellSourceProvider::ShellSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, and the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then moving it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits, because it requires that these functions be
        called in non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when the actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

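The two bytecode-cache entries above (boot UUID, r194769; per-build version number, r194768) both add a validity tag to the cached blob so that a stale or foreign cache file is rejected before its contents are interpreted. The following is an added example, not JavaScriptCore code: the wire layout, the constants `kCurrentCacheVersion` and `kCurrentBootUUID`, and the functions `encodeCacheEntry` / `decodeCacheEntry` are all invented here to show the shape of such a check; WebKit's own encoding in CachedTypes.cpp differs.

```cpp
// Added example, not JavaScriptCore code: a cache-entry container that binds a
// serialized payload to a per-build version number and the boot UUID, and a
// decoder that rejects anything produced by another build or another boot.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using BootUUID = std::array<uint8_t, 16>;

// Constructed stand-ins: a real build would generate the version at build time
// and read the boot UUID from the OS at process start.
constexpr uint32_t kCurrentCacheVersion = 7;
const BootUUID kCurrentBootUUID = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                   0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00};

// Invented header layout (little-endian, no padding):
//   [0, 4)   cache version
//   [4, 20)  boot UUID
//   [20, 28) payload size
constexpr size_t kHeaderSize = 28;

static void putLE(std::vector<uint8_t>& out, uint64_t value, int bytes) {
    for (int i = 0; i < bytes; ++i)
        out.push_back(static_cast<uint8_t>(value >> (8 * i)));
}

static uint64_t getLE(const uint8_t* p, int bytes) {
    uint64_t v = 0;
    for (int i = 0; i < bytes; ++i)
        v |= static_cast<uint64_t>(p[i]) << (8 * i);
    return v;
}

std::vector<uint8_t> encodeCacheEntry(const std::vector<uint8_t>& payload,
                                      uint32_t version, const BootUUID& bootUUID) {
    std::vector<uint8_t> out;
    out.reserve(kHeaderSize + payload.size());
    putLE(out, version, 4);
    out.insert(out.end(), bootUUID.begin(), bootUUID.end());
    putLE(out, payload.size(), 8);
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

enum class DecodeStatus { Ok, Truncated, VersionMismatch, BootMismatch, SizeMismatch };

// Checks run in the order a consumer should apply them: the version first, so a
// blob from a build with a different layout is never interpreted further; the
// boot UUID next; and only then is the declared payload size trusted.
DecodeStatus decodeCacheEntry(const std::vector<uint8_t>& bytes, uint32_t version,
                              const BootUUID& bootUUID, std::vector<uint8_t>& payloadOut) {
    if (bytes.size() < kHeaderSize)
        return DecodeStatus::Truncated;
    const uint8_t* p = bytes.data();
    if (getLE(p, 4) != version)
        return DecodeStatus::VersionMismatch;
    BootUUID seen;
    std::copy(p + 4, p + 20, seen.begin());
    if (seen != bootUUID)
        return DecodeStatus::BootMismatch;
    uint64_t declared = getLE(p + 20, 8);
    if (declared != bytes.size() - kHeaderSize)
        return DecodeStatus::SizeMismatch;
    payloadOut.assign(bytes.begin() + kHeaderSize, bytes.end());
    return DecodeStatus::Ok;
}

int main() {
    std::vector<uint8_t> payload = {0x01, 0x02, 0x03}; // constructed stand-in for bytecode
    std::vector<uint8_t> blob = encodeCacheEntry(payload, kCurrentCacheVersion, kCurrentBootUUID);
    std::vector<uint8_t> out;
    DecodeStatus s = decodeCacheEntry(blob, kCurrentCacheVersion, kCurrentBootUUID, out);
    std::printf("same build, same boot: %s\n", s == DecodeStatus::Ok ? "accepted" : "rejected");
    s = decodeCacheEntry(blob, kCurrentCacheVersion + 1, kCurrentBootUUID, out);
    std::printf("different build: %s\n", s == DecodeStatus::Ok ? "accepted" : "rejected");
    return 0;
}
```

The ordering matters: a cache written by an older build may not even share this header layout, so the version comparison is the only field that is safe to interpret before anything else, and the boot UUID check makes a file that survived a reboot unusable even when the version still matches.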
2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comment of a non-typical function's source code (Program,
        Eval code, and Global function from function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

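The entry above adds a bounds check before a Unicode-mode matcher reads the unit after a lead surrogate. The following is an added example, not Yarr code: `decodeUTF16At`, `countCodePoints` and `matchCodePointAt` are invented here to show, in plain C++ rather than JIT-emitted code, where that check sits and why a lead surrogate in the last position must be handled without touching the unit past the end of the subject string. The sample buffers are constructed.

```cpp
// Added example, not Yarr code: decoding one code point from a UTF-16 subject
// with an explicit in-bounds check before the second unit of a surrogate pair
// is read. Names and buffers are constructed for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct Decoded {
    bool ok;              // false when index is already past the end
    uint32_t codePoint;
    size_t unitsConsumed; // 1 or 2
};

static bool isLeadSurrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static bool isTrailSurrogate(uint16_t u) { return (u & 0xFC00) == 0xDC00; }

Decoded decodeUTF16At(const uint16_t* units, size_t length, size_t index) {
    if (index >= length)
        return {false, 0, 0};
    uint16_t first = units[index];
    if (!isLeadSurrogate(first))
        return {true, first, 1};
    // The in-bounds check: a lead surrogate as the final unit must not cause a
    // read of units[index + 1]. It is returned as a lone surrogate instead.
    if (index + 1 >= length)
        return {true, first, 1};
    uint16_t second = units[index + 1];
    if (!isTrailSurrogate(second))
        return {true, first, 1};
    uint32_t cp = 0x10000 + ((static_cast<uint32_t>(first) - 0xD800) << 10)
                          + (static_cast<uint32_t>(second) - 0xDC00);
    return {true, cp, 2};
}

// Walk a whole buffer; exercises the end-of-buffer path above.
size_t countCodePoints(const uint16_t* units, size_t length) {
    size_t count = 0;
    for (size_t i = 0; i < length;) {
        Decoded d = decodeUTF16At(units, length, i);
        i += d.unitsConsumed; // always >= 1 here because i < length
        ++count;
    }
    return count;
}

// Match one literal code point at `index` (the shape of a "pattern character
// once" check). Returns the number of units consumed on a match, 0 otherwise.
size_t matchCodePointAt(const uint16_t* units, size_t length, size_t index, uint32_t wanted) {
    Decoded d = decodeUTF16At(units, length, index);
    return (d.ok && d.codePoint == wanted) ? d.unitsConsumed : 0;
}

int main() {
    // Constructed subject: "A", U+1F600 as a surrogate pair, "B", then a dangling lead surrogate.
    const uint16_t subject[] = {0x0041, 0xD83D, 0xDE00, 0x0042, 0xD83D};
    const size_t length = sizeof(subject) / sizeof(subject[0]);
    for (size_t i = 0; i < length;) {
        Decoded d = decodeUTF16At(subject, length, i);
        std::printf("index %zu: U+%04X (%zu unit%s)\n", i, d.codePoint, d.unitsConsumed,
                    d.unitsConsumed == 1 ? "" : "s");
        i += d.unitsConsumed;
    }
    return 0;
}
```

Without the `index + 1 >= length` test, the dangling lead surrogate at the end of the constructed subject would make the decoder read one unit past the buffer; with it, the last unit is reported as a lone surrogate and matching simply fails there.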
2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for that.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

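The entry above is about strings that end up inside JSON output (function names, URLs) without escaping. Such values are chosen by the script being profiled, so a quote or backslash in a function name would break the structure of the emitted document. The following is an added example, not WebKit code: `escapeForJSON`, `jsonStringLiteral` and `stackFrameToJSON` are invented here to show the escaping rule and the safe way to assemble a record from untrusted fields; the sample inputs are constructed.

```cpp
// Added example, not WebKit code: escaping untrusted strings before they are
// spliced into JSON text. Names and sample inputs are constructed.
#include <cstdio>
#include <string>

// Escape a UTF-8 byte string for use inside a JSON string literal (without the
// surrounding quotes): '"' and '\\' get a backslash, the common control
// characters use their short forms, every other byte below 0x20 becomes \u00XX.
// Bytes >= 0x80 are passed through unchanged (valid UTF-8 is assumed).
std::string escapeForJSON(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 2);
    for (unsigned char c : in) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b";  break;
        case '\f': out += "\\f";  break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '\t': out += "\\t";  break;
        default:
            if (c < 0x20) {
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    return out;
}

// Quote and escape in one step so callers cannot forget the escaping.
std::string jsonStringLiteral(const std::string& s) {
    return "\"" + escapeForJSON(s) + "\"";
}

// One stack-frame record of the kind a sampling profiler might emit. The
// function name and URL are script-controlled, so both go through
// jsonStringLiteral; the line number is numeric and emitted as-is.
std::string stackFrameToJSON(const std::string& functionName, const std::string& url, unsigned line) {
    return "{\"name\":" + jsonStringLiteral(functionName)
         + ",\"url\":" + jsonStringLiteral(url)
         + ",\"line\":" + std::to_string(line) + "}";
}

int main() {
    // Constructed hostile function name: closes the string and the object if unescaped.
    std::string hostileName = "f\"}";
    std::printf("%s\n", stackFrameToJSON(hostileName, "http://example.test/a.js", 3).c_str());
    std::printf("%s\n", stackFrameToJSON("tab\tseparated", "http://example.test/b.js", 10).c_str());
    return 0;
}
```

The point of routing every string field through one helper is that the record builder never concatenates raw text; whatever a script assigns to a function's `name`, the output stays a single well-formed object.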
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer to a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

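The scenario above has two paths to one global pointer: an initializer guarded by `call_once`, and a lock-free reader that takes whatever pointer is currently stored. The entry fixes it with a store-store fence before the pointer store. The following is an added example, not WebKit code, using the standard C++ release/acquire pair in place of a WTF fence; `Worklist`, `ensureWorklist` and `existingWorklistOrNull` are invented names standing in for the DFG functions listed above.

```cpp
// Added example, not WebKit code: publishing a lazily created global so that a
// reader which bypasses call_once never observes a half-constructed object.
// The real code uses a store-store fence; this uses release/acquire instead.
#include <atomic>
#include <mutex>
#include <string>
#include <utility>

// Stand-in for a compiler worklist with a couple of fields to initialize.
struct Worklist {
    std::string name;
    int numberOfThreads;
    Worklist(std::string n, int threads) : name(std::move(n)), numberOfThreads(threads) {}
};

static std::atomic<Worklist*> g_worklist{nullptr};
static std::once_flag g_worklistOnce;

// The unsafe shape this guards against (shown as a comment, not compiled):
//     Worklist* fresh = new Worklist("dfg", 8);
//     g_plainPointer = fresh;   // plain store: another core may see the pointer
//                               // before it sees the constructor's writes to *fresh
//
// The initializer's own caller is protected by call_once, but a reader that
// goes straight to the global (existingWorklistOrNull below) is not.

Worklist& ensureWorklist() {
    std::call_once(g_worklistOnce, [] {
        Worklist* fresh = new Worklist("dfg", 8); // construct fully first ...
        // ... then publish. The release store orders every write to *fresh
        // before the pointer store, so an acquire load that observes the
        // pointer also observes the completed object.
        g_worklist.store(fresh, std::memory_order_release);
    });
    return *g_worklist.load(std::memory_order_acquire);
}

// Read path that takes no lock and never runs the initializer. It may return
// null, but a non-null result is always a fully constructed Worklist.
Worklist* existingWorklistOrNull() {
    return g_worklist.load(std::memory_order_acquire);
}
```

The matching acquire on the reader side is what makes the fence on the writer side effective; a reader that loaded the global with a relaxed load or a plain pointer read would be back in the situation step 6 describes.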
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam Barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):
716
717 2019-02-14  Saam barati  <sbarati@apple.com>
718
719         lowerStackArgs should lower Lea32/64 on ARM64 to Add
720         https://bugs.webkit.org/show_bug.cgi?id=194656
721
722         Reviewed by Yusuke Suzuki.
723
724         On arm64, Lea is just implemented as an add. However, Air treats it as an
725         address with a given width. Because of this width, we were incorrectly
726         computing whether or not this immediate could fit into the instruction itself
727         or it needed to be explicitly put into a register. This patch makes
728         AirLowerStackArgs lower Lea to Add on arm64.
729
730         * b3/air/AirLowerStackArgs.cpp:
731         (JSC::B3::Air::lowerStackArgs):
732         * b3/air/AirOpcode.opcodes:
733         * b3/air/testair.cpp:
734
735 2019-02-14  Saam Barati  <sbarati@apple.com>
736
737         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
738         https://bugs.webkit.org/show_bug.cgi?id=194583
739         <rdar://problem/48028140>
740
741         Reviewed by Yusuke Suzuki.
742
743         This patch makes it so that getVariablesUnderTDZ caches a result of
744         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
745         it's called in an environment where there are a lot of variables.
746         This patch makes it so we cache its results. This is profitable when
747         getVariablesUnderTDZ is called repeatedly with the same environment
748         state. This is common since we call this every time we encounter a
749         function definition/expression node.
750
751         * builtins/BuiltinExecutables.cpp:
752         (JSC::BuiltinExecutables::createExecutable):
753         * bytecode/UnlinkedFunctionExecutable.cpp:
754         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
755         * bytecode/UnlinkedFunctionExecutable.h:
756         * bytecompiler/BytecodeGenerator.cpp:
757         (JSC::BytecodeGenerator::popLexicalScopeInternal):
758         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
759         (JSC::BytecodeGenerator::pushTDZVariables):
760         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
761         (JSC::BytecodeGenerator::restoreTDZStack):
762         * bytecompiler/BytecodeGenerator.h:
763         (JSC::BytecodeGenerator::makeFunction):
764         * parser/VariableEnvironment.cpp:
765         (JSC::CompactVariableMap::Handle::Handle):
766         (JSC::CompactVariableMap::Handle::operator=):
767         * parser/VariableEnvironment.h:
768         (JSC::CompactVariableMap::Handle::operator bool const):
769         * runtime/CodeCache.cpp:
770         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
771
772 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
773
774         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
775         https://bugs.webkit.org/show_bug.cgi?id=194659
776
777         Reviewed by Mark Lam.
778
779         Non-JIT entrypoints create NativeJITCode every time they are called. But this is meaningless since the entrypoint code is identical.
780         We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
781         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
782
783         * dfg/DFGJITCode.h:
784         * dfg/DFGJITFinalizer.cpp:
785         (JSC::DFG::JITFinalizer::finalize):
786         (JSC::DFG::JITFinalizer::finalizeFunction):
787         * jit/JITCode.cpp:
788         (JSC::DirectJITCode::initializeCodeRefForDFG):
789         (JSC::DirectJITCode::initializeCodeRef): Deleted.
790         (JSC::NativeJITCode::initializeCodeRef): Deleted.
791         * jit/JITCode.h:
792         * llint/LLIntEntrypoint.cpp:
793         (JSC::LLInt::setFunctionEntrypoint):
794         (JSC::LLInt::setEvalEntrypoint):
795         (JSC::LLInt::setProgramEntrypoint):
796         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
797
798 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
799
800         [WTF] Add environment variable helpers
801         https://bugs.webkit.org/show_bug.cgi?id=192405
802
803         Reviewed by Michael Catanzaro.
804
805         * inspector/remote/glib/RemoteInspectorGlib.cpp:
806         (Inspector::RemoteInspector::RemoteInspector):
807         (Inspector::RemoteInspector::start):
808         * jsc.cpp:
809         (startTimeoutThreadIfNeeded):
810         * runtime/Options.cpp:
811         (JSC::overrideOptionWithHeuristic):
812         (JSC::Options::overrideAliasedOptionWithHeuristic):
813         (JSC::Options::initialize):
814         * runtime/VM.cpp:
815         (JSC::enableAssembler):
816         (JSC::VM::VM):
817         * tools/CodeProfiling.cpp:
818         (JSC::CodeProfiling::notifyAllocator):
819         Utilize WTF::Environment where possible.
820
821 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
822
823         [JSC] Should have default NativeJITCode
824         https://bugs.webkit.org/show_bug.cgi?id=194634
825
826         Reviewed by Mark Lam.
827
828         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
829         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds singleton used as a default one.
830         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
831         allocations, which takes 14KB.
832
833         * runtime/VM.cpp:
834         (JSC::jitCodeForCallTrampoline):
835         (JSC::jitCodeForConstructTrampoline):
836         (JSC::VM::getHostFunction):
837
838 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
839
840         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
841         https://bugs.webkit.org/show_bug.cgi?id=194576
842
843         Reviewed by Saam Barati.
844
845         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
846         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
847
848         * bytecode/UnlinkedFunctionExecutable.cpp:
849         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
850         (JSC::UnlinkedFunctionExecutable::link):
851         * bytecode/UnlinkedFunctionExecutable.h:
852         * runtime/CodeCache.cpp:
853         (JSC::generateUnlinkedCodeBlockForFunctions):
854
855 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
856
857         CachedBitVector's size must be converted from bits to bytes
858         https://bugs.webkit.org/show_bug.cgi?id=194441
859
860         Reviewed by Saam Barati.
861
862         CachedBitVector used its size in bits for memcpy. That didn't cause any
863         issues when encoding, since the size in bits was also used in the allocation,
864         but would overflow the actual BitVector buffer when decoding.
865
866         * runtime/CachedTypes.cpp:
867         (JSC::CachedBitVector::encode):
868         (JSC::CachedBitVector::decode const):
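
        The entry above describes a classic size-unit mistake: a bit count handed to
        memcpy as a byte count, which over-reads on encode and over-writes the
        BitVector's buffer on decode. The following is example code written for this
        page, not JSC's CachedBitVector; the BitVec type, the wire layout (4-byte
        little-endian bit count followed by the payload) and the function names are
        our own. It shows the bits-to-bytes conversion in one place, the decode-side
        bounds check that a cache loaded from disk needs, and a helper that makes the
        buggy arithmetic visible without executing it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Number of bytes needed to hold `bits` bits: the conversion that both the
// encoder's allocation and the decoder's memcpy length must go through.
inline size_t byteSizeForBits(size_t bits) { return (bits + 7) / 8; }

// The buggy arithmetic, kept only so a test can show the mismatch: using the
// bit count as the byte count asks memcpy for 100 bytes against a 13-byte
// buffer when the vector has 100 bits.
inline size_t bitCountUsedAsByteCount(size_t bits) { return bits; }

// Hypothetical bit vector with a byte-granular backing store (our own type,
// not JSC's BitVector). Bit i lives at bytes[i / 8], bit position i % 8.
struct BitVec {
    size_t numBits;
    std::vector<uint8_t> bytes;

    explicit BitVec(size_t bits) : numBits(bits), bytes(byteSizeForBits(bits), 0) {}
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
};

// Serialize: 4-byte little-endian bit count, then byteSizeForBits(count) bytes.
inline std::vector<uint8_t> encodeBitVec(const BitVec& v)
{
    size_t payload = byteSizeForBits(v.numBits);
    std::vector<uint8_t> out(4 + payload);
    uint32_t n = static_cast<uint32_t>(v.numBits);
    for (int i = 0; i < 4; ++i)
        out[i] = static_cast<uint8_t>(n >> (8 * i));
    if (payload)
        std::memcpy(out.data() + 4, v.bytes.data(), payload);
    return out;
}

// Deserialize with the size converted to bytes and the input length checked
// against it, so a short or tampered buffer is rejected rather than read
// past its end. The destination buffer is sized from the same conversion.
inline BitVec decodeBitVec(const std::vector<uint8_t>& in)
{
    if (in.size() < 4)
        throw std::runtime_error("truncated header");
    uint32_t n = 0;
    for (int i = 0; i < 4; ++i)
        n |= static_cast<uint32_t>(in[i]) << (8 * i);
    size_t payload = byteSizeForBits(n);
    if (in.size() - 4 < payload)
        throw std::runtime_error("truncated payload");
    BitVec v(n);
    if (payload)
        std::memcpy(v.bytes.data(), in.data() + 4, payload);
    return v;
}
```

        The check `in.size() - 4 < payload` is what a decoder of cached bytecode
        needs even when the encoder is trusted: the file on disk is an input, and
        its declared size must be validated against the bytes actually present
        before anything is copied.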
869
870 2019-02-13  Brian Burg  <bburg@apple.com>
871
872         Web Inspector: don't include accessibility role in DOM.Node object payloads
873         https://bugs.webkit.org/show_bug.cgi?id=194623
874         <rdar://problem/36384037>
875
876         Reviewed by Devin Rousso.
877
878         Remove property of DOM.Node that is no longer being sent.
879
880         * inspector/protocol/DOM.json:
881
882 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
883
884         We should only make rope strings when concatenating strings long enough.
885         https://bugs.webkit.org/show_bug.cgi?id=194465
886
887         Reviewed by Mark Lam.
888
889         This patch stops us from allocating a rope string if the resulting
890         rope would be smaller than the size of the JSRopeString object we
891         would need to allocate.
892
893         This patch also adds paths so that we don't unnecessarily allocate
894         JSString cells for primitives we are going to concatenate with a
895         string anyway.
896
897         The important change from the previous one is that we do not apply
898         the above rule to JSRopeStrings generated by JSStrings. If we convert
899         it to JSString, comparison of memory consumption becomes the following,
900         because JSRopeString does not have StringImpl until it is resolved.
901
902             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
903
904         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
905         resolving eagerly increases memory footprint. The point is that we need to
906         account for newly created JSStrings and JSRopeStrings from the operands. This is the
907         reason why this patch adds different thresholds for each jsString function.
908
909         This patch also avoids concatenation for ropes conservatively. Many ropes are
910         temporary cells. So we do not resolve eagerly if one of the operands is already a
911         rope.
912
913         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaging the latter 5).
914
915             Before: 159.3778
916             After:  160.72340000000003
917
918         * dfg/DFGOperations.cpp:
919         * runtime/CommonSlowPaths.cpp:
920         (JSC::SLOW_PATH_DECL):
921         * runtime/JSString.h:
922         (JSC::JSString::isRope const):
923         * runtime/Operations.cpp:
924         (JSC::jsAddSlowCase):
925         * runtime/Operations.h:
926         (JSC::jsString):
927         (JSC::jsAddNonNumber):
928         (JSC::jsAdd):
929
930 2019-02-13  Saam Barati  <sbarati@apple.com>
931
932         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
933         https://bugs.webkit.org/show_bug.cgi?id=194610
934
935         Reviewed by Michael Saboff.
936
937         BinarySwitch might use the scratch register. We must model the
938         effects of that properly. This is already caught by our br-table
939         tests on arm64.
940
941         * wasm/WasmAirIRGenerator.cpp:
942         (JSC::Wasm::AirIRGenerator::addSwitch):
943
944 2019-02-13  Mark Lam  <mark.lam@apple.com>
945
946         Create a randomized free list for new StructureIDs on StructureIDTable resize.
947         https://bugs.webkit.org/show_bug.cgi?id=194566
948         <rdar://problem/47975502>
949
950         Reviewed by Michael Saboff.
951
952         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
953         implementation is a little easier to read.
954
955         This patch appears to be perf neutral on JetStream2 (as run from the command line).
956
957         * runtime/StructureIDTable.cpp:
958         (JSC::StructureIDTable::StructureIDTable):
959         (JSC::StructureIDTable::makeFreeListFromRange):
960         (JSC::StructureIDTable::resize):
961         (JSC::StructureIDTable::allocateID):
962         (JSC::StructureIDTable::deallocateID):
963         * runtime/StructureIDTable.h:
964         (JSC::StructureIDTable::get):
965         (JSC::StructureIDTable::deallocateID):
966         (JSC::StructureIDTable::allocateID):
967         (JSC::StructureIDTable::flushOldTables):
968
969 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
970
971         VariableLengthObject::allocate<T> should initialize objects
972         https://bugs.webkit.org/show_bug.cgi?id=194534
973
974         Reviewed by Michael Saboff.
975
976         `buffer()` should not be called for empty VariableLengthObjects, but
977         these cases were not being caught due to the objects not being properly
978         initialized. Fix it so that allocate calls the constructor and fix the
979         assertion failures.
980
981         * runtime/CachedTypes.cpp:
982         (JSC::CachedObject::operator new):
983         (JSC::VariableLengthObject::allocate):
984         (JSC::CachedVector::encode):
985         (JSC::CachedVector::decode const):
986         (JSC::CachedUniquedStringImpl::decode const):
987         (JSC::CachedBitVector::encode):
988         (JSC::CachedBitVector::decode const):
989         (JSC::CachedArray::encode):
990         (JSC::CachedArray::decode const):
991         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
992         (JSC::CachedBigInt::decode const):
993
994 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
995
996         CodeBlocks read from disk should not be re-written
997         https://bugs.webkit.org/show_bug.cgi?id=194535
998
999         Reviewed by Michael Saboff.
1000
1001         Keep track of which CodeBlocks have been read from disk or have already
1002         been serialized in CodeCache.
1003
1004         * runtime/CodeCache.cpp:
1005         (JSC::CodeCache::write):
1006         * runtime/CodeCache.h:
1007         (JSC::SourceCodeValue::SourceCodeValue):
1008         (JSC::CodeCacheMap::fetchFromDiskImpl):
1009
1010 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1011
1012         SourceCode should be copied when generating bytecode for functions
1013         https://bugs.webkit.org/show_bug.cgi?id=194536
1014
1015         Reviewed by Saam Barati.
1016
1017         The FunctionExecutable might be collected while generating the bytecode
1018         for nested functions, in which case the SourceCode reference would no
1019         longer be valid.
1020
1021         * runtime/CodeCache.cpp:
1022         (JSC::generateUnlinkedCodeBlockForFunctions):
1023
1024 2019-02-12  Saam barati  <sbarati@apple.com>
1025
1026         JSScript needs to retain its cache path NSURL*
1027         https://bugs.webkit.org/show_bug.cgi?id=194577
1028
1029         Reviewed by Tim Horton.
1030
1031         * API/JSScript.mm:
1032         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1033         (-[JSScript dealloc]):
1034
1035 2019-02-12  Robin Morisset  <rmorisset@apple.com>
1036
1037         Make B3Value::returnsBool() more precise
1038         https://bugs.webkit.org/show_bug.cgi?id=194457
1039
1040         Reviewed by Saam Barati.
1041
1042         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
1043         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
1044         No new tests added as this should be indirectly tested by the already existing tests.
1045
1046         * b3/B3Value.cpp:
1047         (JSC::B3::Value::returnsBool const):
1048
1049 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1050
1051         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1052         https://bugs.webkit.org/show_bug.cgi?id=194399
1053         <rdar://problem/47889777>
1054
1055         * dfg/DFGDoesGC.cpp:
1056         (JSC::DFG::doesGC):
1057
1058 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1059
1060         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1061         https://bugs.webkit.org/show_bug.cgi?id=194370
1062
1063         Reviewed by Darin Adler.
1064
1065         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
1066         necessary, but it will make errors more visible.
1067
1068         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1069         (Inspector::RemoteInspector::start):
1070         (Inspector::dbusConnectionCallAsyncReadyCallback):
1071         * inspector/remote/glib/RemoteInspectorServer.cpp:
1072         (Inspector::RemoteInspectorServer::start):
1073
1074 2019-02-12  Andy Estes  <aestes@apple.com>
1075
1076         [iOSMac] Enable Parental Controls Content Filtering
1077         https://bugs.webkit.org/show_bug.cgi?id=194521
1078         <rdar://39732376>
1079
1080         Reviewed by Tim Horton.
1081
1082         * Configurations/FeatureDefines.xcconfig:
1083
1084 2019-02-11  Mark Lam  <mark.lam@apple.com>
1085
1086         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1087         https://bugs.webkit.org/show_bug.cgi?id=194512
1088         <rdar://problem/47975465>
1089
1090         Reviewed by Yusuke Suzuki.
1091
1092         * runtime/StructureIDTable.cpp:
1093         (JSC::StructureIDTable::StructureIDTable):
1094         (JSC::StructureIDTable::allocateID):
1095         (JSC::StructureIDTable::deallocateID):
1096         * runtime/StructureIDTable.h:
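
        The two StructureIDTable entries on this page (bug 194512 above, randomizing
        where deallocated IDs go back into the free list, and bug 194566 earlier,
        building a randomized free list for the new IDs on resize) describe the same
        technique from two sides. The ChangeLog does not spell out the motivation; the
        usual reason for an ID allocator to do this, and the one assumed here, is that
        sequential hand-out and LIFO reuse let code that can allocate and free objects
        predict which ID another object will receive. The following is example code
        written for this page, not JSC's StructureIDTable: the class, its names, the
        vector-backed free list and the use of std::mt19937_64 (a stand-in so the test
        is deterministic; a hardened allocator would draw from a CSPRNG) are our own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <random>
#include <stdexcept>
#include <vector>

// Hypothetical ID table: IDs index a table of entry pointers, ID 0 is reserved
// as "invalid" so a zeroed field never aliases a live entry.
class RandomizedIdTable {
public:
    using Id = uint32_t;

    RandomizedIdTable(size_t initialCapacity, uint64_t seed)
        : m_rng(seed)
    {
        resize(initialCapacity);
    }

    // Hand out an ID from the (already shuffled) free list, growing on demand.
    Id allocateId(void* entry)
    {
        if (m_freeList.empty())
            resize(m_table.size() * 2);
        Id id = m_freeList.back();
        m_freeList.pop_back();
        m_table[id] = entry;
        return id;
    }

    // Return an ID at a random position in the free list rather than on top,
    // so the next allocations do not simply hand back the most recently freed
    // IDs in reverse order. Freeing an ID that is not live is a logic error.
    void deallocateId(Id id)
    {
        if (id == 0 || id >= m_table.size() || !m_table[id])
            throw std::logic_error("deallocating an ID that is not live");
        m_table[id] = nullptr;
        size_t pos = std::uniform_int_distribution<size_t>(0, m_freeList.size())(m_rng);
        m_freeList.insert(m_freeList.begin() + static_cast<std::ptrdiff_t>(pos), id);
    }

    void* get(Id id) const { return id < m_table.size() ? m_table[id] : nullptr; }
    size_t capacity() const { return m_table.size(); }
    size_t freeCount() const { return m_freeList.size(); }

private:
    // Grow the table and append the fresh ID range to the free list after
    // shuffling it, so newly minted IDs do not come out in ascending order.
    void resize(size_t newCapacity)
    {
        size_t oldCapacity = m_table.size();
        if (newCapacity <= oldCapacity)
            newCapacity = oldCapacity ? oldCapacity * 2 : 2;
        m_table.resize(newCapacity, nullptr);
        std::vector<Id> fresh;
        for (size_t i = std::max<size_t>(oldCapacity, 1); i < newCapacity; ++i)
            fresh.push_back(static_cast<Id>(i));
        std::shuffle(fresh.begin(), fresh.end(), m_rng);
        m_freeList.insert(m_freeList.end(), fresh.begin(), fresh.end());
    }

    std::mt19937_64 m_rng; // stand-in PRNG; not suitable as a hardening source
    std::vector<void*> m_table;
    std::vector<Id> m_freeList;
};
```

        Two properties are worth checking in any implementation of this idea: every
        ID in the capacity range is still handed out exactly once (randomizing order
        must not create duplicates or leak IDs), and a stale or double free is
        rejected rather than silently re-inserted into the free list.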
1097
1098 2019-02-10  Mark Lam  <mark.lam@apple.com>
1099
1100         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1101         https://bugs.webkit.org/show_bug.cgi?id=194493
1102         <rdar://problem/36380852>
1103
1104         Reviewed by Yusuke Suzuki.
1105
1106         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1107         however not good for performance and memory usage.  As such, a debug ASSERT will
1108         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1109         possible to be instantiated with duplicate cases in
1110         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1111
1112         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1113         see duplicate cases.
1114
1115         * jit/BinarySwitch.cpp:
1116         (JSC::BinarySwitch::BinarySwitch):
1117
1118 2019-02-10  Darin Adler  <darin@apple.com>
1119
1120         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1121         https://bugs.webkit.org/show_bug.cgi?id=194485
1122
1123         Reviewed by Daniel Bates.
1124
1125         * heap/HeapSnapshotBuilder.cpp:
1126         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1127         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1128
1129         * runtime/JSGlobalObjectFunctions.cpp:
1130         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1131         including one in a call to appendByteAsHex.
1132         (JSC::globalFuncEscape): Ditto.
1133
1134 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1135
1136         Unreviewed, rolling out r241230.
1137         https://bugs.webkit.org/show_bug.cgi?id=194488
1138
1139         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1140         #webkit).
1141
1142         Reverted changeset:
1143
1144         "We should only make rope strings when concatenating strings
1145         long enough."
1146         https://bugs.webkit.org/show_bug.cgi?id=194465
1147         https://trac.webkit.org/changeset/241230
1148
1149 2019-02-10  Saam barati  <sbarati@apple.com>
1150
1151         BBQ-Air: Emit better code for switch
1152         https://bugs.webkit.org/show_bug.cgi?id=194053
1153
1154         Reviewed by Yusuke Suzuki.
1155
1156         Instead of emitting a linear set of jumps for Switch, this patch
1157         makes the BBQ-Air backend emit a binary switch.
1158
1159         * wasm/WasmAirIRGenerator.cpp:
1160         (JSC::Wasm::AirIRGenerator::addSwitch):
1161
1162 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1163
1164         Unreviewed, Lexer should use isLatin1 implementation in WTF
1165         https://bugs.webkit.org/show_bug.cgi?id=194466
1166
1167         Follow-up after r241233 pointed by Darin.
1168
1169         * parser/Lexer.cpp:
1170         (JSC::isLatin1): Deleted.
1171
1172 2019-02-09  Darin Adler  <darin@apple.com>
1173
1174         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1175         https://bugs.webkit.org/show_bug.cgi?id=194021
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         * inspector/agents/InspectorConsoleAgent.cpp:
1180         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1181         makeString do the conversion without allocating/destroying a String.
1182         * inspector/agents/InspectorDebuggerAgent.cpp:
1183         (Inspector::objectGroupForBreakpointAction): Ditto.
1184         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1185         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1186         * runtime/JSGenericTypedArrayViewInlines.h:
1187         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1188         * runtime/NumberPrototype.cpp:
1189         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1190         of calling numberToFixedWidthString to do the same thing.
1191         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1192         numberToFixedPrecisionString to do the same thing.
1193         * runtime/SamplingProfiler.cpp:
1194         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1195
1196 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1197
1198         Unreviewed, rolling in r241237 again
1199         https://bugs.webkit.org/show_bug.cgi?id=194469
1200
1201         * runtime/JSString.h:
1202         (JSC::jsSubstring):
1203
1204 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1205
1206         Unreviewed, rolling out r241237.
1207         https://bugs.webkit.org/show_bug.cgi?id=194474
1208
1209         Shows significant memory increase in WSL (Requested by
1210         yusukesuzuki on #webkit).
1211
1212         Reverted changeset:
1213
1214         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1215         takes more memory"
1216         https://bugs.webkit.org/show_bug.cgi?id=194469
1217         https://trac.webkit.org/changeset/241237
1218
1219 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1222         https://bugs.webkit.org/show_bug.cgi?id=194469
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         * runtime/JSString.h:
1227         (JSC::jsSubstring):
1228
1229 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1230
1231         [JSC] CachedTypes should use jsString instead of JSString::create
1232         https://bugs.webkit.org/show_bug.cgi?id=194471
1233
1234         Reviewed by Mark Lam.
1235
1236         Use jsString() here because JSString::create is a rather low-level API and it requires some invariants like "length is not zero".
1237
1238         * runtime/CachedTypes.cpp:
1239         (JSC::CachedJSValue::decode const):
1240
1241 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1242
1243         [JSC] Increase StructureIDTable initial capacity
1244         https://bugs.webkit.org/show_bug.cgi?id=194468
1245
1246         Reviewed by Mark Lam.
1247
1248         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1249         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1250         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1251         more memory dirty. We also remove some structures that are no longer used.
1252
1253         * runtime/JSGlobalObject.h:
1254         (JSC::JSGlobalObject::callbackObjectStructure const):
1255         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1256         * runtime/StructureIDTable.h:
1257         * runtime/VM.h:
1258
1259 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1260
1261         [JSC] String.fromCharCode's slow path always generates 16bit string
1262         https://bugs.webkit.org/show_bug.cgi?id=194466
1263
1264         Reviewed by Keith Miller.
1265
1266         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
1267         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1268         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1269         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1270         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1271         as much as possible.
1272
1273         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1274
1275         * runtime/StringConstructor.cpp:
1276         (JSC::stringFromCharCode):
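
        The entry above says the slow path should produce an 8bit string whenever
        every code unit fits in Latin-1. The following is example code written for
        this page, not JSC's stringFromCharCode: the CharBuffer type and the function
        are our own. It builds the string optimistically as 8bit and upgrades to 16bit
        only at the first code unit above 0xFF, copying what was already written, and
        it truncates each argument to 16 bits the way ToUint16 does for
        String.fromCharCode.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical result type: either a Latin-1 (8bit) buffer or a UTF-16 (16bit)
// buffer, never both at once.
struct CharBuffer {
    bool is8Bit = true;
    std::vector<uint8_t> latin1;
    std::vector<uint16_t> utf16;

    size_t length() const { return is8Bit ? latin1.size() : utf16.size(); }
    size_t byteSize() const { return is8Bit ? latin1.size() : utf16.size() * 2; }
    uint16_t at(size_t i) const { return is8Bit ? latin1[i] : utf16[i]; }
};

// Start 8bit; widen once, at the first code unit that does not fit, and stay
// 16bit from then on. Arguments are reduced modulo 2^16 like ToUint16.
inline CharBuffer fromCharCodes(const std::vector<uint32_t>& codes)
{
    CharBuffer out;
    out.latin1.reserve(codes.size());
    for (size_t i = 0; i < codes.size(); ++i) {
        uint16_t unit = static_cast<uint16_t>(codes[i] & 0xFFFF);
        if (out.is8Bit) {
            if (unit <= 0xFF) {
                out.latin1.push_back(static_cast<uint8_t>(unit));
                continue;
            }
            // Upgrade: widen everything emitted so far, then carry on 16bit.
            out.is8Bit = false;
            out.utf16.reserve(codes.size());
            out.utf16.assign(out.latin1.begin(), out.latin1.end());
            out.latin1.clear();
            out.latin1.shrink_to_fit();
        }
        out.utf16.push_back(unit);
    }
    return out;
}
```

        The upgrade happens at most once per call, so the pass stays linear and the
        common all-Latin-1 case never touches the 16bit buffer, which is where the
        memory saving the entry reports comes from.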
1277
1278 2019-02-08  Keith Miller  <keith_miller@apple.com>
1279
1280         We should only make rope strings when concatenating strings long enough.
1281         https://bugs.webkit.org/show_bug.cgi?id=194465
1282
1283         Reviewed by Saam Barati.
1284
1285         This patch stops us from allocating a rope string if the resulting
1286         rope would be smaller than the size of the JSRopeString object we
1287         would need to allocate.
1288
1289         This patch also adds paths so that we don't unnecessarily allocate
1290         JSString cells for primitives we are going to concatenate with a
1291         string anyway.
1292
1293         * dfg/DFGOperations.cpp:
1294         * runtime/CommonSlowPaths.cpp:
1295         (JSC::SLOW_PATH_DECL):
1296         * runtime/JSString.h:
1297         * runtime/Operations.cpp:
1298         (JSC::jsAddSlowCase):
1299         * runtime/Operations.h:
1300         (JSC::jsString):
1301         (JSC::jsAdd):
1302
1303 2019-02-08  Saam barati  <sbarati@apple.com>
1304
1305         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1306         https://bugs.webkit.org/show_bug.cgi?id=194334
1307         <rdar://problem/47844327>
1308
1309         Reviewed by Mark Lam.
1310
1311         * dfg/DFGAbstractInterpreterInlines.h:
1312         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1313         * dfg/DFGArgumentsEliminationPhase.cpp:
1314         * dfg/DFGByteCodeParser.cpp:
1315         (JSC::DFG::ByteCodeParser::parseBlock):
1316         * dfg/DFGClobberize.h:
1317         (JSC::DFG::clobberize):
1318         * dfg/DFGConstantFoldingPhase.cpp:
1319         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1320         * dfg/DFGFixupPhase.cpp:
1321         (JSC::DFG::FixupPhase::fixupNode):
1322         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1323         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1324         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1325         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1326         * dfg/DFGNodeType.h:
1327         * dfg/DFGSSALoweringPhase.cpp:
1328         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1329         * dfg/DFGSpeculativeJIT.cpp:
1330         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1331         * ftl/FTLLowerDFGToB3.cpp:
1332         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1333         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1334
1335 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1336
1337         [JSC] Shrink sizeof(CodeBlock) more
1338         https://bugs.webkit.org/show_bug.cgi?id=194419
1339
1340         Reviewed by Mark Lam.
1341
1342         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1343
1344         1. CodeBlock copies a lot of data from ScriptExecutable even though ScriptExecutable
1345         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1346         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1347
1348         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1349         And we do not touch it in CodeBlock::~CodeBlock.
1350
1351         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1352         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1353         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1354
1355         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1356
1357         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1358
1359         * bytecode/CodeBlock.cpp:
1360         (JSC::CodeBlock::hash const):
1361         (JSC::CodeBlock::sourceCodeForTools const):
1362         (JSC::CodeBlock::dumpAssumingJITType const):
1363         (JSC::CodeBlock::dumpSource):
1364         (JSC::CodeBlock::CodeBlock):
1365         (JSC::CodeBlock::finishCreation):
1366         (JSC::CodeBlock::propagateTransitions):
1367         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1368         (JSC::CodeBlock::setCalleeSaveRegisters):
1369         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1370         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1371         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1372         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1373         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1374         (JSC::CodeBlock::newReplacement):
1375         (JSC::CodeBlock::replacement):
1376         (JSC::CodeBlock::computeCapabilityLevel):
1377         (JSC::CodeBlock::jettison):
1378         (JSC::CodeBlock::calleeSaveRegisters const):
1379         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1380         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1381         (JSC::CodeBlock::getArrayProfile):
1382         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1383         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1384         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1385         (JSC::CodeBlock::validate):
1386         (JSC::CodeBlock::outOfLineJumpTarget):
1387         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1388         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1389         * bytecode/CodeBlock.h:
1390         (JSC::CodeBlock::specializationKind const):
1391         (JSC::CodeBlock::isStrictMode const):
1392         (JSC::CodeBlock::isConstructor const):
1393         (JSC::CodeBlock::codeType const):
1394         (JSC::CodeBlock::isKnownNotImmediate):
1395         (JSC::CodeBlock::instructions const):
1396         (JSC::CodeBlock::ownerExecutable const):
1397         (JSC::CodeBlock::thisRegister const):
1398         (JSC::CodeBlock::source const):
1399         (JSC::CodeBlock::sourceOffset const):
1400         (JSC::CodeBlock::firstLineColumnOffset const):
1401         (JSC::CodeBlock::createRareDataIfNecessary):
1402         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1403         (JSC::CodeBlock::setThisRegister): Deleted.
1404         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1405         * bytecode/EvalCodeBlock.h:
1406         * bytecode/FunctionCodeBlock.h:
1407         * bytecode/GlobalCodeBlock.h:
1408         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1409         * bytecode/ModuleProgramCodeBlock.h:
1410         * bytecode/ProgramCodeBlock.h:
1411         * debugger/Debugger.cpp:
1412         (JSC::Debugger::toggleBreakpoint):
1413         * debugger/DebuggerCallFrame.cpp:
1414         (JSC::DebuggerCallFrame::sourceID const):
1415         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1416         * debugger/DebuggerScope.cpp:
1417         (JSC::DebuggerScope::location const):
1418         * dfg/DFGByteCodeParser.cpp:
1419         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1420         (JSC::DFG::ByteCodeParser::inliningCost):
1421         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1422         * dfg/DFGCapabilities.cpp:
1423         (JSC::DFG::isSupportedForInlining):
1424         (JSC::DFG::mightCompileEval):
1425         (JSC::DFG::mightCompileProgram):
1426         (JSC::DFG::mightCompileFunctionForCall):
1427         (JSC::DFG::mightCompileFunctionForConstruct):
1428         (JSC::DFG::canUseOSRExitFuzzing):
1429         * dfg/DFGGraph.h:
1430         (JSC::DFG::Graph::executableFor):
1431         * dfg/DFGJITCompiler.cpp:
1432         (JSC::DFG::JITCompiler::compileFunction):
1433         * dfg/DFGOSREntry.cpp:
1434         (JSC::DFG::prepareOSREntry):
1435         * dfg/DFGOSRExit.cpp:
1436         (JSC::DFG::restoreCalleeSavesFor):
1437         (JSC::DFG::saveCalleeSavesFor):
1438         (JSC::DFG::saveOrCopyCalleeSavesFor):
1439         * dfg/DFGOSRExitCompilerCommon.cpp:
1440         (JSC::DFG::handleExitCounts):
1441         * dfg/DFGOperations.cpp:
1442         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1443         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1444         * ftl/FTLCapabilities.cpp:
1445         (JSC::FTL::canCompile):
1446         * ftl/FTLLink.cpp:
1447         (JSC::FTL::link):
1448         * ftl/FTLOSRExitCompiler.cpp:
1449         (JSC::FTL::compileStub):
1450         * interpreter/CallFrame.cpp:
1451         (JSC::CallFrame::callerSourceOrigin):
1452         * interpreter/Interpreter.cpp:
1453         (JSC::eval):
1454         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1455         * interpreter/StackVisitor.cpp:
1456         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1457         (JSC::StackVisitor::Frame::sourceURL const):
1458         (JSC::StackVisitor::Frame::sourceID):
1459         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1460         * interpreter/StackVisitor.h:
1461         * jit/AssemblyHelpers.h:
1462         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1463         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1464         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1465         * jit/CallFrameShuffleData.cpp:
1466         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1467         * jit/JIT.cpp:
1468         (JSC::JIT::compileWithoutLinking):
1469         * jit/JITToDFGDeferredCompilationCallback.cpp:
1470         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1471         * jit/JITWorklist.cpp:
1472         (JSC::JITWorklist::Plan::finalize):
1473         (JSC::JITWorklist::compileNow):
1474         * jit/RegisterAtOffsetList.cpp:
1475         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1476         * jit/RegisterAtOffsetList.h:
1477         (JSC::RegisterAtOffsetList::at const):
1478         * runtime/ErrorInstance.cpp:
1479         (JSC::appendSourceToError):
1480         * runtime/ScriptExecutable.cpp:
1481         (JSC::ScriptExecutable::newCodeBlockFor):
1482         * runtime/StackFrame.cpp:
1483         (JSC::StackFrame::sourceID const):
1484         (JSC::StackFrame::sourceURL const):
1485         (JSC::StackFrame::computeLineAndColumn const):
1486
1487 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1488
1489         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1490         https://bugs.webkit.org/show_bug.cgi?id=194460
1491
1492         Reviewed by Mark Lam.
1493
1494         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1495
1496         * b3/B3LowerMacros.cpp:
1497
1498 2019-02-08  Mark Lam  <mark.lam@apple.com>
1499
1500         Use maxSingleCharacterString in comparisons instead of literal constants.
1501         https://bugs.webkit.org/show_bug.cgi?id=194452
1502
1503         Reviewed by Yusuke Suzuki.
1504
1505         This way, if we ever change maxSingleCharacterString, it won't break all this code
1506         that relies on it being 0xff implicitly.
1507
1508         * dfg/DFGSpeculativeJIT.cpp:
1509         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1510         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1511         * ftl/FTLLowerDFGToB3.cpp:
1512         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1513         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1514         * jit/ThunkGenerators.cpp:
1515         (JSC::stringGetByValGenerator):
1516         (JSC::charToString):
1517
1518 2019-02-08  Mark Lam  <mark.lam@apple.com>
1519
1520         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1521         https://bugs.webkit.org/show_bug.cgi?id=194446
1522         <rdar://problem/47926792>
1523
1524         Reviewed by Saam Barati.
1525
1526         Fix doesGC() for the following nodes:
1527
1528             CheckTierUpAtReturn:
1529                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1530                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1531
1532             CheckTierUpInLoop:
1533                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1534                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1535
1536             CheckTierUpAndOSREnter:
1537                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1538                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1539
1540             GetByVal:
1541                 case Array::String calls operationSingleCharacterString(), which calls
1542                 jsSingleCharacterString(), which can allocate a string.
1543
1544             PutByValDirect:
1545             PutByVal:
1546             PutByValAlias:
1547                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1548                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1549                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1550                 slow paths call putByValInternal(), which may create exception objects, or
1551                 call the generic JSValue::put() which may execute arbitrary code.
1552
1553             StringCharAt:
1554                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1555                 which can allocate a string.
1556
1557         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1558         to use the maxSingleCharacterString constant instead of a literal constant.
1559
1560         * dfg/DFGDoesGC.cpp:
1561         (JSC::DFG::doesGC):
1562         * dfg/DFGSpeculativeJIT.cpp:
1563         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1564         * dfg/DFGSpeculativeJIT64.cpp:
1565         (JSC::DFG::SpeculativeJIT::compile):
1566         * ftl/FTLLowerDFGToB3.cpp:
1567         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1568         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1569         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1570
1571 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1572
1573         [JSC] SourceProviderCacheItem should be small
1574         https://bugs.webkit.org/show_bug.cgi?id=194432
1575
1576         Reviewed by Saam Barati.
1577
1578         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1579         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1580         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1581
1582         * parser/Parser.cpp:
1583         (JSC::Parser<LexerType>::parseFunctionInfo):
1584         * parser/ParserModes.h:
1585         * parser/ParserTokens.h:
1586         * parser/SourceProviderCacheItem.h:
1587         (JSC::SourceProviderCacheItem::endFunctionToken const):
1588         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1589
1590 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1591
1592         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1593         https://bugs.webkit.org/show_bug.cgi?id=194420
1594
1595         Reviewed by Saam Barati.
1596
1597         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1598         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1599         This trivial patch fixes both.
1600
1601         * b3/B3ReduceStrength.cpp:
1602         * b3/testb3.cpp:
1603         (JSC::B3::testAbsNegArg):
1604
1605 2019-02-07  Keith Miller  <keith_miller@apple.com>
1606
1607         Better error messages for module loader SPI
1608         https://bugs.webkit.org/show_bug.cgi?id=194421
1609
1610         Reviewed by Saam Barati.
1611
1612         * API/JSAPIGlobalObject.mm:
1613         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1614
1615 2019-02-07  Mark Lam  <mark.lam@apple.com>
1616
1617         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1618         https://bugs.webkit.org/show_bug.cgi?id=194399
1619         <rdar://problem/47889777>
1620
1621         Reviewed by Yusuke Suzuki.
1622
1623         Fix doesGC() for the following nodes:
1624
1625             CheckTraps:
1626                 We normally will not emit this node because Options::usePollingTraps() is
1627                 false by default.  However, as it is implemented now, CheckTraps can GC
1628                 because it can allocate a TerminatedExecutionException.  If we make the
1629                 TerminatedExecutionException a singleton allocated at initialization time,
1630                 doesGC() can return false for CheckTraps.
1631                 https://bugs.webkit.org/show_bug.cgi?id=194323
1632
1633             GetMapBucket:
1634                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1635                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1636                 can resolve a rope.
1637
1638             Switch:
1639                 If switchData kind is SwitchChar, can call operationResolveRope().
1640                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1641                     can call operationSwitchString() which resolves ropes.
1642
1643             DirectTailCall:
1644             ForceOSRExit:
1645             Return:
1646             TailCallForwardVarargs:
1647             TailCallVarargs:
1648             Throw:
1649                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1650                 for them, but following our conservative practice, unless we have a good
1651                 reason for doesGC() to return false, we should just return true.
1652
1653         * dfg/DFGDoesGC.cpp:
1654         (JSC::DFG::doesGC):
1655
1656 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1657
1658         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1659         https://bugs.webkit.org/show_bug.cgi?id=194250
1660
1661         Reviewed by Saam Barati.
1662
1663         Adds the following optimizations for integers:
1664         - Sub(x, x) => 0
1665             Already covered by the test testSubArg
1666         - Sub(x1, Neg(x2)) => Add(x1, x2)
1667             Added test: testSubNeg
1668         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1669             Added test: testNegSub
1670         - Add(Neg(x1), x2) => Sub(x2, x1)
1671             Added test: testAddNeg1
1672         - Add(x1, Neg(x2)) => Sub(x1, x2)
1673             Added test: testAddNeg2
1674         Adds the following optimization for floating point values:
1675         - Abs(Neg(x)) => Abs(x)
1676             Added test: testAbsNegArg
1677             Adds the following optimization:
1678
1679         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1680
1681         * b3/B3ReduceStrength.cpp:
1682         * b3/testb3.cpp:
1683         (JSC::B3::testAddNeg1):
1684         (JSC::B3::testAddNeg2):
1685         (JSC::B3::testSubNeg):
1686         (JSC::B3::testNegSub):
1687         (JSC::B3::testAbsAbsArg):
1688         (JSC::B3::testAbsNegArg):
1689         (JSC::B3::run):
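
The peephole rules listed in this entry, together with the Abs(Neg(x)) mistake described in the 194420 entry above, as an added C++ example that is not B3's own code: a toy value tree carrying the six rewrites, plus a sample-based soundness check of the kind that would have caught rewriting Abs(Neg(x)) to x instead of Abs(x). The Op, Type and Value names, the helper functions and the use of structural equality for Sub(x, x) are assumptions of this example, not B3's API (B3 compares Value identity).

```cpp
#include <cmath>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Constructed toy model of B3ReduceStrength's peephole rules (example code, not
// B3's own Value/Procedure API; Op, Type, Value and the helpers are assumptions).
enum class Op { Arg, Const, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    Op op;
    Type type;
    double constant = 0; // Const payload (a double also holds the small integers used here)
    int argIndex = 0;    // Arg payload
    ValuePtr a, b;       // operands; unary ops use only `a`
};

ValuePtr arg(Type type, int index) {
    auto v = std::make_shared<Value>();
    v->op = Op::Arg; v->type = type; v->argIndex = index;
    return v;
}
ValuePtr constant(Type type, double c) {
    auto v = std::make_shared<Value>();
    v->op = Op::Const; v->type = type; v->constant = c;
    return v;
}
ValuePtr unary(Op op, ValuePtr a) {
    auto v = std::make_shared<Value>();
    v->op = op; v->type = a->type; v->a = std::move(a);
    return v;
}
ValuePtr binary(Op op, ValuePtr a, ValuePtr b) {
    auto v = std::make_shared<Value>();
    v->op = op; v->type = a->type; v->a = std::move(a); v->b = std::move(b);
    return v;
}

// Structural equality stands in for B3's Value identity when matching Sub(x, x).
bool structurallyEqual(const ValuePtr& x, const ValuePtr& y) {
    if (x == y) return true;
    if (x->op != y->op || x->type != y->type) return false;
    if (x->op == Op::Arg) return x->argIndex == y->argIndex;
    if (x->op == Op::Const) return x->constant == y->constant;
    bool aEq = (!x->a && !y->a) || (x->a && y->a && structurallyEqual(x->a, y->a));
    bool bEq = (!x->b && !y->b) || (x->b && y->b && structurallyEqual(x->b, y->b));
    return aEq && bEq;
}

// One rewrite at the root; returns nullptr when no rule applies.
ValuePtr reduceOnce(const ValuePtr& v) {
    bool isInteger = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        if (isInteger && structurallyEqual(v->a, v->b)) return constant(v->type, 0);     // Sub(x, x) => 0
        if (isInteger && v->b->op == Op::Neg) return binary(Op::Add, v->a, v->b->a);      // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInteger && v->a->op == Op::Sub) return binary(Op::Sub, v->a->b, v->a->a);   // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInteger && v->a->op == Op::Neg) return binary(Op::Sub, v->b, v->a->a);      // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInteger && v->b->op == Op::Neg) return binary(Op::Sub, v->a, v->b->a);      // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (!isInteger && v->a->op == Op::Neg) return unary(Op::Abs, v->a->a);            // Abs(Neg(x)) => Abs(x), floats only
        break;
    default:
        break;
    }
    return nullptr;
}

// Bottom-up reduction to a fixpoint; copies nodes so the caller's tree is untouched.
ValuePtr reduce(const ValuePtr& v) {
    ValuePtr n = std::make_shared<Value>(*v);
    if (n->a) n->a = reduce(n->a);
    if (n->b) n->b = reduce(n->b);
    while (ValuePtr r = reduceOnce(n)) n = r;
    return n;
}

// The copy-paste mistake fixed in bug 194420: Abs(Neg(x)) rewritten to x, dropping the Abs.
ValuePtr buggyAbsNegReduction(const ValuePtr& v) {
    if (v->op == Op::Abs && v->a->op == Op::Neg) return v->a->a;
    return v;
}

double evaluate(const ValuePtr& v, const std::vector<double>& args) {
    switch (v->op) {
    case Op::Arg: return args.at(v->argIndex);
    case Op::Const: return v->constant;
    case Op::Add: return evaluate(v->a, args) + evaluate(v->b, args);
    case Op::Sub: return evaluate(v->a, args) - evaluate(v->b, args);
    case Op::Neg: return -evaluate(v->a, args);
    case Op::Abs: return std::fabs(evaluate(v->a, args));
    }
    return 0;
}

// A rewrite is accepted only if before and after agree on every sample input.
bool rewriteIsSound(const ValuePtr& before, const ValuePtr& after,
                    const std::vector<std::vector<double>>& samples) {
    for (const auto& s : samples)
        if (evaluate(before, s) != evaluate(after, s)) return false;
    return true;
}

std::string dump(const ValuePtr& v) {
    switch (v->op) {
    case Op::Arg: return "Arg" + std::to_string(v->argIndex);
    case Op::Const: return "Const(" + std::to_string(static_cast<long long>(v->constant)) + ")";
    case Op::Add: return "Add(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Sub: return "Sub(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Neg: return "Neg(" + dump(v->a) + ")";
    case Op::Abs: return "Abs(" + dump(v->a) + ")";
    }
    return "?";
}

int main() {
    auto x = arg(Type::Int64, 0), y = arg(Type::Int64, 1), d = arg(Type::Double, 0);
    std::cout << dump(reduce(binary(Op::Sub, x, unary(Op::Neg, y)))) << "\n";
    auto absNeg = unary(Op::Abs, unary(Op::Neg, d));
    std::cout << "buggy rewrite sound: " << rewriteIsSound(absNeg, buggyAbsNegReduction(absNeg), {{-3.0}, {2.5}}) << "\n";
    return 0;
}
```

The integer rules are gated on the value's type and the Abs rule on it being floating point, matching the split in the entry; the sample-based check is a cheap stand-in for the testb3 cases named above and is exactly what a test looking at Abs(Abs(x)) instead of Abs(Neg(x)) would have failed to exercise.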
1690
1691 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1692
1693         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1694         https://bugs.webkit.org/show_bug.cgi?id=194374
1695
1696         Reviewed by Geoffrey Garen.
1697
1698         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1699         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1700         is more memory efficient.
1701
1702         * runtime/SmallStrings.cpp:
1703         (JSC::SmallStringsStorage::SmallStringsStorage):
1704         (JSC::SmallStrings::SmallStrings):
1705         * runtime/SmallStrings.h:
1706
1707 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1708
1709         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1710         https://bugs.webkit.org/show_bug.cgi?id=194369
1711         <rdar://problem/47813087>
1712
1713         Reviewed by Saam Barati.
1714
1715         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1716         JSEmpty if it is TDZ. This incorrectly proved type information removes necessary CheckNotEmpty in
1717         the constant folding phase.
1718
1719         * dfg/DFGAbstractInterpreterInlines.h:
1720         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1721
1722 2019-02-06  Devin Rousso  <drousso@apple.com>
1723
1724         Web Inspector: DOM: don't send the entire function string with each event listener
1725         https://bugs.webkit.org/show_bug.cgi?id=194293
1726         <rdar://problem/47822809>
1727
1728         Reviewed by Joseph Pecoraro.
1729
1730         * inspector/protocol/DOM.json:
1731
1732         * runtime/JSFunction.h:
1733         Export `calculatedDisplayName`.
1734
1735 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1736
1737         [JSC] PrivateName to PublicName hash table is wasteful
1738         https://bugs.webkit.org/show_bug.cgi?id=194277
1739
1740         Reviewed by Michael Saboff.
1741
1742         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
1743         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1744         each of which takes 16KB of memory. While "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1745         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1746
1747         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1748
1749         1. PrivateName's content should be the same as PublicName's.
1750         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1751            the public name should be easily crafted from the given PrivateName.
1752
1753         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1754         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1755
1756         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1757         WebCore.
1758
1759         * builtins/BuiltinNames.cpp:
1760         (JSC::BuiltinNames::BuiltinNames):
1761         * builtins/BuiltinNames.h:
1762         (JSC::BuiltinNames::lookUpPrivateName const):
1763         (JSC::BuiltinNames::getPublicName const):
1764         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1765         (JSC::BuiltinNames::appendExternalName):
1766         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1767         * builtins/BuiltinUtils.h:
1768         * bytecode/BytecodeDumper.cpp:
1769         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1770         * bytecompiler/NodesCodegen.cpp:
1771         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1772         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1773         * parser/Lexer.cpp:
1774         (JSC::Lexer<LChar>::parseIdentifier):
1775         (JSC::Lexer<UChar>::parseIdentifier):
1776         * parser/Parser.cpp:
1777         (JSC::Parser<LexerType>::createGeneratorParameters):
1778         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1779         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1780         (JSC::Parser<LexerType>::parseClassDeclaration):
1781         (JSC::Parser<LexerType>::parseExportDeclaration):
1782         (JSC::Parser<LexerType>::parseMemberExpression):
1783         * parser/ParserArena.h:
1784         (JSC::IdentifierArena::makeIdentifier):
1785         * runtime/CachedTypes.cpp:
1786         (JSC::CachedUniquedStringImpl::encode):
1787         (JSC::CachedUniquedStringImpl::decode const):
1788         * runtime/CommonIdentifiers.cpp:
1789         (JSC::CommonIdentifiers::CommonIdentifiers):
1790         (JSC::CommonIdentifiers::lookUpPrivateName const):
1791         (JSC::CommonIdentifiers::getPublicName const):
1792         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1793         * runtime/CommonIdentifiers.h:
1794         * runtime/ExceptionHelpers.cpp:
1795         (JSC::createUndefinedVariableError):
1796         * runtime/Identifier.cpp:
1797         (JSC::Identifier::dump const):
1798         * runtime/Identifier.h:
1799         * runtime/IdentifierInlines.h:
1800         (JSC::Identifier::fromUid):
1801         * runtime/JSTypedArrayViewPrototype.cpp:
1802         (JSC::JSTypedArrayViewPrototype::finishCreation):
1803         * tools/JSDollarVM.cpp:
1804         (JSC::functionGetPrivateProperty):
1805
1806 2019-02-06  Keith Rollin  <krollin@apple.com>
1807
1808         Really enable the automatic checking and regenerations of .xcfilelists during builds
1809         https://bugs.webkit.org/show_bug.cgi?id=194357
1810         <rdar://problem/47861231>
1811
1812         Reviewed by Chris Dumez.
1813
1814         Bug 194124 was supposed to enable the automatic checking and
1815         regenerating of .xcfilelist files during the build. While related
1816         changes were included in that patch, the change to actually enable the
1817         operation somehow was omitted. This patch actually enables the
1818         operation. The check-xcfilelist.sh scripts now check
1819         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1820         of the checking.
1821
1822         * Scripts/check-xcfilelists.sh:
1823
1824 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1825
1826         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1827         https://bugs.webkit.org/show_bug.cgi?id=194339
1828
1829         Reviewed by Michael Saboff.
1830
1831         DirectEvalExecutable and IndirectEvalExecutable have completely the same memory layout.
1832         They even have the same structure. This patch unifies the subspaces for them.
1833
1834         * runtime/DirectEvalExecutable.h:
1835         * runtime/EvalExecutable.h:
1836         (JSC::EvalExecutable::subspaceFor):
1837         * runtime/IndirectEvalExecutable.h:
1838         * runtime/VM.cpp:
1839         * runtime/VM.h:
1840         (JSC::VM::forEachScriptExecutableSpace):
1841
1842 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1843
1844         [JSC] NativeExecutable should be smaller
1845         https://bugs.webkit.org/show_bug.cgi?id=194331
1846
1847         Reviewed by Michael Saboff.
1848
1849         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1850         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1851         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1852         only takes one MarkedBlock for NativeExecutable.
1853
1854         To make NativeExecutable smaller,
1855
1856         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1857            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1858
1859         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1860            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1861            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1862
1863         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things, we can leverage this to put
1864            Intrinsic for NativeExecutable.
1865
1866         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1867
1868         * CMakeLists.txt:
1869         * JavaScriptCore.xcodeproj/project.pbxproj:
1870         * bytecode/CallVariant.h:
1871         * interpreter/Interpreter.cpp:
1872         * jit/JITCode.cpp:
1873         (JSC::DirectJITCode::DirectJITCode):
1874         (JSC::NativeJITCode::NativeJITCode):
1875         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1876         * jit/JITCode.h:
1877         (JSC::JITCode::signature const):
1878         (JSC::JITCode::intrinsic):
1879         * jit/JITOperations.cpp:
1880         * jit/JITThunks.cpp:
1881         (JSC::JITThunks::hostFunctionStub):
1882         * jit/Repatch.cpp:
1883         * llint/LLIntSlowPaths.cpp:
1884         * runtime/ExecutableBase.cpp:
1885         (JSC::ExecutableBase::dump const):
1886         (JSC::ExecutableBase::hashFor const):
1887         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1888         (JSC::ExecutableBase::clearCode): Deleted.
1889         * runtime/ExecutableBase.h:
1890         (JSC::ExecutableBase::ExecutableBase):
1891         (JSC::ExecutableBase::isModuleProgramExecutable):
1892         (JSC::ExecutableBase::isHostFunction const):
1893         (JSC::ExecutableBase::generatedJITCodeForCall const):
1894         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1895         (JSC::ExecutableBase::generatedJITCodeFor const):
1896         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1897         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1898         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1899         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1900         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1901         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1902         (JSC::ExecutableBase::intrinsic const): Deleted.
1903         * runtime/ExecutableBaseInlines.h: Added.
1904         (JSC::ExecutableBase::intrinsic const):
1905         (JSC::ExecutableBase::hasJITCodeForCall const):
1906         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1907         * runtime/JSBoundFunction.cpp:
1908         * runtime/JSType.cpp:
1909         (WTF::printInternal):
1910         * runtime/JSType.h:
1911         * runtime/NativeExecutable.cpp:
1912         (JSC::NativeExecutable::create):
1913         (JSC::NativeExecutable::createStructure):
1914         (JSC::NativeExecutable::NativeExecutable):
1915         (JSC::NativeExecutable::signatureFor const):
1916         (JSC::NativeExecutable::intrinsic const):
1917         * runtime/NativeExecutable.h:
1918         * runtime/ScriptExecutable.cpp:
1919         (JSC::ScriptExecutable::ScriptExecutable):
1920         (JSC::ScriptExecutable::clearCode):
1921         (JSC::ScriptExecutable::installCode):
1922         (JSC::ScriptExecutable::hasClearableCode const):
1923         * runtime/ScriptExecutable.h:
1924         (JSC::ScriptExecutable::intrinsic const):
1925         (JSC::ScriptExecutable::hasJITCodeForCall const):
1926         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1927         * runtime/VM.cpp:
1928         (JSC::VM::getHostFunction):
1929
1930 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1931
1932         Build failure after r240431
1933         https://bugs.webkit.org/show_bug.cgi?id=194330
1934
1935         Reviewed by Žan Doberšek.
1936
1937         * API/glib/JSCOptions.cpp:
1938
1939 2019-02-05  Mark Lam  <mark.lam@apple.com>
1940
1941         Fix DFG's doesGC() for a few more nodes.
1942         https://bugs.webkit.org/show_bug.cgi?id=194307
1943         <rdar://problem/47832956>
1944
1945         Reviewed by Yusuke Suzuki.
1946
1947         Fix doesGC() for the following nodes:
1948
1949             NumberToStringWithValidRadixConstant:
1950                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1951                 which can allocate a string.
1952                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1953                 which can allocate a string.
1954                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1955                 which can allocate a string.
1956
1957             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1958                 memory for all kinds of objects.
1959             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1960                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1961                 these allocate memory for the match result.
1962             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1963                 calls RegExpObject's collectMatches(), which allocates an array amongst
1964                 other objects.
1965
1966             StringFromCharCode:
1967                 If the uint32 code to convert is greater than maxSingleCharacterString,
1968                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1969                 which allocates a new string if the code is greater than maxSingleCharacterString.
1970
1971         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1972         to use maxSingleCharacterString instead of a literal constant.
1973
1974         * dfg/DFGDoesGC.cpp:
1975         (JSC::DFG::doesGC):
1976         * dfg/DFGSpeculativeJIT.cpp:
1977         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1978         * ftl/FTLLowerDFGToB3.cpp:
1979         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1980
1981 2019-02-05  Keith Rollin  <krollin@apple.com>
1982
1983         Enable the automatic checking and regenerations of .xcfilelists during builds
1984         https://bugs.webkit.org/show_bug.cgi?id=194124
1985         <rdar://problem/47721277>
1986
1987         Reviewed by Tim Horton.
1988
1989         Bug 193790 added a facility for checking -- during build time -- that
1990         any needed .xcfilelist files are up-to-date and for updating them if
1991         they are not. This facility was initially opt-in by setting
1992         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1993         the process seemed robust. It's now time to enable this facility and
1994         make it opt-out. If there is a need to disable this facility, set and
1995         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1996         running `make` or `build-webkit`, or before running Xcode from the
1997         command line.
1998
1999         Additionally, remove the step that generates a list of source files
2000         going into the UnifiedSources build step. It's only necessary to
2001         specify Sources.txt and SourcesCocoa.txt as inputs.
2002
2003         * JavaScriptCore.xcodeproj/project.pbxproj:
2004         * UnifiedSources-input.xcfilelist: Removed.
2005
2006 2019-02-05  Keith Rollin  <krollin@apple.com>
2007
2008         Update .xcfilelist files
2009         https://bugs.webkit.org/show_bug.cgi?id=194121
2010         <rdar://problem/47720863>
2011
2012         Reviewed by Tim Horton.
2013
2014         Preparatory to enabling the facility for automatically updating the
2015         .xcfilelist files, check in a freshly-updated set so that not everyone
2016         runs up against having to regenerate them themselves.
2017
2018         * DerivedSources-input.xcfilelist:
2019         * DerivedSources-output.xcfilelist:
2020
2021 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
2022
2023         [INTL] improve efficiency of Intl.NumberFormat formatToParts
2024         https://bugs.webkit.org/show_bug.cgi?id=185557
2025
2026         Reviewed by Mark Lam.
2027
2028         Since field nesting depth is minimal, this algorithm should be effectively O(n),
2029         where n is the number of characters in the formatted string.
2030         It may be less memory efficient than the previous impl, since the intermediate Vector
2031         is the length of the string, instead of the count of the fields.
2032
2033         * runtime/IntlNumberFormat.cpp:
2034         (JSC::IntlNumberFormat::formatToParts):
2035         * runtime/IntlNumberFormat.h:
2036
2037 2019-02-05  Mark Lam  <mark.lam@apple.com>
2038
2039         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
2040         https://bugs.webkit.org/show_bug.cgi?id=194298
2041         <rdar://problem/47827555>
2042
2043         Reviewed by Saam Barati.
2044
2045         We do this for 3 reasons:
2046         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2047         2. If things change in the future where clobberize() no longer reports these nodes
2048            as write(Heap), each node should be vetted first to make sure that it can never
2049            GC before being moved back to the doesGC() list that returns false.
2050         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2051            correct in its claims about the nodes' GCing possibility.
2052
2053         The list of nodes moved are:
2054
2055             ArrayPush
2056             ArrayPop
2057             Call
2058             CallEval
2059             CallForwardVarargs
2060             CallVarargs
2061             Construct
2062             ConstructForwardVarargs
2063             ConstructVarargs
2064             DefineDataProperty
2065             DefineAccessorProperty
2066             DeleteById
2067             DeleteByVal
2068             DirectCall
2069             DirectConstruct
2070             DirectTailCallInlinedCaller
2071             GetById
2072             GetByIdDirect
2073             GetByIdDirectFlush
2074             GetByIdFlush
2075             GetByIdWithThis
2076             GetByValWithThis
2077             GetDirectPname
2078             GetDynamicVar
2079             HasGenericProperty
2080             HasOwnProperty
2081             HasStructureProperty
2082             InById
2083             InByVal
2084             InstanceOf
2085             InstanceOfCustom
2086             LoadVarargs
2087             NumberToStringWithRadix
2088             PutById
2089             PutByIdDirect
2090             PutByIdFlush
2091             PutByIdWithThis
2092             PutByOffset
2093             PutByValWithThis
2094             PutDynamicVar
2095             PutGetterById
2096             PutGetterByVal
2097             PutGetterSetterById
2098             PutSetterById
2099             PutSetterByVal
2100             PutStack
2101             PutToArguments
2102             RegExpExec
2103             RegExpTest
2104             ResolveScope
2105             ResolveScopeForHoistingFuncDeclInEval
2106             TailCall
2107             TailCallForwardVarargsInlinedCaller
2108             TailCallInlinedCaller
2109             TailCallVarargsInlinedCaller
2110             ToNumber
2111             ToPrimitive
2112             ValueNegate
2113
2114         * dfg/DFGDoesGC.cpp:
2115         (JSC::DFG::doesGC):
2116
2117 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2118
2119         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2120         https://bugs.webkit.org/show_bug.cgi?id=194281
2121
2122         Reviewed by Michael Saboff.
2123
2124         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2125         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2126
2127         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2128         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2129         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, so we leave them as future work.
2130
2131         * bytecode/CodeBlock.cpp:
2132         (JSC::CodeBlock::finishCreation):
2133         * bytecode/CodeBlock.h:
2134         (JSC::CodeBlock::bitVectors const): Deleted.
2135         * bytecode/CodeType.h:
2136         * bytecode/UnlinkedCodeBlock.cpp:
2137         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2138         (JSC::UnlinkedCodeBlock::shrinkToFit):
2139         * bytecode/UnlinkedCodeBlock.h:
2140         (JSC::UnlinkedCodeBlock::bitVector):
2141         (JSC::UnlinkedCodeBlock::addBitVector):
2142         (JSC::UnlinkedCodeBlock::addSetConstant):
2143         (JSC::UnlinkedCodeBlock::constantRegisters):
2144         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2145         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2146         (JSC::UnlinkedCodeBlock::codeType const):
2147         (JSC::UnlinkedCodeBlock::didOptimize const):
2148         (JSC::UnlinkedCodeBlock::setDidOptimize):
2149         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2150         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2151         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2152         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2153         * bytecompiler/BytecodeGenerator.cpp:
2154         (JSC::BytecodeGenerator::emitLoad):
2155         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2156         * bytecompiler/BytecodeGenerator.h:
2157         * runtime/CachedTypes.cpp:
2158         (JSC::CachedCodeBlockRareData::encode):
2159         (JSC::CachedCodeBlockRareData::decode const):
2160         (JSC::CachedCodeBlock::scopeRegister const):
2161         (JSC::CachedCodeBlock::codeType const):
2162         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2163         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2164         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2165         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2166
2167 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2168
2169         Unreviewed, add missing exception checks after r240637
2170         https://bugs.webkit.org/show_bug.cgi?id=193546
2171
2172         * tools/JSDollarVM.cpp:
2173         (JSC::functionShadowChickenFunctionsOnStack):
2174
2175 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2176
2177         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2178         https://bugs.webkit.org/show_bug.cgi?id=193993
2179
2180         Reviewed by Keith Miller.
2181
2182         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large,
2183         and some of them are rarely used. We should allocate them lazily.
2184
2185         In this patch, we make some `IsoSubspace`s into `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2186         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
2187         And we also add the subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2188         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2189         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2190         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2191         by using WTF::storeStoreFence when lazily allocating it.
2192
2193         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2194         existence of the space before touching it. This is not racy because the main thread is stopped when
2195         the constraint solving is working.
2196
2197         This changes sizeof(VM) from 64736 to 56472.
2198
2199         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2200         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2201         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2202         dynamically created, since the pre-allocation requirement poses a scalability problem
2203         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2204         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2205         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2206
2207         * API/JSCallbackFunction.h:
2208         * API/ObjCCallbackFunction.h:
2209         (JSC::ObjCCallbackFunction::subspaceFor):
2210         * API/glib/JSCCallbackFunction.h:
2211         * CMakeLists.txt:
2212         * JavaScriptCore.xcodeproj/project.pbxproj:
2213         * bytecode/CodeBlock.cpp:
2214         (JSC::CodeBlock::visitChildren):
2215         (JSC::CodeBlock::finalizeUnconditionally):
2216         * bytecode/CodeBlock.h:
2217         * bytecode/EvalCodeBlock.h:
2218         * bytecode/ExecutableToCodeBlockEdge.h:
2219         * bytecode/FunctionCodeBlock.h:
2220         * bytecode/ModuleProgramCodeBlock.h:
2221         * bytecode/ProgramCodeBlock.h:
2222         * bytecode/UnlinkedFunctionExecutable.cpp:
2223         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2224         * bytecode/UnlinkedFunctionExecutable.h:
2225         * dfg/DFGSpeculativeJIT.cpp:
2226         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2227         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2228         (JSC::DFG::SpeculativeJIT::compileNewObject):
2229         * ftl/FTLLowerDFGToB3.cpp:
2230         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2231         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2232         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2233         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2234         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2235         * heap/Heap.cpp:
2236         (JSC::Heap::finalizeUnconditionalFinalizers):
2237         (JSC::Heap::deleteAllCodeBlocks):
2238         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2239         (JSC::Heap::addCoreConstraints):
2240         * heap/Subspace.cpp:
2241         (JSC::Subspace::initialize):
2242         * jit/AssemblyHelpers.h:
2243         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2244         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2245         * jit/JITOpcodes.cpp:
2246         (JSC::JIT::emit_op_new_object):
2247         * jit/JITOpcodes32_64.cpp:
2248         (JSC::JIT::emit_op_new_object):
2249         * runtime/DirectArguments.h:
2250         * runtime/DirectEvalExecutable.h:
2251         * runtime/ErrorInstance.h:
2252         (JSC::ErrorInstance::subspaceFor):
2253         * runtime/ExecutableBase.h:
2254         * runtime/FunctionExecutable.h:
2255         * runtime/IndirectEvalExecutable.h:
2256         * runtime/InferredValue.cpp:
2257         (JSC::InferredValue::visitChildren):
2258         * runtime/InferredValue.h:
2259         * runtime/InferredValueInlines.h:
2260         (JSC::InferredValue::finalizeUnconditionally):
2261         * runtime/InternalFunction.h:
2262         * runtime/JSAsyncFunction.h:
2263         * runtime/JSAsyncGeneratorFunction.h:
2264         * runtime/JSBoundFunction.h:
2265         * runtime/JSCell.h:
2266         (JSC::subspaceFor):
2267         (JSC::subspaceForConcurrently):
2268         * runtime/JSCellInlines.h:
2269         (JSC::allocatorForNonVirtualConcurrently):
2270         * runtime/JSCustomGetterSetterFunction.h:
2271         * runtime/JSDestructibleObject.h:
2272         * runtime/JSFunction.h:
2273         * runtime/JSGeneratorFunction.h:
2274         * runtime/JSImmutableButterfly.h:
2275         * runtime/JSLexicalEnvironment.h:
2276         (JSC::JSLexicalEnvironment::subspaceFor):
2277         * runtime/JSNativeStdFunction.h:
2278         * runtime/JSSegmentedVariableObject.h:
2279         * runtime/JSString.h:
2280         * runtime/ModuleProgramExecutable.h:
2281         * runtime/NativeExecutable.h:
2282         * runtime/ProgramExecutable.h:
2283         * runtime/PropertyMapHashTable.h:
2284         * runtime/ProxyRevoke.h:
2285         * runtime/ScopedArguments.h:
2286         * runtime/ScriptExecutable.cpp:
2287         (JSC::ScriptExecutable::clearCode):
2288         (JSC::ScriptExecutable::installCode):
2289         * runtime/Structure.h:
2290         * runtime/StructureRareData.h:
2291         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2292         * runtime/VM.cpp:
2293         (JSC::VM::VM):
2294         * runtime/VM.h:
2295         (JSC::VM::SpaceAndSet::SpaceAndSet):
2296         (JSC::VM::SpaceAndSet::setFor):
2297         (JSC::VM::forEachScriptExecutableSpace):
2298         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2299         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2300         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2301         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2302         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2303         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2304         * runtime/WeakMapImpl.h:
2305         (JSC::WeakMapImpl::subspaceFor):
2306         * wasm/js/JSWebAssemblyCodeBlock.h:
2307         * wasm/js/JSWebAssemblyMemory.h:
2308         * wasm/js/WebAssemblyFunction.h:
2309         * wasm/js/WebAssemblyWrapperFunction.h:
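
        The publish-after-initialize pattern this entry describes (create the space on the owning thread,
        publish it with a store-store barrier, and let concurrent readers treat "not created yet" as a
        legitimate answer), as an added illustration that is not code from this patch or from JSC. The
        FakeSubspace / LazySubspace names are stand-ins invented for the example; std::atomic with
        release/acquire ordering stands in for WTF::storeStoreFence, and creation is assumed to happen on
        the owning thread only, as the entry states for the main thread.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for an IsoSubspace: a large per-type allocator that
// most VMs never need. The names here are illustrative, not JSC's.
struct FakeSubspace {
    std::size_t cellSize;
    std::vector<void*> blocks;  // stand-in for the real block list
    explicit FakeSubspace(std::size_t size) : cellSize(size) {}
};

// Lazily-created holder. Creation happens only on the owning (mutator)
// thread, mirroring the ChangeLog's main-thread constraint; concurrent
// JIT threads may only observe it and must tolerate "not created yet".
class LazySubspace {
public:
    // Owning-thread only. Construct the object fully, then publish the
    // pointer with a release store (the role WTF::storeStoreFence plays in
    // the patch) so that a reader who sees the pointer also sees the fields.
    FakeSubspace& ensure(std::size_t cellSize) {
        if (FakeSubspace* existing = m_published.load(std::memory_order_acquire))
            return *existing;
        m_storage = std::make_unique<FakeSubspace>(cellSize);
        m_published.store(m_storage.get(), std::memory_order_release);
        return *m_storage;
    }

    // Safe from any thread: nullptr means "not allocated yet", and callers
    // must handle that instead of assuming the space exists.
    FakeSubspace* getConcurrently() const {
        return m_published.load(std::memory_order_acquire);
    }

private:
    std::unique_ptr<FakeSubspace> m_storage;
    std::atomic<FakeSubspace*> m_published { nullptr };
};

enum class AllocPath { Fast, Slow };

// What a concurrent JIT tier does with the nullable answer: emit the slow
// path rather than dereferencing a pointer that may not exist yet.
AllocPath chooseAllocationPath(const LazySubspace& lazy) {
    const FakeSubspace* space = lazy.getConcurrently();
    if (!space)
        return AllocPath::Slow;
    return AllocPath::Fast;
}

// Owning-thread sequence: the first use creates the space, later uses reuse it.
std::size_t ensureAndReadCellSize(LazySubspace& lazy, std::size_t cellSize) {
    return lazy.ensure(cellSize).cellSize;
}
```

        The point a reviewer checks here is the pairing: every field of the object is written before the
        release store, and the concurrent side only ever reads through the acquire load, so a reader can
        see either nullptr or a fully-initialized object, never a half-built one.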
2310
2311 2019-02-04  Keith Miller  <keith_miller@apple.com>
2312
2313         Change llint operand macros to inline functions
2314         https://bugs.webkit.org/show_bug.cgi?id=194248
2315
2316         Reviewed by Mark Lam.
2317
2318         * llint/LLIntSlowPaths.cpp:
2319         (JSC::LLInt::getNonConstantOperand):
2320         (JSC::LLInt::getOperand):
2321         (JSC::LLInt::llint_trace_value):
2322         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2323         (JSC::LLInt::getByVal):
2324         (JSC::LLInt::genericCall):
2325         (JSC::LLInt::varargsSetup):
2326         (JSC::LLInt::commonCallEval):
2327
2328 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2329
2330         when lowering AssertNotEmpty, create the value before creating the patchpoint
2331         https://bugs.webkit.org/show_bug.cgi?id=194231
2332
2333         Reviewed by Saam Barati.
2334
2335         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2336         AssertNotEmpty was generating some such IR, it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2337
2338         * ftl/FTLLowerDFGToB3.cpp:
2339         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2340
2341 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2342
2343         [JSC] ExecutableToCodeBlockEdge should be smaller
2344         https://bugs.webkit.org/show_bug.cgi?id=194244
2345
2346         Reviewed by Michael Saboff.
2347
2348         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2349         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2350         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2351         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2352
2353         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2354         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2355         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2356
2357         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2358         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2359         does not touch it if it is called in non-main threads).
2360
2361         * bytecode/ExecutableToCodeBlockEdge.cpp:
2362         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2363         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2364         (JSC::ExecutableToCodeBlockEdge::activate):
2365         (JSC::ExecutableToCodeBlockEdge::deactivate):
2366         (JSC::ExecutableToCodeBlockEdge::isActive const):
2367         * bytecode/ExecutableToCodeBlockEdge.h:
2368         * runtime/JSCell.h:
2369         * runtime/JSCellInlines.h:
2370         (JSC::JSCell::perCellBit const):
2371         (JSC::JSCell::setPerCellBit):
2372         (JSC::JSCell::mayBePrototype const): Deleted.
2373         (JSC::JSCell::didBecomePrototype): Deleted.
2374         * runtime/JSObject.cpp:
2375         (JSC::JSObject::setPrototypeDirect):
2376         * runtime/JSObject.h:
2377         * runtime/JSObjectInlines.h:
2378         (JSC::JSObject::mayBePrototype const):
2379         (JSC::JSObject::didBecomePrototype):
2380         * runtime/JSTypeInfo.h:
2381         (JSC::TypeInfo::perCellBit):
2382         (JSC::TypeInfo::mergeInlineTypeFlags):
2383         (JSC::TypeInfo::mayBePrototype): Deleted.
2384
2385 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2386
2387         [JSC] Shrink size of FunctionExecutable
2388         https://bugs.webkit.org/show_bug.cgi?id=194191
2389
2390         Reviewed by Michael Saboff.
2391
2392         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2393         improves the allocation efficiency.
2394
2395         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2396            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2397
2398         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2399            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2400            the size of FunctionExecutable in the common case.
2401
2402         This patch changes the size of FunctionExecutable from 176 to 144.
2403
2404         * bytecode/CodeBlock.cpp:
2405         (JSC::CodeBlock::dumpSource):
2406         (JSC::CodeBlock::finishCreation):
2407         * dfg/DFGNode.h:
2408         (JSC::DFG::Node::OpInfoWrapper::as const):
2409         * interpreter/StackVisitor.cpp:
2410         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2411         * runtime/ExecutableBase.h:
2412         * runtime/FunctionExecutable.cpp:
2413         (JSC::FunctionExecutable::FunctionExecutable):
2414         (JSC::FunctionExecutable::ensureRareDataSlow):
2415         * runtime/FunctionExecutable.h:
2416         * runtime/Intrinsic.h:
2417         * runtime/ModuleProgramExecutable.cpp:
2418         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2419         * runtime/ProgramExecutable.cpp:
2420         (JSC::ProgramExecutable::ProgramExecutable):
2421         * runtime/ScriptExecutable.cpp:
2422         (JSC::ScriptExecutable::ScriptExecutable):
2423         (JSC::ScriptExecutable::overrideLineNumber const):
2424         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2425         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2426         * runtime/ScriptExecutable.h:
2427         (JSC::ScriptExecutable::firstLine const):
2428         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2429         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2430         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2431         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2432         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2433         * runtime/StackFrame.cpp:
2434         (JSC::StackFrame::computeLineAndColumn const):
2435         * tools/JSDollarVM.cpp:
2436         (JSC::functionReturnTypeFor):
2437
2438 2019-02-04  Mark Lam  <mark.lam@apple.com>
2439
2440         DFG's doesGC() is incorrect about the SameValue node's behavior.
2441         https://bugs.webkit.org/show_bug.cgi?id=194211
2442         <rdar://problem/47608913>
2443
2444         Reviewed by Saam Barati.
2445
2446         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2447         it calls operationSameValue() which may allocate memory for resolving ropes.
2448
2449         * dfg/DFGDoesGC.cpp:
2450         (JSC::DFG::doesGC):
2451
2452 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2453
2454         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2455         https://bugs.webkit.org/show_bug.cgi?id=194031
2456
2457         Reviewed by Saam Barati.
2458
2459         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2460         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2461         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2462         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2463
2464         To make the above assumption valid, we make UnlinkedMetadataTable RefCounted object, and make MetadataTable hold the strong ref to UnlinkedMetadataTable.
2465         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2466
2467         * bytecode/MetadataTable.cpp:
2468         (JSC::MetadataTable::MetadataTable):
2469         (JSC::MetadataTable::~MetadataTable):
2470         * bytecode/UnlinkedCodeBlock.cpp:
2471         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2472         (JSC::UnlinkedCodeBlock::visitChildren):
2473         (JSC::UnlinkedCodeBlock::estimatedSize):
2474         (JSC::UnlinkedCodeBlock::setInstructions):
2475         * bytecode/UnlinkedCodeBlock.h:
2476         (JSC::UnlinkedCodeBlock::metadata):
2477         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2478         * bytecode/UnlinkedMetadataTable.h:
2479         (JSC::UnlinkedMetadataTable::create):
2480         * bytecode/UnlinkedMetadataTableInlines.h:
2481         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2482         * runtime/CachedTypes.cpp:
2483         (JSC::CachedMetadataTable::decode const):
2484         (JSC::CachedCodeBlock::metadata const):
2485         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2486         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2487         (JSC::CachedCodeBlock<CodeBlockType>::encode):
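
        The lifetime hazard this entry fixes, and the ownership change that closes it, as an added
        illustration that is not code from this patch or from JSC. UnlinkedTable, LinkedTableBorrowing
        and LinkedTableOwning are stand-in names invented for the example; std::shared_ptr plays the role
        of the RefCounted / strong-ref relationship the entry adds, and the two sweep functions simulate a
        sweeper that frees the unlinked side before the linked side, which the entry says can happen.

```cpp
#include <memory>
#include <string>
#include <vector>

// Illustrative stand-ins for UnlinkedMetadataTable / MetadataTable, not
// JSC's classes. Each destructor appends its name to a log so the order of
// destruction can be checked.
using DestructionLog = std::vector<std::string>;

struct UnlinkedTable {
    DestructionLog& log;
    std::vector<int> offsets { 4, 8, 12 };  // stand-in for per-opcode metadata offsets
    explicit UnlinkedTable(DestructionLog& l) : log(l) {}
    ~UnlinkedTable() { log.push_back("UnlinkedTable"); }
};

// Before the fix: the linked table merely borrows the unlinked one. Nothing
// stops the sweeper from freeing the UnlinkedTable first, after which the
// raw pointer dangles and any use of it in the destructor is a use-after-free.
struct LinkedTableBorrowing {
    DestructionLog& log;
    UnlinkedTable* unlinked;  // non-owning; may already be freed
    LinkedTableBorrowing(DestructionLog& l, UnlinkedTable* u) : log(l), unlinked(u) {}
    ~LinkedTableBorrowing() {
        // Deliberately does not touch `unlinked`: doing so would read freed memory.
        log.push_back("LinkedTable");
    }
};

// After the fix: the linked table holds a strong reference (shared_ptr here,
// RefPtr in WebKit), so the unlinked table cannot die before it.
struct LinkedTableOwning {
    DestructionLog& log;
    std::shared_ptr<UnlinkedTable> unlinked;
    LinkedTableOwning(DestructionLog& l, std::shared_ptr<UnlinkedTable> u)
        : log(l), unlinked(std::move(u)) {}
    ~LinkedTableOwning() {
        // Safe: the strong ref guarantees the unlinked table is still alive here.
        log.push_back("LinkedTable(" + std::to_string(unlinked->offsets.size()) + ")");
    }
};

// Simulates a sweep that, with no ordering guarantee, happens to free the
// unlinked side before the linked side.
DestructionLog sweepBorrowing() {
    DestructionLog log;
    auto unlinked = std::make_unique<UnlinkedTable>(log);
    auto linked = std::make_unique<LinkedTableBorrowing>(log, unlinked.get());
    unlinked.reset();  // unlinked side swept first; linked->unlinked now dangles
    linked.reset();
    return log;
}

DestructionLog sweepOwning() {
    DestructionLog log;
    auto unlinked = std::make_shared<UnlinkedTable>(log);
    auto linked = std::make_unique<LinkedTableOwning>(log, unlinked);
    unlinked.reset();  // the owner's ref is dropped first, but the table survives
    linked.reset();    // releases the last ref; UnlinkedTable dies afterwards
    return log;
}
```

        With the borrowing layout the log reads UnlinkedTable then LinkedTable, which is exactly the window in
        which a destructor that dereferenced the pointer would read freed memory; with the owning layout the
        linked table always finishes first, whatever order the sweeper drops its references in.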
2488
2489 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2490
2491         [JSC] Decouple JIT related data from CodeBlock
2492         https://bugs.webkit.org/show_bug.cgi?id=194187
2493
2494         Reviewed by Saam Barati.
2495
2496         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2497         We have three types of data in CodeBlock.
2498
2499         1. The data which is always used. CodeBlock needs to hold it.
2500         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2501         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2502
2503         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2504         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2505         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2506         in both non-JIT and *JIT* modes.
2507
2508         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2509         by the lock of CodeBlock.
2510
2511         The size of CodeBlock is reduced from 512 to 352.
2512
2513         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2514
2515             Footprint geomean: 36696503 (34.997 MB)
2516             Peak Footprint geomean: 38595988 (36.808 MB)
2517             Score: 37634263 (35.891 MB)
2518
2519             Footprint geomean: 37172768 (35.451 MB)
2520             Peak Footprint geomean: 38978288 (37.173 MB)
2521             Score: 38064824 (36.301 MB)
2522
2523         * bytecode/CodeBlock.cpp:
2524         (JSC::CodeBlock::~CodeBlock):
2525         (JSC::CodeBlock::propagateTransitions):
2526         (JSC::CodeBlock::ensureJITDataSlow):
2527         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2528         (JSC::CodeBlock::getICStatusMap):
2529         (JSC::CodeBlock::addStubInfo):
2530         (JSC::CodeBlock::addJITAddIC):
2531         (JSC::CodeBlock::addJITMulIC):
2532         (JSC::CodeBlock::addJITSubIC):
2533         (JSC::CodeBlock::addJITNegIC):
2534         (JSC::CodeBlock::findStubInfo):
2535         (JSC::CodeBlock::addByValInfo):
2536         (JSC::CodeBlock::addCallLinkInfo):
2537         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2538         (JSC::CodeBlock::addRareCaseProfile):
2539         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2540         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2541         (JSC::CodeBlock::resetJITData):
2542         (JSC::CodeBlock::stronglyVisitStrongReferences):
2543         (JSC::CodeBlock::shrinkToFit):
2544         (JSC::CodeBlock::linkIncomingCall):
2545         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2546         (JSC::CodeBlock::unlinkIncomingCalls):
2547         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2548         (JSC::CodeBlock::dumpValueProfiles):
2549         (JSC::CodeBlock::setPCToCodeOriginMap):
2550         (JSC::CodeBlock::findPC):
2551         (JSC::CodeBlock::dumpMathICStats):
2552         * bytecode/CodeBlock.h:
2553         (JSC::CodeBlock::ensureJITData):
2554         (JSC::CodeBlock::setJITCodeMap):
2555         (JSC::CodeBlock::jitCodeMap):
2556         (JSC::CodeBlock::likelyToTakeSlowCase):
2557         (JSC::CodeBlock::couldTakeSlowCase):
2558         (JSC::CodeBlock::lazyOperandValueProfiles):
2559         (JSC::CodeBlock::stubInfoBegin): Deleted.
2560         (JSC::CodeBlock::stubInfoEnd): Deleted.
2561         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2562         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2563         (JSC::CodeBlock::jitCodeMap const): Deleted.
2564         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2565         * bytecode/MethodOfGettingAValueProfile.cpp:
2566         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2567         (JSC::MethodOfGettingAValueProfile::reportValue):
2568         * dfg/DFGByteCodeParser.cpp:
2569         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2570         * jit/JIT.h:
2571         * jit/JITOperations.cpp:
2572         (JSC::tryGetByValOptimize):
2573         * jit/JITPropertyAccess.cpp:
2574         (JSC::JIT::privateCompileGetByVal):
2575         (JSC::JIT::privateCompilePutByVal):
2576
2577 2018-12-16  Darin Adler  <darin@apple.com>
2578
2579         Convert additional String::format clients to alternative approaches
2580         https://bugs.webkit.org/show_bug.cgi?id=192746
2581
2582         Reviewed by Alexey Proskuryakov.
2583
2584         * inspector/agents/InspectorConsoleAgent.cpp:
2585         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2586         and FormattedNumber::fixedWidth.
2587
2588 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2589
2590         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2591         https://bugs.webkit.org/show_bug.cgi?id=194177
2592
2593         Reviewed by Saam Barati.
2594
2595         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2596         We can share the IsoSubspace for JSFunction.
2597
2598         * runtime/JSAsyncFunction.h:
2599         * runtime/JSAsyncGeneratorFunction.h:
2600         * runtime/JSGeneratorFunction.h:
2601         * runtime/VM.cpp:
2602         (JSC::VM::VM):
2603         * runtime/VM.h:
2604
2605 2019-02-01  Mark Lam  <mark.lam@apple.com>
2606
2607         Remove invalid assertion in DFG's compileDoubleRep().
2608         https://bugs.webkit.org/show_bug.cgi?id=194130
2609         <rdar://problem/47699474>
2610
2611         Reviewed by Saam Barati.
2612
2613         * dfg/DFGSpeculativeJIT.cpp:
2614         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2615
2616 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2617
2618         [JSC] Unify CodeBlock IsoSubspaces
2619         https://bugs.webkit.org/show_bug.cgi?id=194167
2620
2621         Reviewed by Saam Barati.
2622
2623         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2624         But this is not necessary since,
2625
2626         1. They do not override the classInfo methods.
2627         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2628
2629         Creating an IsoSubspace for each subclass is costly in terms of memory. Especially the IsoSubspace for
2630         ProgramCodeBlock: we typically create only one ProgramCodeBlock, and it means the rest of the
2631         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2632
2633         This patch unifies these IsoSubspaces into one.
2634
2635         * bytecode/CodeBlock.cpp:
2636         (JSC::CodeBlock::destroy):
2637         * bytecode/CodeBlock.h:
2638         * bytecode/EvalCodeBlock.cpp:
2639         (JSC::EvalCodeBlock::destroy): Deleted.
2640         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2641         * bytecode/FunctionCodeBlock.cpp:
2642         (JSC::FunctionCodeBlock::destroy): Deleted.
2643         * bytecode/FunctionCodeBlock.h:
2644         * bytecode/GlobalCodeBlock.h:
2645         * bytecode/ModuleProgramCodeBlock.cpp:
2646         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2647         * bytecode/ModuleProgramCodeBlock.h:
2648         * bytecode/ProgramCodeBlock.cpp:
2649         (JSC::ProgramCodeBlock::destroy): Deleted.
2650         * bytecode/ProgramCodeBlock.h:
2651         * interpreter/Interpreter.cpp:
2652         (JSC::Interpreter::execute):
2653         * runtime/VM.cpp:
2654         (JSC::VM::VM):
2655         * runtime/VM.h:
2656         (JSC::VM::forEachCodeBlockSpace):
2657
2658 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2659
2660         Unreviewed, follow-up after r240859
2661         https://bugs.webkit.org/show_bug.cgi?id=194145
2662
2663         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2664         And rename cellDangerousBitsSpace back to cellSpace.
2665
2666         * runtime/JSCellInlines.h:
2667         (JSC::JSCell::subspaceFor):
2668         * runtime/VM.cpp:
2669         (JSC::VM::VM):
2670         * runtime/VM.h:
2671
2672 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2673
2674         [JSC] Remove cellJSValueOOBSpace
2675         https://bugs.webkit.org/show_bug.cgi?id=194145
2676
2677         Reviewed by Mark Lam.
2678
2679         * runtime/JSObject.h:
2680         (JSC::JSObject::subspaceFor): Deleted.
2681         * runtime/VM.cpp:
2682         (JSC::VM::VM):
2683         * runtime/VM.h:
2684
2685 2019-01-31  Mark Lam  <mark.lam@apple.com>
2686
2687         Remove poisoning from CodeBlock and LLInt code.
2688         https://bugs.webkit.org/show_bug.cgi?id=194113
2689
2690         Reviewed by Yusuke Suzuki.
2691
2692         * bytecode/CodeBlock.cpp:
2693         (JSC::CodeBlock::CodeBlock):
2694         (JSC::CodeBlock::~CodeBlock):
2695         (JSC::CodeBlock::setConstantRegisters):
2696         (JSC::CodeBlock::propagateTransitions):
2697         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2698         (JSC::CodeBlock::jettison):
2699         (JSC::CodeBlock::predictedMachineCodeSize):
2700         * bytecode/CodeBlock.h:
2701         (JSC::CodeBlock::vm const):
2702         (JSC::CodeBlock::addConstant):
2703         (JSC::CodeBlock::heap const):
2704         (JSC::CodeBlock::replaceConstant):
2705         * llint/LLIntOfflineAsmConfig.h:
2706         * llint/LLIntSlowPaths.cpp:
2707         (JSC::LLInt::handleHostCall):
2708         (JSC::LLInt::setUpCall):
2709         * llint/LowLevelInterpreter.asm:
2710         * llint/LowLevelInterpreter32_64.asm:
2711         * llint/LowLevelInterpreter64.asm:
2712
2713 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2714
2715         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2716         https://bugs.webkit.org/show_bug.cgi?id=194107
2717
2718         Reviewed by Saam Barati.
2719
2720         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2721         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2722
2723         * CMakeLists.txt:
2724         * DerivedSources.make:
2725         * JavaScriptCore.xcodeproj/project.pbxproj:
2726         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2727         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2728         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2729         (JSC::AsyncFromSyncIteratorPrototype::create):
2730         * runtime/AsyncFromSyncIteratorPrototype.h:
2731
2732 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2733
2734         Fix `runJITThreadLimitTests` in testapi
2735         https://bugs.webkit.org/show_bug.cgi?id=194064
2736         <rdar://problem/46139147>
2737
2738         Reviewed by Mark Lam.
2739
2740         Fix typo where `targetNumberOfThreads` was not being used.
2741
2742         * API/tests/testapi.mm:
2743         (runJITThreadLimitTests):
2744
2745 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2746
2747         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2748         https://bugs.webkit.org/show_bug.cgi?id=194112
2749
2750         Reviewed by Mark Lam.
2751
2752         `testBytecodeCache` does not populate the bytecode cache for the global
2753         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2754
2755         * API/tests/testapi.mm:
2756         (testBytecodeCache):
2757
2758 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2759
2760         Unreviewed, follow-up after r240796
2761
2762         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2763         when allocating InferredValue in FunctionExecutable::finishCreation.
2764
2765         * runtime/FunctionExecutable.cpp:
2766         (JSC::FunctionExecutable::FunctionExecutable):
2767         (JSC::FunctionExecutable::finishCreation):
2768
2769 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2770
2771         [JSC] Do not use InferredValue in non-JIT configuration
2772         https://bugs.webkit.org/show_bug.cgi?id=194084
2773
2774         Reviewed by Saam Barati.
2775
2776         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2777         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2778         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2779         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2780         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2781         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2782         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2783         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2784
2785         * bytecode/ObjectAllocationProfileInlines.h:
2786         (JSC::ObjectAllocationProfile::initializeProfile):
2787         * runtime/FunctionExecutable.cpp:
2788         (JSC::FunctionExecutable::finishCreation):
2789         (JSC::FunctionExecutable::visitChildren):
2790         * runtime/FunctionExecutable.h:
2791         * runtime/InferredValue.cpp:
2792         (JSC::InferredValue::create):
2793         * runtime/JSAsyncFunction.cpp:
2794         (JSC::JSAsyncFunction::create):
2795         * runtime/JSAsyncGeneratorFunction.cpp:
2796         (JSC::JSAsyncGeneratorFunction::create):
2797         * runtime/JSFunction.cpp:
2798         (JSC::JSFunction::create):
2799         * runtime/JSFunctionInlines.h:
2800         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2801         * runtime/JSGeneratorFunction.cpp:
2802         (JSC::JSGeneratorFunction::create):
2803         * runtime/JSSymbolTableObject.h:
2804         (JSC::JSSymbolTableObject::setSymbolTable):
2805         * runtime/SymbolTable.cpp:
2806         (JSC::SymbolTable::finishCreation):
2807         * runtime/VM.cpp:
2808         (JSC::VM::VM):
2809
2810 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2811
2812         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2813         https://bugs.webkit.org/show_bug.cgi?id=194085
2814
2815         Reviewed by Yusuke Suzuki.
2816
2817         r240730 changed ud_itab.py and caused incremental build failures
2818         for Ninja builds.
2819
2820         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2821
2822 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2823
2824         [JSC] Symbol should be in destructibleCellSpace
2825         https://bugs.webkit.org/show_bug.cgi?id=194082
2826
2827         Reviewed by Saam Barati.
2828
2829         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2830         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2831         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2832         Symbol's space destructibleCellSpace to appropriately call the destructor.
2833
2834         * runtime/Symbol.h:
2835
2836 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2837
2838         Unreviewed, rolling out r240755.
2839
2840         This was not correct
2841
2842         Reverted changeset:
2843
2844         "Unreviewed, fix GCC build after r240730"
2845         https://bugs.webkit.org/show_bug.cgi?id=194041
2846         https://trac.webkit.org/changeset/240755
2847
2848 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2849
2850         Unreviewed, fix GCC build after r240730
2851         https://bugs.webkit.org/show_bug.cgi?id=194041
2852         <rdar://problem/47680981>
2853
2854         * disassembler/udis86/ud_itab.py:
2855         (UdItabGenerator.genOpcodeTablesLookupIndex):
2856
2857 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2858
2859         testapi's `testBytecodeCache` does not need to run the code twice
2860         https://bugs.webkit.org/show_bug.cgi?id=194046
2861
2862         Reviewed by Mark Lam.
2863
2864         Since we populate the cache eagerly (unlike the stress tests) we don't
2865         need to run the code twice.
2866
2867         * API/tests/testapi.mm:
2868         (testBytecodeCache):
2869
2870 2019-01-30  Saam barati  <sbarati@apple.com>
2871
2872         [WebAssembly] Change BBQ to generate Air IR
2873         https://bugs.webkit.org/show_bug.cgi?id=191802
2874         <rdar://problem/47651718>
2875
2876         Reviewed by Keith Miller.
2877
2878         This patch adds a new Wasm compiler for the BBQ tier. Instead
2879         of compiling using B3-O1, we now generate Air code directly.
2880         The goal of doing this was to speed up compile times for Wasm
2881         programs.
2882         
2883         This patch provides us with a 20-30% compile time speedup. However, I
2884         have ideas on how to improve compile times even further. For example,
2885         we should probably implement a faster running register allocator:
2886         https://bugs.webkit.org/show_bug.cgi?id=194036
2887         
2888         We can also improve on the code we generate.
2889         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2890         And we should do better instruction selection in various
2891         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2892
2893         * JavaScriptCore.xcodeproj/project.pbxproj:
2894         * Sources.txt:
2895         * b3/B3LowerToAir.cpp:
2896         * b3/B3StackmapSpecial.h:
2897         * b3/air/AirCode.cpp:
2898         (JSC::B3::Air::Code::emitDefaultPrologue):
2899         * b3/air/AirCode.h:
2900         * b3/air/AirTmp.h:
2901         (JSC::B3::Air::Tmp::Tmp):
2902         * runtime/Options.h:
2903         * wasm/WasmAirIRGenerator.cpp: Added.
2904         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2905         (JSC::Wasm::TypedTmp::TypedTmp):
2906         (JSC::Wasm::TypedTmp::operator== const):
2907         (JSC::Wasm::TypedTmp::operator!= const):
2908         (JSC::Wasm::TypedTmp::operator bool const):
2909         (JSC::Wasm::TypedTmp::operator Tmp const):
2910         (JSC::Wasm::TypedTmp::operator Arg const):
2911         (JSC::Wasm::TypedTmp::tmp const):
2912         (JSC::Wasm::TypedTmp::type const):
2913         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2914         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2915         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2916         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2917         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2918         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2919         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2920         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2921         (JSC::Wasm::AirIRGenerator::emptyExpression):
2922         (JSC::Wasm::AirIRGenerator::fail const):
2923         (JSC::Wasm::AirIRGenerator::setParser):
2924         (JSC::Wasm::AirIRGenerator::toTmpVector):
2925         (JSC::Wasm::AirIRGenerator::validateInst):
2926         (JSC::Wasm::AirIRGenerator::extractArg):
2927         (JSC::Wasm::AirIRGenerator::append):
2928         (JSC::Wasm::AirIRGenerator::appendEffectful):
2929         (JSC::Wasm::AirIRGenerator::newTmp):
2930         (JSC::Wasm::AirIRGenerator::g32):
2931         (JSC::Wasm::AirIRGenerator::g64):
2932         (JSC::Wasm::AirIRGenerator::f32):
2933         (JSC::Wasm::AirIRGenerator::f64):
2934         (JSC::Wasm::AirIRGenerator::tmpForType):
2935         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2936         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2937         (JSC::Wasm::AirIRGenerator::emitCheck):
2938         (JSC::Wasm::AirIRGenerator::emitCCall):
2939         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2940         (JSC::Wasm::AirIRGenerator::instanceValue):
2941         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2942         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2943         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2944         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2945         (JSC::Wasm::AirIRGenerator::emitThrowException):
2946         (JSC::Wasm::AirIRGenerator::addLocal):
2947         (JSC::Wasm::AirIRGenerator::addConstant):
2948         (JSC::Wasm::AirIRGenerator::addArguments):
2949         (JSC::Wasm::AirIRGenerator::getLocal):
2950         (JSC::Wasm::AirIRGenerator::addUnreachable):
2951         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2952         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2953         (JSC::Wasm::AirIRGenerator::setLocal):
2954         (JSC::Wasm::AirIRGenerator::getGlobal):
2955         (JSC::Wasm::AirIRGenerator::setGlobal):
2956         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2957         (JSC::Wasm::sizeOfLoadOp):
2958         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2959         (JSC::Wasm::AirIRGenerator::load):
2960         (JSC::Wasm::sizeOfStoreOp):
2961         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2962         (JSC::Wasm::AirIRGenerator::store):
2963         (JSC::Wasm::AirIRGenerator::addSelect):
2964         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2965         (JSC::Wasm::AirIRGenerator::addLoop):
2966         (JSC::Wasm::AirIRGenerator::addTopLevel):
2967         (JSC::Wasm::AirIRGenerator::addBlock):
2968         (JSC::Wasm::AirIRGenerator::addIf):
2969         (JSC::Wasm::AirIRGenerator::addElse):
2970         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2971         (JSC::Wasm::AirIRGenerator::addReturn):
2972         (JSC::Wasm::AirIRGenerator::addBranch):
2973         (JSC::Wasm::AirIRGenerator::addSwitch):
2974         (JSC::Wasm::AirIRGenerator::endBlock):
2975         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2976         (JSC::Wasm::AirIRGenerator::addCall):
2977         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2978         (JSC::Wasm::AirIRGenerator::unify):
2979         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2980         (JSC::Wasm::AirIRGenerator::dump):
2981         (JSC::Wasm::AirIRGenerator::origin):
2982         (JSC::Wasm::parseAndCompileAir):
2983         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2984         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2985         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2992         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2993         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2994         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2995         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2996         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2997         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2998         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2999         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
3000         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
3001         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
3002         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
3003         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
3004         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
3005         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
3006         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
3007         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
3011         (JSC::Wasm::AirIRGenerator::addShift):
3012         (JSC::Wasm::AirIRGenerator::addIntegerSub):
3013         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
3014         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
3020         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
3026         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
3027         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
3028         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
3029         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
3030         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
3031         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
3032         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
3033         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
3034         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
3035         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
3036         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
3037         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
3038         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
3039         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
3040         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
3041         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
3042         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
3043         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
3044         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
3045         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
3046         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3047         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3048         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3049         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3050         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3051         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3052         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3053         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3054         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3055         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3056         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3057         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3058         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3059         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3060         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3061         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3062         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3063         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3064         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3065         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3066         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3067         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3068         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3069         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3070         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3071         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3072         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3073         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3074         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3075         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3076         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3077         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3078         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3079         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3080         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3081         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3082         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3083         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3084         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3085         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3086         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3087         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3088         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3089         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3090         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3091         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3092         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3093         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3094         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3095         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3096         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3097         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3098         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3099         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3100         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3101         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3102         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3103         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3104         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3105         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3106         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3107         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3108         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3109         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3110         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3111         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3112         * wasm/WasmAirIRGenerator.h: Added.
3113         * wasm/WasmB3IRGenerator.cpp:
3114         (JSC::Wasm::B3IRGenerator::emptyExpression):
3115         * wasm/WasmBBQPlan.cpp:
3116         (JSC::Wasm::BBQPlan::compileFunctions):
3117         * wasm/WasmCallingConvention.cpp:
3118         (JSC::Wasm::jscCallingConventionAir):
3119         (JSC::Wasm::wasmCallingConventionAir):
3120         * wasm/WasmCallingConvention.h:
3121         (JSC::Wasm::CallingConvention::CallingConvention):
3122         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3123         (JSC::Wasm::CallingConvention::marshallArgument const):
3124         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3125         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3126         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3127         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3128         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3129         (JSC::Wasm::CallingConventionAir::loadArguments const):
3130         (JSC::Wasm::CallingConventionAir::setupCall const):
3131         (JSC::Wasm::nextJSCOffset):
3132         * wasm/WasmFunctionParser.h:
3133         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3134         * wasm/WasmValidate.cpp:
3135         (JSC::Wasm::Validate::emptyExpression):
3136
3137 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3138
3139         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3140         https://bugs.webkit.org/show_bug.cgi?id=194050
3141         <rdar://problem/47595592>
3142
3143         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline JIT.
3144         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3145
3146         Reviewed by Yusuke Suzuki.
3147
3148         * ftl/FTLOperations.cpp:
3149         (JSC::FTL::operationMaterializeObjectInOSR):
3150
3151 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3152
3153         Remove assertion that CachedSymbolTables should have no RareData
3154         https://bugs.webkit.org/show_bug.cgi?id=194037
3155
3156         Reviewed by Mark Lam.
3157
3158         It turns out that we don't need to cache the SymbolTableRareData and
3159         we should not assert that it's empty.
3160
3161         * runtime/CachedTypes.cpp:
3162         (JSC::CachedSymbolTable::encode):
3163
3164 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3165
3166         CachedBytecode's move constructor should not call `freeDataIfOwned`
3167         https://bugs.webkit.org/show_bug.cgi?id=194045
3168
3169         Reviewed by Mark Lam.
3170
3171         That might result in freeing a garbage value.
3172
3173         * parser/SourceProvider.h:
3174         (JSC::CachedBytecode::CachedBytecode):
3175
3176 2019-01-30  Keith Miller  <keith_miller@apple.com>
3177
3178         mul32 should convert powers of 2 to an lshift
3179         https://bugs.webkit.org/show_bug.cgi?id=193957
3180
3181         Reviewed by Yusuke Suzuki.
3182
3183         * assembler/MacroAssembler.h:
3184         (JSC::MacroAssembler::mul32):
3185         * assembler/testmasm.cpp:
3186         (JSC::int32Operands):
3187         (JSC::testMul32WithImmediates):
3188         (JSC::run):
3189
3190 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3191
3192         [JSC] Make disassembler data structures constant read-only data
3193         https://bugs.webkit.org/show_bug.cgi?id=194041
3194
3195         Reviewed by Mark Lam.
3196
3197         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3198         This patch makes them "const".
3199
3200         * disassembler/ARM64/A64DOpcode.cpp:
3201         * disassembler/udis86/ud_itab.py:
3202         (UdItabGenerator.genOpcodeTablesLookupIndex):
3203         (UdItabGenerator.genInsnTable):
3204         (UdItabGenerator.genMnemonicsList):
3205         (genItabH):
3206         * disassembler/udis86/udis86_decode.h:
3207         * disassembler/udis86/udis86_syn.c:
3208         * disassembler/udis86/udis86_syn.h:
3209         * disassembler/udis86/udis86_types.h:
3210
3211 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3212
3213         Unreviewed, update the builtin test results
3214         https://bugs.webkit.org/show_bug.cgi?id=194015
3215
3216         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3217         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3218         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3219         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3220         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3221         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3222         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3223         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3224         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3225         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3226         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3227         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3228         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3229
3230 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3231
3232         [JSC] Make global static variables "const" as much as possible
3233         https://bugs.webkit.org/show_bug.cgi?id=194015
3234
3235         Reviewed by Mark Lam.
3236
3237         Some global static variables are not "const". For example, `static const char* name = ...`
3238         is not a constant variable. We should make it `static const char* const name = ...`.
3239
3240         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3241         (generate_externs_for_object):
3242         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3243         (generate_externs_for_object):
3244         * Scripts/wkbuiltins/builtins_generator.py:
3245         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3246         * assembler/MacroAssembler.h:
3247         (JSC::MacroAssembler::additionBlindedConstant):
3248         * b3/air/AirFormTable.h:
3249         * b3/air/opcode_generator.rb:
3250         * runtime/JSObject.cpp:
3251         (JSC::JSObject::visitButterfly):
3252         * tools/CodeProfile.cpp:
3253         * tools/CodeProfile.h:
3254
3255 2019-01-29  Keith Miller  <keith_miller@apple.com>
3256
3257         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3258         https://bugs.webkit.org/show_bug.cgi?id=194000
3259         <rdar://problem/47642894>
3260
3261         Reviewed by Mark Lam.
3262
3263         The default constructor is unused, and
3264         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3265         data member, which causes sadness.
3266
3267         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3268
3269 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3270
3271         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3272
3273         Rubber-stamped by Yusuke Suzuki.
3274
3275         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3276
3277         * parser/Parser.h:
3278         (JSC::Parser::declareHoistedVariable):
3279
3280 2019-01-29  Mark Lam  <mark.lam@apple.com>
3281
3282         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3283         https://bugs.webkit.org/show_bug.cgi?id=132333
3284
3285         Reviewed by Yusuke Suzuki.
3286
3287         * bytecode/InstructionStream.h:
3288         (JSC::InstructionStreamWriter::write):
3289         - The 32-bit write() function need not invert the order of the bytes written to
3290           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3291           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3292
3293         * llint/LLIntOfflineAsmConfig.h:
3294         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3295
3296 2019-01-29  Mark Lam  <mark.lam@apple.com>
3297
3298         ValueRecovery::recover() should purify NaN values it recovers.
3299         https://bugs.webkit.org/show_bug.cgi?id=193978
3300         <rdar://problem/47625488>
3301
3302         Reviewed by Saam Barati.
3303
3304         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3305         recovered DoubleDisplacedInJSStack values need to be purified.
3306         ValueRecovery::recover() should do the same.
3307
3308         * bytecode/ValueRecovery.cpp:
3309         (JSC::ValueRecovery::recover const):
3310
3311 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3312
3313         [JSC] FTL should handle LocalAllocator*
3314         https://bugs.webkit.org/show_bug.cgi?id=193980
3315
3316         Reviewed by Saam Barati.
3317
3318         At some point, Allocator started holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3319         because the FTL still uses the incoming value as a 32-bit integer there.
3320
3321         * ftl/FTLLowerDFGToB3.cpp:
3322         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3323
3324 2019-01-29  Keith Rollin  <krollin@apple.com>
3325
3326         Add .xcfilelists to Run Script build phases
3327         https://bugs.webkit.org/show_bug.cgi?id=193792
3328         <rdar://problem/47201785>
3329
3330         Reviewed by Alex Christensen.
3331
3332         As part of supporting XCBuild, update the necessary Run Script build
3333         phases in their Xcode projects to refer to their associated
3334         .xcfilelist files.
3335
3336         Note that the addition of these files bumps the Xcode project version
3337         number to something that's Xcode 10 compatible. This change means that
3338         older versions of the Xcode IDE can't read these projects. Nor can they
3339         fully load workspaces that refer to these projects (the updated
3340         projects are shown as non-expandable placeholders). `xcodebuild` can
3341         still build these projects; it's just that the IDE can't open them.
3342
3343         * JavaScriptCore.xcodeproj/project.pbxproj:
3344
3345 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3346
3347         [ARM] Check for negative zero instead of just zero
3348         https://bugs.webkit.org/show_bug.cgi?id=193689
3349
3350         Reviewed by Mark Lam.
3351
3352         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3353         of just bailing out for zero.
3354
3355         * assembler/MacroAssemblerARMv7.h:
3356         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3357
3358 2019-01-28  Devin Rousso  <drousso@apple.com>
3359
3360         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3361         https://bugs.webkit.org/show_bug.cgi?id=193863
3362         <rdar://problem/47572764>
3363
3364         Reviewed by Joseph Pecoraro.
3365
3366         * inspector/protocol/Page.json:
3367         Add more values to the `Setting` enum type:
3368          - `ICECandidateFilteringEnabled`
3369          - `MediaCaptureRequiresSecureConnection`
3370          - `MockCaptureDevicesEnabled`
3371
3372 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3373
3374         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3375         https://bugs.webkit.org/show_bug.cgi?id=193941
3376
3377         Reviewed by Alex Christensen.
3378
3379         * API/JSWeakObjectMapRefPrivate.cpp:
3380         * bytecompiler/NodesCodegen.cpp:
3381         * heap/MachineStackMarker.cpp:
3382         * jit/ExecutableAllocator.cpp:
3383         * jsc.cpp:
3384         * parser/Nodes.cpp:
3385         * runtime/DateConstructor.cpp:
3386         * runtime/DateConversion.cpp:
3387         * runtime/DateInstance.cpp:
3388         * runtime/DatePrototype.cpp:
3389         * runtime/InitializeThreading.cpp:
3390         * runtime/IteratorOperations.cpp:
3391         * runtime/JSDateMath.cpp:
3392         * runtime/JSGlobalObjectFunctions.cpp:
3393         * runtime/StringPrototype.cpp:
3394         * runtime/VM.cpp:
3395         * testRegExp.cpp:
3396         * tools/JSDollarVM.cpp:
3397         * yarr/YarrInterpreter.cpp:
3398         * yarr/YarrJIT.cpp:
3399         * yarr/YarrPattern.cpp:
3400         * yarr/YarrUnicodeProperties.cpp:
3401
3402 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3403
3404         [JSC] Reduce size of memory used for ShadowChicken
3405         https://bugs.webkit.org/show_bug.cgi?id=193546
3406
3407         Reviewed by Mark Lam.
3408
3409         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3410         The removal of ShadowChicken saves 55KB of memory.
3411
3412         * debugger/DebuggerCallFrame.cpp:
3413         (JSC::DebuggerCallFrame::create):
3414         * ftl/FTLLowerDFGToB3.cpp:
3415         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3416         * heap/Heap.cpp:
3417         (JSC::Heap::stopThePeriphery):
3418         (JSC::Heap::addCoreConstraints):
3419         * jit/CCallHelpers.cpp:
3420         (JSC::CCallHelpers::ensureShadowChickenPacket):
3421         * jit/JITExceptions.cpp:
3422         (JSC::genericUnwind):
3423         * jit/JITOpcodes.cpp:
3424         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3425         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3426         * jit/JITOpcodes32_64.cpp:
3427         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3428         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3429         * jit/JITOperations.cpp:
3430         * llint/LLIntSlowPaths.cpp:
3431         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3432         * runtime/JSGlobalObject.cpp:
3433         (JSC::JSGlobalObject::setDebugger):
3434         * runtime/JSGlobalObject.h:
3435         (JSC::JSGlobalObject::setDebugger): Deleted.
3436         * runtime/VM.cpp:
3437         (JSC::VM::VM):
3438         (JSC::VM::ensureShadowChicken):
3439         * runtime/VM.h:
3440         (JSC::VM::shadowChicken):
3441         * tools/JSDollarVM.cpp:
3442         (JSC::functionShadowChickenFunctionsOnStack):
3443         (JSC::changeDebuggerModeWhenIdle):
3444
3445 2019-01-28  Andy Estes  <aestes@apple.com>
3446
3447         [watchOS] Enable Parental Controls content filtering
3448         https://bugs.webkit.org/show_bug.cgi?id=193939
3449         <rdar://problem/46641912>
3450
3451         Reviewed by Ryosuke Niwa.
3452
3453         * Configurations/FeatureDefines.xcconfig:
3454
3455 2019-01-28  Mark Lam  <mark.lam@apple.com>
3456
3457         ToString node actually does GC.
3458         https://bugs.webkit.org/show_bug.cgi?id=193920
3459         <rdar://problem/46695900>
3460
3461         Reviewed by Yusuke Suzuki.
3462
3463         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3464         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3465
3466         * dfg/DFGDoesGC.cpp:
3467         (JSC::DFG::doesGC):
3468
3469 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3470
3471         [JSC] RegExpConstructor should not have own IsoSubspace
3472         https://bugs.webkit.org/show_bug.cgi?id=193801
3473
3474         Reviewed by Mark Lam.
3475
3476         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3477         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3478         regexp matching data (e.g. `RegExp.$1`) is a per-JSGlobalObject one, so we can move this data to JSGlobalObject and remove
3479         it from RegExpConstructor's members.
3480
3481         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3482         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3483         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3484
3485         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3486
3487         * CMakeLists.txt:
3488         * JavaScriptCore.xcodeproj/project.pbxproj:
3489         * Sources.txt:
3490         * dfg/DFGOperations.cpp:
3491         * dfg/DFGSpeculativeJIT.cpp:
3492         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3493         * dfg/DFGStrengthReductionPhase.cpp:
3494         (JSC::DFG::StrengthReductionPhase::handleNode):
3495         * ftl/FTLAbstractHeapRepository.cpp:
3496         * ftl/FTLAbstractHeapRepository.h:
3497         * ftl/FTLLowerDFGToB3.cpp:
3498         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3499         * runtime/JSGlobalObject.cpp:
3500         (JSC::JSGlobalObject::init):
3501         (JSC::JSGlobalObject::visitChildren):
3502         * runtime/JSGlobalObject.h:
3503         (JSC::JSGlobalObject::regExpGlobalData):
3504         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3505         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3506         * runtime/RegExpCache.cpp:
3507         (JSC::RegExpCache::initialize):
3508         * runtime/RegExpCache.h:
3509         (JSC::RegExpCache::emptyRegExp const):
3510         * runtime/RegExpCachedResult.cpp:
3511         (JSC::RegExpCachedResult::visitAggregate):
3512         (JSC::RegExpCachedResult::visitChildren): Deleted.
3513         * runtime/RegExpCachedResult.h:
3514         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3515         * runtime/RegExpConstructor.cpp:
3516         (JSC::RegExpConstructor::RegExpConstructor):
3517         (JSC::regExpConstructorDollar):
3518         (JSC::regExpConstructorInput):
3519         (JSC::regExpConstructorMultiline):
3520         (JSC::regExpConstructorLastMatch):
3521         (JSC::regExpConstructorLastParen):
3522         (JSC::regExpConstructorLeftContext):
3523         (JSC::regExpConstructorRightContext):
3524         (JSC::setRegExpConstructorInput):
3525         (JSC::setRegExpConstructorMultiline):
3526         (JSC::RegExpConstructor::destroy): Deleted.
3527         (JSC::RegExpConstructor::visitChildren): Deleted.
3528         (JSC::RegExpConstructor::getBackref): Deleted.
3529         (JSC::RegExpConstructor::getLastParen): Deleted.
3530         (JSC::RegExpConstructor::getLeftContext): Deleted.
3531         (JSC::RegExpConstructor::getRightContext): Deleted.
3532         * runtime/RegExpConstructor.h:
3533         (JSC::RegExpConstructor::performMatch): Deleted.
3534         (JSC::RegExpConstructor::recordMatch): Deleted.
3535         * runtime/RegExpGlobalData.cpp: Added.
3536         (JSC::RegExpGlobalData::visitAggregate):
3537         (JSC::RegExpGlobalData::getBackref):
3538         (JSC::RegExpGlobalData::getLastParen):
3539         (JSC::RegExpGlobalData::getLeftContext):
3540         (JSC::RegExpGlobalData::getRightContext):
3541         * runtime/RegExpGlobalData.h: Added.
3542         (JSC::RegExpGlobalData::cachedResult):
3543         (JSC::RegExpGlobalData::setMultiline):
3544         (JSC::RegExpGlobalData::multiline const):
3545         (JSC::RegExpGlobalData::input):
3546         (JSC::RegExpGlobalData::offsetOfCachedResult):
3547         * runtime/RegExpGlobalDataInlines.h: Added.
3548         (JSC::RegExpGlobalData::setInput):
3549         (JSC::RegExpGlobalData::performMatch):
3550         (JSC::RegExpGlobalData::recordMatch):
3551         * runtime/RegExpObject.cpp:
3552         (JSC::RegExpObject::matchGlobal):
3553         * runtime/RegExpObjectInlines.h:
3554         (JSC::RegExpObject::execInline):
3555         (JSC::RegExpObject::matchInline):
3556         (JSC::collectMatches):
3557         * runtime/RegExpPrototype.cpp:
3558         (JSC::RegExpPrototype::finishCreation):
3559         (JSC::regExpProtoFuncSearchFast):
3560         (JSC::RegExpPrototype::visitChildren): Deleted.
3561         * runtime/RegExpPrototype.h:
3562         * runtime/StringPrototype.cpp:
3563         (JSC::removeUsingRegExpSearch):
3564         (JSC::replaceUsingRegExpSearch):
3565         * runtime/VM.cpp:
3566         (JSC::VM::VM):
3567         * runtime/VM.h:
3568
3569 2018-12-15  Darin Adler  <darin@apple.com>
3570
3571         Replace many uses of String::format with more type-safe alternatives
3572         https://bugs.webkit.org/show_bug.cgi?id=192742
3573
3574         Reviewed by Mark Lam.
3575
3576         * inspector/InjectedScriptBase.cpp:
3577         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3578         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3579         * inspector/InspectorBackendDispatcher.cpp:
3580         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3581         * inspector/agents/InspectorConsoleAgent.cpp:
3582         (Inspector::InspectorConsoleAgent::enable): Ditto.
3583         * jsc.cpp:
3584         (FunctionJSCStackFunctor::operator() const): Ditto.
3585
3586         * runtime/CodeCache.cpp:
3587         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3588         using String::number.
3589
3590         * runtime/IntlDateTimeFormat.cpp:
3591         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3592         * runtime/IntlObject.cpp:
3593         (JSC::canonicalizeLocaleList): Ditto.
3594
3595 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3596
3597         AX: Introduce a static accessibility tree
3598         https://bugs.webkit.org/show_bug.cgi?id=193348
3599         <rdar://problem/47203295>
3600
3601         Reviewed by Ryosuke Niwa.
3602
3603         * Configurations/FeatureDefines.xcconfig:
3604
3605 2019-01-26  Devin Rousso  <drousso@apple.com>
3606
3607         Web Inspector: provide a way to edit the user agent of a remote target
3608         https://bugs.webkit.org/show_bug.cgi?id=193862
3609         <rdar://problem/47359292>
3610
3611         Reviewed by Joseph Pecoraro.
3612
3613         * inspector/protocol/Page.json:
3614         Add `overrideUserAgent` command.
3615
3616 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3617
3618         [JSC] NativeErrorConstructor should not have own IsoSubspace
3619         https://bugs.webkit.org/show_bug.cgi?id=193713
3620
3621         Reviewed by Saam Barati.
3622
3623         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3624         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3625         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3626         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3627         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3628         referenced.
3629
3630         * CMakeLists.txt:
3631         * JavaScriptCore.xcodeproj/project.pbxproj:
3632         * Sources.txt:
3633         * builtins/BuiltinNames.h:
3634         * interpreter/Interpreter.h:
3635         * runtime/Error.cpp:
3636         (JSC::createEvalError):
3637         (JSC::createRangeError):
3638         (JSC::createReferenceError):
3639         (JSC::createSyntaxError):
3640         (JSC::createTypeError):
3641         (JSC::createURIError):
3642         (WTF::printInternal): Deleted.
3643         * runtime/Error.h:
3644         * runtime/ErrorPrototype.cpp:
3645         (JSC::ErrorPrototype::create):
3646         (JSC::ErrorPrototype::finishCreation):
3647         * runtime/ErrorPrototype.h:
3648         (JSC::ErrorPrototype::create): Deleted.
3649         * runtime/ErrorType.cpp: Added.
3650         (JSC::errorTypeName):
3651         (WTF::printInternal):
3652         * runtime/ErrorType.h: Added.
3653         * runtime/JSGlobalObject.cpp:
3654         (JSC::JSGlobalObject::initializeErrorConstructor):
3655         (JSC::JSGlobalObject::init):
3656         (JSC::JSGlobalObject::visitChildren):
3657         * runtime/JSGlobalObject.h:
3658         (JSC::JSGlobalObject::internalPromiseConstructor const):
3659         (JSC::JSGlobalObject::errorStructure const):
3660         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3661         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3662         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3663         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3664         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3665         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3666         * runtime/NativeErrorConstructor.cpp:
3667         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3668         (JSC::NativeErrorConstructorBase::finishCreation):
3669         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3670         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3671         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3672         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3673         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3674         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3675         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3676         * runtime/NativeErrorConstructor.h:
3677         (JSC::NativeErrorConstructorBase::createStructure):
3678         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3679         * runtime/NativeErrorPrototype.cpp:
3680         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3681         * runtime/NativeErrorPrototype.h:
3682         * runtime/VM.cpp:
3683         (JSC::VM::VM):
3684         * runtime/VM.h:
3685         * wasm/js/WasmToJS.cpp:
3686         (JSC::Wasm::handleBadI64Use):
3687
3688 2019-01-25  Devin Rousso  <drousso@apple.com>
3689
3690         Web Inspector: provide a way to edit page settings on a remote target
3691         https://bugs.webkit.org/show_bug.cgi?id=193813
3692         <rdar://problem/47359510>
3693
3694         Reviewed by Joseph Pecoraro.
3695
3696         * inspector/protocol/Page.json:
3697         Add `overrideSetting` command with supporting `Setting` enum type.
3698
3699 2019-01-25  Keith Rollin  <krollin@apple.com>
3700
3701         Update Xcode projects with "Check .xcfilelists" build phase
3702         https://bugs.webkit.org/show_bug.cgi?id=193790
3703         <rdar://problem/47201374>
3704
3705         Reviewed by Alex Christensen.
3706
3707         Support for XCBuild includes specifying inputs and outputs to various
3708         Run Script build phases. These inputs and outputs are specified as
3709         .xcfilelist files. Once created, these .xcfilelist files need to be
3710         kept up-to-date. In order to check that they are up-to-date or not,
3711         add an Xcode build step that invokes an external script that performs
3712         the checking. If the .xcfilelists are found to be out-of-date, update
3713         them, halt the build, and instruct the developer to restart the build
3714         with up-to-date files.
3715
3716         At this time, the checking and regenerating is performed only if the
3717         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3718         who want to use this facility can set this variable and test out the
3719         checking/regenerating. Once it seems like there are no egregious
3720         issues that upset a developer's workflow, we'll unconditionally enable
3721         this facility.
3722
3723         * JavaScriptCore.xcodeproj/project.pbxproj:
3724         * Scripts/check-xcfilelists.sh: Added.
3725
3726 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3727
3728         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3729         https://bugs.webkit.org/show_bug.cgi?id=193796
3730         <rdar://problem/47532910>
3731
3732         Reviewed by Devin Rousso.
3733
3734         * runtime/SamplingProfiler.cpp:
3735         (JSC::SamplingProfiler::machThread):
3736         * runtime/SamplingProfiler.h:
3737         Expose the mach_port_t of the SamplingProfiler thread
3738         so it can be tested against later.
3739
3740 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3741
3742         Fix Windows build after r240511
3743
3744         * bytecode/UnlinkedFunctionExecutable.cpp:
3745         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3746
3747 2019-01-25  Keith Rollin  <krollin@apple.com>
3748
3749         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3750         https://bugs.webkit.org/show_bug.cgi?id=193781
3751         <rdar://problem/47201153>
3752
3753         Reviewed by Alex Christensen.
3754
3755         Part of generating the .xcfilelists used as part of adopting XCBuild
3756         includes running `make DerivedSources.make` from a standalone script.
3757         It’s important for this invocation to have the same environment as
3758         when the actual build invokes `make DerivedSources.make`. If the
3759         environments are different, then the two invocations will provide
3760         different results. In order to get the same environment in the
3761         standalone script, have the script launch xcodebuild targeting the
3762         "Apply Configuration to XCFileLists" build target, which will then
3763         re-invoke our standalone script. The script is now running again, this
3764         time in an environment with all workspace, project, target, xcconfig
3765         and other environment variables established.
3766
3767         The "Apply Configuration to XCFileLists" build target accomplishes
3768         this task via a small embedded shell script that consists only of:
3769
3770             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3771
3772         The process that invokes "Apply Configuration to XCFileLists" first
3773         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3774         evaluated and exports it into the shell environment. When xcodebuild
3775         is invoked, it inherits the value of this variable and can `eval` the
3776         contents of that variable. Our external standalone script can then set
3777         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3778         of command-line parameters needed to restart itself in the appropriate
3779         state.
3780
3781         * JavaScriptCore.xcodeproj/project.pbxproj:
3782
3783 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3784
3785         Add API to generate and consume cached bytecode
3786         https://bugs.webkit.org/show_bug.cgi?id=193401
3787         <rdar://problem/47514099>
3788
3789         Reviewed by Keith Miller.
3790
3791         Add the `generateBytecode` and `generateModuleBytecode` functions to
3792         generate serialized bytecode for a given `SourceCode`. These functions
3793         will eagerly generate code for all the nested functions.
3794
3795         Additionally, update the API methods in JSScript to generate and use the
3796         bytecode when the bytecodeCache path is provided.
3797
3798         * API/JSAPIGlobalObject.mm:
3799         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3800         * API/JSContext.mm:
3801         (-[JSContext wrapperMap]):
3802         * API/JSContextInternal.h:
3803         * API/JSScript.mm:
3804         (+[JSScript scriptWithSource:inVirtualMachine:]):
3805         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3806         (-[JSScript dealloc]):
3807         (-[JSScript readCache]):
3808         (-[JSScript writeCache]):
3809         (-[JSScript hash]):
3810         (-[JSScript source]):
3811         (-[JSScript cachedBytecode]):
3812         (-[JSScript jsSourceCode:]):
3813         * API/JSScriptInternal.h:
3814         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3815         (JSScriptSourceProvider::create):
3816         (JSScriptSourceProvider::JSScriptSourceProvider):
3817         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3818         (JSScriptSourceProvider::hash const):
3819         (JSScriptSourceProvider::source const):
3820         (JSScriptSourceProvider::cachedBytecode const):
3821         * API/JSVirtualMachine.mm:
3822         (-[JSVirtualMachine vm]):
3823         * API/JSVirtualMachineInternal.h:
3824         * API/tests/testapi.mm:
3825         (testBytecodeCache):
3826         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3827         (testObjectiveCAPI):
3828         * JavaScriptCore.xcodeproj/project.pbxproj:
3829         * SourcesCocoa.txt:
3830         * bytecode/UnlinkedFunctionExecutable.cpp:
3831         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3832         * bytecode/UnlinkedFunctionExecutable.h:
3833         * parser/SourceCodeKey.h:
3834         (JSC::SourceCodeKey::source const):
3835         * parser/SourceProvider.h:
3836         (JSC::CachedBytecode::CachedBytecode):
3837         (JSC::CachedBytecode::operator=):
3838         (JSC::CachedBytecode::data const):
3839         (JSC::CachedBytecode::size const):
3840         (JSC::CachedBytecode::owned const):
3841         (JSC::CachedBytecode::~CachedBytecode):
3842         (JSC::CachedBytecode::freeDataIfOwned):
3843         (JSC::SourceProvider::cachedBytecode const):
3844         * parser/UnlinkedSourceCode.h:
3845         (JSC::UnlinkedSourceCode::provider const):
3846         * runtime/CodeCache.cpp:
3847         (JSC::generateUnlinkedCodeBlockForFunctions):
3848         (JSC::writeCodeBlock):
3849         (JSC::serializeBytecode):
3850         * runtime/CodeCache.h:
3851         (JSC::CodeCacheMap::fetchFromDiskImpl):
3852         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3853         (JSC::generateUnlinkedCodeBlockImpl):
3854         (JSC::generateUnlinkedCodeBlock):
3855         * runtime/Completion.cpp:
3856         (JSC::generateBytecode):
3857         (JSC::generateModuleBytecode):
3858         * runtime/Completion.h:
3859         * runtime/Options.cpp:
3860         (JSC::recomputeDependentOptions):
3861
3862 2019-01-25  Keith Rollin  <krollin@apple.com>
3863
3864         Update WebKitAdditions.xcconfig with correct order of variable definitions
3865         https://bugs.webkit.org/show_bug.cgi?id=193793
3866         <rdar://problem/47532439>
3867
3868         Reviewed by Alex Christensen.
3869
3870         XCBuild changes the way xcconfig variables are evaluated. In short,
3871         all config file assignments are now considered in part of the
3872         evaluation. When using the new build system and an .xcconfig file
3873         contains multiple assignments of the same build setting:
3874
3875         - Later assignments using $(inherited) will inherit from earlier
3876           assignments in the xcconfig file.
3877         - Later assignments not using $(inherited) will take precedence over
3878           earlier assignments. An assignment to a more general setting will
3879           mask an earlier assignment to a less general setting. For example,
3880           an assignment without a condition ('FOO = bar') will completely mask
3881           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3882
3883         This affects some of our .xcconfig files, in that sometimes platform-
3884         or sdk-specific definitions appear before the general definitions.
3885         Under the new evaluation rules, the general definitions always take
3886         effect because they always overwrite the more-specific definitions. The
3887         solution is to swap the order, so that the general definitions are
3888         established first, and then conditionally overwritten by the
3889         more-specific definitions.
3890
3891         * Configurations/Version.xcconfig:
3892
3893 2019-01-25  Keith Rollin  <krollin@apple.com>
3894
3895         Update existing .xcfilelists
3896         https://bugs.webkit.org/show_bug.cgi?id=193791
3897         <rdar://problem/47201706>
3898
3899         Reviewed by Alex Christensen.
3900
3901         Many .xcfilelist files were added in r238824 in order to support