B3ReduceStrength::simplifyCFG() could do a lot more on each iteration
2019-02-19  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength::simplifyCFG() could do a lot more on each iteration
        https://bugs.webkit.org/show_bug.cgi?id=194475

        Reviewed by Saam Barati.

        B3ReduceStrength::simplifyCFG() does three optimizations (which I will call A, B and C):
        - A makes any terminal that points to a block that is empty except for a jump point to that jump's target instead.
        - B transforms any branch or switch that points to a single block into a jump.
        - C finds blocks ending with jumps, whose successor has a single predecessor, and inlines that successor block in place of the jump.

        It currently is limited in the following way:
        - A and C can only fire once per block per iteration.
        - B can create jumps that would trigger A, but they may not be seen until the next iteration.

        Both problems are mitigated by going through the blocks in post-order, so that when a block is optimized most of its successors have already been optimized.
        In a sense it is the symmetric counterpart of the peephole optimizer, which goes in pre-order so that when an instruction is optimized most of its children have already been optimized.

        On JetStream2 it reduces the average number of iterations from 3.35 to 3.24.

        * b3/B3ReduceStrength.cpp:

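Added example, not WebKit code: a toy CFG with the three rewrites A, B and C above, run either in post-order or in reverse post-order on a constructed four-block graph, so the difference in pass count can be observed. The Block and CFG types and the instruction strings are constructed stand-ins; none of the real B3 types are used.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Block {
    std::vector<std::string> body;   // non-terminal instructions, opaque here
    bool isJump = false;             // true: Jump (one successor); false: Branch/Switch/Return
    std::vector<Block*> successors;  // empty means Return
};

struct CFG {
    std::vector<std::unique_ptr<Block>> blocks;
    Block* root = nullptr;           // the first block added is the entry

    Block* add(std::vector<std::string> body, bool isJump = false) {
        blocks.push_back(std::make_unique<Block>());
        Block* b = blocks.back().get();
        b->body = std::move(body);
        b->isJump = isJump;
        if (!root) root = b;
        return b;
    }

    // Reachable blocks in post-order: back edges aside, successors come before their block.
    std::vector<Block*> postOrder() const {
        std::vector<Block*> order;
        std::set<const Block*> seen;
        std::function<void(Block*)> visit = [&](Block* b) {
            if (!seen.insert(b).second) return;
            for (Block* s : b->successors) visit(s);
            order.push_back(b);
        };
        visit(root);
        return order;
    }

    // Distinct reachable predecessors of target; the entry edge counts for root.
    std::size_t predecessorCount(const Block* target) const {
        std::size_t n = target == root ? 1 : 0;
        for (Block* b : postOrder())
            n += std::find(b->successors.begin(), b->successors.end(), target) != b->successors.end();
        return n;
    }
};

// Applies A, B and C to one block; returns true if anything changed.
static bool simplifyBlock(CFG& cfg, Block* b) {
    bool changed = false;
    // A: retarget each successor past any chain of blocks that do nothing but jump.
    for (Block*& s : b->successors) {
        for (std::size_t hops = 0; s != b && s->isJump && s->body.empty() && hops < cfg.blocks.size(); ++hops) {
            s = s->successors[0];
            changed = true;
        }
    }
    // B: a branch or switch whose targets are all the same block becomes a jump.
    if (!b->isJump && !b->successors.empty()
        && std::all_of(b->successors.begin(), b->successors.end(), [&](Block* s) { return s == b->successors[0]; })) {
        b->successors.resize(1);
        b->isJump = true;
        changed = true;
    }
    // C: a jump to a block with one predecessor absorbs it; looping lets C fire repeatedly per visit.
    while (b->isJump) {
        Block* s = b->successors[0];
        if (s == b || cfg.predecessorCount(s) != 1) break;
        b->body.insert(b->body.end(), s->body.begin(), s->body.end());
        b->isJump = s->isJump;
        b->successors = s->successors;
        changed = true;
    }
    return changed;
}

// Full passes until one changes nothing; returns the pass count including that final no-op pass.
static int simplifyCFG(CFG& cfg, bool usePostOrder) {
    for (int passes = 1;; ++passes) {
        std::vector<Block*> order = cfg.postOrder();
        if (!usePostOrder) std::reverse(order.begin(), order.end());   // reverse post-order: predecessors first
        bool changed = false;
        for (Block* b : order)
            changed = simplifyBlock(cfg, b) || changed;
        if (!changed) return passes;
    }
}

// Constructed CFG: B0 branches to B1 and B2; B1 is an empty branch with both arms to B3, B2 an empty jump to B3.
static CFG buildExample() {
    CFG cfg;
    Block* b0 = cfg.add({ "a = load" });
    Block* b1 = cfg.add({});
    Block* b2 = cfg.add({}, true);
    Block* b3 = cfg.add({ "return a" });
    b0->successors = { b1, b2 };
    b1->successors = { b3, b3 };
    b2->successors = { b3 };
    return cfg;
}
```

On this graph the reverse post-order walk needs three passes (B0 is visited before B turns B1 into a jump, so A and C on B0 wait for the next pass), while the post-order walk finishes in two.
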
2019-02-19  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        The code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache. The logic now lives in ShellSourceProvider,
        which overrides a virtual method in SourceProvider, `cacheBytecode`,
        in order to write the cache to disk.

        * jsc.cpp:
        (ShellSourceProvider::create):
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode):
        (ShellSourceProvider::ShellSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, and the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then moving it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        The LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for the booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still fires, because it requires that these functions be
        called from non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time, and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

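Added example, not WebKit code, covering this entry and the boot-UUID entry above: a cache-entry header that carries a per-build version and the boot UUID, with a decoder that refuses the entry when either value differs from the running build and boot, and that checks every header field before trusting the length it carries. The tag, the version constant and the UUID bytes are constructed values, not JSC's.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <vector>

using BootUUID = std::array<std::uint8_t, 16>;

constexpr std::uint32_t kCacheTag = 0x43435342;    // constructed magic value
constexpr std::uint32_t kBuildVersion = 241700;    // constructed stand-in for a per-build generated number

struct CacheHeader {
    std::uint32_t tag;
    std::uint32_t version;       // must equal the running build's number
    BootUUID bootUUID;           // must equal the boot the file was written under
    std::uint32_t payloadSize;   // untrusted until the fields above have been checked
};

enum class CacheStatus { Ok, TooShort, BadTag, VersionMismatch, BootMismatch, Truncated };

// Serializes header + payload in native byte order (the cache never leaves this
// machine). `version` is a parameter only so that a stale build can be simulated.
std::vector<std::uint8_t> encodeEntry(const BootUUID& boot, const std::vector<std::uint8_t>& payload, std::uint32_t version = kBuildVersion)
{
    CacheHeader h;
    h.tag = kCacheTag;
    h.version = version;
    h.bootUUID = boot;
    h.payloadSize = static_cast<std::uint32_t>(payload.size());
    std::vector<std::uint8_t> out(sizeof h + payload.size());
    std::memcpy(out.data(), &h, sizeof h);
    if (!payload.empty())
        std::memcpy(out.data() + sizeof h, payload.data(), payload.size());
    return out;
}

// Validates every header field before anything from the file is used; the
// payload is copied out only once all checks have passed.
CacheStatus decodeEntry(const std::vector<std::uint8_t>& bytes, const BootUUID& currentBoot, std::vector<std::uint8_t>& payloadOut)
{
    if (bytes.size() < sizeof(CacheHeader))
        return CacheStatus::TooShort;
    CacheHeader h;
    std::memcpy(&h, bytes.data(), sizeof h);
    if (h.tag != kCacheTag)
        return CacheStatus::BadTag;
    if (h.version != kBuildVersion)
        return CacheStatus::VersionMismatch;   // written by a different build
    if (h.bootUUID != currentBoot)
        return CacheStatus::BootMismatch;      // written before the last reboot
    if (bytes.size() - sizeof(CacheHeader) < h.payloadSize)
        return CacheStatus::Truncated;         // length field exceeds the file
    payloadOut.assign(bytes.begin() + sizeof(CacheHeader), bytes.begin() + sizeof(CacheHeader) + h.payloadSize);
    return CacheStatus::Ok;
}
```
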
2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue; thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, global functions from the function constructor, etc.), and the tricky thing is that
        the SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using the CodeCache. These fields are effective only if (1) the
        UnlinkedFunctionExecutable is for a non-typical function, and (2) it has a sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from an IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable, moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we could investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

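Added example, not WebKit code, of the escaping this entry calls for: function names and source URLs in a stack trace originate in the profiled script, so a quote, backslash or control character in them would break the JSON document, or smuggle extra fields into it, if they were concatenated raw. The frame layout and the sample strings are constructed, not the profiler's actual format.

```cpp
#include <cstdio>
#include <string>

// Returns s with every byte that JSON forbids raw inside a string escaped:
// quote, backslash and the control characters below 0x20. Bytes >= 0x20,
// UTF-8 sequences included, pass through unchanged.
std::string escapeJSONString(const std::string& s)
{
    std::string out;
    out.reserve(s.size() + 2);
    for (unsigned char c : s) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else
                out += static_cast<char>(c);
        }
    }
    return out;
}

// One sampled frame as a JSON object (constructed layout). Both strings come
// from the profiled script, so neither is ever spliced in without escaping.
std::string frameToJSON(const std::string& functionName, const std::string& sourceURL, unsigned line)
{
    return "{\"name\":\"" + escapeJSONString(functionName)
        + "\",\"url\":\"" + escapeJSONString(sourceURL)
        + "\",\"line\":" + std::to_string(line) + "}";
}

int main()
{
    // Constructed input: a function name containing quotes and a fake key.
    std::printf("%s\n", frameToJSON("f\",\"evil\":\"x", "http://example.test/a.js", 7).c_str());
    return 0;
}
```
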
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using the DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer into a global variable.
        This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, the Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist functions to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode).
        4. We do not visit the JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam Barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
709         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
710         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
711         * b3/air/AirCode.cpp:
712         * b3/air/AirCode.h:
713         * b3/air/AirGenerate.cpp:
714         (JSC::B3::Air::prepareForGeneration):
715         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
716         (JSC::B3::Air::generate):
717         * b3/air/AirHandleCalleeSaves.cpp:
718         (JSC::B3::Air::handleCalleeSaves):
719         * b3/air/AirHandleCalleeSaves.h:
720         * b3/air/AirTmpMap.h:
721         * runtime/Options.h:
722         * wasm/WasmAirIRGenerator.cpp:
723         (JSC::Wasm::AirIRGenerator::didKill):
724         (JSC::Wasm::AirIRGenerator::newTmp):
725         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
726         (JSC::Wasm::parseAndCompileAir):
727         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
728         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
729         * wasm/WasmAirIRGenerator.h:
730         * wasm/WasmB3IRGenerator.cpp:
731         (JSC::Wasm::B3IRGenerator::didKill):
732         * wasm/WasmBBQPlan.cpp:
733         (JSC::Wasm::BBQPlan::compileFunctions):
734         * wasm/WasmFunctionParser.h:
735         (JSC::Wasm::FunctionParser<Context>::parseBody):
736         (JSC::Wasm::FunctionParser<Context>::parseExpression):
737         * wasm/WasmValidate.cpp:
738         (JSC::Wasm::Validate::didKill):
739
740 2019-02-14  Saam barati  <sbarati@apple.com>
741
742         lowerStackArgs should lower Lea32/64 on ARM64 to Add
743         https://bugs.webkit.org/show_bug.cgi?id=194656
744
745         Reviewed by Yusuke Suzuki.
746
747         On arm64, Lea is just implemented as an add. However, Air treats it as an
748         address with a given width. Because of this width, we were incorrectly
749         computing whether or not this immediate could fit into the instruction itself
750         or it needed to be explicitly put into a register. This patch makes
751         AirLowerStackArgs lower Lea to Add on arm64.
752
753         * b3/air/AirLowerStackArgs.cpp:
754         (JSC::B3::Air::lowerStackArgs):
755         * b3/air/AirOpcode.opcodes:
756         * b3/air/testair.cpp:
757
758 2019-02-14  Saam Barati  <sbarati@apple.com>
759
760         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
761         https://bugs.webkit.org/show_bug.cgi?id=194583
762         <rdar://problem/48028140>
763
764         Reviewed by Yusuke Suzuki.
765
766         This patch makes it so that getVariablesUnderTDZ caches a result of
767         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
768         it's called in an environment where there are a lot of variables.
769         This patch makes it so we cache its results. This is profitable when
770         getVariablesUnderTDZ is called repeatedly with the same environment
771         state. This is common since we call this every time we encounter a
772         function definition/expression node.
773
774         * builtins/BuiltinExecutables.cpp:
775         (JSC::BuiltinExecutables::createExecutable):
776         * bytecode/UnlinkedFunctionExecutable.cpp:
777         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
778         * bytecode/UnlinkedFunctionExecutable.h:
779         * bytecompiler/BytecodeGenerator.cpp:
780         (JSC::BytecodeGenerator::popLexicalScopeInternal):
781         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
782         (JSC::BytecodeGenerator::pushTDZVariables):
783         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
784         (JSC::BytecodeGenerator::restoreTDZStack):
785         * bytecompiler/BytecodeGenerator.h:
786         (JSC::BytecodeGenerator::makeFunction):
787         * parser/VariableEnvironment.cpp:
788         (JSC::CompactVariableMap::Handle::Handle):
789         (JSC::CompactVariableMap::Handle::operator=):
790         * parser/VariableEnvironment.h:
791         (JSC::CompactVariableMap::Handle::operator bool const):
792         * runtime/CodeCache.cpp:
793         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
794
795 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
796
797         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
798         https://bugs.webkit.org/show_bug.cgi?id=194659
799
800         Reviewed by Mark Lam.
801
802         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since these entry point codes are identical.
803         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
804         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
805
806         * dfg/DFGJITCode.h:
807         * dfg/DFGJITFinalizer.cpp:
808         (JSC::DFG::JITFinalizer::finalize):
809         (JSC::DFG::JITFinalizer::finalizeFunction):
810         * jit/JITCode.cpp:
811         (JSC::DirectJITCode::initializeCodeRefForDFG):
812         (JSC::DirectJITCode::initializeCodeRef): Deleted.
813         (JSC::NativeJITCode::initializeCodeRef): Deleted.
814         * jit/JITCode.h:
815         * llint/LLIntEntrypoint.cpp:
816         (JSC::LLInt::setFunctionEntrypoint):
817         (JSC::LLInt::setEvalEntrypoint):
818         (JSC::LLInt::setProgramEntrypoint):
819         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
820
821 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
822
823         [WTF] Add environment variable helpers
824         https://bugs.webkit.org/show_bug.cgi?id=192405
825
826         Reviewed by Michael Catanzaro.
827
828         * inspector/remote/glib/RemoteInspectorGlib.cpp:
829         (Inspector::RemoteInspector::RemoteInspector):
830         (Inspector::RemoteInspector::start):
831         * jsc.cpp:
832         (startTimeoutThreadIfNeeded):
833         * runtime/Options.cpp:
834         (JSC::overrideOptionWithHeuristic):
835         (JSC::Options::overrideAliasedOptionWithHeuristic):
836         (JSC::Options::initialize):
837         * runtime/VM.cpp:
838         (JSC::enableAssembler):
839         (JSC::VM::VM):
840         * tools/CodeProfiling.cpp:
841         (JSC::CodeProfiling::notifyAllocator):
842         Utilize WTF::Environment where possible.
843
844 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
845
846         [JSC] Should have default NativeJITCode
847         https://bugs.webkit.org/show_bug.cgi?id=194634
848
849         Reviewed by Mark Lam.
850
851         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
852         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
853         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
854         allocations, which takes 14KB.
855
856         * runtime/VM.cpp:
857         (JSC::jitCodeForCallTrampoline):
858         (JSC::jitCodeForConstructTrampoline):
859         (JSC::VM::getHostFunction):
860
861 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
862
863         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
864         https://bugs.webkit.org/show_bug.cgi?id=194576
865
866         Reviewed by Saam Barati.
867
868         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
869         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
870
871         * bytecode/UnlinkedFunctionExecutable.cpp:
872         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
873         (JSC::UnlinkedFunctionExecutable::link):
874         * bytecode/UnlinkedFunctionExecutable.h:
875         * runtime/CodeCache.cpp:
876         (JSC::generateUnlinkedCodeBlockForFunctions):
877
878 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
879
880         CachedBitVector's size must be converted from bits to bytes
881         https://bugs.webkit.org/show_bug.cgi?id=194441
882
883         Reviewed by Saam Barati.
884
885         CachedBitVector used its size in bits for memcpy. That didn't cause any
886         issues when encoding, since the size in bits was also used in the allocation,
887         but would overflow the actual BitVector buffer when decoding.
888
889         * runtime/CachedTypes.cpp:
890         (JSC::CachedBitVector::encode):
891         (JSC::CachedBitVector::decode const):
892
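The bits-versus-bytes mistake in this entry is a classic serialization bug: a count in one unit drives a memcpy that expects another, and it only surfaces on the decode side, where the destination is a correctly sized buffer. The following is an added example written for this page, not JavaScriptCore's CachedBitVector and not code from the ChangeLog: a minimal bit vector cache format in C++ that derives the byte length from the bit count in exactly one helper, checks the declared length against the bytes actually present before copying on decode, and keeps the buggy and fixed length computations side by side. The names `BitVector`, `encodeBitVector`, `decodeBitVector` and the `[uint32 numBits][payload]` layout are the example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not JSC's CachedBitVector: a bit vector with ceil(numBits/8)
// bytes of storage and a cache encoding of [uint32 numBits][payload bytes].
struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> bytes;

    explicit BitVector(size_t bits) : numBits(bits), bytes((bits + 7) / 8, 0) {}
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
};

// The unit conversion lives in exactly one place so that allocation, encode
// and decode can never disagree about how many bytes hold numBits bits.
inline size_t byteSizeForBits(size_t numBits) { return (numBits + 7) / 8; }

// The bug pattern: a bit count used as a memcpy length. On the encode side it
// is masked if the same oversized number was also used for the allocation; on
// the decode side the destination is a real ceil(numBits/8)-byte buffer, so
// the copy runs up to 8x past its end.
size_t buggyCopyLength(size_t numBits) { return numBits; }
size_t fixedCopyLength(size_t numBits) { return byteSizeForBits(numBits); }

std::vector<uint8_t> encodeBitVector(const BitVector& bv) {
    const uint32_t numBits = static_cast<uint32_t>(bv.numBits);
    const size_t payload = byteSizeForBits(numBits);
    std::vector<uint8_t> out(sizeof(numBits) + payload);
    std::memcpy(out.data(), &numBits, sizeof(numBits));
    if (payload)
        std::memcpy(out.data() + sizeof(numBits), bv.bytes.data(), payload);
    return out;
}

// Decoding treats the cache as untrusted input: the declared bit count is
// checked against the bytes actually present before anything is copied.
bool decodeBitVector(const std::vector<uint8_t>& in, BitVector& out) {
    uint32_t numBits = 0;
    if (in.size() < sizeof(numBits))
        return false;
    std::memcpy(&numBits, in.data(), sizeof(numBits));
    const size_t payload = byteSizeForBits(numBits);
    if (in.size() - sizeof(numBits) < payload)
        return false;
    out = BitVector(numBits);
    if (payload)
        std::memcpy(out.bytes.data(), in.data() + sizeof(numBits), payload);
    return true;
}

// Round-trips a vector through the cache format and returns how many bits
// came back set; size_t(-1) signals a decode failure.
size_t roundTripSetBits(size_t numBits, const std::vector<size_t>& setIndices) {
    BitVector bv(numBits);
    for (size_t i : setIndices)
        bv.set(i);
    BitVector decoded(0);
    if (!decodeBitVector(encodeBitVector(bv), decoded))
        return static_cast<size_t>(-1);
    size_t count = 0;
    for (size_t i = 0; i < decoded.numBits; ++i)
        count += decoded.get(i) ? 1 : 0;
    return count;
}

// Constructed input: the header declares 64 bits (8 payload bytes) but only
// three bytes follow, as a truncated or tampered cache file would.
bool truncatedCacheIsRejected() {
    const std::vector<uint8_t> truncated = {64, 0, 0, 0, 0xff, 0xff, 0xff};
    BitVector bv(0);
    return !decodeBitVector(truncated, bv);
}
```

The decode-side length check is the one that matters for security: a bytecode cache is input, and if it can be tampered with, the declared bit count has to be bounded by the bytes that are actually present before any copy happens, whatever unit the encoder used.
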
893 2019-02-13  Brian Burg  <bburg@apple.com>
894
895         Web Inspector: don't include accessibility role in DOM.Node object payloads
896         https://bugs.webkit.org/show_bug.cgi?id=194623
897         <rdar://problem/36384037>
898
899         Reviewed by Devin Rousso.
900
901         Remove property of DOM.Node that is no longer being sent.
902
903         * inspector/protocol/DOM.json:
904
905 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
906
907         We should only make rope strings when concatenating strings long enough.
908         https://bugs.webkit.org/show_bug.cgi?id=194465
909
910         Reviewed by Mark Lam.
911
912         This patch stops us from allocating a rope string if the resulting
913         rope would be smaller than the size of the JSRopeString object we
914         would need to allocate.
915
916         This patch also adds paths so that we don't unnecessarily allocate
917         JSString cells for primitives we are going to concatenate with a
918         string anyway.
919
920         The important change from the previous one is that we do not apply
921         the above rule to JSRopeStrings generated by JSStrings. If we convert
922         it to JSString, comparison of memory consumption becomes the following,
923         because JSRopeString does not have StringImpl until it is resolved.
924
925             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
926
927         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
928         resolving eagerly increases memory footprint. The point is that we need to
929         account for newly created JSString and JSRopeString from the operands. This is the
930         reason why this patch adds different thresholds for each jsString functions.
931
932         This patch also avoids concatenation for ropes conservatively. Many ropes are
933         temporary cells. So we do not resolve eagerly if one of operands is already a
934         rope.
935
936         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up, and averaged over the latter 5).
937
938             Before: 159.3778
939             After:  160.72340000000003
940
941         * dfg/DFGOperations.cpp:
942         * runtime/CommonSlowPaths.cpp:
943         (JSC::SLOW_PATH_DECL):
944         * runtime/JSString.h:
945         (JSC::JSString::isRope const):
946         * runtime/Operations.cpp:
947         (JSC::jsAddSlowCase):
948         * runtime/Operations.h:
949         (JSC::jsString):
950         (JSC::jsAddNonNumber):
951         (JSC::jsAdd):
952
953 2019-02-13  Saam Barati  <sbarati@apple.com>
954
955         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
956         https://bugs.webkit.org/show_bug.cgi?id=194610
957
958         Reviewed by Michael Saboff.
959
960         BinarySwitch might use the scratch register. We must model the
961         effects of that properly. This is already caught by our br-table
962         tests on arm64.
963
964         * wasm/WasmAirIRGenerator.cpp:
965         (JSC::Wasm::AirIRGenerator::addSwitch):
966
967 2019-02-13  Mark Lam  <mark.lam@apple.com>
968
969         Create a randomized free list for new StructureIDs on StructureIDTable resize.
970         https://bugs.webkit.org/show_bug.cgi?id=194566
971         <rdar://problem/47975502>
972
973         Reviewed by Michael Saboff.
974
975         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
976         implementation is a little easier to read.
977
978         This patch appears to be perf neutral on JetStream2 (as run from the command line).
979
980         * runtime/StructureIDTable.cpp:
981         (JSC::StructureIDTable::StructureIDTable):
982         (JSC::StructureIDTable::makeFreeListFromRange):
983         (JSC::StructureIDTable::resize):
984         (JSC::StructureIDTable::allocateID):
985         (JSC::StructureIDTable::deallocateID):
986         * runtime/StructureIDTable.h:
987         (JSC::StructureIDTable::get):
988         (JSC::StructureIDTable::deallocateID):
989         (JSC::StructureIDTable::allocateID):
990         (JSC::StructureIDTable::flushOldTables):
991
992 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
993
994         VariableLengthObject::allocate<T> should initialize objects
995         https://bugs.webkit.org/show_bug.cgi?id=194534
996
997         Reviewed by Michael Saboff.
998
999         `buffer()` should not be called for empty VariableLengthObjects, but
1000         these cases were not being caught due to the objects not being properly
1001         initialized. Fix it so that allocate calls the constructor and fix the
1002         assertion failures.
1003
1004         * runtime/CachedTypes.cpp:
1005         (JSC::CachedObject::operator new):
1006         (JSC::VariableLengthObject::allocate):
1007         (JSC::CachedVector::encode):
1008         (JSC::CachedVector::decode const):
1009         (JSC::CachedUniquedStringImpl::decode const):
1010         (JSC::CachedBitVector::encode):
1011         (JSC::CachedBitVector::decode const):
1012         (JSC::CachedArray::encode):
1013         (JSC::CachedArray::decode const):
1014         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
1015         (JSC::CachedBigInt::decode const):
1016
1017 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1018
1019         CodeBlocks read from disk should not be re-written
1020         https://bugs.webkit.org/show_bug.cgi?id=194535
1021
1022         Reviewed by Michael Saboff.
1023
1024         Keep track of which CodeBlocks have been read from disk or have already
1025         been serialized in CodeCache.
1026
1027         * runtime/CodeCache.cpp:
1028         (JSC::CodeCache::write):
1029         * runtime/CodeCache.h:
1030         (JSC::SourceCodeValue::SourceCodeValue):
1031         (JSC::CodeCacheMap::fetchFromDiskImpl):
1032
1033 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1034
1035         SourceCode should be copied when generating bytecode for functions
1036         https://bugs.webkit.org/show_bug.cgi?id=194536
1037
1038         Reviewed by Saam Barati.
1039
1040         The FunctionExecutable might be collected while generating the bytecode
1041         for nested functions, in which case the SourceCode reference would no
1042         longer be valid.
1043
1044         * runtime/CodeCache.cpp:
1045         (JSC::generateUnlinkedCodeBlockForFunctions):
1046
1047 2019-02-12  Saam barati  <sbarati@apple.com>
1048
1049         JSScript needs to retain its cache path NSURL*
1050         https://bugs.webkit.org/show_bug.cgi?id=194577
1051
1052         Reviewed by Tim Horton.
1053
1054         * API/JSScript.mm:
1055         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1056         (-[JSScript dealloc]):
1057
1058 2019-02-12  Robin Morisset  <rmorisset@apple.com>
1059
1060         Make B3Value::returnsBool() more precise
1061         https://bugs.webkit.org/show_bug.cgi?id=194457
1062
1063         Reviewed by Saam Barati.
1064
1065         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
1066         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
1067         No new tests added as this should be indirectly tested by the already existing tests.
1068
1069         * b3/B3Value.cpp:
1070         (JSC::B3::Value::returnsBool const):
1071
1072 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1073
1074         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1075         https://bugs.webkit.org/show_bug.cgi?id=194399
1076         <rdar://problem/47889777>
1077
1078         * dfg/DFGDoesGC.cpp:
1079         (JSC::DFG::doesGC):
1080
1081 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1082
1083         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1084         https://bugs.webkit.org/show_bug.cgi?id=194370
1085
1086         Reviewed by Darin Adler.
1087
1088         Change a couple WTFLogAlways to use g_warning, for good measure. Of course this isn't
1089         necessary, but it will make errors more visible.
1090
1091         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1092         (Inspector::RemoteInspector::start):
1093         (Inspector::dbusConnectionCallAsyncReadyCallback):
1094         * inspector/remote/glib/RemoteInspectorServer.cpp:
1095         (Inspector::RemoteInspectorServer::start):
1096
1097 2019-02-12  Andy Estes  <aestes@apple.com>
1098
1099         [iOSMac] Enable Parental Controls Content Filtering
1100         https://bugs.webkit.org/show_bug.cgi?id=194521
1101         <rdar://39732376>
1102
1103         Reviewed by Tim Horton.
1104
1105         * Configurations/FeatureDefines.xcconfig:
1106
1107 2019-02-11  Mark Lam  <mark.lam@apple.com>
1108
1109         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1110         https://bugs.webkit.org/show_bug.cgi?id=194512
1111         <rdar://problem/47975465>
1112
1113         Reviewed by Yusuke Suzuki.
1114
1115         * runtime/StructureIDTable.cpp:
1116         (JSC::StructureIDTable::StructureIDTable):
1117         (JSC::StructureIDTable::allocateID):
1118         (JSC::StructureIDTable::deallocateID):
1119         * runtime/StructureIDTable.h:
1120
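The 2019-02-13 entry above (randomized free list for new StructureIDs on resize) and this 2019-02-11 entry (randomized insertion of deallocated StructureIDs) together make the ID a new allocation receives hard to predict from allocation and free order alone, which is the usual reason to randomize an ID allocator: a predictable ID is one fewer thing an attacker has to guess. The following is an added illustration of that idea, written for this page; it is not JSC's StructureIDTable and makes no claim about its data layout. A simple pointer table hands out IDs, reserves 0 as the invalid ID, shuffles newly added IDs into the free list, and reinserts freed IDs at a random position instead of at the head. The class name, the injected `Rng` callback (so the behaviour can be tested deterministically; production code would use a cryptographically secure source) and the helper functions are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Added illustration, not JSC's StructureIDTable. IDs index a table of
// pointers; ID 0 is reserved as the invalid ID. New IDs enter the free list
// in shuffled order and freed IDs are reinserted at a random position, so the
// ID an allocation receives cannot be derived from allocation/free order alone.
// The RNG is injected for deterministic testing; real code would use a CSPRNG.
class RandomizedIDTable {
public:
    using Rng = std::function<uint32_t()>;
    static constexpr uint32_t invalidID = 0;

    RandomizedIDTable(uint32_t initialCapacity, Rng rng)
        : m_rng(std::move(rng)), m_table(1, nullptr) { grow(initialCapacity); }

    uint32_t allocateID(void* object) {
        if (m_free.empty())
            grow(static_cast<uint32_t>(m_table.size()) * 2);
        const uint32_t id = m_free.back();
        m_free.pop_back();
        m_table[id] = object;
        return id;
    }

    void deallocateID(uint32_t id) {
        m_table[id] = nullptr;
        // Push, then swap with a random entry. A plain LIFO free list would
        // hand the most recently freed ID straight back to the next allocation.
        m_free.push_back(id);
        std::swap(m_free.back(), m_free[m_rng() % m_free.size()]);
    }

    void* get(uint32_t id) const {
        return (id == invalidID || id >= m_table.size()) ? nullptr : m_table[id];
    }

private:
    // Extend the table and append the new IDs [oldSize, newCapacity) to the
    // free list in Fisher-Yates shuffled order.
    void grow(uint32_t newCapacity) {
        const uint32_t oldSize = static_cast<uint32_t>(m_table.size());
        if (newCapacity <= oldSize)
            return;
        m_table.resize(newCapacity, nullptr);
        const size_t start = m_free.size();
        for (uint32_t id = oldSize; id < newCapacity; ++id)
            m_free.push_back(id);
        for (size_t i = m_free.size(); i > start + 1; --i)
            std::swap(m_free[i - 1], m_free[start + m_rng() % (i - start)]);
    }

    Rng m_rng;
    std::vector<void*> m_table;
    std::vector<uint32_t> m_free;
};

// Allocates n IDs from a fresh table and returns them in the order handed out.
std::vector<uint32_t> allocationOrder(size_t n, uint32_t initialCapacity, RandomizedIDTable::Rng rng) {
    static int dummy;
    RandomizedIDTable table(initialCapacity, std::move(rng));
    std::vector<uint32_t> ids;
    for (size_t i = 0; i < n; ++i)
        ids.push_back(table.allocateID(&dummy));
    return ids;
}

// Uses all three IDs of a 4-slot table, frees the given IDs in order and
// reports which ID the next allocation reuses.
uint32_t idReusedAfterFreeing(const std::vector<uint32_t>& freeOrder, RandomizedIDTable::Rng rng) {
    static int dummy;
    RandomizedIDTable table(4, std::move(rng));
    for (int i = 0; i < 3; ++i)
        table.allocateID(&dummy);
    for (uint32_t id : freeOrder)
        table.deallocateID(id);
    return table.allocateID(&dummy);
}

// True when no ID is the reserved invalid ID and none is handed out twice.
bool idsUniqueAndValid(const std::vector<uint32_t>& ids) {
    for (size_t i = 0; i < ids.size(); ++i) {
        if (ids[i] == RandomizedIDTable::invalidID)
            return false;
        for (size_t j = 0; j < i; ++j)
            if (ids[j] == ids[i])
                return false;
    }
    return true;
}

int main() {
    uint32_t state = 0x1234567u; // demo only: a tiny LCG stands in for a real random source
    auto lcg = [&state] { state = state * 1664525u + 1013904223u; return state >> 8; };
    for (uint32_t id : allocationOrder(8, 4, lcg))
        std::printf("%u ", id);
    std::printf("\n");
    return 0;
}
```

With a constant RNG the behaviour is reproducible, which is what the checks below rely on: freeing IDs 1 and then 3 does not necessarily give 3 back on the next allocation, and which ID comes back depends only on the random source. The shuffle in `grow` is O(new IDs) and the reinsertion in `deallocateID` is O(1), so the randomization costs nothing on the allocation fast path.
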
1121 2019-02-10  Mark Lam  <mark.lam@apple.com>
1122
1123         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1124         https://bugs.webkit.org/show_bug.cgi?id=194493
1125         <rdar://problem/36380852>
1126
1127         Reviewed by Yusuke Suzuki.
1128
1129         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1130         however not good for performance and memory usage.  As such, a debug ASSERT will
1131         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1132         possible to be instantiated with duplicate cases in
1133         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1134
1135         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1136         see duplicate cases.
1137
1138         * jit/BinarySwitch.cpp:
1139         (JSC::BinarySwitch::BinarySwitch):
1140
1141 2019-02-10  Darin Adler  <darin@apple.com>
1142
1143         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1144         https://bugs.webkit.org/show_bug.cgi?id=194485
1145
1146         Reviewed by Daniel Bates.
1147
1148         * heap/HeapSnapshotBuilder.cpp:
1149         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1150         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1151
1152         * runtime/JSGlobalObjectFunctions.cpp:
1153         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1154         including one in a call to appendByteAsHex.
1155         (JSC::globalFuncEscape): Ditto.
1156
1157 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1158
1159         Unreviewed, rolling out r241230.
1160         https://bugs.webkit.org/show_bug.cgi?id=194488
1161
1162         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1163         #webkit).
1164
1165         Reverted changeset:
1166
1167         "We should only make rope strings when concatenating strings
1168         long enough."
1169         https://bugs.webkit.org/show_bug.cgi?id=194465
1170         https://trac.webkit.org/changeset/241230
1171
1172 2019-02-10  Saam barati  <sbarati@apple.com>
1173
1174         BBQ-Air: Emit better code for switch
1175         https://bugs.webkit.org/show_bug.cgi?id=194053
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         Instead of emitting a linear set of jumps for Switch, this patch
1180         makes the BBQ-Air backend emit a binary switch.
1181
1182         * wasm/WasmAirIRGenerator.cpp:
1183         (JSC::Wasm::AirIRGenerator::addSwitch):
1184
1185 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1186
1187         Unreviewed, Lexer should use isLatin1 implementation in WTF
1188         https://bugs.webkit.org/show_bug.cgi?id=194466
1189
1190         Follow-up after r241233 pointed by Darin.
1191
1192         * parser/Lexer.cpp:
1193         (JSC::isLatin1): Deleted.
1194
1195 2019-02-09  Darin Adler  <darin@apple.com>
1196
1197         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1198         https://bugs.webkit.org/show_bug.cgi?id=194021
1199
1200         Reviewed by Geoffrey Garen.
1201
1202         * inspector/agents/InspectorConsoleAgent.cpp:
1203         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1204         makeString do the conversion without allocating/destroying a String.
1205         * inspector/agents/InspectorDebuggerAgent.cpp:
1206         (Inspector::objectGroupForBreakpointAction): Ditto.
1207         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1208         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1209         * runtime/JSGenericTypedArrayViewInlines.h:
1210         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1211         * runtime/NumberPrototype.cpp:
1212         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1213         of calling numberToFixedWidthString to do the same thing.
1214         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1215         numberToFixedPrecisionString to do the same thing.
1216         * runtime/SamplingProfiler.cpp:
1217         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1218
1219 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1220
1221         Unreviewed, rolling in r241237 again
1222         https://bugs.webkit.org/show_bug.cgi?id=194469
1223
1224         * runtime/JSString.h:
1225         (JSC::jsSubstring):
1226
1227 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1228
1229         Unreviewed, rolling out r241237.
1230         https://bugs.webkit.org/show_bug.cgi?id=194474
1231
1232         Shows significant memory increase in WSL (Requested by
1233         yusukesuzuki on #webkit).
1234
1235         Reverted changeset:
1236
1237         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1238         takes more memory"
1239         https://bugs.webkit.org/show_bug.cgi?id=194469
1240         https://trac.webkit.org/changeset/241237
1241
1242 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1243
1244         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1245         https://bugs.webkit.org/show_bug.cgi?id=194469
1246
1247         Reviewed by Geoffrey Garen.
1248
1249         * runtime/JSString.h:
1250         (JSC::jsSubstring):
1251
1252 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1253
1254         [JSC] CachedTypes should use jsString instead of JSString::create
1255         https://bugs.webkit.org/show_bug.cgi?id=194471
1256
1257         Reviewed by Mark Lam.
1258
1259         Use jsString() here because JSString::create is a bit low-level API and it requires some invariant like "length is not zero".
1260
1261         * runtime/CachedTypes.cpp:
1262         (JSC::CachedJSValue::decode const):
1263
1264 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1265
1266         [JSC] Increase StructureIDTable initial capacity
1267         https://bugs.webkit.org/show_bug.cgi?id=194468
1268
1269         Reviewed by Mark Lam.
1270
1271         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1272         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1273         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
1274         more memory dirty. We also remove some structures that are no longer used.
1275
1276         * runtime/JSGlobalObject.h:
1277         (JSC::JSGlobalObject::callbackObjectStructure const):
1278         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1279         * runtime/StructureIDTable.h:
1280         * runtime/VM.h:
1281
1282 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1283
1284         [JSC] String.fromCharCode's slow path always generates 16bit string
1285         https://bugs.webkit.org/show_bug.cgi?id=194466
1286
1287         Reviewed by Keith Miller.
1288
1289         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1290         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1291         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1292         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1293         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1294         as much as possible.
1295
1296         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1297
1298         * runtime/StringConstructor.cpp:
1299         (JSC::stringFromCharCode):
1300
1301 2019-02-08  Keith Miller  <keith_miller@apple.com>
1302
1303         We should only make rope strings when concatenating strings long enough.
1304         https://bugs.webkit.org/show_bug.cgi?id=194465
1305
1306         Reviewed by Saam Barati.
1307
1308         This patch stops us from allocating a rope string if the resulting
1309         rope would be smaller than the size of the JSRopeString object we
1310         would need to allocate.
1311
1312         This patch also adds paths so that we don't unnecessarily allocate
1313         JSString cells for primitives we are going to concatenate with a
1314         string anyway.
1315
1316         * dfg/DFGOperations.cpp:
1317         * runtime/CommonSlowPaths.cpp:
1318         (JSC::SLOW_PATH_DECL):
1319         * runtime/JSString.h:
1320         * runtime/Operations.cpp:
1321         (JSC::jsAddSlowCase):
1322         * runtime/Operations.h:
1323         (JSC::jsString):
1324         (JSC::jsAdd):
1325
1326 2019-02-08  Saam barati  <sbarati@apple.com>
1327
1328         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1329         https://bugs.webkit.org/show_bug.cgi?id=194334
1330         <rdar://problem/47844327>
1331
1332         Reviewed by Mark Lam.
1333
1334         * dfg/DFGAbstractInterpreterInlines.h:
1335         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1336         * dfg/DFGArgumentsEliminationPhase.cpp:
1337         * dfg/DFGByteCodeParser.cpp:
1338         (JSC::DFG::ByteCodeParser::parseBlock):
1339         * dfg/DFGClobberize.h:
1340         (JSC::DFG::clobberize):
1341         * dfg/DFGConstantFoldingPhase.cpp:
1342         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1343         * dfg/DFGFixupPhase.cpp:
1344         (JSC::DFG::FixupPhase::fixupNode):
1345         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1346         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1347         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1348         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1349         * dfg/DFGNodeType.h:
1350         * dfg/DFGSSALoweringPhase.cpp:
1351         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1352         * dfg/DFGSpeculativeJIT.cpp:
1353         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1354         * ftl/FTLLowerDFGToB3.cpp:
1355         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1356         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1357
1358 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1359
1360         [JSC] Shrink sizeof(CodeBlock) more
1361         https://bugs.webkit.org/show_bug.cgi?id=194419
1362
1363         Reviewed by Mark Lam.
1364
1365         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1366
1367         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1368         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1369         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1370
1371         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1372         And we do not touch it in CodeBlock::~CodeBlock.
1373
1374         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1375         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1376         singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1377
1378         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1379
1380         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1381
1382         * bytecode/CodeBlock.cpp:
1383         (JSC::CodeBlock::hash const):
1384         (JSC::CodeBlock::sourceCodeForTools const):
1385         (JSC::CodeBlock::dumpAssumingJITType const):
1386         (JSC::CodeBlock::dumpSource):
1387         (JSC::CodeBlock::CodeBlock):
1388         (JSC::CodeBlock::finishCreation):
1389         (JSC::CodeBlock::propagateTransitions):
1390         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1391         (JSC::CodeBlock::setCalleeSaveRegisters):
1392         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1393         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1394         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1395         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1396         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1397         (JSC::CodeBlock::newReplacement):
1398         (JSC::CodeBlock::replacement):
1399         (JSC::CodeBlock::computeCapabilityLevel):
1400         (JSC::CodeBlock::jettison):
1401         (JSC::CodeBlock::calleeSaveRegisters const):
1402         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1403         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1404         (JSC::CodeBlock::getArrayProfile):
1405         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1406         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1407         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1408         (JSC::CodeBlock::validate):
1409         (JSC::CodeBlock::outOfLineJumpTarget):
1410         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1411         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1412         * bytecode/CodeBlock.h:
1413         (JSC::CodeBlock::specializationKind const):
1414         (JSC::CodeBlock::isStrictMode const):
1415         (JSC::CodeBlock::isConstructor const):
1416         (JSC::CodeBlock::codeType const):
1417         (JSC::CodeBlock::isKnownNotImmediate):
1418         (JSC::CodeBlock::instructions const):
1419         (JSC::CodeBlock::ownerExecutable const):
1420         (JSC::CodeBlock::thisRegister const):
1421         (JSC::CodeBlock::source const):
1422         (JSC::CodeBlock::sourceOffset const):
1423         (JSC::CodeBlock::firstLineColumnOffset const):
1424         (JSC::CodeBlock::createRareDataIfNecessary):
1425         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1426         (JSC::CodeBlock::setThisRegister): Deleted.
1427         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1428         * bytecode/EvalCodeBlock.h:
1429         * bytecode/FunctionCodeBlock.h:
1430         * bytecode/GlobalCodeBlock.h:
1431         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1432         * bytecode/ModuleProgramCodeBlock.h:
1433         * bytecode/ProgramCodeBlock.h:
1434         * debugger/Debugger.cpp:
1435         (JSC::Debugger::toggleBreakpoint):
1436         * debugger/DebuggerCallFrame.cpp:
1437         (JSC::DebuggerCallFrame::sourceID const):
1438         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1439         * debugger/DebuggerScope.cpp:
1440         (JSC::DebuggerScope::location const):
1441         * dfg/DFGByteCodeParser.cpp:
1442         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1443         (JSC::DFG::ByteCodeParser::inliningCost):
1444         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1445         * dfg/DFGCapabilities.cpp:
1446         (JSC::DFG::isSupportedForInlining):
1447         (JSC::DFG::mightCompileEval):
1448         (JSC::DFG::mightCompileProgram):
1449         (JSC::DFG::mightCompileFunctionForCall):
1450         (JSC::DFG::mightCompileFunctionForConstruct):
1451         (JSC::DFG::canUseOSRExitFuzzing):
1452         * dfg/DFGGraph.h:
1453         (JSC::DFG::Graph::executableFor):
1454         * dfg/DFGJITCompiler.cpp:
1455         (JSC::DFG::JITCompiler::compileFunction):
1456         * dfg/DFGOSREntry.cpp:
1457         (JSC::DFG::prepareOSREntry):
1458         * dfg/DFGOSRExit.cpp:
1459         (JSC::DFG::restoreCalleeSavesFor):
1460         (JSC::DFG::saveCalleeSavesFor):
1461         (JSC::DFG::saveOrCopyCalleeSavesFor):
1462         * dfg/DFGOSRExitCompilerCommon.cpp:
1463         (JSC::DFG::handleExitCounts):
1464         * dfg/DFGOperations.cpp:
1465         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1466         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1467         * ftl/FTLCapabilities.cpp:
1468         (JSC::FTL::canCompile):
1469         * ftl/FTLLink.cpp:
1470         (JSC::FTL::link):
1471         * ftl/FTLOSRExitCompiler.cpp:
1472         (JSC::FTL::compileStub):
1473         * interpreter/CallFrame.cpp:
1474         (JSC::CallFrame::callerSourceOrigin):
1475         * interpreter/Interpreter.cpp:
1476         (JSC::eval):
1477         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1478         * interpreter/StackVisitor.cpp:
1479         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1480         (JSC::StackVisitor::Frame::sourceURL const):
1481         (JSC::StackVisitor::Frame::sourceID):
1482         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1483         * interpreter/StackVisitor.h:
1484         * jit/AssemblyHelpers.h:
1485         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1486         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1487         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1488         * jit/CallFrameShuffleData.cpp:
1489         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1490         * jit/JIT.cpp:
1491         (JSC::JIT::compileWithoutLinking):
1492         * jit/JITToDFGDeferredCompilationCallback.cpp:
1493         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1494         * jit/JITWorklist.cpp:
1495         (JSC::JITWorklist::Plan::finalize):
1496         (JSC::JITWorklist::compileNow):
1497         * jit/RegisterAtOffsetList.cpp:
1498         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1499         * jit/RegisterAtOffsetList.h:
1500         (JSC::RegisterAtOffsetList::at const):
1501         * runtime/ErrorInstance.cpp:
1502         (JSC::appendSourceToError):
1503         * runtime/ScriptExecutable.cpp:
1504         (JSC::ScriptExecutable::newCodeBlockFor):
1505         * runtime/StackFrame.cpp:
1506         (JSC::StackFrame::sourceID const):
1507         (JSC::StackFrame::sourceURL const):
1508         (JSC::StackFrame::computeLineAndColumn const):
1509
1510 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1511
1512         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1513         https://bugs.webkit.org/show_bug.cgi?id=194460
1514
1515         Reviewed by Mark Lam.
1516
1517         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1518
1519         * b3/B3LowerMacros.cpp:
1520
1521 2019-02-08  Mark Lam  <mark.lam@apple.com>
1522
1523         Use maxSingleCharacterString in comparisons instead of literal constants.
1524         https://bugs.webkit.org/show_bug.cgi?id=194452
1525
1526         Reviewed by Yusuke Suzuki.
1527
1528         This way, if we ever change maxSingleCharacterString, it won't break all this code
1529         that relies on it being 0xff implicitly.
1530
1531         * dfg/DFGSpeculativeJIT.cpp:
1532         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1533         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1534         * ftl/FTLLowerDFGToB3.cpp:
1535         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1536         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1537         * jit/ThunkGenerators.cpp:
1538         (JSC::stringGetByValGenerator):
1539         (JSC::charToString):
1540
1541 2019-02-08  Mark Lam  <mark.lam@apple.com>
1542
1543         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1544         https://bugs.webkit.org/show_bug.cgi?id=194446
1545         <rdar://problem/47926792>
1546
1547         Reviewed by Saam Barati.
1548
1549         Fix doesGC() for the following nodes:
1550
1551             CheckTierUpAtReturn:
1552                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1553                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1554
1555             CheckTierUpInLoop:
1556                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1557                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1558
1559             CheckTierUpAndOSREnter:
1560                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1561                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1562
1563             GetByVal:
1564                 case Array::String calls operationSingleCharacterString(), which calls
1565                 jsSingleCharacterString(), which can allocate a string.
1566
1567             PutByValDirect:
1568             PutByVal:
1569             PutByValAlias:
1570                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1571                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1572                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1573                 slow paths call putByValInternal(), which may create exception objects, or
1574                 call the generic JSValue::put() which may execute arbitrary code.
1575
1576             StringCharAt:
1577                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1578                 which can allocate a string.
1579
1580         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1581         to use the maxSingleCharacterString constant instead of a literal constant.
1582
1583         * dfg/DFGDoesGC.cpp:
1584         (JSC::DFG::doesGC):
1585         * dfg/DFGSpeculativeJIT.cpp:
1586         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1587         * dfg/DFGSpeculativeJIT64.cpp:
1588         (JSC::DFG::SpeculativeJIT::compile):
1589         * ftl/FTLLowerDFGToB3.cpp:
1590         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1591         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1592         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1593
1594 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1595
1596         [JSC] SourceProviderCacheItem should be small
1597         https://bugs.webkit.org/show_bug.cgi?id=194432
1598
1599         Reviewed by Saam Barati.
1600
1601         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1602         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1603         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1604
1605         * parser/Parser.cpp:
1606         (JSC::Parser<LexerType>::parseFunctionInfo):
1607         * parser/ParserModes.h:
1608         * parser/ParserTokens.h:
1609         * parser/SourceProviderCacheItem.h:
1610         (JSC::SourceProviderCacheItem::endFunctionToken const):
1611         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1612
1613 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1614
1615         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1616         https://bugs.webkit.org/show_bug.cgi?id=194420
1617
1618         Reviewed by Saam Barati.
1619
1620         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1621         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1622         This trivial patch fixes both.
1623
1624         * b3/B3ReduceStrength.cpp:
1625         * b3/testb3.cpp:
1626         (JSC::B3::testAbsNegArg):
1627
1628 2019-02-07  Keith Miller  <keith_miller@apple.com>
1629
1630         Better error messages for module loader SPI
1631         https://bugs.webkit.org/show_bug.cgi?id=194421
1632
1633         Reviewed by Saam Barati.
1634
1635         * API/JSAPIGlobalObject.mm:
1636         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1637
1638 2019-02-07  Mark Lam  <mark.lam@apple.com>
1639
1640         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1641         https://bugs.webkit.org/show_bug.cgi?id=194399
1642         <rdar://problem/47889777>
1643
1644         Reviewed by Yusuke Suzuki.
1645
1646         Fix doesGC() for the following nodes:
1647
1648             CheckTraps:
1649                 We normally will not emit this node because Options::usePollingTraps() is
1650                 false by default.  However, as it is implemented now, CheckTraps can GC
1651                 because it can allocate a TerminatedExecutionException.  If we make the
1652                 TerminatedExecutionException a singleton allocated at initialization time,
1653                 doesGC() can return false for CheckTraps.
1654                 https://bugs.webkit.org/show_bug.cgi?id=194323
1655
1656             GetMapBucket:
1657                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1658                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1659                 can resolve a rope.
1660
1661             Switch:
1662                 If switchData kind is SwitchChar, can call operationResolveRope().
1663                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1664                     can call operationSwitchString() which resolves ropes.
1665
1666             DirectTailCall:
1667             ForceOSRExit:
1668             Return:
1669             TailCallForwardVarargs:
1670             TailCallVarargs:
1671             Throw:
1672                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1673                 for them, but following our conservative practice, unless we have a good
1674                 reason for doesGC() to return false, we should just return true.
1675
1676         * dfg/DFGDoesGC.cpp:
1677         (JSC::DFG::doesGC):
1678
1679 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1680
1681         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1682         https://bugs.webkit.org/show_bug.cgi?id=194250
1683
1684         Reviewed by Saam Barati.
1685
1686         Adds the following optimizations for integers:
1687         - Sub(x, x) => 0
1688             Already covered by the test testSubArg
1689         - Sub(x1, Neg(x2)) => Add(x1, x2)
1690             Added test: testSubNeg
1691         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1692             Added test: testNegSub
1693         - Add(Neg(x1), x2) => Sub(x2, x1)
1694             Added test: testAddNeg1
1695         - Add(x1, Neg(x2)) => Sub(x1, x2)
1696             Added test: testAddNeg2
1697         Adds the following optimization for floating point values:
1698         - Abs(Neg(x)) => Abs(x)
1699             Added test: testAbsNegArg
1700             Adds the following optimization:
1701
1702         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1703
1704         * b3/B3ReduceStrength.cpp:
1705         * b3/testb3.cpp:
1706         (JSC::B3::testAddNeg1):
1707         (JSC::B3::testAddNeg2):
1708         (JSC::B3::testSubNeg):
1709         (JSC::B3::testNegSub):
1710         (JSC::B3::testAbsAbsArg):
1711         (JSC::B3::testAbsNegArg):
1712         (JSC::B3::run):
1713
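The rewrites listed in this entry, together with the Abs(Neg(x)) => Abs(x) fix in the 194420 entry above, as an added example that is not JavaScriptCore's own B3ReduceStrength code: a toy expression tree in C++ that applies the integer Neg/Sub/Add peepholes and the floating-point Abs(Neg(x)) rule bottom-up, plus an evaluator that checks each rewrite against the original on constructed inputs, including INT64_MIN wraparound and signed zero. The type gating mirrors the entry's point that the Sub/Neg/Add rules are integer-only (Sub(x, x) is not 0 for a NaN double). Node, simplify, eval, sameOn, preservesValue and sampleInputs are names chosen here, not B3's.

```cpp
// Added example, not JavaScriptCore's B3ReduceStrength: a toy expression tree
// with the integer Neg/Sub/Add peepholes and the floating-point Abs(Neg(x))
// rule, plus an evaluator that checks each rewrite against the original.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

enum class Type { Int64, Double };
enum class Op { Arg, Const, Add, Sub, Neg, Abs };
struct Node;
using NodeP = std::shared_ptr<Node>;
struct Node {
    Type type = Type::Int64; Op op = Op::Arg;
    int argIndex = 0; int64_t k = 0;   // Arg: argument position / Const: integer value
    NodeP a, b;                        // operands (only a for Neg/Abs)
    bool isInteger() const { return type == Type::Int64; }
};

static NodeP mk(Type t, Op op, NodeP a = nullptr, NodeP b = nullptr) { return std::make_shared<Node>(Node{t, op, 0, 0, a, b}); }
static NodeP arg(Type t, int i) { return std::make_shared<Node>(Node{t, Op::Arg, i}); }
static NodeP constInt(int64_t k) { return std::make_shared<Node>(Node{Type::Int64, Op::Const, 0, k}); }
static NodeP add(NodeP a, NodeP b) { return mk(a->type, Op::Add, a, b); }
static NodeP sub(NodeP a, NodeP b) { return mk(a->type, Op::Sub, a, b); }
static NodeP neg(NodeP a) { return mk(a->type, Op::Neg, a); }
static NodeP abs_(NodeP a) { return mk(Type::Double, Op::Abs, a); }   // Abs is built on doubles only here

static bool same(const NodeP& x, const NodeP& y)   // structural equality, used to match Sub(x, x)
{
    if (x.get() == y.get()) return true;
    if (!x || !y || x->type != y->type || x->op != y->op || x->argIndex != y->argIndex || x->k != y->k) return false;
    return same(x->a, y->a) && same(x->b, y->b);
}

NodeP simplify(const NodeP& o)   // one bottom-up pass (children first), building a new tree
{
    NodeP n = mk(o->type, o->op, o->a ? simplify(o->a) : nullptr, o->b ? simplify(o->b) : nullptr);
    n->argIndex = o->argIndex; n->k = o->k;
    if (n->isInteger()) {   // the integer-only rules
        switch (n->op) {
        case Op::Sub:
            if (same(n->a, n->b)) return constInt(0);              // Sub(x, x) => 0
            if (n->b->op == Op::Neg) return add(n->a, n->b->a);    // Sub(x1, Neg(x2)) => Add(x1, x2)
            break;
        case Op::Neg:
            if (n->a->op == Op::Sub) return sub(n->a->b, n->a->a); // Neg(Sub(x1, x2)) => Sub(x2, x1)
            break;
        case Op::Add:
            if (n->a->op == Op::Neg) return sub(n->b, n->a->a);    // Add(Neg(x1), x2) => Sub(x2, x1)
            if (n->b->op == Op::Neg) return sub(n->a, n->b->a);    // Add(x1, Neg(x2)) => Sub(x1, x2)
            break;
        default: break;
        }
    } else if (n->op == Op::Abs && n->a->op == Op::Neg) {
        return abs_(n->a->a);   // Abs(Neg(x)) => Abs(x); returning n->a->a (plain x) was the bug fixed in 194420
    }
    return n;
}

struct Value { int64_t i = 0; double d = 0; };   // both lanes are computed; the tree's type picks one

// Integer arithmetic wraps (two's complement), which is what makes the Neg/Sub
// rewrites exact even at INT64_MIN.
Value eval(const NodeP& n, const std::vector<Value>& args)
{
    Value r, a = n->a ? eval(n->a, args) : Value{}, b = n->b ? eval(n->b, args) : Value{};
    uint64_t ua = static_cast<uint64_t>(a.i), ub = static_cast<uint64_t>(b.i);
    switch (n->op) {
    case Op::Arg:   r = args[n->argIndex]; break;
    case Op::Const: r.i = n->k; r.d = static_cast<double>(n->k); break;
    case Op::Add:   r.i = static_cast<int64_t>(ua + ub); r.d = a.d + b.d; break;
    case Op::Sub:   r.i = static_cast<int64_t>(ua - ub); r.d = a.d - b.d; break;
    case Op::Neg:   r.i = static_cast<int64_t>(0 - ua);  r.d = -a.d; break;
    case Op::Abs:   r.d = std::fabs(a.d); break;
    }
    return r;
}

// True when p and q agree on every sample in p's type. Doubles are compared
// bitwise so a sign flip (-0.0 vs 0.0) or a dropped Abs shows up as a mismatch.
bool sameOn(const NodeP& p, const NodeP& q, const std::vector<std::vector<Value>>& samples)
{
    for (const auto& args : samples) {
        Value x = eval(p, args), y = eval(q, args);
        bool equal = p->isInteger() ? x.i == y.i : std::memcmp(&x.d, &y.d, sizeof x.d) == 0;
        if (!equal) return false;
    }
    return true;
}
bool preservesValue(const NodeP& n, const std::vector<std::vector<Value>>& s) { return sameOn(n, simplify(n), s); }

// Constructed sample inputs (two arguments each) covering wraparound and signed zero.
std::vector<std::vector<Value>> sampleInputs()
{
    return { { {0, 0.0}, {0, -0.0} },
             { {7, -1.5}, {-3, 2.25} },
             { {INT64_MIN, -0.0}, {1, 1e300} },
             { {INT64_MAX, 3.0}, {INT64_MIN, -3.0} } };
}
```

With the corrected rule, preservesValue(abs_(neg(x)), sampleInputs()) holds, while sameOn(abs_(neg(x)), x, sampleInputs()) fails on the -1.5 sample: that is the mismatch the 194420 fix removes. Building a new tree rather than mutating in place keeps the original available for the comparison; B3 itself rewrites in place and relies on its tests instead.
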
1714 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1715
1716         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1717         https://bugs.webkit.org/show_bug.cgi?id=194374
1718
1719         Reviewed by Geoffrey Garen.
1720
1721         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1722         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1723         is more memory efficient.
1724
1725         * runtime/SmallStrings.cpp:
1726         (JSC::SmallStringsStorage::SmallStringsStorage):
1727         (JSC::SmallStrings::SmallStrings):
1728         * runtime/SmallStrings.h:
1729
1730 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1731
1732         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1733         https://bugs.webkit.org/show_bug.cgi?id=194369
1734         <rdar://problem/47813087>
1735
1736         Reviewed by Saam Barati.
1737
1738         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1739         JSEmpty if it is TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in
1740         the constant folding phase.
1741
1742         * dfg/DFGAbstractInterpreterInlines.h:
1743         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1744
1745 2019-02-06  Devin Rousso  <drousso@apple.com>
1746
1747         Web Inspector: DOM: don't send the entire function string with each event listener
1748         https://bugs.webkit.org/show_bug.cgi?id=194293
1749         <rdar://problem/47822809>
1750
1751         Reviewed by Joseph Pecoraro.
1752
1753         * inspector/protocol/DOM.json:
1754
1755         * runtime/JSFunction.h:
1756         Export `calculatedDisplayName`.
1757
1758 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1759
1760         [JSC] PrivateName to PublicName hash table is wasteful
1761         https://bugs.webkit.org/show_bug.cgi?id=194277
1762
1763         Reviewed by Michael Saboff.
1764
1765         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames has Identifier fields corresponding to these PrivateNames,
1766         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1767         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1768         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1769
1770         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1771
1772         1. PrivateName's content should be the same as PublicName's.
1773         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1774            the public name should be easily crafted from the given PrivateName.
1775
1776         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that "@xxxSymbol"
1777         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1778
1779         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1780         WebCore.
1781
1782         * builtins/BuiltinNames.cpp:
1783         (JSC::BuiltinNames::BuiltinNames):
1784         * builtins/BuiltinNames.h:
1785         (JSC::BuiltinNames::lookUpPrivateName const):
1786         (JSC::BuiltinNames::getPublicName const):
1787         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1788         (JSC::BuiltinNames::appendExternalName):
1789         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1790         * builtins/BuiltinUtils.h:
1791         * bytecode/BytecodeDumper.cpp:
1792         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1793         * bytecompiler/NodesCodegen.cpp:
1794         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1795         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1796         * parser/Lexer.cpp:
1797         (JSC::Lexer<LChar>::parseIdentifier):
1798         (JSC::Lexer<UChar>::parseIdentifier):
1799         * parser/Parser.cpp:
1800         (JSC::Parser<LexerType>::createGeneratorParameters):
1801         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1802         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1803         (JSC::Parser<LexerType>::parseClassDeclaration):
1804         (JSC::Parser<LexerType>::parseExportDeclaration):
1805         (JSC::Parser<LexerType>::parseMemberExpression):
1806         * parser/ParserArena.h:
1807         (JSC::IdentifierArena::makeIdentifier):
1808         * runtime/CachedTypes.cpp:
1809         (JSC::CachedUniquedStringImpl::encode):
1810         (JSC::CachedUniquedStringImpl::decode const):
1811         * runtime/CommonIdentifiers.cpp:
1812         (JSC::CommonIdentifiers::CommonIdentifiers):
1813         (JSC::CommonIdentifiers::lookUpPrivateName const):
1814         (JSC::CommonIdentifiers::getPublicName const):
1815         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1816         * runtime/CommonIdentifiers.h:
1817         * runtime/ExceptionHelpers.cpp:
1818         (JSC::createUndefinedVariableError):
1819         * runtime/Identifier.cpp:
1820         (JSC::Identifier::dump const):
1821         * runtime/Identifier.h:
1822         * runtime/IdentifierInlines.h:
1823         (JSC::Identifier::fromUid):
1824         * runtime/JSTypedArrayViewPrototype.cpp:
1825         (JSC::JSTypedArrayViewPrototype::finishCreation):
1826         * tools/JSDollarVM.cpp:
1827         (JSC::functionGetPrivateProperty):
1828
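An added illustration of the two rules above, not JSC's BuiltinNames code: publicNameForPrivateName derives the public name from the "@xxx" form the builtin JS parser sees, applying the "@xxxSymbol" to "Symbol.xxx" mapping, and firstInconsistentEntry checks a table of (private, public) pairs against it, in the spirit of the checkPublicToPrivateMapConsistency listed below. The "Symbol" suffix test is our reading of rule (2); the sample pairs other than "@iteratorSymbol" are constructed, and the function names are ours.

```cpp
// Added example, not JavaScriptCore's BuiltinNames: derive a public name from
// a private name by the entry's two rules, so no "PrivateName to PublicName"
// hash table is needed. Function names and the sample table are ours.
#include <string>
#include <utility>
#include <vector>

// "@xxx" -> "xxx" (rule 1: same content), "@xxxSymbol" -> "Symbol.xxx"
// (rule 2: the public name is crafted from the private one). Anything that
// does not start with '@' is not a private name and yields "".
std::string publicNameForPrivateName(const std::string& privateName)
{
    if (privateName.size() < 2 || privateName[0] != '@')
        return "";
    std::string body = privateName.substr(1);
    static const std::string suffix = "Symbol";
    bool endsWithSymbol = body.size() > suffix.size()
        && body.compare(body.size() - suffix.size(), suffix.size(), suffix) == 0;
    if (endsWithSymbol)
        return "Symbol." + body.substr(0, body.size() - suffix.size());
    return body;
}

// Checks every (private, expected public) pair against the computed mapping;
// returns the first private name that disagrees, or "" when all agree.
std::string firstInconsistentEntry(const std::vector<std::pair<std::string, std::string>>& table)
{
    for (const auto& entry : table) {
        if (publicNameForPrivateName(entry.first) != entry.second)
            return entry.first;
    }
    return "";
}

// Constructed sample table: "@iteratorSymbol" => Symbol.iterator is the
// mapping named in the entry; the other two rows are made up for illustration.
std::vector<std::pair<std::string, std::string>> sampleTable()
{
    return { { "@iteratorSymbol", "Symbol.iterator" },
             { "@exampleSymbol", "Symbol.example" },
             { "@exampleHelper", "exampleHelper" } };
}
```

The point of the check is that rule (1) turns a 16KB reverse table into a string rewrite, so any builtin whose private and public spellings drift apart is caught at the same place the forward table is validated.
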
1829 2019-02-06  Keith Rollin  <krollin@apple.com>
1830
1831         Really enable the automatic checking and regenerations of .xcfilelists during builds
1832         https://bugs.webkit.org/show_bug.cgi?id=194357
1833         <rdar://problem/47861231>
1834
1835         Reviewed by Chris Dumez.
1836
1837         Bug 194124 was supposed to enable the automatic checking and
1838         regenerating of .xcfilelist files during the build. While related
1839         changes were included in that patch, the change to actually enable the
1840         operation somehow was omitted. This patch actually enables the
1841         operation. The check-xcfilelist.sh scripts now check
1842         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out of
1843         the checking.
1844
1845         * Scripts/check-xcfilelists.sh:
1846
1847 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1848
1849         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1850         https://bugs.webkit.org/show_bug.cgi?id=194339
1851
1852         Reviewed by Michael Saboff.
1853
1854         DirectEvalExecutable and IndirectEvalExecutable have completely the same memory layout.
1855         They even have the same structure. This patch unifies the subspaces for them.
1856
1857         * runtime/DirectEvalExecutable.h:
1858         * runtime/EvalExecutable.h:
1859         (JSC::EvalExecutable::subspaceFor):
1860         * runtime/IndirectEvalExecutable.h:
1861         * runtime/VM.cpp:
1862         * runtime/VM.h:
1863         (JSC::VM::forEachScriptExecutableSpace):
1864
1865 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1866
1867         [JSC] NativeExecutable should be smaller
1868         https://bugs.webkit.org/show_bug.cgi?id=194331
1869
1870         Reviewed by Michael Saboff.
1871
1872         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1873         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1874         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1875         only takes one MarkedBlock for NativeExecutable.
1876
1877         To make NativeExecutable smaller,
1878
1879         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1880            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1881
1882         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1883            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1884            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1885
1886         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1887            Intrinsic for NativeExecutable.
1888
1889         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1890
1891         * CMakeLists.txt:
1892         * JavaScriptCore.xcodeproj/project.pbxproj:
1893         * bytecode/CallVariant.h:
1894         * interpreter/Interpreter.cpp:
1895         * jit/JITCode.cpp:
1896         (JSC::DirectJITCode::DirectJITCode):
1897         (JSC::NativeJITCode::NativeJITCode):
1898         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1899         * jit/JITCode.h:
1900         (JSC::JITCode::signature const):
1901         (JSC::JITCode::intrinsic):
1902         * jit/JITOperations.cpp:
1903         * jit/JITThunks.cpp:
1904         (JSC::JITThunks::hostFunctionStub):
1905         * jit/Repatch.cpp:
1906         * llint/LLIntSlowPaths.cpp:
1907         * runtime/ExecutableBase.cpp:
1908         (JSC::ExecutableBase::dump const):
1909         (JSC::ExecutableBase::hashFor const):
1910         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1911         (JSC::ExecutableBase::clearCode): Deleted.
1912         * runtime/ExecutableBase.h:
1913         (JSC::ExecutableBase::ExecutableBase):
1914         (JSC::ExecutableBase::isModuleProgramExecutable):
1915         (JSC::ExecutableBase::isHostFunction const):
1916         (JSC::ExecutableBase::generatedJITCodeForCall const):
1917         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1918         (JSC::ExecutableBase::generatedJITCodeFor const):
1919         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1920         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1921         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1922         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1923         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1924         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1925         (JSC::ExecutableBase::intrinsic const): Deleted.
1926         * runtime/ExecutableBaseInlines.h: Added.
1927         (JSC::ExecutableBase::intrinsic const):
1928         (JSC::ExecutableBase::hasJITCodeForCall const):
1929         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1930         * runtime/JSBoundFunction.cpp:
1931         * runtime/JSType.cpp:
1932         (WTF::printInternal):
1933         * runtime/JSType.h:
1934         * runtime/NativeExecutable.cpp:
1935         (JSC::NativeExecutable::create):
1936         (JSC::NativeExecutable::createStructure):
1937         (JSC::NativeExecutable::NativeExecutable):
1938         (JSC::NativeExecutable::signatureFor const):
1939         (JSC::NativeExecutable::intrinsic const):
1940         * runtime/NativeExecutable.h:
1941         * runtime/ScriptExecutable.cpp:
1942         (JSC::ScriptExecutable::ScriptExecutable):
1943         (JSC::ScriptExecutable::clearCode):
1944         (JSC::ScriptExecutable::installCode):
1945         (JSC::ScriptExecutable::hasClearableCode const):
1946         * runtime/ScriptExecutable.h:
1947         (JSC::ScriptExecutable::intrinsic const):
1948         (JSC::ScriptExecutable::hasJITCodeForCall const):
1949         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1950         * runtime/VM.cpp:
1951         (JSC::VM::getHostFunction):
1952
1953 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1954
1955         Build failure after r240431
1956         https://bugs.webkit.org/show_bug.cgi?id=194330
1957
1958         Reviewed by Žan Doberšek.
1959
1960         * API/glib/JSCOptions.cpp:
1961
1962 2019-02-05  Mark Lam  <mark.lam@apple.com>
1963
1964         Fix DFG's doesGC() for a few more nodes.
1965         https://bugs.webkit.org/show_bug.cgi?id=194307
1966         <rdar://problem/47832956>
1967
1968         Reviewed by Yusuke Suzuki.
1969
1970         Fix doesGC() for the following nodes:
1971
1972             NumberToStringWithValidRadixConstant:
1973                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1974                 which can allocate a string.
1975                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1976                 which can allocate a string.
1977                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1978                 which can allocate a string.
1979
1980             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1981                 memory for all kinds of objects.
1982             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1983                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1984                 these allocate memory for the match result.
1985             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1986                 calls RegExpObject's collectMatches(), which allocates an array amongst
1987                 other objects.
1988
1989             StringFromCharCode:
1990                 If the uint32 code to convert is greater than maxSingleCharacterString,
1991                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1992                 which allocates a new string if the code is greater than maxSingleCharacterString.
1993
1994         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1995         to use maxSingleCharacterString instead of a literal constant.
1996
1997         * dfg/DFGDoesGC.cpp:
1998         (JSC::DFG::doesGC):
1999         * dfg/DFGSpeculativeJIT.cpp:
2000         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2001         * ftl/FTLLowerDFGToB3.cpp:
2002         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
2003
2004 2019-02-05  Keith Rollin  <krollin@apple.com>
2005
2006         Enable the automatic checking and regenerations of .xcfilelists during builds
2007         https://bugs.webkit.org/show_bug.cgi?id=194124
2008         <rdar://problem/47721277>
2009
2010         Reviewed by Tim Horton.
2011
2012         Bug 193790 added a facility for checking -- during build time -- that
2013         any needed .xcfilelist files are up-to-date and for updating them if
2014         they are not. This facility was initially opt-in by setting
2015         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
2016         the process seemed robust. It's now time to enable this facility and
2017         make it opt-out. If there is a need to disable this facility, set and
2018         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
2019         running `make` or `build-webkit`, or before running Xcode from the
2020         command line.
2021
2022         Additionally, remove the step that generates a list of source files
2023         going into the UnifiedSources build step. It's only necessary to
2024         specify Sources.txt and SourcesCocoa.txt as inputs.
2025
2026         * JavaScriptCore.xcodeproj/project.pbxproj:
2027         * UnifiedSources-input.xcfilelist: Removed.
2028
2029 2019-02-05  Keith Rollin  <krollin@apple.com>
2030
2031         Update .xcfilelist files
2032         https://bugs.webkit.org/show_bug.cgi?id=194121
2033         <rdar://problem/47720863>
2034
2035         Reviewed by Tim Horton.
2036
2037         Preparatory to enabling the facility for automatically updating the
2038         .xcfilelist files, check in a freshly-updated set so that not everyone
2039         runs up against having to regenerate them themselves.
2040
2041         * DerivedSources-input.xcfilelist:
2042         * DerivedSources-output.xcfilelist:
2043
2044 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
2045
2046         [INTL] improve efficiency of Intl.NumberFormat formatToParts
2047         https://bugs.webkit.org/show_bug.cgi?id=185557
2048
2049         Reviewed by Mark Lam.
2050
2051         Since field nesting depth is minimal, this algorithm should be effectively O(n),
2052         where n is the number of characters in the formatted string.
2053         It may be less memory efficient than the previous impl, since the intermediate Vector
2054         is the length of the string, instead of the count of the fields.
2055
2056         * runtime/IntlNumberFormat.cpp:
2057         (JSC::IntlNumberFormat::formatToParts):
2058         * runtime/IntlNumberFormat.h:
2059
2060 2019-02-05  Mark Lam  <mark.lam@apple.com>
2061
2062         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
2063         https://bugs.webkit.org/show_bug.cgi?id=194298
2064         <rdar://problem/47827555>
2065
2066         Reviewed by Saam Barati.
2067
2068         We do this for 3 reasons:
2069         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2070         2. If things change in the future where clobberize() no longer reports these nodes
2071            as write(Heap), each node should be vetted first to make sure that it can never
2072            GC before being moved back to the doesGC() list that returns false.
2073         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2074            correct in its claims about the nodes' GCing possibility.
2075
2076         The list of nodes moved are:
2077
2078             ArrayPush
2079             ArrayPop
2080             Call
2081             CallEval
2082             CallForwardVarargs
2083             CallVarargs
2084             Construct
2085             ConstructForwardVarargs
2086             ConstructVarargs
2087             DefineDataProperty
2088             DefineAccessorProperty
2089             DeleteById
2090             DeleteByVal
2091             DirectCall
2092             DirectConstruct
2093             DirectTailCallInlinedCaller
2094             GetById
2095             GetByIdDirect
2096             GetByIdDirectFlush
2097             GetByIdFlush
2098             GetByIdWithThis
2099             GetByValWithThis
2100             GetDirectPname
2101             GetDynamicVar
2102             HasGenericProperty
2103             HasOwnProperty
2104             HasStructureProperty
2105             InById
2106             InByVal
2107             InstanceOf
2108             InstanceOfCustom
2109             LoadVarargs
2110             NumberToStringWithRadix
2111             PutById
2112             PutByIdDirect
2113             PutByIdFlush
2114             PutByIdWithThis
2115             PutByOffset
2116             PutByValWithThis
2117             PutDynamicVar
2118             PutGetterById
2119             PutGetterByVal
2120             PutGetterSetterById
2121             PutSetterById
2122             PutSetterByVal
2123             PutStack
2124             PutToArguments
2125             RegExpExec
2126             RegExpTest
2127             ResolveScope
2128             ResolveScopeForHoistingFuncDeclInEval
2129             TailCall
2130             TailCallForwardVarargsInlinedCaller
2131             TailCallInlinedCaller
2132             TailCallVarargsInlinedCaller
2133             ToNumber
2134             ToPrimitive
2135             ValueNegate
2136
2137         * dfg/DFGDoesGC.cpp:
2138         (JSC::DFG::doesGC):
2139
2140 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2141
2142         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2143         https://bugs.webkit.org/show_bug.cgi?id=194281
2144
2145         Reviewed by Michael Saboff.
2146
2147         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2148         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2149
2150         Still, we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2151         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2152         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, and we leave them as future work.
2153
2154         * bytecode/CodeBlock.cpp:
2155         (JSC::CodeBlock::finishCreation):
2156         * bytecode/CodeBlock.h:
2157         (JSC::CodeBlock::bitVectors const): Deleted.
2158         * bytecode/CodeType.h:
2159         * bytecode/UnlinkedCodeBlock.cpp:
2160         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2161         (JSC::UnlinkedCodeBlock::shrinkToFit):
2162         * bytecode/UnlinkedCodeBlock.h:
2163         (JSC::UnlinkedCodeBlock::bitVector):
2164         (JSC::UnlinkedCodeBlock::addBitVector):
2165         (JSC::UnlinkedCodeBlock::addSetConstant):
2166         (JSC::UnlinkedCodeBlock::constantRegisters):
2167         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2168         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2169         (JSC::UnlinkedCodeBlock::codeType const):
2170         (JSC::UnlinkedCodeBlock::didOptimize const):
2171         (JSC::UnlinkedCodeBlock::setDidOptimize):
2172         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2173         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2174         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2175         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2176         * bytecompiler/BytecodeGenerator.cpp:
2177         (JSC::BytecodeGenerator::emitLoad):
2178         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2179         * bytecompiler/BytecodeGenerator.h:
2180         * runtime/CachedTypes.cpp:
2181         (JSC::CachedCodeBlockRareData::encode):
2182         (JSC::CachedCodeBlockRareData::decode const):
2183         (JSC::CachedCodeBlock::scopeRegister const):
2184         (JSC::CachedCodeBlock::codeType const):
2185         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2186         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2187         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2188         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2189
2190 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2191
2192         Unreviewed, add missing exception checks after r240637
2193         https://bugs.webkit.org/show_bug.cgi?id=193546
2194
2195         * tools/JSDollarVM.cpp:
2196         (JSC::functionShadowChickenFunctionsOnStack):
2197
2198 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2199
2200         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2201         https://bugs.webkit.org/show_bug.cgi?id=193993
2202
2203         Reviewed by Keith Miller.
2204
2205         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2206         And some of them are rarely used. We should allocate them lazily.
2207
2208         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2209         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2210         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2211         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2212         parameter which tells the function whether subspaceFor is being called concurrently. If the IsoSubspace is
2213         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2214         by using WTF::storeStoreFence when lazily allocating it.
2215
2216         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2217         existence of the space before touching it. This is not racy because the main thread is stopped when
2218         the constraint solving is working.
2219
2220         This changes sizeof(VM) from 64736 to 56472.
2221
2222         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2223         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2224         collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
2225         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
2226         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2227         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2228         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2229
2230         * API/JSCallbackFunction.h:
2231         * API/ObjCCallbackFunction.h:
2232         (JSC::ObjCCallbackFunction::subspaceFor):
2233         * API/glib/JSCCallbackFunction.h:
2234         * CMakeLists.txt:
2235         * JavaScriptCore.xcodeproj/project.pbxproj:
2236         * bytecode/CodeBlock.cpp:
2237         (JSC::CodeBlock::visitChildren):
2238         (JSC::CodeBlock::finalizeUnconditionally):
2239         * bytecode/CodeBlock.h:
2240         * bytecode/EvalCodeBlock.h:
2241         * bytecode/ExecutableToCodeBlockEdge.h:
2242         * bytecode/FunctionCodeBlock.h:
2243         * bytecode/ModuleProgramCodeBlock.h:
2244         * bytecode/ProgramCodeBlock.h:
2245         * bytecode/UnlinkedFunctionExecutable.cpp:
2246         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2247         * bytecode/UnlinkedFunctionExecutable.h:
2248         * dfg/DFGSpeculativeJIT.cpp:
2249         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2250         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2251         (JSC::DFG::SpeculativeJIT::compileNewObject):
2252         * ftl/FTLLowerDFGToB3.cpp:
2253         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2254         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2255         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2256         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2257         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2258         * heap/Heap.cpp:
2259         (JSC::Heap::finalizeUnconditionalFinalizers):
2260         (JSC::Heap::deleteAllCodeBlocks):
2261         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2262         (JSC::Heap::addCoreConstraints):
2263         * heap/Subspace.cpp:
2264         (JSC::Subspace::initialize):
2265         * jit/AssemblyHelpers.h:
2266         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2267         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2268         * jit/JITOpcodes.cpp:
2269         (JSC::JIT::emit_op_new_object):
2270         * jit/JITOpcodes32_64.cpp:
2271         (JSC::JIT::emit_op_new_object):
2272         * runtime/DirectArguments.h:
2273         * runtime/DirectEvalExecutable.h:
2274         * runtime/ErrorInstance.h:
2275         (JSC::ErrorInstance::subspaceFor):
2276         * runtime/ExecutableBase.h:
2277         * runtime/FunctionExecutable.h:
2278         * runtime/IndirectEvalExecutable.h:
2279         * runtime/InferredValue.cpp:
2280         (JSC::InferredValue::visitChildren):
2281         * runtime/InferredValue.h:
2282         * runtime/InferredValueInlines.h:
2283         (JSC::InferredValue::finalizeUnconditionally):
2284         * runtime/InternalFunction.h:
2285         * runtime/JSAsyncFunction.h:
2286         * runtime/JSAsyncGeneratorFunction.h:
2287         * runtime/JSBoundFunction.h:
2288         * runtime/JSCell.h:
2289         (JSC::subspaceFor):
2290         (JSC::subspaceForConcurrently):
2291         * runtime/JSCellInlines.h:
2292         (JSC::allocatorForNonVirtualConcurrently):
2293         * runtime/JSCustomGetterSetterFunction.h:
2294         * runtime/JSDestructibleObject.h:
2295         * runtime/JSFunction.h:
2296         * runtime/JSGeneratorFunction.h:
2297         * runtime/JSImmutableButterfly.h:
2298         * runtime/JSLexicalEnvironment.h:
2299         (JSC::JSLexicalEnvironment::subspaceFor):
2300         * runtime/JSNativeStdFunction.h:
2301         * runtime/JSSegmentedVariableObject.h:
2302         * runtime/JSString.h:
2303         * runtime/ModuleProgramExecutable.h:
2304         * runtime/NativeExecutable.h:
2305         * runtime/ProgramExecutable.h:
2306         * runtime/PropertyMapHashTable.h:
2307         * runtime/ProxyRevoke.h:
2308         * runtime/ScopedArguments.h:
2309         * runtime/ScriptExecutable.cpp:
2310         (JSC::ScriptExecutable::clearCode):
2311         (JSC::ScriptExecutable::installCode):
2312         * runtime/Structure.h:
2313         * runtime/StructureRareData.h:
2314         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2315         * runtime/VM.cpp:
2316         (JSC::VM::VM):
2317         * runtime/VM.h:
2318         (JSC::VM::SpaceAndSet::SpaceAndSet):
2319         (JSC::VM::SpaceAndSet::setFor):
2320         (JSC::VM::forEachScriptExecutableSpace):
2321         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2322         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2323         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2324         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2325         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2326         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2327         * runtime/WeakMapImpl.h:
2328         (JSC::WeakMapImpl::subspaceFor):
2329         * wasm/js/JSWebAssemblyCodeBlock.h:
2330         * wasm/js/JSWebAssemblyMemory.h:
2331         * wasm/js/WebAssemblyFunction.h:
2332         * wasm/js/WebAssemblyWrapperFunction.h:
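
        The lazy-publication pattern this entry describes (ensure on the main thread, fence, then publish;
        concurrent readers may see nullptr and must take the slow path), as an added example that is not
        WebKit's code. Subspace, LazySpace, fastPathCellSize and countAllocatedSpaces are hypothetical
        stand-ins; the release fence plays the role the entry gives to WTF::storeStoreFence.

```cpp
#include <atomic>
#include <cstddef>
#include <vector>

// Stand-in for an IsoSubspace: a large object we do not want to allocate eagerly
// (the entry quotes 504 bytes per IsoSubspace inside JSC::VM).
struct Subspace {
    explicit Subspace(std::size_t cellSize) : cellSize(cellSize) {}
    std::size_t cellSize;
};

// LazySpace models one `std::unique_ptr<IsoSubspace>` slot plus its ensureXXXSpace()
// function. Only the owning (main) thread calls ensure(); concurrent JIT tiers call
// getConcurrently() and must cope with nullptr.
class LazySpace {
public:
    LazySpace() = default;
    LazySpace(const LazySpace&) = delete;
    LazySpace& operator=(const LazySpace&) = delete;
    ~LazySpace() { delete m_space.load(std::memory_order_relaxed); }

    // Main thread only: allocate on first use and publish the pointer.
    Subspace& ensure(std::size_t cellSize) {
        if (Subspace* existing = m_space.load(std::memory_order_relaxed))
            return *existing;
        Subspace* fresh = new Subspace(cellSize);
        // Plays the role of WTF::storeStoreFence(): the constructor's stores must become
        // visible before the pointer does, otherwise a reader that sees the pointer could
        // observe a half-constructed object.
        std::atomic_thread_fence(std::memory_order_release);
        m_space.store(fresh, std::memory_order_relaxed);
        return *fresh;
    }

    // Any thread: never allocates. nullptr means "not created yet"; the caller must
    // take a slow path that ends up on the main thread and calls ensure().
    Subspace* getConcurrently() const {
        return m_space.load(std::memory_order_acquire);
    }

private:
    std::atomic<Subspace*> m_space { nullptr };
};

// What a concurrent JIT tier does with subspaceForConcurrently<>: inline a fast
// allocation only if the space already exists. Returns the cell size it would bake
// into generated code, or 0 when it has to emit a call to the slow path instead.
std::size_t fastPathCellSize(const LazySpace& space) {
    if (Subspace* s = space.getConcurrently())
        return s->cellSize;
    return 0;
}

// What the GC's constraint solver does: visit only the spaces that exist. The entry
// notes this is not racy because the mutator is stopped while constraints are solved.
std::size_t countAllocatedSpaces(const std::vector<const LazySpace*>& slots) {
    std::size_t n = 0;
    for (const LazySpace* slot : slots) {
        if (slot->getConcurrently())
            ++n;
    }
    return n;
}

// Runs the whole story on one thread and reports whether every observation holds.
bool demonstrateLazyPublication() {
    LazySpace functionSpace, errorSpace;
    std::vector<const LazySpace*> all { &functionSpace, &errorSpace };

    if (fastPathCellSize(functionSpace) != 0) return false;   // nothing allocated yet
    if (countAllocatedSpaces(all) != 0) return false;

    Subspace& first = functionSpace.ensure(64);               // first use allocates
    if (&functionSpace.ensure(999) != &first) return false;    // later calls reuse it
    if (first.cellSize != 64) return false;

    if (fastPathCellSize(functionSpace) != 64) return false;  // JIT can now inline
    if (fastPathCellSize(errorSpace) != 0) return false;      // still lazy
    return countAllocatedSpaces(all) == 1;
}
```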
2333
2334 2019-02-04  Keith Miller  <keith_miller@apple.com>
2335
2336         Change llint operand macros to inline functions
2337         https://bugs.webkit.org/show_bug.cgi?id=194248
2338
2339         Reviewed by Mark Lam.
2340
2341         * llint/LLIntSlowPaths.cpp:
2342         (JSC::LLInt::getNonConstantOperand):
2343         (JSC::LLInt::getOperand):
2344         (JSC::LLInt::llint_trace_value):
2345         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2346         (JSC::LLInt::getByVal):
2347         (JSC::LLInt::genericCall):
2348         (JSC::LLInt::varargsSetup):
2349         (JSC::LLInt::commonCallEval):
2350
2351 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2352
2353         when lowering AssertNotEmpty, create the value before creating the patchpoint
2354         https://bugs.webkit.org/show_bug.cgi?id=194231
2355
2356         Reviewed by Saam Barati.
2357
2358         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2359         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2360
2361         * ftl/FTLLowerDFGToB3.cpp:
2362         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2363
2364 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2365
2366         [JSC] ExecutableToCodeBlockEdge should be smaller
2367         https://bugs.webkit.org/show_bug.cgi?id=194244
2368
2369         Reviewed by Michael Saboff.
2370
2371         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2372         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2373         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2374         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2375
2376         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2377         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2378         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2379
2380         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
2381         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
2382         does not touch it if it is called in non-main threads).
2383
2384         * bytecode/ExecutableToCodeBlockEdge.cpp:
2385         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2386         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2387         (JSC::ExecutableToCodeBlockEdge::activate):
2388         (JSC::ExecutableToCodeBlockEdge::deactivate):
2389         (JSC::ExecutableToCodeBlockEdge::isActive const):
2390         * bytecode/ExecutableToCodeBlockEdge.h:
2391         * runtime/JSCell.h:
2392         * runtime/JSCellInlines.h:
2393         (JSC::JSCell::perCellBit const):
2394         (JSC::JSCell::setPerCellBit):
2395         (JSC::JSCell::mayBePrototype const): Deleted.
2396         (JSC::JSCell::didBecomePrototype): Deleted.
2397         * runtime/JSObject.cpp:
2398         (JSC::JSObject::setPrototypeDirect):
2399         * runtime/JSObject.h:
2400         * runtime/JSObjectInlines.h:
2401         (JSC::JSObject::mayBePrototype const):
2402         (JSC::JSObject::didBecomePrototype):
2403         * runtime/JSTypeInfo.h:
2404         (JSC::TypeInfo::perCellBit):
2405         (JSC::TypeInfo::mergeInlineTypeFlags):
2406         (JSC::TypeInfo::mayBePrototype): Deleted.
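
        The layout arithmetic behind this entry (a separate bool costing 8 bytes of padding, 24 bytes charged
        as 32 by 16-byte size classes, versus folding the flag into a spare header bit), as an added example
        that is not WebKit's code. CellHeader is a hypothetical stand-in for the JSCell header, kPerCellBit
        is an assumed bit position rather than JSC's, and the sizes assume a 64-bit target with 8-byte pointers.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-in for the JSCell header (not JSC's real layout): a 4-byte
// StructureID followed by four 1-byte fields, 8 bytes in total.
struct CellHeader {
    std::uint32_t structureID;
    std::uint8_t indexingType;
    std::uint8_t type;
    std::uint8_t inlineTypeFlags; // where the per-cell bit lives
    std::uint8_t cellState;
};

// Layout before the change: header + one pointer + a separate bool.
// The bool needs 1 byte but forces 7 bytes of tail padding, so sizeof is 24.
struct EdgeWithBoolFlag {
    CellHeader header;
    const void* codeBlock;
    bool isActive;
};

// Layout after the change: the flag is folded into a spare header bit, sizeof is 16.
struct EdgeWithPerCellBit {
    CellHeader header;
    const void* codeBlock;
};

constexpr std::uint8_t kPerCellBit = 1u << 7; // assumed bit position, not JSC's value
constexpr std::uint8_t kOtherFlags = 0x35;    // constructed sample of flag bits owned by the type

inline bool isActive(const EdgeWithPerCellBit& e) { return e.header.inlineTypeFlags & kPerCellBit; }

// These are plain read-modify-write updates of a byte shared with other flags, not CAS
// operations; as the entry says, such a flag may only be flipped on the main thread.
inline void activate(EdgeWithPerCellBit& e) { e.header.inlineTypeFlags |= kPerCellBit; }
inline void deactivate(EdgeWithPerCellBit& e) {
    e.header.inlineTypeFlags &= static_cast<std::uint8_t>(~kPerCellBit);
}

// Size classes rounded to 16 bytes, as the entry describes: 24 bytes is charged 32.
constexpr std::size_t sizeClassFor(std::size_t bytes) { return (bytes + 15) / 16 * 16; }

// Bytes wasted per object when the 24-byte layout lands in the 32-byte size class.
constexpr std::size_t wastedBytes(std::size_t bytes) { return sizeClassFor(bytes) - bytes; }

// Returns true when the per-cell bit round-trips without clobbering the other flag bits.
bool demonstratePerCellBit() {
    EdgeWithPerCellBit edge {};
    edge.header.inlineTypeFlags = kOtherFlags;
    if (isActive(edge)) return false;
    activate(edge);
    if (!isActive(edge)) return false;
    if ((edge.header.inlineTypeFlags & ~kPerCellBit) != kOtherFlags) return false;
    deactivate(edge);
    return !isActive(edge) && edge.header.inlineTypeFlags == kOtherFlags;
}
```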
2407
2408 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2409
2410         [JSC] Shrink size of FunctionExecutable
2411         https://bugs.webkit.org/show_bug.cgi?id=194191
2412
2413         Reviewed by Michael Saboff.
2414
2415         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2416         improves the allocation efficiency.
2417
2418         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
2419            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2420
2421         2. FunctionExecutable has several pieces of data which are rarely used: one is for the FunctionOverrides functionality, which is typically
2422            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2423            the size of FunctionExecutable in the common case.
2424
2425         This patch changes the size of FunctionExecutable from 176 to 144.
2426
2427         * bytecode/CodeBlock.cpp:
2428         (JSC::CodeBlock::dumpSource):
2429         (JSC::CodeBlock::finishCreation):
2430         * dfg/DFGNode.h:
2431         (JSC::DFG::Node::OpInfoWrapper::as const):
2432         * interpreter/StackVisitor.cpp:
2433         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2434         * runtime/ExecutableBase.h:
2435         * runtime/FunctionExecutable.cpp:
2436         (JSC::FunctionExecutable::FunctionExecutable):
2437         (JSC::FunctionExecutable::ensureRareDataSlow):
2438         * runtime/FunctionExecutable.h:
2439         * runtime/Intrinsic.h:
2440         * runtime/ModuleProgramExecutable.cpp:
2441         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2442         * runtime/ProgramExecutable.cpp:
2443         (JSC::ProgramExecutable::ProgramExecutable):
2444         * runtime/ScriptExecutable.cpp:
2445         (JSC::ScriptExecutable::ScriptExecutable):
2446         (JSC::ScriptExecutable::overrideLineNumber const):
2447         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2448         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2449         * runtime/ScriptExecutable.h:
2450         (JSC::ScriptExecutable::firstLine const):
2451         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2452         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2453         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2454         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2455         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2456         * runtime/StackFrame.cpp:
2457         (JSC::StackFrame::computeLineAndColumn const):
2458         * tools/JSDollarVM.cpp:
2459         (JSC::functionReturnTypeFor):
2460
2461 2019-02-04  Mark Lam  <mark.lam@apple.com>
2462
2463         DFG's doesGC() is incorrect about the SameValue node's behavior.
2464         https://bugs.webkit.org/show_bug.cgi?id=194211
2465         <rdar://problem/47608913>
2466
2467         Reviewed by Saam Barati.
2468
2469         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2470         it calls operationSameValue() which may allocate memory for resolving ropes.
2471
2472         * dfg/DFGDoesGC.cpp:
2473         (JSC::DFG::doesGC):
2474
2475 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2476
2477         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2478         https://bugs.webkit.org/show_bug.cgi?id=194031
2479
2480         Reviewed by Saam Barati.
2481
2482         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2483         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2484         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2485         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2486
2487         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2488         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2489
2490         * bytecode/MetadataTable.cpp:
2491         (JSC::MetadataTable::MetadataTable):
2492         (JSC::MetadataTable::~MetadataTable):
2493         * bytecode/UnlinkedCodeBlock.cpp:
2494         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2495         (JSC::UnlinkedCodeBlock::visitChildren):
2496         (JSC::UnlinkedCodeBlock::estimatedSize):
2497         (JSC::UnlinkedCodeBlock::setInstructions):
2498         * bytecode/UnlinkedCodeBlock.h:
2499         (JSC::UnlinkedCodeBlock::metadata):
2500         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2501         * bytecode/UnlinkedMetadataTable.h:
2502         (JSC::UnlinkedMetadataTable::create):
2503         * bytecode/UnlinkedMetadataTableInlines.h:
2504         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2505         * runtime/CachedTypes.cpp:
2506         (JSC::CachedMetadataTable::decode const):
2507         (JSC::CachedCodeBlock::metadata const):
2508         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2509         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2510         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2511
2512 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2513
2514         [JSC] Decouple JIT related data from CodeBlock
2515         https://bugs.webkit.org/show_bug.cgi?id=194187
2516
2517         Reviewed by Saam Barati.
2518
2519         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2520         We have three types of data in CodeBlock.
2521
2522         1. The data which is always used. CodeBlock needs to hold it.
2523         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2524         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2525
2526         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2527         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2528         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2529         in both non-JIT and *JIT* modes.
2530
2531         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2532         by the lock of CodeBlock.
2533
2534         The size of CodeBlock is reduced from 512 to 352.
2535
2536         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2537
2538             Footprint geomean: 36696503 (34.997 MB)
2539             Peak Footprint geomean: 38595988 (36.808 MB)
2540             Score: 37634263 (35.891 MB)
2541
2542             Footprint geomean: 37172768 (35.451 MB)
2543             Peak Footprint geomean: 38978288 (37.173 MB)
2544             Score: 38064824 (36.301 MB)
2545
2546         * bytecode/CodeBlock.cpp:
2547         (JSC::CodeBlock::~CodeBlock):
2548         (JSC::CodeBlock::propagateTransitions):
2549         (JSC::CodeBlock::ensureJITDataSlow):
2550         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2551         (JSC::CodeBlock::getICStatusMap):
2552         (JSC::CodeBlock::addStubInfo):
2553         (JSC::CodeBlock::addJITAddIC):
2554         (JSC::CodeBlock::addJITMulIC):
2555         (JSC::CodeBlock::addJITSubIC):
2556         (JSC::CodeBlock::addJITNegIC):
2557         (JSC::CodeBlock::findStubInfo):
2558         (JSC::CodeBlock::addByValInfo):
2559         (JSC::CodeBlock::addCallLinkInfo):
2560         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2561         (JSC::CodeBlock::addRareCaseProfile):
2562         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2563         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2564         (JSC::CodeBlock::resetJITData):
2565         (JSC::CodeBlock::stronglyVisitStrongReferences):
2566         (JSC::CodeBlock::shrinkToFit):
2567         (JSC::CodeBlock::linkIncomingCall):
2568         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2569         (JSC::CodeBlock::unlinkIncomingCalls):
2570         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2571         (JSC::CodeBlock::dumpValueProfiles):
2572         (JSC::CodeBlock::setPCToCodeOriginMap):
2573         (JSC::CodeBlock::findPC):
2574         (JSC::CodeBlock::dumpMathICStats):
2575         * bytecode/CodeBlock.h:
2576         (JSC::CodeBlock::ensureJITData):
2577         (JSC::CodeBlock::setJITCodeMap):
2578         (JSC::CodeBlock::jitCodeMap):
2579         (JSC::CodeBlock::likelyToTakeSlowCase):
2580         (JSC::CodeBlock::couldTakeSlowCase):
2581         (JSC::CodeBlock::lazyOperandValueProfiles):
2582         (JSC::CodeBlock::stubInfoBegin): Deleted.
2583         (JSC::CodeBlock::stubInfoEnd): Deleted.
2584         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2585         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2586         (JSC::CodeBlock::jitCodeMap const): Deleted.
2587         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2588         * bytecode/MethodOfGettingAValueProfile.cpp:
2589         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2590         (JSC::MethodOfGettingAValueProfile::reportValue):
2591         * dfg/DFGByteCodeParser.cpp:
2592         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2593         * jit/JIT.h:
2594         * jit/JITOperations.cpp:
2595         (JSC::tryGetByValOptimize):
2596         * jit/JITPropertyAccess.cpp:
2597         (JSC::JIT::privateCompileGetByVal):
2598         (JSC::JIT::privateCompilePutByVal):
2599
2600 2018-12-16  Darin Adler  <darin@apple.com>
2601
2602         Convert additional String::format clients to alternative approaches
2603         https://bugs.webkit.org/show_bug.cgi?id=192746
2604
2605         Reviewed by Alexey Proskuryakov.
2606
2607         * inspector/agents/InspectorConsoleAgent.cpp:
2608         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2609         and FormattedNumber::fixedWidth.
2610
2611 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2612
2613         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2614         https://bugs.webkit.org/show_bug.cgi?id=194177
2615
2616         Reviewed by Saam Barati.
2617
2618         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2619         We can share the IsoSubspace for JSFunction.
2620
2621         * runtime/JSAsyncFunction.h:
2622         * runtime/JSAsyncGeneratorFunction.h:
2623         * runtime/JSGeneratorFunction.h:
2624         * runtime/VM.cpp:
2625         (JSC::VM::VM):
2626         * runtime/VM.h:
2627
2628 2019-02-01  Mark Lam  <mark.lam@apple.com>
2629
2630         Remove invalid assertion in DFG's compileDoubleRep().
2631         https://bugs.webkit.org/show_bug.cgi?id=194130
2632         <rdar://problem/47699474>
2633
2634         Reviewed by Saam Barati.
2635
2636         * dfg/DFGSpeculativeJIT.cpp:
2637         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2638
2639 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2640
2641         [JSC] Unify CodeBlock IsoSubspaces
2642         https://bugs.webkit.org/show_bug.cgi?id=194167
2643
2644         Reviewed by Saam Barati.
2645
2646         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2647         But this is not necessary since:
2648
2649         1. They do not override the classInfo methods.
2650         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2651
2652         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2653         ProgramCodeBlock. We typically create only one ProgramCodeBlock, and it means the rest of the
2654         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2655
2656         This patch unifies these IsoSubspaces into one.
2657
2658         * bytecode/CodeBlock.cpp:
2659         (JSC::CodeBlock::destroy):
2660         * bytecode/CodeBlock.h:
2661         * bytecode/EvalCodeBlock.cpp:
2662         (JSC::EvalCodeBlock::destroy): Deleted.
2663         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2664         * bytecode/FunctionCodeBlock.cpp:
2665         (JSC::FunctionCodeBlock::destroy): Deleted.
2666         * bytecode/FunctionCodeBlock.h:
2667         * bytecode/GlobalCodeBlock.h:
2668         * bytecode/ModuleProgramCodeBlock.cpp:
2669         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2670         * bytecode/ModuleProgramCodeBlock.h:
2671         * bytecode/ProgramCodeBlock.cpp:
2672         (JSC::ProgramCodeBlock::destroy): Deleted.
2673         * bytecode/ProgramCodeBlock.h:
2674         * interpreter/Interpreter.cpp:
2675         (JSC::Interpreter::execute):
2676         * runtime/VM.cpp:
2677         (JSC::VM::VM):
2678         * runtime/VM.h:
2679         (JSC::VM::forEachCodeBlockSpace):
2680
2681 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2682
2683         Unreviewed, follow-up after r240859
2684         https://bugs.webkit.org/show_bug.cgi?id=194145
2685
2686         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2687         And rename cellDangerousBitsSpace back to cellSpace.
2688
2689         * runtime/JSCellInlines.h:
2690         (JSC::JSCell::subspaceFor):
2691         * runtime/VM.cpp:
2692         (JSC::VM::VM):
2693         * runtime/VM.h:
2694
2695 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2696
2697         [JSC] Remove cellJSValueOOBSpace
2698         https://bugs.webkit.org/show_bug.cgi?id=194145
2699
2700         Reviewed by Mark Lam.
2701
2702         * runtime/JSObject.h:
2703         (JSC::JSObject::subspaceFor): Deleted.
2704         * runtime/VM.cpp:
2705         (JSC::VM::VM):
2706         * runtime/VM.h:
2707
2708 2019-01-31  Mark Lam  <mark.lam@apple.com>
2709
2710         Remove poisoning from CodeBlock and LLInt code.
2711         https://bugs.webkit.org/show_bug.cgi?id=194113
2712
2713         Reviewed by Yusuke Suzuki.
2714
2715         * bytecode/CodeBlock.cpp:
2716         (JSC::CodeBlock::CodeBlock):
2717         (JSC::CodeBlock::~CodeBlock):
2718         (JSC::CodeBlock::setConstantRegisters):
2719         (JSC::CodeBlock::propagateTransitions):
2720         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2721         (JSC::CodeBlock::jettison):
2722         (JSC::CodeBlock::predictedMachineCodeSize):
2723         * bytecode/CodeBlock.h:
2724         (JSC::CodeBlock::vm const):
2725         (JSC::CodeBlock::addConstant):
2726         (JSC::CodeBlock::heap const):
2727         (JSC::CodeBlock::replaceConstant):
2728         * llint/LLIntOfflineAsmConfig.h:
2729         * llint/LLIntSlowPaths.cpp:
2730         (JSC::LLInt::handleHostCall):
2731         (JSC::LLInt::setUpCall):
2732         * llint/LowLevelInterpreter.asm:
2733         * llint/LowLevelInterpreter32_64.asm:
2734         * llint/LowLevelInterpreter64.asm:
2735
2736 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2737
2738         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2739         https://bugs.webkit.org/show_bug.cgi?id=194107
2740
2741         Reviewed by Saam Barati.
2742
2743         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2744         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2745
2746         * CMakeLists.txt:
2747         * DerivedSources.make:
2748         * JavaScriptCore.xcodeproj/project.pbxproj:
2749         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2750         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2751         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2752         (JSC::AsyncFromSyncIteratorPrototype::create):
2753         * runtime/AsyncFromSyncIteratorPrototype.h:
2754
2755 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2756
2757         Fix `runJITThreadLimitTests` in testapi
2758         https://bugs.webkit.org/show_bug.cgi?id=194064
2759         <rdar://problem/46139147>
2760
2761         Reviewed by Mark Lam.
2762
2763         Fix typo where `targetNumberOfThreads` was not being used.
2764
2765         * API/tests/testapi.mm:
2766         (runJITThreadLimitTests):
2767
2768 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2769
2770         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2771         https://bugs.webkit.org/show_bug.cgi?id=194112
2772
2773         Reviewed by Mark Lam.
2774
2775         `testBytecodeCache` does not populate the bytecode cache for the global
2776         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2777
2778         * API/tests/testapi.mm:
2779         (testBytecodeCache):
2780
2781 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2782
2783         Unreviewed, follow-up after r240796
2784
2785         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2786         when allocating InferredValue in FunctionExecutable::finishCreation.
2787
2788         * runtime/FunctionExecutable.cpp:
2789         (JSC::FunctionExecutable::FunctionExecutable):
2790         (JSC::FunctionExecutable::finishCreation):
2791
2792 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2793
2794         [JSC] Do not use InferredValue in non-JIT configuration
2795         https://bugs.webkit.org/show_bug.cgi?id=194084
2796
2797         Reviewed by Saam Barati.
2798
2799         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2800         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2801         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2802         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2803         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2804         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2805         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2806         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2807
2808         * bytecode/ObjectAllocationProfileInlines.h:
2809         (JSC::ObjectAllocationProfile::initializeProfile):
2810         * runtime/FunctionExecutable.cpp:
2811         (JSC::FunctionExecutable::finishCreation):
2812         (JSC::FunctionExecutable::visitChildren):
2813         * runtime/FunctionExecutable.h:
2814         * runtime/InferredValue.cpp:
2815         (JSC::InferredValue::create):
2816         * runtime/JSAsyncFunction.cpp:
2817         (JSC::JSAsyncFunction::create):
2818         * runtime/JSAsyncGeneratorFunction.cpp:
2819         (JSC::JSAsyncGeneratorFunction::create):
2820         * runtime/JSFunction.cpp:
2821         (JSC::JSFunction::create):
2822         * runtime/JSFunctionInlines.h:
2823         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2824         * runtime/JSGeneratorFunction.cpp:
2825         (JSC::JSGeneratorFunction::create):
2826         * runtime/JSSymbolTableObject.h:
2827         (JSC::JSSymbolTableObject::setSymbolTable):
2828         * runtime/SymbolTable.cpp:
2829         (JSC::SymbolTable::finishCreation):
2830         * runtime/VM.cpp:
2831         (JSC::VM::VM):
2832
2833 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2834
2835         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2836         https://bugs.webkit.org/show_bug.cgi?id=194085
2837
2838         Reviewed by Yusuke Suzuki.
2839
2840         r240730 changed ud_itab.py and caused incremental build failures
2841         for Ninja builds.
2842
2843         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2844
2845 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2846
2847         [JSC] Symbol should be in destructibleCellSpace
2848         https://bugs.webkit.org/show_bug.cgi?id=194082
2849
2850         Reviewed by Saam Barati.
2851
2852         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2853         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2854         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2855         Symbol's space destructibleCellSpace to appropriately call the destructor.
2856
2857         * runtime/Symbol.h:
2858
2859 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2860
2861         Unreviewed, rolling out r240755.
2862
2863         This was not correct
2864
2865         Reverted changeset:
2866
2867         "Unreviewed, fix GCC build after r240730"
2868         https://bugs.webkit.org/show_bug.cgi?id=194041
2869         https://trac.webkit.org/changeset/240755
2870
2871 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2872
2873         Unreviewed, fix GCC build after r240730
2874         https://bugs.webkit.org/show_bug.cgi?id=194041
2875         <rdar://problem/47680981>
2876
2877         * disassembler/udis86/ud_itab.py:
2878         (UdItabGenerator.genOpcodeTablesLookupIndex):
2879
2880 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2881
2882         testapi's `testBytecodeCache` does not need to run the code twice
2883         https://bugs.webkit.org/show_bug.cgi?id=194046
2884
2885         Reviewed by Mark Lam.
2886
2887         Since we populate the cache eagerly (unlike the stress tests) we don't
2888         need to run the code twice.
2889
2890         * API/tests/testapi.mm:
2891         (testBytecodeCache):
2892
2893 2019-01-30  Saam barati  <sbarati@apple.com>
2894
2895         [WebAssembly] Change BBQ to generate Air IR
2896         https://bugs.webkit.org/show_bug.cgi?id=191802
2897         <rdar://problem/47651718>
2898
2899         Reviewed by Keith Miller.
2900
2901         This patch adds a new Wasm compiler for the BBQ tier. Instead
2902         of compiling using B3-O1, we now generate Air code directly.
2903         The goal of doing this was to speed up compile times for Wasm
2904         programs.
2905         
2906         This patch provides us with a 20-30% compile time speedup. However, I
2907         have ideas on how to improve compile times even further. For example,
2908         we should probably implement a faster running register allocator:
2909         https://bugs.webkit.org/show_bug.cgi?id=194036
2910         
2911         We can also improve on the code we generate.
2912         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2913         And we should do better instruction selection in various
2914         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2915
2916         * JavaScriptCore.xcodeproj/project.pbxproj:
2917         * Sources.txt:
2918         * b3/B3LowerToAir.cpp:
2919         * b3/B3StackmapSpecial.h:
2920         * b3/air/AirCode.cpp:
2921         (JSC::B3::Air::Code::emitDefaultPrologue):
2922         * b3/air/AirCode.h:
2923         * b3/air/AirTmp.h:
2924         (JSC::B3::Air::Tmp::Tmp):
2925         * runtime/Options.h:
2926         * wasm/WasmAirIRGenerator.cpp: Added.
2927         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2928         (JSC::Wasm::TypedTmp::TypedTmp):
2929         (JSC::Wasm::TypedTmp::operator== const):
2930         (JSC::Wasm::TypedTmp::operator!= const):
2931         (JSC::Wasm::TypedTmp::operator bool const):
2932         (JSC::Wasm::TypedTmp::operator Tmp const):
2933         (JSC::Wasm::TypedTmp::operator Arg const):
2934         (JSC::Wasm::TypedTmp::tmp const):
2935         (JSC::Wasm::TypedTmp::type const):
2936         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2937         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2938         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2939         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2940         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2941         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2942         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2943         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2944         (JSC::Wasm::AirIRGenerator::emptyExpression):
2945         (JSC::Wasm::AirIRGenerator::fail const):
2946         (JSC::Wasm::AirIRGenerator::setParser):
2947         (JSC::Wasm::AirIRGenerator::toTmpVector):
2948         (JSC::Wasm::AirIRGenerator::validateInst):
2949         (JSC::Wasm::AirIRGenerator::extractArg):
2950         (JSC::Wasm::AirIRGenerator::append):
2951         (JSC::Wasm::AirIRGenerator::appendEffectful):
2952         (JSC::Wasm::AirIRGenerator::newTmp):
2953         (JSC::Wasm::AirIRGenerator::g32):
2954         (JSC::Wasm::AirIRGenerator::g64):
2955         (JSC::Wasm::AirIRGenerator::f32):
2956         (JSC::Wasm::AirIRGenerator::f64):
2957         (JSC::Wasm::AirIRGenerator::tmpForType):
2958         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2959         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2960         (JSC::Wasm::AirIRGenerator::emitCheck):
2961         (JSC::Wasm::AirIRGenerator::emitCCall):
2962         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2963         (JSC::Wasm::AirIRGenerator::instanceValue):
2964         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2965         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2966         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2967         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2968         (JSC::Wasm::AirIRGenerator::emitThrowException):
2969         (JSC::Wasm::AirIRGenerator::addLocal):
2970         (JSC::Wasm::AirIRGenerator::addConstant):
2971         (JSC::Wasm::AirIRGenerator::addArguments):
2972         (JSC::Wasm::AirIRGenerator::getLocal):
2973         (JSC::Wasm::AirIRGenerator::addUnreachable):
2974         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2975         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2976         (JSC::Wasm::AirIRGenerator::setLocal):
2977         (JSC::Wasm::AirIRGenerator::getGlobal):
2978         (JSC::Wasm::AirIRGenerator::setGlobal):
2979         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2980         (JSC::Wasm::sizeOfLoadOp):
2981         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2982         (JSC::Wasm::AirIRGenerator::load):
2983         (JSC::Wasm::sizeOfStoreOp):
2984         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2985         (JSC::Wasm::AirIRGenerator::store):
2986         (JSC::Wasm::AirIRGenerator::addSelect):
2987         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2988         (JSC::Wasm::AirIRGenerator::addLoop):
2989         (JSC::Wasm::AirIRGenerator::addTopLevel):
2990         (JSC::Wasm::AirIRGenerator::addBlock):
2991         (JSC::Wasm::AirIRGenerator::addIf):
2992         (JSC::Wasm::AirIRGenerator::addElse):
2993         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2994         (JSC::Wasm::AirIRGenerator::addReturn):
2995         (JSC::Wasm::AirIRGenerator::addBranch):
2996         (JSC::Wasm::AirIRGenerator::addSwitch):
2997         (JSC::Wasm::AirIRGenerator::endBlock):
2998         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2999         (JSC::Wasm::AirIRGenerator::addCall):
3000         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3001         (JSC::Wasm::AirIRGenerator::unify):
3002         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
3003         (JSC::Wasm::AirIRGenerator::dump):
3004         (JSC::Wasm::AirIRGenerator::origin):
3005         (JSC::Wasm::parseAndCompileAir):
3006         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
3007         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
3011         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
3012         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
3013         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
3014         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
3020         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
3026         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
3027         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
3028         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
3029         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
3030         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
3031         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
3032         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
3033         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
3034         (JSC::Wasm::AirIRGenerator::addShift):
3035         (JSC::Wasm::AirIRGenerator::addIntegerSub):
3036         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
3037         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
3038         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
3039         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
3040         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
3041         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
3042         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
3043         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
3044         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
3045         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
3046         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3047         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
3048         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
3049         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
3050         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
3051         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
3052         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
3053         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
3054         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
3055         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
3056         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
3057         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
3058         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
3059         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
3060         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
3061         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
3062         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
3063         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
3064         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
3065         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
3066         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
3067         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
3068         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
3069         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3070         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3071         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3072         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3073         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3074         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3075         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3076         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3077         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3078         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3079         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3080         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3081         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3082         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3083         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3084         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3085         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3086         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3087         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3088         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3089         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3090         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3091         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3092         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3093         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3094         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3095         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3096         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3097         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3098         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3099         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3100         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3101         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3102         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3103         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3104         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3105         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3106         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3107         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3108         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3109         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3110         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3111         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3112         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3113         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3114         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3115         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3116         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3117         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3118         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3119         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3120         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3121         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3122         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3123         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3124         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3125         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3126         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3127         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3128         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3129         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3130         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3131         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3132         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3133         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3134         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3135         * wasm/WasmAirIRGenerator.h: Added.
3136         * wasm/WasmB3IRGenerator.cpp:
3137         (JSC::Wasm::B3IRGenerator::emptyExpression):
3138         * wasm/WasmBBQPlan.cpp:
3139         (JSC::Wasm::BBQPlan::compileFunctions):
3140         * wasm/WasmCallingConvention.cpp:
3141         (JSC::Wasm::jscCallingConventionAir):
3142         (JSC::Wasm::wasmCallingConventionAir):
3143         * wasm/WasmCallingConvention.h:
3144         (JSC::Wasm::CallingConvention::CallingConvention):
3145         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3146         (JSC::Wasm::CallingConvention::marshallArgument const):
3147         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3148         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3149         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3150         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3151         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3152         (JSC::Wasm::CallingConventionAir::loadArguments const):
3153         (JSC::Wasm::CallingConventionAir::setupCall const):
3154         (JSC::Wasm::nextJSCOffset):
3155         * wasm/WasmFunctionParser.h:
3156         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3157         * wasm/WasmValidate.cpp:
3158         (JSC::Wasm::Validate::emptyExpression):
3159
3160 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3161
3162         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3163         https://bugs.webkit.org/show_bug.cgi?id=194050
3164         <rdar://problem/47595592>
3165
3166         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3167         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3168
3169         Reviewed by Yusuke Suzuki.
3170
3171         * ftl/FTLOperations.cpp:
3172         (JSC::FTL::operationMaterializeObjectInOSR):
3173
3174 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3175
3176         Remove assertion that CachedSymbolTables should have no RareData
3177         https://bugs.webkit.org/show_bug.cgi?id=194037
3178
3179         Reviewed by Mark Lam.
3180
3181         It turns out that we don't need to cache the SymbolTableRareData and
3182         we should not assert that it's empty.
3183
3184         * runtime/CachedTypes.cpp:
3185         (JSC::CachedSymbolTable::encode):
3186
3187 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3188
3189         CachedBytecode's move constructor should not call `freeDataIfOwned`
3190         https://bugs.webkit.org/show_bug.cgi?id=194045
3191
3192         Reviewed by Mark Lam.
3193
3194         That might result in freeing a garbage value.
3195
3196         * parser/SourceProvider.h:
3197         (JSC::CachedBytecode::CachedBytecode):
3198
3199 2019-01-30  Keith Miller  <keith_miller@apple.com>
3200
3201         mul32 should convert powers of 2 to an lshift
3202         https://bugs.webkit.org/show_bug.cgi?id=193957
3203
3204         Reviewed by Yusuke Suzuki.
3205
3206         * assembler/MacroAssembler.h:
3207         (JSC::MacroAssembler::mul32):
3208         * assembler/testmasm.cpp:
3209         (JSC::int32Operands):
3210         (JSC::testMul32WithImmediates):
3211         (JSC::run):
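
        An added illustration of the strength reduction named in the entry above (example code, not JSC's MacroAssembler; the names planMul32, applyMul32 and Mul32Plan are hypothetical): a multiply by an immediate is lowered to a left shift only when the immediate has exactly one bit set, with 0, 1 and INT32_MIN handled explicitly and the result checked against a plain wrapping multiply.

```cpp
#include <cstdint>

// Added example (not JSC code): how a 32-bit multiply by an immediate can be
// strength-reduced to a left shift when the immediate is a power of two.
// All names here are hypothetical.

enum class Mul32Op { Shift, Multiply, Zero, Move };

struct Mul32Plan {
    Mul32Op op;
    int shiftAmount; // meaningful only when op == Mul32Op::Shift
};

// Decide how to lower `x * imm` for int32 operands.
constexpr Mul32Plan planMul32(int32_t imm)
{
    if (imm == 0)
        return { Mul32Op::Zero, 0 };
    if (imm == 1)
        return { Mul32Op::Move, 0 };
    uint32_t u = static_cast<uint32_t>(imm);
    // A power of two has exactly one bit set. INT32_MIN (0x80000000) also has
    // one bit set, and x * INT32_MIN == x << 31 modulo 2^32, so the shift is
    // still exact under two's-complement wraparound. Negative immediates other
    // than INT32_MIN have several bits set and fall through to a real multiply.
    if ((u & (u - 1)) == 0) {
        int shift = 0;
        while ((u >> shift) != 1)
            shift++;
        return { Mul32Op::Shift, shift };
    }
    return { Mul32Op::Multiply, 0 };
}

// Execute the plan with explicit wraparound semantics (unsigned arithmetic),
// matching what a 32-bit machine instruction does.
int32_t applyMul32(int32_t x, int32_t imm)
{
    Mul32Plan plan = planMul32(imm);
    uint32_t ux = static_cast<uint32_t>(x);
    switch (plan.op) {
    case Mul32Op::Zero:
        return 0;
    case Mul32Op::Move:
        return x;
    case Mul32Op::Shift:
        return static_cast<int32_t>(ux << plan.shiftAmount);
    case Mul32Op::Multiply:
        return static_cast<int32_t>(ux * static_cast<uint32_t>(imm));
    }
    return 0;
}

// Reference: plain wrapping multiply, used to confirm the reduction is exact.
int32_t referenceMul32(int32_t x, int32_t imm)
{
    return static_cast<int32_t>(static_cast<uint32_t>(x) * static_cast<uint32_t>(imm));
}

// Cross-check the lowering against the reference over constructed edge cases.
bool mul32PlanMatchesReference()
{
    const int32_t xs[] = { 0, 1, -1, 7, -7, 123456789, INT32_MAX, INT32_MIN };
    const int32_t imms[] = { 0, 1, 2, 3, 4, 8, 1024, 65536, 1 << 30, INT32_MIN, -2, -4, 6 };
    for (int32_t x : xs) {
        for (int32_t imm : imms) {
            if (applyMul32(x, imm) != referenceMul32(x, imm))
                return false;
        }
    }
    return true;
}
```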
3212
3213 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3214
3215         [JSC] Make disassembler data structures constant read-only data
3216         https://bugs.webkit.org/show_bug.cgi?id=194041
3217
3218         Reviewed by Mark Lam.
3219
3220         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3221         This patch makes them "const".
3222
3223         * disassembler/ARM64/A64DOpcode.cpp:
3224         * disassembler/udis86/ud_itab.py:
3225         (UdItabGenerator.genOpcodeTablesLookupIndex):
3226         (UdItabGenerator.genInsnTable):
3227         (UdItabGenerator.genMnemonicsList):
3228         (genItabH):
3229         * disassembler/udis86/udis86_decode.h:
3230         * disassembler/udis86/udis86_syn.c:
3231         * disassembler/udis86/udis86_syn.h:
3232         * disassembler/udis86/udis86_types.h:
3233
3234 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3235
3236         Unreviewed, update the builtin test results
3237         https://bugs.webkit.org/show_bug.cgi?id=194015
3238
3239         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3240         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3241         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3242         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3243         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3244         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3245         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3246         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3247         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3248         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3249         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3250         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3251         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3252
3253 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3254
3255         [JSC] Make global static variables "const" as much as possible
3256         https://bugs.webkit.org/show_bug.cgi?id=194015
3257
3258         Reviewed by Mark Lam.
3259
3260         Some global static variables are not "const". For example, `static const char* name = ...`
3261         is not a constant variable. We should make it `static const char* const name = ...`.
3262
3263         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3264         (generate_externs_for_object):
3265         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3266         (generate_externs_for_object):
3267         * Scripts/wkbuiltins/builtins_generator.py:
3268         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3269         * assembler/MacroAssembler.h:
3270         (JSC::MacroAssembler::additionBlindedConstant):
3271         * b3/air/AirFormTable.h:
3272         * b3/air/opcode_generator.rb:
3273         * runtime/JSObject.cpp:
3274         (JSC::JSObject::visitButterfly):
3275         * tools/CodeProfile.cpp:
3276         * tools/CodeProfile.h:
3277
3278 2019-01-29  Keith Miller  <keith_miller@apple.com>
3279
3280         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3281         https://bugs.webkit.org/show_bug.cgi?id=194000
3282         <rdar://problem/47642894>
3283
3284         Reviewed by Mark Lam.
3285
3286         The default constructor is unused and
3287         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3288         data member which causes sadness.
3289
3290         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3291
3292 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3293
3294         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3295
3296         Rubber-stamped by Yusuke Suzuki.
3297
3298         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3299
3300         * parser/Parser.h:
3301         (JSC::Parser::declareHoistedVariable):
3302
3303 2019-01-29  Mark Lam  <mark.lam@apple.com>
3304
3305         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3306         https://bugs.webkit.org/show_bug.cgi?id=132333
3307
3308         Reviewed by Yusuke Suzuki.
3309
3310         * bytecode/InstructionStream.h:
3311         (JSC::InstructionStreamWriter::write):
3312         - The 32-bit write() function need not invert the order of the bytes written to
3313           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3314           be written is already in big endian order on CPU(BIG_ENDIAN) platforms.
3315
3316         * llint/LLIntOfflineAsmConfig.h:
3317         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3318
3319 2019-01-29  Mark Lam  <mark.lam@apple.com>
3320
3321         ValueRecovery::recover() should purify NaN values it recovers.
3322         https://bugs.webkit.org/show_bug.cgi?id=193978
3323         <rdar://problem/47625488>
3324
3325         Reviewed by Saam Barati.
3326
3327         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3328         recovered DoubleDisplacedInJSStack values need to be purified.
3329         ValueRecovery::recover() should do the same.
3330
3331         * bytecode/ValueRecovery.cpp:
3332         (JSC::ValueRecovery::recover const):
3333
3334 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3335
3336         [JSC] FTL should handle LocalAllocator*
3337         https://bugs.webkit.org/show_bug.cgi?id=193980
3338
3339         Reviewed by Saam Barati.
3340
3341         At some point, Allocator holds LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3342         because the FTL still uses the incoming value as a 32-bit integer there.
3343
3344         * ftl/FTLLowerDFGToB3.cpp:
3345         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3346
3347 2019-01-29  Keith Rollin  <krollin@apple.com>
3348
3349         Add .xcfilelists to Run Script build phases
3350         https://bugs.webkit.org/show_bug.cgi?id=193792
3351         <rdar://problem/47201785>
3352
3353         Reviewed by Alex Christensen.
3354
3355         As part of supporting XCBuild, update the necessary Run Script build
3356         phases in their Xcode projects to refer to their associated
3357         .xcfilelist files.
3358
3359         Note that the addition of these files bumps the Xcode project version
3360         number to something that's Xcode 10 compatible. This change means that
3361         older versions of the Xcode IDE can't read these projects. Nor can they
3362         fully load workspaces that refer to these projects (the updated
3363         projects are shown as non-expandable placeholders). `xcodebuild` can
3364         still build these projects; it's just that the IDE can't open them.
3365
3366         * JavaScriptCore.xcodeproj/project.pbxproj:
3367
3368 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3369
3370         [ARM] Check for negative zero instead of just zero
3371         https://bugs.webkit.org/show_bug.cgi?id=193689
3372
3373         Reviewed by Mark Lam.
3374
3375         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3376         of just bailing out for zero.
3377
3378         * assembler/MacroAssemblerARMv7.h:
3379         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3380
3381 2019-01-28  Devin Rousso  <drousso@apple.com>
3382
3383         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3384         https://bugs.webkit.org/show_bug.cgi?id=193863
3385         <rdar://problem/47572764>
3386
3387         Reviewed by Joseph Pecoraro.
3388
3389         * inspector/protocol/Page.json:
3390         Add more values to the `Setting` enum type:
3391          - `ICECandidateFilteringEnabled`
3392          - `MediaCaptureRequiresSecureConnection`
3393          - `MockCaptureDevicesEnabled`
3394
3395 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3396
3397         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3398         https://bugs.webkit.org/show_bug.cgi?id=193941
3399
3400         Reviewed by Alex Christensen.
3401
3402         * API/JSWeakObjectMapRefPrivate.cpp:
3403         * bytecompiler/NodesCodegen.cpp:
3404         * heap/MachineStackMarker.cpp:
3405         * jit/ExecutableAllocator.cpp:
3406         * jsc.cpp:
3407         * parser/Nodes.cpp:
3408         * runtime/DateConstructor.cpp:
3409         * runtime/DateConversion.cpp:
3410         * runtime/DateInstance.cpp:
3411         * runtime/DatePrototype.cpp:
3412         * runtime/InitializeThreading.cpp:
3413         * runtime/IteratorOperations.cpp:
3414         * runtime/JSDateMath.cpp:
3415         * runtime/JSGlobalObjectFunctions.cpp:
3416         * runtime/StringPrototype.cpp:
3417         * runtime/VM.cpp:
3418         * testRegExp.cpp:
3419         * tools/JSDollarVM.cpp:
3420         * yarr/YarrInterpreter.cpp:
3421         * yarr/YarrJIT.cpp:
3422         * yarr/YarrPattern.cpp:
3423         * yarr/YarrUnicodeProperties.cpp:
3424
3425 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3426
3427         [JSC] Reduce size of memory used for ShadowChicken
3428         https://bugs.webkit.org/show_bug.cgi?id=193546
3429
3430         Reviewed by Mark Lam.
3431
3432         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3433         The removal of ShadowChicken saves 55KB of memory.
3434
3435         * debugger/DebuggerCallFrame.cpp:
3436         (JSC::DebuggerCallFrame::create):
3437         * ftl/FTLLowerDFGToB3.cpp:
3438         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3439         * heap/Heap.cpp:
3440         (JSC::Heap::stopThePeriphery):
3441         (JSC::Heap::addCoreConstraints):
3442         * jit/CCallHelpers.cpp:
3443         (JSC::CCallHelpers::ensureShadowChickenPacket):
3444         * jit/JITExceptions.cpp:
3445         (JSC::genericUnwind):
3446         * jit/JITOpcodes.cpp:
3447         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3448         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3449         * jit/JITOpcodes32_64.cpp:
3450         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3451         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3452         * jit/JITOperations.cpp:
3453         * llint/LLIntSlowPaths.cpp:
3454         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3455         * runtime/JSGlobalObject.cpp:
3456         (JSC::JSGlobalObject::setDebugger):
3457         * runtime/JSGlobalObject.h:
3458         (JSC::JSGlobalObject::setDebugger): Deleted.
3459         * runtime/VM.cpp:
3460         (JSC::VM::VM):
3461         (JSC::VM::ensureShadowChicken):
3462         * runtime/VM.h:
3463         (JSC::VM::shadowChicken):
3464         * tools/JSDollarVM.cpp:
3465         (JSC::functionShadowChickenFunctionsOnStack):
3466         (JSC::changeDebuggerModeWhenIdle):
3467
3468 2019-01-28  Andy Estes  <aestes@apple.com>
3469
3470         [watchOS] Enable Parental Controls content filtering
3471         https://bugs.webkit.org/show_bug.cgi?id=193939
3472         <rdar://problem/46641912>
3473
3474         Reviewed by Ryosuke Niwa.
3475
3476         * Configurations/FeatureDefines.xcconfig:
3477
3478 2019-01-28  Mark Lam  <mark.lam@apple.com>
3479
3480         ToString node actually does GC.
3481         https://bugs.webkit.org/show_bug.cgi?id=193920
3482         <rdar://problem/46695900>
3483
3484         Reviewed by Yusuke Suzuki.
3485
3486         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3487         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3488
3489         * dfg/DFGDoesGC.cpp:
3490         (JSC::DFG::doesGC):
3491
3492 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3493
3494         [JSC] RegExpConstructor should not have own IsoSubspace
3495         https://bugs.webkit.org/show_bug.cgi?id=193801
3496
3497         Reviewed by Mark Lam.
3498
3499         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3500         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3501         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3502         it from RegExpConstructor's members.
3503
3504         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3505         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3506         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3507
3508         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3509
3510         * CMakeLists.txt:
3511         * JavaScriptCore.xcodeproj/project.pbxproj:
3512         * Sources.txt:
3513         * dfg/DFGOperations.cpp:
3514         * dfg/DFGSpeculativeJIT.cpp:
3515         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3516         * dfg/DFGStrengthReductionPhase.cpp:
3517         (JSC::DFG::StrengthReductionPhase::handleNode):
3518         * ftl/FTLAbstractHeapRepository.cpp:
3519         * ftl/FTLAbstractHeapRepository.h:
3520         * ftl/FTLLowerDFGToB3.cpp:
3521         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3522         * runtime/JSGlobalObject.cpp:
3523         (JSC::JSGlobalObject::init):
3524         (JSC::JSGlobalObject::visitChildren):
3525         * runtime/JSGlobalObject.h:
3526         (JSC::JSGlobalObject::regExpGlobalData):
3527         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3528         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3529         * runtime/RegExpCache.cpp:
3530         (JSC::RegExpCache::initialize):
3531         * runtime/RegExpCache.h:
3532         (JSC::RegExpCache::emptyRegExp const):
3533         * runtime/RegExpCachedResult.cpp:
3534         (JSC::RegExpCachedResult::visitAggregate):
3535         (JSC::RegExpCachedResult::visitChildren): Deleted.
3536         * runtime/RegExpCachedResult.h:
3537         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3538         * runtime/RegExpConstructor.cpp:
3539         (JSC::RegExpConstructor::RegExpConstructor):
3540         (JSC::regExpConstructorDollar):
3541         (JSC::regExpConstructorInput):
3542         (JSC::regExpConstructorMultiline):
3543         (JSC::regExpConstructorLastMatch):
3544         (JSC::regExpConstructorLastParen):
3545         (JSC::regExpConstructorLeftContext):
3546         (JSC::regExpConstructorRightContext):
3547         (JSC::setRegExpConstructorInput):
3548         (JSC::setRegExpConstructorMultiline):
3549         (JSC::RegExpConstructor::destroy): Deleted.
3550         (JSC::RegExpConstructor::visitChildren): Deleted.
3551         (JSC::RegExpConstructor::getBackref): Deleted.
3552         (JSC::RegExpConstructor::getLastParen): Deleted.
3553         (JSC::RegExpConstructor::getLeftContext): Deleted.
3554         (JSC::RegExpConstructor::getRightContext): Deleted.
3555         * runtime/RegExpConstructor.h:
3556         (JSC::RegExpConstructor::performMatch): Deleted.
3557         (JSC::RegExpConstructor::recordMatch): Deleted.
3558         * runtime/RegExpGlobalData.cpp: Added.
3559         (JSC::RegExpGlobalData::visitAggregate):
3560         (JSC::RegExpGlobalData::getBackref):
3561         (JSC::RegExpGlobalData::getLastParen):
3562         (JSC::RegExpGlobalData::getLeftContext):
3563         (JSC::RegExpGlobalData::getRightContext):
3564         * runtime/RegExpGlobalData.h: Added.
3565         (JSC::RegExpGlobalData::cachedResult):
3566         (JSC::RegExpGlobalData::setMultiline):
3567         (JSC::RegExpGlobalData::multiline const):
3568         (JSC::RegExpGlobalData::input):
3569         (JSC::RegExpGlobalData::offsetOfCachedResult):
3570         * runtime/RegExpGlobalDataInlines.h: Added.
3571         (JSC::RegExpGlobalData::setInput):
3572         (JSC::RegExpGlobalData::performMatch):
3573         (JSC::RegExpGlobalData::recordMatch):
3574         * runtime/RegExpObject.cpp:
3575         (JSC::RegExpObject::matchGlobal):
3576         * runtime/RegExpObjectInlines.h:
3577         (JSC::RegExpObject::execInline):
3578         (JSC::RegExpObject::matchInline):
3579         (JSC::collectMatches):
3580         * runtime/RegExpPrototype.cpp:
3581         (JSC::RegExpPrototype::finishCreation):
3582         (JSC::regExpProtoFuncSearchFast):
3583         (JSC::RegExpPrototype::visitChildren): Deleted.
3584         * runtime/RegExpPrototype.h:
3585         * runtime/StringPrototype.cpp:
3586         (JSC::removeUsingRegExpSearch):
3587         (JSC::replaceUsingRegExpSearch):
3588         * runtime/VM.cpp:
3589         (JSC::VM::VM):
3590         * runtime/VM.h:
3591
3592 2018-12-15  Darin Adler  <darin@apple.com>
3593
3594         Replace many uses of String::format with more type-safe alternatives
3595         https://bugs.webkit.org/show_bug.cgi?id=192742
3596
3597         Reviewed by Mark Lam.
3598
3599         * inspector/InjectedScriptBase.cpp:
3600         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3601         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3602         * inspector/InspectorBackendDispatcher.cpp:
3603         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3604         * inspector/agents/InspectorConsoleAgent.cpp:
3605         (Inspector::InspectorConsoleAgent::enable): Ditto.
3606         * jsc.cpp:
3607         (FunctionJSCStackFunctor::operator() const): Ditto.
3608
3609         * runtime/CodeCache.cpp:
3610         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3611         using String::number.
3612
3613         * runtime/IntlDateTimeFormat.cpp:
3614         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3615         * runtime/IntlObject.cpp:
3616         (JSC::canonicalizeLocaleList): Ditto.
3617
3618 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3619
3620         AX: Introduce a static accessibility tree
3621         https://bugs.webkit.org/show_bug.cgi?id=193348
3622         <rdar://problem/47203295>
3623
3624         Reviewed by Ryosuke Niwa.
3625
3626         * Configurations/FeatureDefines.xcconfig:
3627
3628 2019-01-26  Devin Rousso  <drousso@apple.com>
3629
3630         Web Inspector: provide a way to edit the user agent of a remote target
3631         https://bugs.webkit.org/show_bug.cgi?id=193862
3632         <rdar://problem/47359292>
3633
3634         Reviewed by Joseph Pecoraro.
3635
3636         * inspector/protocol/Page.json:
3637         Add `overrideUserAgent` command.
3638
3639 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3640
3641         [JSC] NativeErrorConstructor should not have own IsoSubspace
3642         https://bugs.webkit.org/show_bug.cgi?id=193713
3643
3644         Reviewed by Saam Barati.
3645
3646         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3647         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3648         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3649         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3650         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3651         referenced.
3652
3653         * CMakeLists.txt:
3654         * JavaScriptCore.xcodeproj/project.pbxproj:
3655         * Sources.txt:
3656         * builtins/BuiltinNames.h:
3657         * interpreter/Interpreter.h:
3658         * runtime/Error.cpp:
3659         (JSC::createEvalError):
3660         (JSC::createRangeError):
3661         (JSC::createReferenceError):
3662         (JSC::createSyntaxError):
3663         (JSC::createTypeError):
3664         (JSC::createURIError):
3665         (WTF::printInternal): Deleted.
3666         * runtime/Error.h:
3667         * runtime/ErrorPrototype.cpp:
3668         (JSC::ErrorPrototype::create):
3669         (JSC::ErrorPrototype::finishCreation):
3670         * runtime/ErrorPrototype.h:
3671         (JSC::ErrorPrototype::create): Deleted.
3672         * runtime/ErrorType.cpp: Added.
3673         (JSC::errorTypeName):
3674         (WTF::printInternal):
3675         * runtime/ErrorType.h: Added.
3676         * runtime/JSGlobalObject.cpp:
3677         (JSC::JSGlobalObject::initializeErrorConstructor):
3678         (JSC::JSGlobalObject::init):
3679         (JSC::JSGlobalObject::visitChildren):
3680         * runtime/JSGlobalObject.h:
3681         (JSC::JSGlobalObject::internalPromiseConstructor const):
3682         (JSC::JSGlobalObject::errorStructure const):
3683         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3684         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3685         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3686         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3687         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3688         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3689         * runtime/NativeErrorConstructor.cpp:
3690         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3691         (JSC::NativeErrorConstructorBase::finishCreation):
3692         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3693         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3694         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3695         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3696         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3697         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3698         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3699         * runtime/NativeErrorConstructor.h:
3700         (JSC::NativeErrorConstructorBase::createStructure):
3701         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3702         * runtime/NativeErrorPrototype.cpp:
3703         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3704         * runtime/NativeErrorPrototype.h:
3705         * runtime/VM.cpp:
3706         (JSC::VM::VM):
3707         * runtime/VM.h:
3708         * wasm/js/WasmToJS.cpp:
3709         (JSC::Wasm::handleBadI64Use):
3710
3711 2019-01-25  Devin Rousso  <drousso@apple.com>
3712
3713         Web Inspector: provide a way to edit page settings on a remote target
3714         https://bugs.webkit.org/show_bug.cgi?id=193813
3715         <rdar://problem/47359510>
3716
3717         Reviewed by Joseph Pecoraro.
3718
3719         * inspector/protocol/Page.json:
3720         Add `overrideSetting` command with supporting `Setting` enum type.
3721
3722 2019-01-25  Keith Rollin  <krollin@apple.com>
3723
3724         Update Xcode projects with "Check .xcfilelists" build phase
3725         https://bugs.webkit.org/show_bug.cgi?id=193790
3726         <rdar://problem/47201374>
3727
3728         Reviewed by Alex Christensen.
3729
3730         Support for XCBuild includes specifying inputs and outputs to various
3731         Run Script build phases. These inputs and outputs are specified as
3732         .xcfilelist files. Once created, these .xcfilelist files need to be
3733         kept up-to-date. In order to check that they are up-to-date or not,
3734         add an Xcode build step that invokes an external script that performs
3735         the checking. If the .xcfilelists are found to be out-of-date, update
3736         them, halt the build, and instruct the developer to restart the build
3737         with up-to-date files.
3738
3739         At this time, the checking and regenerating is performed only if the
3740         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3741         who want to use this facility can set this variable and test out the
3742         checking/regenerating. Once it seems like there are no egregious
3743         issues that upset a developer's workflow, we'll unconditionally enable
3744         this facility.
3745
3746         * JavaScriptCore.xcodeproj/project.pbxproj:
3747         * Scripts/check-xcfilelists.sh: Added.
3748
3749 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3750
3751         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3752         https://bugs.webkit.org/show_bug.cgi?id=193796
3753         <rdar://problem/47532910>
3754
3755         Reviewed by Devin Rousso.
3756
3757         * runtime/SamplingProfiler.cpp:
3758         (JSC::SamplingProfiler::machThread):
3759         * runtime/SamplingProfiler.h:
3760         Expose the mach_port_t of the SamplingProfiler thread
3761         so it can be tested against later.
3762
3763 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3764
3765         Fix Windows build after r240511
3766
3767         * bytecode/UnlinkedFunctionExecutable.cpp:
3768         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3769
3770 2019-01-25  Keith Rollin  <krollin@apple.com>
3771
3772         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3773         https://bugs.webkit.org/show_bug.cgi?id=193781
3774         <rdar://problem/47201153>
3775
3776         Reviewed by Alex Christensen.
3777
3778         Part of generating the .xcfilelists used as part of adopting XCBuild
3779         includes running `make DerivedSources.make` from a standalone script.
3780         It’s important for this invocation to have the same environment as
3781         when the actual build invokes `make DerivedSources.make`. If the
3782         environments are different, then the two invocations will provide
3783         different results. In order to get the same environment in the
3784         standalone script, have the script launch xcodebuild targeting the
3785         "Apply Configuration to XCFileLists" build target, which will then
3786         re-invoke our standalone script. The script is now running again, this
3787         time in an environment with all workspace, project, target, xcconfig
3788         and other environment variables established.
3789
3790         The "Apply Configuration to XCFileLists" build target accomplishes
3791         this task via a small embedded shell script that consists only of:
3792
3793             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3794
3795         The process that invokes "Apply Configuration to XCFileLists" first
3796         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3797         evaluated and exports it into the shell environment. When xcodebuild
3798         is invoked, it inherits the value of this variable and can `eval` the
3799         contents of that variable. Our external standalone script can then set
3800         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3801         of command-line parameters needed to restart itself in the appropriate
3802         state.
3803
3804         * JavaScriptCore.xcodeproj/project.pbxproj:
3805
3806 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3807
3808         Add API to generate and consume cached bytecode
3809         https://bugs.webkit.org/show_bug.cgi?id=193401
3810         <rdar://problem/47514099>
3811
3812         Reviewed by Keith Miller.
3813
3814         Add the `generateBytecode` and `generateModuleBytecode` functions to
3815         generate serialized bytecode for a given `SourceCode`. These functions
3816         will eagerly generate code for all the nested functions.
3817
3818         Additionally, update the API methods in JSScript to generate and use the
3819         bytecode when the bytecodeCache path is provided.
3820
3821         * API/JSAPIGlobalObject.mm:
3822         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3823         * API/JSContext.mm:
3824         (-[JSContext wrapperMap]):
3825         * API/JSContextInternal.h:
3826         * API/JSScript.mm:
3827         (+[JSScript scriptWithSource:inVirtualMachine:]):
3828         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3829         (-[JSScript dealloc]):
3830         (-[JSScript readCache]):
3831         (-[JSScript writeCache]):
3832         (-[JSScript hash]):
3833         (-[JSScript source]):
3834         (-[JSScript cachedBytecode]):
3835         (-[JSScript jsSourceCode:]):
3836         * API/JSScriptInternal.h:
3837         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3838         (JSScriptSourceProvider::create):
3839         (JSScriptSourceProvider::JSScriptSourceProvider):
3840         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3841         (JSScriptSourceProvider::hash const):
3842         (JSScriptSourceProvider::source const):
3843         (JSScriptSourceProvider::cachedBytecode const):
3844         * API/JSVirtualMachine.mm:
3845         (-[JSVirtualMachine vm]):
3846         * API/JSVirtualMachineInternal.h:
3847         * API/tests/testapi.mm:
3848         (testBytecodeCache):
3849         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3850         (testObjectiveCAPI):
3851         * JavaScriptCore.xcodeproj/project.pbxproj:
3852         * SourcesCocoa.txt:
3853         * bytecode/UnlinkedFunctionExecutable.cpp:
3854         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3855         * bytecode/UnlinkedFunctionExecutable.h:
3856         * parser/SourceCodeKey.h:
3857         (JSC::SourceCodeKey::source const):
3858         * parser/SourceProvider.h:
3859         (JSC::CachedBytecode::CachedBytecode):
3860         (JSC::CachedBytecode::operator=):
3861         (JSC::CachedBytecode::data const):
3862         (JSC::CachedBytecode::size const):
3863         (JSC::CachedBytecode::owned const):
3864         (JSC::CachedBytecode::~CachedBytecode):
3865         (JSC::CachedBytecode::freeDataIfOwned):
3866         (JSC::SourceProvider::cachedBytecode const):
3867         * parser/UnlinkedSourceCode.h:
3868         (JSC::UnlinkedSourceCode::provider const):
3869         * runtime/CodeCache.cpp:
3870         (JSC::generateUnlinkedCodeBlockForFunctions):
3871         (JSC::writeCodeBlock):
3872         (JSC::serializeBytecode):
3873         * runtime/CodeCache.h:
3874         (JSC::CodeCacheMap::fetchFromDiskImpl):
3875         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3876         (JSC::generateUnlinkedCodeBlockImpl):
3877         (JSC::generateUnlinkedCodeBlock):
3878         * runtime/Completion.cpp:
3879         (JSC::generateBytecode):
3880         (JSC::generateModuleBytecode):
3881         * runtime/Completion.h:
3882         * runtime/Options.cpp:
3883         (JSC::recomputeDependentOptions):
3884
3885 2019-01-25  Keith Rollin  <krollin@apple.com>
3886
3887         Update WebKitAdditions.xcconfig with correct order of variable definitions
3888         https://bugs.webkit.org/show_bug.cgi?id=193793
3889         <rdar://problem/47532439>
3890
3891         Reviewed by Alex Christensen.
3892
3893         XCBuild changes the way xcconfig variables are evaluated. In short,
3894         all config file assignments are now considered in part of the
3895         evaluation. When using the new build system and an .xcconfig file
3896         contains multiple assignments of the same build setting:
3897
3898         - Later assignments using $(inherited) will inherit from earlier
3899           assignments in the xcconfig file.