[ARM] Fix crash with sampling profiler
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, and the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then moving it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits, because the assertion requires that these functions be
        called in non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time, and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of a non-typical function's source code (Program,
        Eval code, and Global function from function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using the DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer into a global variable.
        This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, the Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under non-JIT mode (by the way, the number of scratch buffers is always zero in non-JIT mode).
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam Barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

688 2019-02-14  Saam barati  <sbarati@apple.com>
689
690         lowerStackArgs should lower Lea32/64 on ARM64 to Add
691         https://bugs.webkit.org/show_bug.cgi?id=194656
692
693         Reviewed by Yusuke Suzuki.
694
695         On arm64, Lea is just implemented as an add. However, Air treats it as an
696         address with a given width. Because of this width, we were incorrectly
697         computing whether or not this immediate could fit into the instruction itself
698         or it needed to be explicitly put into a register. This patch makes
699         AirLowerStackArgs lower Lea to Add on arm64.
700
701         * b3/air/AirLowerStackArgs.cpp:
702         (JSC::B3::Air::lowerStackArgs):
703         * b3/air/AirOpcode.opcodes:
704         * b3/air/testair.cpp:
705
706 2019-02-14  Saam Barati  <sbarati@apple.com>
707
708         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
709         https://bugs.webkit.org/show_bug.cgi?id=194583
710         <rdar://problem/48028140>
711
712         Reviewed by Yusuke Suzuki.
713
714         This patch makes it so that getVariablesUnderTDZ caches a result of
715         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
716         it's called in an environment where there are a lot of variables.
717         This patch makes it so we cache its results. This is profitable when
718         getVariablesUnderTDZ is called repeatedly with the same environment
719         state. This is common since we call this every time we encounter a
720         function definition/expression node.
721
722         * builtins/BuiltinExecutables.cpp:
723         (JSC::BuiltinExecutables::createExecutable):
724         * bytecode/UnlinkedFunctionExecutable.cpp:
725         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
726         * bytecode/UnlinkedFunctionExecutable.h:
727         * bytecompiler/BytecodeGenerator.cpp:
728         (JSC::BytecodeGenerator::popLexicalScopeInternal):
729         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
730         (JSC::BytecodeGenerator::pushTDZVariables):
731         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
732         (JSC::BytecodeGenerator::restoreTDZStack):
733         * bytecompiler/BytecodeGenerator.h:
734         (JSC::BytecodeGenerator::makeFunction):
735         * parser/VariableEnvironment.cpp:
736         (JSC::CompactVariableMap::Handle::Handle):
737         (JSC::CompactVariableMap::Handle::operator=):
738         * parser/VariableEnvironment.h:
739         (JSC::CompactVariableMap::Handle::operator bool const):
740         * runtime/CodeCache.cpp:
741         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
742
743 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
744
745         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
746         https://bugs.webkit.org/show_bug.cgi?id=194659
747
748         Reviewed by Mark Lam.
749
750         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since these entry point codes are identical.
751         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
752         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
753
754         * dfg/DFGJITCode.h:
755         * dfg/DFGJITFinalizer.cpp:
756         (JSC::DFG::JITFinalizer::finalize):
757         (JSC::DFG::JITFinalizer::finalizeFunction):
758         * jit/JITCode.cpp:
759         (JSC::DirectJITCode::initializeCodeRefForDFG):
760         (JSC::DirectJITCode::initializeCodeRef): Deleted.
761         (JSC::NativeJITCode::initializeCodeRef): Deleted.
762         * jit/JITCode.h:
763         * llint/LLIntEntrypoint.cpp:
764         (JSC::LLInt::setFunctionEntrypoint):
765         (JSC::LLInt::setEvalEntrypoint):
766         (JSC::LLInt::setProgramEntrypoint):
767         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
768
769 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
770
771         [WTF] Add environment variable helpers
772         https://bugs.webkit.org/show_bug.cgi?id=192405
773
774         Reviewed by Michael Catanzaro.
775
776         * inspector/remote/glib/RemoteInspectorGlib.cpp:
777         (Inspector::RemoteInspector::RemoteInspector):
778         (Inspector::RemoteInspector::start):
779         * jsc.cpp:
780         (startTimeoutThreadIfNeeded):
781         * runtime/Options.cpp:
782         (JSC::overrideOptionWithHeuristic):
783         (JSC::Options::overrideAliasedOptionWithHeuristic):
784         (JSC::Options::initialize):
785         * runtime/VM.cpp:
786         (JSC::enableAssembler):
787         (JSC::VM::VM):
788         * tools/CodeProfiling.cpp:
789         (JSC::CodeProfiling::notifyAllocator):
790         Utilize WTF::Environment where possible.
791
792 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
793
794         [JSC] Should have default NativeJITCode
795         https://bugs.webkit.org/show_bug.cgi?id=194634
796
797         Reviewed by Mark Lam.
798
799         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
800         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds singleton used as a default one.
801         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
802         allocations, which take 14KB.
803
804         * runtime/VM.cpp:
805         (JSC::jitCodeForCallTrampoline):
806         (JSC::jitCodeForConstructTrampoline):
807         (JSC::VM::getHostFunction):
808
809 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
810
811         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
812         https://bugs.webkit.org/show_bug.cgi?id=194576
813
814         Reviewed by Saam Barati.
815
816         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
817         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
818
819         * bytecode/UnlinkedFunctionExecutable.cpp:
820         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
821         (JSC::UnlinkedFunctionExecutable::link):
822         * bytecode/UnlinkedFunctionExecutable.h:
823         * runtime/CodeCache.cpp:
824         (JSC::generateUnlinkedCodeBlockForFunctions):
825
826 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
827
828         CachedBitVector's size must be converted from bits to bytes
829         https://bugs.webkit.org/show_bug.cgi?id=194441
830
831         Reviewed by Saam Barati.
832
833         CachedBitVector used its size in bits for memcpy. That didn't cause any
834         issues when encoding, since the size in bits was also used in the allocation,
835         but would overflow the actual BitVector buffer when decoding.
836
837         * runtime/CachedTypes.cpp:
838         (JSC::CachedBitVector::encode):
839         (JSC::CachedBitVector::decode const):
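
The bit-versus-byte unit mix-up described in this entry, as an added C++ example that is not JavaScriptCore code: a toy bit vector with an encoder, a decoder that copies `numBits` bytes the way the buggy code did (here guarded by a bounds check so the overrun is reported rather than performed), and the corrected decoder that converts bits to bytes before copying. The names `BitVector`, `Encoded`, `encode`, `decodeUsingBitCountAsByteCount`, `decodeFixed` and `demo` are hypothetical and do not match the real CachedBitVector in runtime/CachedTypes.cpp.

```cpp
// Added example (not JavaScriptCore code): why the memcpy length for a
// serialized bit vector must be derived from the bit count, not equal to it.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical toy bit vector: one byte per 8 bits.
struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> words;

    explicit BitVector(size_t bits) : numBits(bits), words(bytesForBits(bits), 0) {}
    static size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }
    void set(size_t i) { words[i / 8] |= uint8_t(1u << (i % 8)); }
    bool get(size_t i) const { return words[i / 8] & (1u << (i % 8)); }
};

// Serialized form: the bit count followed by the raw payload bytes.
struct Encoded {
    size_t numBits = 0;
    std::vector<uint8_t> payload;
};

Encoded encode(const BitVector& bv) {
    Encoded out;
    out.numBits = bv.numBits;
    out.payload.resize(BitVector::bytesForBits(bv.numBits));
    std::memcpy(out.payload.data(), bv.words.data(), out.payload.size());
    return out;
}

// Buggy decode: uses the bit count as the byte count. For anything longer
// than 8 bits this would write past the destination BitVector's buffer.
// The bounds check here rejects that case instead of performing the overrun.
bool decodeUsingBitCountAsByteCount(const Encoded& in, BitVector& out) {
    out = BitVector(in.numBits);
    size_t copyLength = in.numBits; // wrong unit: bits, not bytes
    if (copyLength > out.words.size() || copyLength > in.payload.size())
        return false; // would overflow the BitVector buffer
    std::memcpy(out.words.data(), in.payload.data(), copyLength);
    return true;
}

// Fixed decode: convert bits to bytes before copying.
bool decodeFixed(const Encoded& in, BitVector& out) {
    out = BitVector(in.numBits);
    size_t copyLength = BitVector::bytesForBits(in.numBits);
    if (copyLength > out.words.size() || copyLength > in.payload.size())
        return false;
    std::memcpy(out.words.data(), in.payload.data(), copyLength);
    return true;
}

// Round-trips a constructed 70-bit vector through both decoders.
// Returns 0 when the buggy decoder is rejected by the bounds check and the
// fixed decoder restores every bit; a non-zero value identifies what failed.
int demo() {
    BitVector bv(70); // constructed sample input
    bv.set(0); bv.set(9); bv.set(69);
    Encoded e = encode(bv);
    BitVector buggy(0), fixed(0);
    bool buggyOk = decodeUsingBitCountAsByteCount(e, buggy);
    bool fixedOk = decodeFixed(e, fixed);
    if (buggyOk) return 1;   // 70 bytes into a 9-byte buffer must be refused
    if (!fixedOk) return 2;
    for (size_t i = 0; i < 70; ++i)
        if (fixed.get(i) != bv.get(i)) return 3;
    return 0;
}
```

As the entry notes, the original encoder used the bit count for both the allocation and the copy, so writing the cache never overran its own buffer; the bug only surfaced on decode, where the destination BitVector is sized in bytes.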
840
841 2019-02-13  Brian Burg  <bburg@apple.com>
842
843         Web Inspector: don't include accessibility role in DOM.Node object payloads
844         https://bugs.webkit.org/show_bug.cgi?id=194623
845         <rdar://problem/36384037>
846
847         Reviewed by Devin Rousso.
848
849         Remove property of DOM.Node that is no longer being sent.
850
851         * inspector/protocol/DOM.json:
852
853 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
854
855         We should only make rope strings when concatenating strings long enough.
856         https://bugs.webkit.org/show_bug.cgi?id=194465
857
858         Reviewed by Mark Lam.
859
860         This patch stops us from allocating a rope string if the resulting
861         rope would be smaller than the size of the JSRopeString object we
862         would need to allocate.
863
864         This patch also adds paths so that we don't unnecessarily allocate
865         JSString cells for primitives we are going to concatenate with a
866         string anyway.
867
868         The important change from the previous one is that we do not apply
869         the above rule to JSRopeStrings generated by JSStrings. If we convert
870         such a rope to a JSString, the comparison of memory consumption becomes the following,
871         because a JSRopeString does not have a StringImpl until it is resolved.
872
873             sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content
874
875         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
876         resolving eagerly increases the memory footprint. The point is that we need to
877         account for the newly created JSString and JSRopeString from the operands. This is the
878         reason why this patch adds different thresholds for each jsString function.
879
880         This patch also avoids concatenation for ropes conservatively. Many ropes are
881         temporary cells. So we do not resolve eagerly if one of the operands is already a
882         rope.
883
884         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).
885
886             Before: 159.3778
887             After:  160.72340000000003
888
889         * dfg/DFGOperations.cpp:
890         * runtime/CommonSlowPaths.cpp:
891         (JSC::SLOW_PATH_DECL):
892         * runtime/JSString.h:
893         (JSC::JSString::isRope const):
894         * runtime/Operations.cpp:
895         (JSC::jsAddSlowCase):
896         * runtime/Operations.h:
897         (JSC::jsString):
898         (JSC::jsAddNonNumber):
899         (JSC::jsAdd):
900
901 2019-02-13  Saam Barati  <sbarati@apple.com>
902
903         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
904         https://bugs.webkit.org/show_bug.cgi?id=194610
905
906         Reviewed by Michael Saboff.
907
908         BinarySwitch might use the scratch register. We must model the
909         effects of that properly. This is already caught by our br-table
910         tests on arm64.
911
912         * wasm/WasmAirIRGenerator.cpp:
913         (JSC::Wasm::AirIRGenerator::addSwitch):
914
915 2019-02-13  Mark Lam  <mark.lam@apple.com>
916
917         Create a randomized free list for new StructureIDs on StructureIDTable resize.
918         https://bugs.webkit.org/show_bug.cgi?id=194566
919         <rdar://problem/47975502>
920
921         Reviewed by Michael Saboff.
922
923         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
924         implementation is a little easier to read.
925
926         This patch appears to be perf neutral on JetStream2 (as run from the command line).
927
928         * runtime/StructureIDTable.cpp:
929         (JSC::StructureIDTable::StructureIDTable):
930         (JSC::StructureIDTable::makeFreeListFromRange):
931         (JSC::StructureIDTable::resize):
932         (JSC::StructureIDTable::allocateID):
933         (JSC::StructureIDTable::deallocateID):
934         * runtime/StructureIDTable.h:
935         (JSC::StructureIDTable::get):
936         (JSC::StructureIDTable::deallocateID):
937         (JSC::StructureIDTable::allocateID):
938         (JSC::StructureIDTable::flushOldTables):
939
940 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
941
942         VariableLengthObject::allocate<T> should initialize objects
943         https://bugs.webkit.org/show_bug.cgi?id=194534
944
945         Reviewed by Michael Saboff.
946
947         `buffer()` should not be called for empty VariableLengthObjects, but
948         these cases were not being caught due to the objects not being properly
949         initialized. Fix it so that allocate calls the constructor and fix the
950         assertion failures.
951
952         * runtime/CachedTypes.cpp:
953         (JSC::CachedObject::operator new):
954         (JSC::VariableLengthObject::allocate):
955         (JSC::CachedVector::encode):
956         (JSC::CachedVector::decode const):
957         (JSC::CachedUniquedStringImpl::decode const):
958         (JSC::CachedBitVector::encode):
959         (JSC::CachedBitVector::decode const):
960         (JSC::CachedArray::encode):
961         (JSC::CachedArray::decode const):
962         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
963         (JSC::CachedBigInt::decode const):
964
965 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
966
967         CodeBlocks read from disk should not be re-written
968         https://bugs.webkit.org/show_bug.cgi?id=194535
969
970         Reviewed by Michael Saboff.
971
972         Keep track of which CodeBlocks have been read from disk or have already
973         been serialized in CodeCache.
974
975         * runtime/CodeCache.cpp:
976         (JSC::CodeCache::write):
977         * runtime/CodeCache.h:
978         (JSC::SourceCodeValue::SourceCodeValue):
979         (JSC::CodeCacheMap::fetchFromDiskImpl):
980
981 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
982
983         SourceCode should be copied when generating bytecode for functions
984         https://bugs.webkit.org/show_bug.cgi?id=194536
985
986         Reviewed by Saam Barati.
987
988         The FunctionExecutable might be collected while generating the bytecode
989         for nested functions, in which case the SourceCode reference would no
990         longer be valid.
991
992         * runtime/CodeCache.cpp:
993         (JSC::generateUnlinkedCodeBlockForFunctions):
994
995 2019-02-12  Saam barati  <sbarati@apple.com>
996
997         JSScript needs to retain its cache path NSURL*
998         https://bugs.webkit.org/show_bug.cgi?id=194577
999
1000         Reviewed by Tim Horton.
1001
1002         * API/JSScript.mm:
1003         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1004         (-[JSScript dealloc]):
1005
1006 2019-02-12  Robin Morisset  <rmorisset@apple.com>
1007
1008         Make B3Value::returnsBool() more precise
1009         https://bugs.webkit.org/show_bug.cgi?id=194457
1010
1011         Reviewed by Saam Barati.
1012
1013         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
1014         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
1015         No new tests added as this should be indirectly tested by the already existing tests.
1016
1017         * b3/B3Value.cpp:
1018         (JSC::B3::Value::returnsBool const):
1019
1020 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1021
1022         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1023         https://bugs.webkit.org/show_bug.cgi?id=194399
1024         <rdar://problem/47889777>
1025
1026         * dfg/DFGDoesGC.cpp:
1027         (JSC::DFG::doesGC):
1028
1029 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1030
1031         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1032         https://bugs.webkit.org/show_bug.cgi?id=194370
1033
1034         Reviewed by Darin Adler.
1035
1036         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
1037         necessary, but it will make errors more visible.
1038
1039         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1040         (Inspector::RemoteInspector::start):
1041         (Inspector::dbusConnectionCallAsyncReadyCallback):
1042         * inspector/remote/glib/RemoteInspectorServer.cpp:
1043         (Inspector::RemoteInspectorServer::start):
1044
1045 2019-02-12  Andy Estes  <aestes@apple.com>
1046
1047         [iOSMac] Enable Parental Controls Content Filtering
1048         https://bugs.webkit.org/show_bug.cgi?id=194521
1049         <rdar://39732376>
1050
1051         Reviewed by Tim Horton.
1052
1053         * Configurations/FeatureDefines.xcconfig:
1054
1055 2019-02-11  Mark Lam  <mark.lam@apple.com>
1056
1057         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1058         https://bugs.webkit.org/show_bug.cgi?id=194512
1059         <rdar://problem/47975465>
1060
1061         Reviewed by Yusuke Suzuki.
1062
1063         * runtime/StructureIDTable.cpp:
1064         (JSC::StructureIDTable::StructureIDTable):
1065         (JSC::StructureIDTable::allocateID):
1066         (JSC::StructureIDTable::deallocateID):
1067         * runtime/StructureIDTable.h:
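
The two StructureIDTable hardening entries (this one, which randomizes where a deallocated ID is reinserted into the free list, and the 2019-02-13 entry "Create a randomized free list for new StructureIDs on StructureIDTable resize") as one added C++ example. This is not JavaScriptCore's StructureIDTable: `IdTable`, `makeFreeListFromRange`, `allocateID`, `deallocateID` and `demo` are hypothetical names over a simplified vector-based free list, ID 0 is kept reserved by assumption, and the generator is seeded with a caller-supplied value so the example is reproducible; a real table would seed from a proper random source.

```cpp
// Added example (not JavaScriptCore code): an ID table whose free list is
// shuffled when a new range is added on resize, and where a freed ID is
// placed at a random position rather than at the head of the list.
#include <algorithm>
#include <cstdint>
#include <random>
#include <vector>

class IdTable {
public:
    explicit IdTable(uint32_t initialCapacity, uint32_t seed)
        : m_rng(seed) { resize(initialCapacity); }

    uint32_t allocateID() {
        if (m_freeList.empty())
            resize(std::max<uint32_t>(1, m_capacity) * 2);
        uint32_t id = m_freeList.back();
        m_freeList.pop_back();
        m_inUse[id] = true;
        return id;
    }

    void deallocateID(uint32_t id) {
        m_inUse[id] = false;
        // Append, then swap with a randomly chosen free entry so the
        // position at which this ID will be reused is unpredictable.
        m_freeList.push_back(id);
        if (m_freeList.size() > 1) {
            std::uniform_int_distribution<size_t> pick(0, m_freeList.size() - 1);
            std::swap(m_freeList.back(), m_freeList[pick(m_rng)]);
        }
    }

    uint32_t capacity() const { return m_capacity; }
    size_t freeCount() const { return m_freeList.size(); }
    bool isInUse(uint32_t id) const { return id < m_capacity && m_inUse[id]; }

private:
    // Append IDs [first, last) to the free list in shuffled order, so the
    // IDs handed out after a resize do not come in ascending sequence.
    void makeFreeListFromRange(uint32_t first, uint32_t last) {
        std::vector<uint32_t> range;
        for (uint32_t id = first; id < last; ++id)
            range.push_back(id);
        std::shuffle(range.begin(), range.end(), m_rng);
        m_freeList.insert(m_freeList.end(), range.begin(), range.end());
    }

    void resize(uint32_t newCapacity) {
        uint32_t oldCapacity = m_capacity;
        m_inUse.resize(newCapacity, false);
        m_capacity = newCapacity;
        // ID 0 is reserved (assumption), so a fresh table starts at 1.
        makeFreeListFromRange(oldCapacity == 0 ? 1 : oldCapacity, newCapacity);
    }

    uint32_t m_capacity = 0;
    std::vector<bool> m_inUse;
    std::vector<uint32_t> m_freeList;
    std::mt19937 m_rng;
};

// Exercises a table of capacity 8: every ID 1..7 is handed out exactly once,
// the 8th allocation forces a resize to 16 and yields an ID from the new
// range, and IDs freed and reallocated stay distinct. Returns true on success.
bool demo(uint32_t seed) {
    IdTable table(8, seed);
    std::vector<uint32_t> ids;
    for (int i = 0; i < 7; ++i)
        ids.push_back(table.allocateID());
    std::sort(ids.begin(), ids.end());
    for (size_t i = 0; i < ids.size(); ++i)
        if (ids[i] != i + 1) return false;
    uint32_t next = table.allocateID(); // free list empty: resize to 16
    if (table.capacity() != 16 || next < 8 || next >= 16) return false;
    table.deallocateID(ids[3]);
    table.deallocateID(ids[5]);
    uint32_t a = table.allocateID();
    uint32_t b = table.allocateID();
    if (a == b || !table.isInUse(a) || !table.isInUse(b)) return false;
    return true;
}
```

The effect of both changes is that the order in which IDs are handed out can no longer be inferred from the order of allocations and frees: the fresh range is shuffled once when it is created, and each freed ID lands at a random depth in the list rather than being the next one reused.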
1068
1069 2019-02-10  Mark Lam  <mark.lam@apple.com>
1070
1071         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1072         https://bugs.webkit.org/show_bug.cgi?id=194493
1073         <rdar://problem/36380852>
1074
1075         Reviewed by Yusuke Suzuki.
1076
1077         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1078         however not good for performance and memory usage.  As such, a debug ASSERT will
1079         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1080         possible to be instantiated with duplicate cases in
1081         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1082
1083         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1084         see duplicate cases.
1085
1086         * jit/BinarySwitch.cpp:
1087         (JSC::BinarySwitch::BinarySwitch):
1088
1089 2019-02-10  Darin Adler  <darin@apple.com>
1090
1091         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1092         https://bugs.webkit.org/show_bug.cgi?id=194485
1093
1094         Reviewed by Daniel Bates.
1095
1096         * heap/HeapSnapshotBuilder.cpp:
1097         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1098         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1099
1100         * runtime/JSGlobalObjectFunctions.cpp:
1101         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1102         including one in a call to appendByteAsHex.
1103         (JSC::globalFuncEscape): Ditto.
1104
1105 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1106
1107         Unreviewed, rolling out r241230.
1108         https://bugs.webkit.org/show_bug.cgi?id=194488
1109
1110         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1111         #webkit).
1112
1113         Reverted changeset:
1114
1115         "We should only make rope strings when concatenating strings
1116         long enough."
1117         https://bugs.webkit.org/show_bug.cgi?id=194465
1118         https://trac.webkit.org/changeset/241230
1119
1120 2019-02-10  Saam barati  <sbarati@apple.com>
1121
1122         BBQ-Air: Emit better code for switch
1123         https://bugs.webkit.org/show_bug.cgi?id=194053
1124
1125         Reviewed by Yusuke Suzuki.
1126
1127         Instead of emitting a linear set of jumps for Switch, this patch
1128         makes the BBQ-Air backend emit a binary switch.
1129
1130         * wasm/WasmAirIRGenerator.cpp:
1131         (JSC::Wasm::AirIRGenerator::addSwitch):
1132
1133 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1134
1135         Unreviewed, Lexer should use isLatin1 implementation in WTF
1136         https://bugs.webkit.org/show_bug.cgi?id=194466
1137
1138         Follow-up after r241233 pointed by Darin.
1139
1140         * parser/Lexer.cpp:
1141         (JSC::isLatin1): Deleted.
1142
1143 2019-02-09  Darin Adler  <darin@apple.com>
1144
1145         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1146         https://bugs.webkit.org/show_bug.cgi?id=194021
1147
1148         Reviewed by Geoffrey Garen.
1149
1150         * inspector/agents/InspectorConsoleAgent.cpp:
1151         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1152         makeString do the conversion without allocating/destroying a String.
1153         * inspector/agents/InspectorDebuggerAgent.cpp:
1154         (Inspector::objectGroupForBreakpointAction): Ditto.
1155         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1156         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1157         * runtime/JSGenericTypedArrayViewInlines.h:
1158         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1159         * runtime/NumberPrototype.cpp:
1160         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1161         of calling numberToFixedWidthString to do the same thing.
1162         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1163         numberToFixedPrecisionString to do the same thing.
1164         * runtime/SamplingProfiler.cpp:
1165         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1166
1167 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1168
1169         Unreviewed, rolling in r241237 again
1170         https://bugs.webkit.org/show_bug.cgi?id=194469
1171
1172         * runtime/JSString.h:
1173         (JSC::jsSubstring):
1174
1175 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1176
1177         Unreviewed, rolling out r241237.
1178         https://bugs.webkit.org/show_bug.cgi?id=194474
1179
1180         Shows significant memory increase in WSL (Requested by
1181         yusukesuzuki on #webkit).
1182
1183         Reverted changeset:
1184
1185         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1186         takes more memory"
1187         https://bugs.webkit.org/show_bug.cgi?id=194469
1188         https://trac.webkit.org/changeset/241237
1189
1190 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1191
1192         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1193         https://bugs.webkit.org/show_bug.cgi?id=194469
1194
1195         Reviewed by Geoffrey Garen.
1196
1197         * runtime/JSString.h:
1198         (JSC::jsSubstring):
1199
1200 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1201
1202         [JSC] CachedTypes should use jsString instead of JSString::create
1203         https://bugs.webkit.org/show_bug.cgi?id=194471
1204
1205         Reviewed by Mark Lam.
1206
1207         Use jsString() here because JSString::create is a rather low-level API and it requires some invariants such as "length is not zero".
1208
1209         * runtime/CachedTypes.cpp:
1210         (JSC::CachedJSValue::decode const):
1211
1212 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1213
1214         [JSC] Increase StructureIDTable initial capacity
1215         https://bugs.webkit.org/show_bug.cgi?id=194468
1216
1217         Reviewed by Mark Lam.
1218
1219         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
1220         the JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1221         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1222         more memory dirty. We also remove some structures that are no longer used.
1223
1224         * runtime/JSGlobalObject.h:
1225         (JSC::JSGlobalObject::callbackObjectStructure const):
1226         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1227         * runtime/StructureIDTable.h:
1228         * runtime/VM.h:
1229
1230 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1231
1232         [JSC] String.fromCharCode's slow path always generates 16bit string
1233         https://bugs.webkit.org/show_bug.cgi?id=194466
1234
1235         Reviewed by Keith Miller.
1236
1237         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
1238         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1239         and even worse, taints ropes as 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1240         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1241         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1242         as much as possible.
1243
1244         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1245
1246         * runtime/StringConstructor.cpp:
1247         (JSC::stringFromCharCode):
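
The 8-bit/16-bit decision this entry describes, as an added C++ example that is not JavaScriptCore's stringFromCharCode: `CompactString` and `fromCharCodes` are hypothetical names. The function applies the ToUint16 truncation that String.fromCharCode performs on each argument, then picks Latin-1 (8-bit) storage only when every resulting code unit is at most 0xFF, falling back to 16-bit storage otherwise.

```cpp
// Added example (not JavaScriptCore code): choose the narrowest string
// storage for a list of char codes instead of always producing 16-bit.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical representation: an 8-bit buffer when every code unit fits in
// Latin-1, otherwise a 16-bit buffer.
struct CompactString {
    bool is8Bit = true;
    std::vector<uint8_t> chars8;
    std::vector<uint16_t> chars16;

    size_t length() const { return is8Bit ? chars8.size() : chars16.size(); }
    uint16_t at(size_t i) const { return is8Bit ? chars8[i] : chars16[i]; }
    size_t storageBytes() const { return is8Bit ? chars8.size() : chars16.size() * 2; }
};

// Each argument is reduced to a 16-bit code unit (ToUint16, as the spec
// requires for String.fromCharCode); a first pass decides whether all of
// them fit in 8 bits, a second pass fills the chosen buffer.
CompactString fromCharCodes(const std::vector<uint32_t>& codes) {
    CompactString s;
    bool all8Bit = true;
    for (uint32_t c : codes) {
        if ((c & 0xFFFF) > 0xFF) {
            all8Bit = false;
            break;
        }
    }
    s.is8Bit = all8Bit;
    for (uint32_t c : codes) {
        uint16_t unit = uint16_t(c & 0xFFFF);
        if (all8Bit)
            s.chars8.push_back(uint8_t(unit));
        else
            s.chars16.push_back(unit);
    }
    return s;
}
```

The two-pass shape matters: the storage width has to be known before the first character is written, and a single code unit above 0xFF anywhere in the argument list forces the whole result (and any rope it is later concatenated into) to 16-bit.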
1248
1249 2019-02-08  Keith Miller  <keith_miller@apple.com>
1250
1251         We should only make rope strings when concatenating strings long enough.
1252         https://bugs.webkit.org/show_bug.cgi?id=194465
1253
1254         Reviewed by Saam Barati.
1255
1256         This patch stops us from allocating a rope string if the resulting
1257         rope would be smaller than the size of the JSRopeString object we
1258         would need to allocate.
1259
1260         This patch also adds paths so that we don't unnecessarily allocate
1261         JSString cells for primitives we are going to concatenate with a
1262         string anyway.
1263
1264         * dfg/DFGOperations.cpp:
1265         * runtime/CommonSlowPaths.cpp:
1266         (JSC::SLOW_PATH_DECL):
1267         * runtime/JSString.h:
1268         * runtime/Operations.cpp:
1269         (JSC::jsAddSlowCase):
1270         * runtime/Operations.h:
1271         (JSC::jsString):
1272         (JSC::jsAdd):
1273
1274 2019-02-08  Saam barati  <sbarati@apple.com>
1275
1276         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1277         https://bugs.webkit.org/show_bug.cgi?id=194334
1278         <rdar://problem/47844327>
1279
1280         Reviewed by Mark Lam.
1281
1282         * dfg/DFGAbstractInterpreterInlines.h:
1283         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1284         * dfg/DFGArgumentsEliminationPhase.cpp:
1285         * dfg/DFGByteCodeParser.cpp:
1286         (JSC::DFG::ByteCodeParser::parseBlock):
1287         * dfg/DFGClobberize.h:
1288         (JSC::DFG::clobberize):
1289         * dfg/DFGConstantFoldingPhase.cpp:
1290         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1291         * dfg/DFGFixupPhase.cpp:
1292         (JSC::DFG::FixupPhase::fixupNode):
1293         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1294         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1295         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1296         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1297         * dfg/DFGNodeType.h:
1298         * dfg/DFGSSALoweringPhase.cpp:
1299         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1300         * dfg/DFGSpeculativeJIT.cpp:
1301         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1302         * ftl/FTLLowerDFGToB3.cpp:
1303         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1304         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1305
1306 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1307
1308         [JSC] Shrink sizeof(CodeBlock) more
1309         https://bugs.webkit.org/show_bug.cgi?id=194419
1310
1311         Reviewed by Mark Lam.
1312
1313         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1314
1315         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1316         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1317         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1318
1319         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1320         And we do not touch it in CodeBlock::~CodeBlock.
1321
1322         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1323         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1324         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1325
1326         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1327
1328         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1329
1330         * bytecode/CodeBlock.cpp:
1331         (JSC::CodeBlock::hash const):
1332         (JSC::CodeBlock::sourceCodeForTools const):
1333         (JSC::CodeBlock::dumpAssumingJITType const):
1334         (JSC::CodeBlock::dumpSource):
1335         (JSC::CodeBlock::CodeBlock):
1336         (JSC::CodeBlock::finishCreation):
1337         (JSC::CodeBlock::propagateTransitions):
1338         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1339         (JSC::CodeBlock::setCalleeSaveRegisters):
1340         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1341         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1342         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1343         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1344         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1345         (JSC::CodeBlock::newReplacement):
1346         (JSC::CodeBlock::replacement):
1347         (JSC::CodeBlock::computeCapabilityLevel):
1348         (JSC::CodeBlock::jettison):
1349         (JSC::CodeBlock::calleeSaveRegisters const):
1350         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1351         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1352         (JSC::CodeBlock::getArrayProfile):
1353         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1354         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1355         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1356         (JSC::CodeBlock::validate):
1357         (JSC::CodeBlock::outOfLineJumpTarget):
1358         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1359         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1360         * bytecode/CodeBlock.h:
1361         (JSC::CodeBlock::specializationKind const):
1362         (JSC::CodeBlock::isStrictMode const):
1363         (JSC::CodeBlock::isConstructor const):
1364         (JSC::CodeBlock::codeType const):
1365         (JSC::CodeBlock::isKnownNotImmediate):
1366         (JSC::CodeBlock::instructions const):
1367         (JSC::CodeBlock::ownerExecutable const):
1368         (JSC::CodeBlock::thisRegister const):
1369         (JSC::CodeBlock::source const):
1370         (JSC::CodeBlock::sourceOffset const):
1371         (JSC::CodeBlock::firstLineColumnOffset const):
1372         (JSC::CodeBlock::createRareDataIfNecessary):
1373         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1374         (JSC::CodeBlock::setThisRegister): Deleted.
1375         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1376         * bytecode/EvalCodeBlock.h:
1377         * bytecode/FunctionCodeBlock.h:
1378         * bytecode/GlobalCodeBlock.h:
1379         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1380         * bytecode/ModuleProgramCodeBlock.h:
1381         * bytecode/ProgramCodeBlock.h:
1382         * debugger/Debugger.cpp:
1383         (JSC::Debugger::toggleBreakpoint):
1384         * debugger/DebuggerCallFrame.cpp:
1385         (JSC::DebuggerCallFrame::sourceID const):
1386         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1387         * debugger/DebuggerScope.cpp:
1388         (JSC::DebuggerScope::location const):
1389         * dfg/DFGByteCodeParser.cpp:
1390         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1391         (JSC::DFG::ByteCodeParser::inliningCost):
1392         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1393         * dfg/DFGCapabilities.cpp:
1394         (JSC::DFG::isSupportedForInlining):
1395         (JSC::DFG::mightCompileEval):
1396         (JSC::DFG::mightCompileProgram):
1397         (JSC::DFG::mightCompileFunctionForCall):
1398         (JSC::DFG::mightCompileFunctionForConstruct):
1399         (JSC::DFG::canUseOSRExitFuzzing):
1400         * dfg/DFGGraph.h:
1401         (JSC::DFG::Graph::executableFor):
1402         * dfg/DFGJITCompiler.cpp:
1403         (JSC::DFG::JITCompiler::compileFunction):
1404         * dfg/DFGOSREntry.cpp:
1405         (JSC::DFG::prepareOSREntry):
1406         * dfg/DFGOSRExit.cpp:
1407         (JSC::DFG::restoreCalleeSavesFor):
1408         (JSC::DFG::saveCalleeSavesFor):
1409         (JSC::DFG::saveOrCopyCalleeSavesFor):
1410         * dfg/DFGOSRExitCompilerCommon.cpp:
1411         (JSC::DFG::handleExitCounts):
1412         * dfg/DFGOperations.cpp:
1413         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1414         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1415         * ftl/FTLCapabilities.cpp:
1416         (JSC::FTL::canCompile):
1417         * ftl/FTLLink.cpp:
1418         (JSC::FTL::link):
1419         * ftl/FTLOSRExitCompiler.cpp:
1420         (JSC::FTL::compileStub):
1421         * interpreter/CallFrame.cpp:
1422         (JSC::CallFrame::callerSourceOrigin):
1423         * interpreter/Interpreter.cpp:
1424         (JSC::eval):
1425         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1426         * interpreter/StackVisitor.cpp:
1427         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1428         (JSC::StackVisitor::Frame::sourceURL const):
1429         (JSC::StackVisitor::Frame::sourceID):
1430         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1431         * interpreter/StackVisitor.h:
1432         * jit/AssemblyHelpers.h:
1433         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1434         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1435         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1436         * jit/CallFrameShuffleData.cpp:
1437         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1438         * jit/JIT.cpp:
1439         (JSC::JIT::compileWithoutLinking):
1440         * jit/JITToDFGDeferredCompilationCallback.cpp:
1441         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1442         * jit/JITWorklist.cpp:
1443         (JSC::JITWorklist::Plan::finalize):
1444         (JSC::JITWorklist::compileNow):
1445         * jit/RegisterAtOffsetList.cpp:
1446         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1447         * jit/RegisterAtOffsetList.h:
1448         (JSC::RegisterAtOffsetList::at const):
1449         * runtime/ErrorInstance.cpp:
1450         (JSC::appendSourceToError):
1451         * runtime/ScriptExecutable.cpp:
1452         (JSC::ScriptExecutable::newCodeBlockFor):
1453         * runtime/StackFrame.cpp:
1454         (JSC::StackFrame::sourceID const):
1455         (JSC::StackFrame::sourceURL const):
1456         (JSC::StackFrame::computeLineAndColumn const):
1457
1458 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1459
1460         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1461         https://bugs.webkit.org/show_bug.cgi?id=194460
1462
1463         Reviewed by Mark Lam.
1464
1465         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1466
1467         * b3/B3LowerMacros.cpp:
1468
1469 2019-02-08  Mark Lam  <mark.lam@apple.com>
1470
1471         Use maxSingleCharacterString in comparisons instead of literal constants.
1472         https://bugs.webkit.org/show_bug.cgi?id=194452
1473
1474         Reviewed by Yusuke Suzuki.
1475
1476         This way, if we ever change maxSingleCharacterString, it won't break all this code
1477         that relies on it being 0xff implicitly.
1478
1479         * dfg/DFGSpeculativeJIT.cpp:
1480         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1481         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1482         * ftl/FTLLowerDFGToB3.cpp:
1483         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1484         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1485         * jit/ThunkGenerators.cpp:
1486         (JSC::stringGetByValGenerator):
1487         (JSC::charToString):
1488
1489 2019-02-08  Mark Lam  <mark.lam@apple.com>
1490
1491         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1492         https://bugs.webkit.org/show_bug.cgi?id=194446
1493         <rdar://problem/47926792>
1494
1495         Reviewed by Saam Barati.
1496
1497         Fix doesGC() for the following nodes:
1498
1499             CheckTierUpAtReturn:
1500                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1501                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1502
1503             CheckTierUpInLoop:
1504                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1505                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1506
1507             CheckTierUpAndOSREnter:
1508                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1509                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1510
1511             GetByVal:
1512                 case Array::String calls operationSingleCharacterString(), which calls
1513                 jsSingleCharacterString(), which can allocate a string.
1514
1515             PutByValDirect:
1516             PutByVal:
1517             PutByValAlias:
1518                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1519                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1520                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1521                 slow paths call putByValInternal(), which may create exception objects, or
1522                 call the generic JSValue::put() which may execute arbitrary code.
1523
1524             StringCharAt:
1525                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1526                 which can allocate a string.
1527
1528         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1529         to use the maxSingleCharacterString constant instead of a literal constant.
1530
1531         * dfg/DFGDoesGC.cpp:
1532         (JSC::DFG::doesGC):
1533         * dfg/DFGSpeculativeJIT.cpp:
1534         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1535         * dfg/DFGSpeculativeJIT64.cpp:
1536         (JSC::DFG::SpeculativeJIT::compile):
1537         * ftl/FTLLowerDFGToB3.cpp:
1538         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1539         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1540         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1541
1542 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1543
1544         [JSC] SourceProviderCacheItem should be small
1545         https://bugs.webkit.org/show_bug.cgi?id=194432
1546
1547         Reviewed by Saam Barati.
1548
1549         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1550         While they are removed when a full GC happens, it significantly increases the peak memory usage.
1551         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1552
1553         * parser/Parser.cpp:
1554         (JSC::Parser<LexerType>::parseFunctionInfo):
1555         * parser/ParserModes.h:
1556         * parser/ParserTokens.h:
1557         * parser/SourceProviderCacheItem.h:
1558         (JSC::SourceProviderCacheItem::endFunctionToken const):
1559         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1560
1561 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1562
1563         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1564         https://bugs.webkit.org/show_bug.cgi?id=194420
1565
1566         Reviewed by Saam Barati.
1567
1568         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1569         But I introduced two bugs: one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1570         This trivial patch fixes both.
1571
1572         * b3/B3ReduceStrength.cpp:
1573         * b3/testb3.cpp:
1574         (JSC::B3::testAbsNegArg):
1575
1576 2019-02-07  Keith Miller  <keith_miller@apple.com>
1577
1578         Better error messages for module loader SPI
1579         https://bugs.webkit.org/show_bug.cgi?id=194421
1580
1581         Reviewed by Saam Barati.
1582
1583         * API/JSAPIGlobalObject.mm:
1584         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1585
1586 2019-02-07  Mark Lam  <mark.lam@apple.com>
1587
1588         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1589         https://bugs.webkit.org/show_bug.cgi?id=194399
1590         <rdar://problem/47889777>
1591
1592         Reviewed by Yusuke Suzuki.
1593
1594         Fix doesGC() for the following nodes:
1595
1596             CheckTraps:
1597                 We normally will not emit this node because Options::usePollingTraps() is
1598                 false by default.  However, as it is implemented now, CheckTraps can GC
1599                 because it can allocate a TerminatedExecutionException.  If we make the
1600                 TerminatedExecutionException a singleton allocated at initialization time,
1601                 doesGC() can return false for CheckTraps.
1602                 https://bugs.webkit.org/show_bug.cgi?id=194323
1603
1604             GetMapBucket:
1605                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1606                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1607                 can resolve a rope.
1608
1609             Switch:
1610                 If switchData kind is SwitchChar, can call operationResolveRope().
1611                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1612                     can call operationSwitchString() which resolves ropes.
1613
1614             DirectTailCall:
1615             ForceOSRExit:
1616             Return:
1617             TailCallForwardVarargs:
1618             TailCallVarargs:
1619             Throw:
1620                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1621                 for them, but following our conservative practice, unless we have a good
1622                 reason for doesGC() to return false, we should just return true.
1623
1624         * dfg/DFGDoesGC.cpp:
1625         (JSC::DFG::doesGC):
1626
1627 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1628
1629         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1630         https://bugs.webkit.org/show_bug.cgi?id=194250
1631
1632         Reviewed by Saam Barati.
1633
1634         Adds the following optimizations for integers:
1635         - Sub(x, x) => 0
1636             Already covered by the test testSubArg
1637         - Sub(x1, Neg(x2)) => Add (x1, x2)
1638             Added test: testSubNeg
1639         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1640             Added test: testNegSub
1641         - Add(Neg(x1), x2) => Sub(x2, x1)
1642             Added test: testAddNeg1
1643         - Add(x1, Neg(x2)) => Sub(x1, x2)
1644             Added test: testAddNeg2
1645         Adds the following optimization for floating point values:
1646         - Abs(Neg(x)) => Abs(x)
1647             Added test: testAbsNegArg
1648             Adds the following optimization:
1649
1650         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1651
1652         * b3/B3ReduceStrength.cpp:
1653         * b3/testb3.cpp:
1654         (JSC::B3::testAddNeg1):
1655         (JSC::B3::testAddNeg2):
1656         (JSC::B3::testSubNeg):
1657         (JSC::B3::testNegSub):
1658         (JSC::B3::testAbsAbsArg):
1659         (JSC::B3::testAbsNegArg):
1660         (JSC::B3::run):
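
        The peephole rules listed in this entry and the Abs(Neg(x)) => Abs(x) fix in the 2019-02-07 entry above, as an added example that is not JavaScriptCore's B3ReduceStrength code: a toy untyped expression tree (the names Op, Value, reduceOnce, reduce, dump, evaluate and checkRewrite are assumptions) whose evaluator checks that each rewrite keeps the value, which is exactly the check that exposes the mistaken Abs(Neg(x)) -> x rewrite on a negative input.

```cpp
// Added example, not JavaScriptCore's B3ReduceStrength: a toy untyped expression
// tree that applies the peephole rules from the ChangeLog entry and checks that each
// rewrite keeps the value. B3 guards the Add/Sub/Neg rules with isInteger(); this
// toy tree has no types, so it applies them unconditionally.
#include <cmath>
#include <memory>
#include <string>
#include <vector>

enum class Op { Const, Arg, Add, Sub, Neg, Abs };

struct Value {
    Op op; double constant = 0; int argIndex = 0;  // payloads for Const and Arg
    std::shared_ptr<Value> a, b;                   // children: Neg/Abs use a only, Add/Sub use both
};
using ValuePtr = std::shared_ptr<Value>;

static ValuePtr node(Op op, ValuePtr a = nullptr, ValuePtr b = nullptr) {
    auto v = std::make_shared<Value>();
    v->op = op; v->a = std::move(a); v->b = std::move(b);
    return v;
}
ValuePtr constant(double c) { auto v = node(Op::Const); v->constant = c; return v; }
ValuePtr arg(int i) { auto v = node(Op::Arg); v->argIndex = i; return v; }
ValuePtr add(ValuePtr x, ValuePtr y) { return node(Op::Add, std::move(x), std::move(y)); }
ValuePtr sub(ValuePtr x, ValuePtr y) { return node(Op::Sub, std::move(x), std::move(y)); }
ValuePtr neg(ValuePtr x) { return node(Op::Neg, std::move(x)); }
ValuePtr absVal(ValuePtr x) { return node(Op::Abs, std::move(x)); }

// Structural equality, enough to recognise Sub(x, x).
bool sameValue(const ValuePtr& x, const ValuePtr& y) {
    if (!x || !y) return x == y;
    if (x->op != y->op) return false;
    if (x->op == Op::Const) return x->constant == y->constant;
    if (x->op == Op::Arg) return x->argIndex == y->argIndex;
    return sameValue(x->a, y->a) && sameValue(x->b, y->b);
}

// One bottom-up pass: reduce the children first, then try the rules on this node.
ValuePtr reduceOnce(const ValuePtr& v, bool& changed) {
    if (!v) return v;
    ValuePtr a = reduceOnce(v->a, changed);
    ValuePtr b = reduceOnce(v->b, changed);
    switch (v->op) {
    case Op::Sub:
        if (sameValue(a, b)) { changed = true; return constant(0); }       // Sub(x, x) => 0
        if (b->op == Op::Neg) { changed = true; return add(a, b->a); }     // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (a->op == Op::Sub) { changed = true; return sub(a->b, a->a); }  // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (a->op == Op::Neg) { changed = true; return sub(b, a->a); }     // Add(Neg(x1), x2) => Sub(x2, x1)
        if (b->op == Op::Neg) { changed = true; return sub(a, b->a); }     // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (a->op == Op::Neg) { changed = true; return absVal(a->a); }     // Abs(Neg(x)) => Abs(x), not x
        break;
    default: break;
    }
    auto copy = std::make_shared<Value>(*v);  // same node, with reduced children
    copy->a = a; copy->b = b;
    return copy;
}

// Like B3's m_changed loop: run passes until one of them rewrites nothing.
ValuePtr reduce(ValuePtr v) {
    bool changed = true;
    while (changed) { changed = false; v = reduceOnce(v, changed); }
    return v;
}

double evaluate(const ValuePtr& v, const std::vector<double>& args) {
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return args.at(v->argIndex);
    case Op::Add: return evaluate(v->a, args) + evaluate(v->b, args);
    case Op::Sub: return evaluate(v->a, args) - evaluate(v->b, args);
    case Op::Neg: return -evaluate(v->a, args);
    case Op::Abs: return std::fabs(evaluate(v->a, args));
    }
    return 0;
}

std::string dump(const ValuePtr& v) {
    switch (v->op) {
    case Op::Const: return std::to_string(static_cast<long long>(v->constant));
    case Op::Arg: return "Arg" + std::to_string(v->argIndex);
    case Op::Add: return "Add(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Sub: return "Sub(" + dump(v->a) + ", " + dump(v->b) + ")";
    case Op::Neg: return "Neg(" + dump(v->a) + ")";
    case Op::Abs: return "Abs(" + dump(v->a) + ")";
    }
    return "?";
}

// Reduce, then require the expected shape and the same value as the original on
// constructed sample inputs (a negative Arg0 is what exposes Abs(Neg(x)) -> x).
bool checkRewrite(const ValuePtr& original, const std::string& expectedDump) {
    const std::vector<double> args = {-7, 3};
    ValuePtr reduced = reduce(original);
    return dump(reduced) == expectedDump && evaluate(reduced, args) == evaluate(original, args);
}
```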
1661
1662 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1663
1664         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1665         https://bugs.webkit.org/show_bug.cgi?id=194374
1666
1667         Reviewed by Geoffrey Garen.
1668
1669         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1670         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1671         is more memory efficient.
1672
1673         * runtime/SmallStrings.cpp:
1674         (JSC::SmallStringsStorage::SmallStringsStorage):
1675         (JSC::SmallStrings::SmallStrings):
1676         * runtime/SmallStrings.h:
1677
1678 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1679
1680         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1681         https://bugs.webkit.org/show_bug.cgi?id=194369
1682         <rdar://problem/47813087>
1683
1684         Reviewed by Saam Barati.
1685
1686         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1687         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in
1688         the constant folding phase.
1689
1690         * dfg/DFGAbstractInterpreterInlines.h:
1691         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1692
1693 2019-02-06  Devin Rousso  <drousso@apple.com>
1694
1695         Web Inspector: DOM: don't send the entire function string with each event listener
1696         https://bugs.webkit.org/show_bug.cgi?id=194293
1697         <rdar://problem/47822809>
1698
1699         Reviewed by Joseph Pecoraro.
1700
1701         * inspector/protocol/DOM.json:
1702
1703         * runtime/JSFunction.h:
1704         Export `calculatedDisplayName`.
1705
1706 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1707
1708         [JSC] PrivateName to PublicName hash table is wasteful
1709         https://bugs.webkit.org/show_bug.cgi?id=194277
1710
1711         Reviewed by Michael Saboff.
1712
1713         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1714         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1715         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1716         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1717
1718         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1719
1720         1. PrivateName's content should be the same as PublicName.
1721         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1722            the public name should be easily crafted from the given PrivateName.
1723
1724         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1725         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1726
1727         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1728         WebCore.
1729
1730         * builtins/BuiltinNames.cpp:
1731         (JSC::BuiltinNames::BuiltinNames):
1732         * builtins/BuiltinNames.h:
1733         (JSC::BuiltinNames::lookUpPrivateName const):
1734         (JSC::BuiltinNames::getPublicName const):
1735         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1736         (JSC::BuiltinNames::appendExternalName):
1737         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1738         * builtins/BuiltinUtils.h:
1739         * bytecode/BytecodeDumper.cpp:
1740         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1741         * bytecompiler/NodesCodegen.cpp:
1742         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1743         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1744         * parser/Lexer.cpp:
1745         (JSC::Lexer<LChar>::parseIdentifier):
1746         (JSC::Lexer<UChar>::parseIdentifier):
1747         * parser/Parser.cpp:
1748         (JSC::Parser<LexerType>::createGeneratorParameters):
1749         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1750         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1751         (JSC::Parser<LexerType>::parseClassDeclaration):
1752         (JSC::Parser<LexerType>::parseExportDeclaration):
1753         (JSC::Parser<LexerType>::parseMemberExpression):
1754         * parser/ParserArena.h:
1755         (JSC::IdentifierArena::makeIdentifier):
1756         * runtime/CachedTypes.cpp:
1757         (JSC::CachedUniquedStringImpl::encode):
1758         (JSC::CachedUniquedStringImpl::decode const):
1759         * runtime/CommonIdentifiers.cpp:
1760         (JSC::CommonIdentifiers::CommonIdentifiers):
1761         (JSC::CommonIdentifiers::lookUpPrivateName const):
1762         (JSC::CommonIdentifiers::getPublicName const):
1763         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1764         * runtime/CommonIdentifiers.h:
1765         * runtime/ExceptionHelpers.cpp:
1766         (JSC::createUndefinedVariableError):
1767         * runtime/Identifier.cpp:
1768         (JSC::Identifier::dump const):
1769         * runtime/Identifier.h:
1770         * runtime/IdentifierInlines.h:
1771         (JSC::Identifier::fromUid):
1772         * runtime/JSTypedArrayViewPrototype.cpp:
1773         (JSC::JSTypedArrayViewPrototype::finishCreation):
1774         * tools/JSDollarVM.cpp:
1775         (JSC::functionGetPrivateProperty):
1776
1777 2019-02-06  Keith Rollin  <krollin@apple.com>
1778
1779         Really enable the automatic checking and regenerations of .xcfilelists during builds
1780         https://bugs.webkit.org/show_bug.cgi?id=194357
1781         <rdar://problem/47861231>
1782
1783         Reviewed by Chris Dumez.
1784
1785         Bug 194124 was supposed to enable the automatic checking and
1786         regenerating of .xcfilelist files during the build. While related
1787         changes were included in that patch, the change to actually enable the
1788         operation somehow was omitted. This patch actually enables the
1789         operation. The check-xcfilelist.sh scripts now check
1790         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1791         of the checking.
1792
1793         * Scripts/check-xcfilelists.sh:
1794
1795 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1796
1797         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1798         https://bugs.webkit.org/show_bug.cgi?id=194339
1799
1800         Reviewed by Michael Saboff.
1801
1802         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1803         They even have the same structure. This patch unifies the subspaces for them.
1804
1805         * runtime/DirectEvalExecutable.h:
1806         * runtime/EvalExecutable.h:
1807         (JSC::EvalExecutable::subspaceFor):
1808         * runtime/IndirectEvalExecutable.h:
1809         * runtime/VM.cpp:
1810         * runtime/VM.h:
1811         (JSC::VM::forEachScriptExecutableSpace):
1812
1813 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1814
1815         [JSC] NativeExecutable should be smaller
1816         https://bugs.webkit.org/show_bug.cgi?id=194331
1817
1818         Reviewed by Michael Saboff.
1819
1820         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1821         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1822         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1823         only takes one MarkedBlock for NativeExecutable.
1824
1825         To make NativeExecutable smaller,
1826
1827         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1828            they are not touched by the JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1829
1830         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1831            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1832            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1833
1834         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1835            Intrinsic for NativeExecutable.
1836
1837         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1838
1839         * CMakeLists.txt:
1840         * JavaScriptCore.xcodeproj/project.pbxproj:
1841         * bytecode/CallVariant.h:
1842         * interpreter/Interpreter.cpp:
1843         * jit/JITCode.cpp:
1844         (JSC::DirectJITCode::DirectJITCode):
1845         (JSC::NativeJITCode::NativeJITCode):
1846         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1847         * jit/JITCode.h:
1848         (JSC::JITCode::signature const):
1849         (JSC::JITCode::intrinsic):
1850         * jit/JITOperations.cpp:
1851         * jit/JITThunks.cpp:
1852         (JSC::JITThunks::hostFunctionStub):
1853         * jit/Repatch.cpp:
1854         * llint/LLIntSlowPaths.cpp:
1855         * runtime/ExecutableBase.cpp:
1856         (JSC::ExecutableBase::dump const):
1857         (JSC::ExecutableBase::hashFor const):
1858         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1859         (JSC::ExecutableBase::clearCode): Deleted.
1860         * runtime/ExecutableBase.h:
1861         (JSC::ExecutableBase::ExecutableBase):
1862         (JSC::ExecutableBase::isModuleProgramExecutable):
1863         (JSC::ExecutableBase::isHostFunction const):
1864         (JSC::ExecutableBase::generatedJITCodeForCall const):
1865         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1866         (JSC::ExecutableBase::generatedJITCodeFor const):
1867         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1868         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1869         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1870         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1871         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1872         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1873         (JSC::ExecutableBase::intrinsic const): Deleted.
1874         * runtime/ExecutableBaseInlines.h: Added.
1875         (JSC::ExecutableBase::intrinsic const):
1876         (JSC::ExecutableBase::hasJITCodeForCall const):
1877         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1878         * runtime/JSBoundFunction.cpp:
1879         * runtime/JSType.cpp:
1880         (WTF::printInternal):
1881         * runtime/JSType.h:
1882         * runtime/NativeExecutable.cpp:
1883         (JSC::NativeExecutable::create):
1884         (JSC::NativeExecutable::createStructure):
1885         (JSC::NativeExecutable::NativeExecutable):
1886         (JSC::NativeExecutable::signatureFor const):
1887         (JSC::NativeExecutable::intrinsic const):
1888         * runtime/NativeExecutable.h:
1889         * runtime/ScriptExecutable.cpp:
1890         (JSC::ScriptExecutable::ScriptExecutable):
1891         (JSC::ScriptExecutable::clearCode):
1892         (JSC::ScriptExecutable::installCode):
1893         (JSC::ScriptExecutable::hasClearableCode const):
1894         * runtime/ScriptExecutable.h:
1895         (JSC::ScriptExecutable::intrinsic const):
1896         (JSC::ScriptExecutable::hasJITCodeForCall const):
1897         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1898         * runtime/VM.cpp:
1899         (JSC::VM::getHostFunction):
1900
1901 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1902
1903         Build failure after r240431
1904         https://bugs.webkit.org/show_bug.cgi?id=194330
1905
1906         Reviewed by Žan Doberšek.
1907
1908         * API/glib/JSCOptions.cpp:
1909
1910 2019-02-05  Mark Lam  <mark.lam@apple.com>
1911
1912         Fix DFG's doesGC() for a few more nodes.
1913         https://bugs.webkit.org/show_bug.cgi?id=194307
1914         <rdar://problem/47832956>
1915
1916         Reviewed by Yusuke Suzuki.
1917
1918         Fix doesGC() for the following nodes:
1919
1920             NumberToStringWithValidRadixConstant:
1921                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1922                 which can allocate a string.
1923                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1924                 which can allocate a string.
1925                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1926                 which can allocate a string.
1927
1928             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1929                 memory for all kinds of objects.
1930             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1931                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1932                 these allocate memory for the match result.
1933             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1934                 calls RegExpObject's collectMatches(), which allocates an array amongst
1935                 other objects.
1936
1937             StringFromCharCode:
1938                 If the uint32 code to convert is greater than maxSingleCharacterString,
1939                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1940                 which allocates a new string if the code is greater than maxSingleCharacterString.
1941
1942         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1943         to use maxSingleCharacterString instead of a literal constant.
1944
1945         * dfg/DFGDoesGC.cpp:
1946         (JSC::DFG::doesGC):
1947         * dfg/DFGSpeculativeJIT.cpp:
1948         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1949         * ftl/FTLLowerDFGToB3.cpp:
1950         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1951
1952 2019-02-05  Keith Rollin  <krollin@apple.com>
1953
1954         Enable the automatic checking and regenerations of .xcfilelists during builds
1955         https://bugs.webkit.org/show_bug.cgi?id=194124
1956         <rdar://problem/47721277>
1957
1958         Reviewed by Tim Horton.
1959
1960         Bug 193790 added a facility for checking -- during build time -- that
1961         any needed .xcfilelist files are up-to-date and for updating them if
1962         they are not. This facility was initially opt-in by setting
1963         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1964         the process seemed robust. It's now time to enable this facility and
1965         make it opt-out. If there is a need to disable this facility, set and
1966         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1967         running `make` or `build-webkit`, or before running Xcode from the
1968         command line.
1969
1970         Additionally, remove the step that generates a list of source files
1971         going into the UnifiedSources build step. It's only necessary to
1972         specify Sources.txt and SourcesCocoa.txt as inputs.
1973
1974         * JavaScriptCore.xcodeproj/project.pbxproj:
1975         * UnifiedSources-input.xcfilelist: Removed.
1976
1977 2019-02-05  Keith Rollin  <krollin@apple.com>
1978
1979         Update .xcfilelist files
1980         https://bugs.webkit.org/show_bug.cgi?id=194121
1981         <rdar://problem/47720863>
1982
1983         Reviewed by Tim Horton.
1984
1985         Preparatory to enabling the facility for automatically updating the
1986         .xcfilelist files, check in a freshly-updated set so that not everyone
1987         runs up against having to regenerate them themselves.
1988
1989         * DerivedSources-input.xcfilelist:
1990         * DerivedSources-output.xcfilelist:
1991
1992 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1993
1994         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1995         https://bugs.webkit.org/show_bug.cgi?id=185557
1996
1997         Reviewed by Mark Lam.
1998
1999         Since field nesting depth is minimal, this algorithm should be effectively O(n),
2000         where n is the number of characters in the formatted string.
2001         It may be less memory efficient than the previous impl, since the intermediate Vector
2002         is the length of the string, instead of the count of the fields.
2003
2004         * runtime/IntlNumberFormat.cpp:
2005         (JSC::IntlNumberFormat::formatToParts):
2006         * runtime/IntlNumberFormat.h:
2007
2008 2019-02-05  Mark Lam  <mark.lam@apple.com>
2009
2010         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
2011         https://bugs.webkit.org/show_bug.cgi?id=194298
2012         <rdar://problem/47827555>
2013
2014         Reviewed by Saam Barati.
2015
2016         We do this for 3 reasons:
2017         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2018         2. If things change in the future where clobberize() no longer reports these nodes
2019            as write(Heap), each node should be vetted first to make sure that it can never
2020            GC before being moved back to the doesGC() list that returns false.
2021         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2022            correct in its claims about the nodes' GCing possibility.
2023
2024         The list of nodes moved are:
2025
2026             ArrayPush
2027             ArrayPop
2028             Call
2029             CallEval
2030             CallForwardVarargs
2031             CallVarargs
2032             Construct
2033             ConstructForwardVarargs
2034             ConstructVarargs
2035             DefineDataProperty
2036             DefineAccessorProperty
2037             DeleteById
2038             DeleteByVal
2039             DirectCall
2040             DirectConstruct
2041             DirectTailCallInlinedCaller
2042             GetById
2043             GetByIdDirect
2044             GetByIdDirectFlush
2045             GetByIdFlush
2046             GetByIdWithThis
2047             GetByValWithThis
2048             GetDirectPname
2049             GetDynamicVar
2050             HasGenericProperty
2051             HasOwnProperty
2052             HasStructureProperty
2053             InById
2054             InByVal
2055             InstanceOf
2056             InstanceOfCustom
2057             LoadVarargs
2058             NumberToStringWithRadix
2059             PutById
2060             PutByIdDirect
2061             PutByIdFlush
2062             PutByIdWithThis
2063             PutByOffset
2064             PutByValWithThis
2065             PutDynamicVar
2066             PutGetterById
2067             PutGetterByVal
2068             PutGetterSetterById
2069             PutSetterById
2070             PutSetterByVal
2071             PutStack
2072             PutToArguments
2073             RegExpExec
2074             RegExpTest
2075             ResolveScope
2076             ResolveScopeForHoistingFuncDeclInEval
2077             TailCall
2078             TailCallForwardVarargsInlinedCaller
2079             TailCallInlinedCaller
2080             TailCallVarargsInlinedCaller
2081             ToNumber
2082             ToPrimitive
2083             ValueNegate
2084
2085         * dfg/DFGDoesGC.cpp:
2086         (JSC::DFG::doesGC):
2087
2088 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2089
2090         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2091         https://bugs.webkit.org/show_bug.cgi?id=194281
2092
2093         Reviewed by Michael Saboff.
2094
2095         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2096         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2097
2098         We still have several chances to reduce sizeof(UnlinkedCodeBlock). Converting more Vectors to RefCountedArrays can be done with some restructuring
2099         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2100         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, so we leave them as future work.
2101
2102         * bytecode/CodeBlock.cpp:
2103         (JSC::CodeBlock::finishCreation):
2104         * bytecode/CodeBlock.h:
2105         (JSC::CodeBlock::bitVectors const): Deleted.
2106         * bytecode/CodeType.h:
2107         * bytecode/UnlinkedCodeBlock.cpp:
2108         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2109         (JSC::UnlinkedCodeBlock::shrinkToFit):
2110         * bytecode/UnlinkedCodeBlock.h:
2111         (JSC::UnlinkedCodeBlock::bitVector):
2112         (JSC::UnlinkedCodeBlock::addBitVector):
2113         (JSC::UnlinkedCodeBlock::addSetConstant):
2114         (JSC::UnlinkedCodeBlock::constantRegisters):
2115         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2116         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2117         (JSC::UnlinkedCodeBlock::codeType const):
2118         (JSC::UnlinkedCodeBlock::didOptimize const):
2119         (JSC::UnlinkedCodeBlock::setDidOptimize):
2120         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2121         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2122         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2123         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2124         * bytecompiler/BytecodeGenerator.cpp:
2125         (JSC::BytecodeGenerator::emitLoad):
2126         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2127         * bytecompiler/BytecodeGenerator.h:
2128         * runtime/CachedTypes.cpp:
2129         (JSC::CachedCodeBlockRareData::encode):
2130         (JSC::CachedCodeBlockRareData::decode const):
2131         (JSC::CachedCodeBlock::scopeRegister const):
2132         (JSC::CachedCodeBlock::codeType const):
2133         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2134         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2135         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2136         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2137
2138 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2139
2140         Unreviewed, add missing exception checks after r240637
2141         https://bugs.webkit.org/show_bug.cgi?id=193546
2142
2143         * tools/JSDollarVM.cpp:
2144         (JSC::functionShadowChickenFunctionsOnStack):
2145
2146 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2147
2148         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2149         https://bugs.webkit.org/show_bug.cgi?id=193993
2150
2151         Reviewed by Keith Miller.
2152
2153         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
2154         And some of them are rarely used. We should allocate them lazily.
2155
2156         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2157         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2158         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2159         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2160         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2161         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2162         by using WTF::storeStoreFence when lazily allocating it.
2163
2164         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2165         existence of the space before touching it. This is not racy because the main thread is stopped when
2166         the constraint solving is working.
2167
2168         This changes sizeof(VM) from 64736 to 56472.
2169
2170         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2171         `Subspace::initialize`. This is a really dangerous API since it easily causes a deadlock between the
2172         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2173         dynamically created ones since the pre-allocation requirement poses a scalability problem
2174         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2175         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2176         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2177
2178         * API/JSCallbackFunction.h:
2179         * API/ObjCCallbackFunction.h:
2180         (JSC::ObjCCallbackFunction::subspaceFor):
2181         * API/glib/JSCCallbackFunction.h:
2182         * CMakeLists.txt:
2183         * JavaScriptCore.xcodeproj/project.pbxproj:
2184         * bytecode/CodeBlock.cpp:
2185         (JSC::CodeBlock::visitChildren):
2186         (JSC::CodeBlock::finalizeUnconditionally):
2187         * bytecode/CodeBlock.h:
2188         * bytecode/EvalCodeBlock.h:
2189         * bytecode/ExecutableToCodeBlockEdge.h:
2190         * bytecode/FunctionCodeBlock.h:
2191         * bytecode/ModuleProgramCodeBlock.h:
2192         * bytecode/ProgramCodeBlock.h:
2193         * bytecode/UnlinkedFunctionExecutable.cpp:
2194         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2195         * bytecode/UnlinkedFunctionExecutable.h:
2196         * dfg/DFGSpeculativeJIT.cpp:
2197         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2198         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2199         (JSC::DFG::SpeculativeJIT::compileNewObject):
2200         * ftl/FTLLowerDFGToB3.cpp:
2201         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2202         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2203         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2204         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2205         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2206         * heap/Heap.cpp:
2207         (JSC::Heap::finalizeUnconditionalFinalizers):
2208         (JSC::Heap::deleteAllCodeBlocks):
2209         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2210         (JSC::Heap::addCoreConstraints):
2211         * heap/Subspace.cpp:
2212         (JSC::Subspace::initialize):
2213         * jit/AssemblyHelpers.h:
2214         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2215         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2216         * jit/JITOpcodes.cpp:
2217         (JSC::JIT::emit_op_new_object):
2218         * jit/JITOpcodes32_64.cpp:
2219         (JSC::JIT::emit_op_new_object):
2220         * runtime/DirectArguments.h:
2221         * runtime/DirectEvalExecutable.h:
2222         * runtime/ErrorInstance.h:
2223         (JSC::ErrorInstance::subspaceFor):
2224         * runtime/ExecutableBase.h:
2225         * runtime/FunctionExecutable.h:
2226         * runtime/IndirectEvalExecutable.h:
2227         * runtime/InferredValue.cpp:
2228         (JSC::InferredValue::visitChildren):
2229         * runtime/InferredValue.h:
2230         * runtime/InferredValueInlines.h:
2231         (JSC::InferredValue::finalizeUnconditionally):
2232         * runtime/InternalFunction.h:
2233         * runtime/JSAsyncFunction.h:
2234         * runtime/JSAsyncGeneratorFunction.h:
2235         * runtime/JSBoundFunction.h:
2236         * runtime/JSCell.h:
2237         (JSC::subspaceFor):
2238         (JSC::subspaceForConcurrently):
2239         * runtime/JSCellInlines.h:
2240         (JSC::allocatorForNonVirtualConcurrently):
2241         * runtime/JSCustomGetterSetterFunction.h:
2242         * runtime/JSDestructibleObject.h:
2243         * runtime/JSFunction.h:
2244         * runtime/JSGeneratorFunction.h:
2245         * runtime/JSImmutableButterfly.h:
2246         * runtime/JSLexicalEnvironment.h:
2247         (JSC::JSLexicalEnvironment::subspaceFor):
2248         * runtime/JSNativeStdFunction.h:
2249         * runtime/JSSegmentedVariableObject.h:
2250         * runtime/JSString.h:
2251         * runtime/ModuleProgramExecutable.h:
2252         * runtime/NativeExecutable.h:
2253         * runtime/ProgramExecutable.h:
2254         * runtime/PropertyMapHashTable.h:
2255         * runtime/ProxyRevoke.h:
2256         * runtime/ScopedArguments.h:
2257         * runtime/ScriptExecutable.cpp:
2258         (JSC::ScriptExecutable::clearCode):
2259         (JSC::ScriptExecutable::installCode):
2260         * runtime/Structure.h:
2261         * runtime/StructureRareData.h:
2262         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2263         * runtime/VM.cpp:
2264         (JSC::VM::VM):
2265         * runtime/VM.h:
2266         (JSC::VM::SpaceAndSet::SpaceAndSet):
2267         (JSC::VM::SpaceAndSet::setFor):
2268         (JSC::VM::forEachScriptExecutableSpace):
2269         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2270         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2271         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2272         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2273         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2274         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2275         * runtime/WeakMapImpl.h:
2276         (JSC::WeakMapImpl::subspaceFor):
2277         * wasm/js/JSWebAssemblyCodeBlock.h:
2278         * wasm/js/JSWebAssemblyMemory.h:
2279         * wasm/js/WebAssemblyFunction.h:
2280         * wasm/js/WebAssemblyWrapperFunction.h:
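
The lazy-allocation pattern this entry describes, as an added example that is not WebKit code: a large per-type space is embedded in the eager layout but only pointed to in the lazy one, the main-thread accessor builds it on first use and publishes the pointer with release semantics (the role WTF::storeStoreFence plays in the entry), and the concurrent accessor never allocates and may return nullptr. The names Space, EagerHolder, LazyHolder, ensureFooSpace and fooSpaceConcurrently are hypothetical, and the 504-byte padding only approximates the IsoSubspace size the entry quotes.

```cpp
// Added example (not WebKit code): lazily allocating a large per-type
// allocation space so that an object holding many such spaces stays small.
// Names (Space, EagerHolder, LazyHolder, ensureFooSpace, fooSpaceConcurrently)
// are hypothetical; the padding approximates the 504 B quoted for IsoSubspace.
#include <atomic>
#include <cstddef>
#include <cstdio>

struct Space {
    size_t cellSize;
    unsigned char bookkeeping[504 - sizeof(size_t)]; // stand-in for free lists, blocks, ...
    explicit Space(size_t size) : cellSize(size), bookkeeping{} {}
};

// Eager layout: every space is embedded, whether or not it is ever used.
struct EagerHolder {
    Space a{16}, b{32}, c{64};
};

// Lazy layout: one pointer per space; the space is built on first use.
class LazyHolder {
public:
    LazyHolder() = default;
    LazyHolder(const LazyHolder&) = delete;
    LazyHolder& operator=(const LazyHolder&) = delete;
    ~LazyHolder()
    {
        delete m_fooSpace.load(std::memory_order_relaxed);
        delete m_barSpace.load(std::memory_order_relaxed);
        delete m_bazSpace.load(std::memory_order_relaxed);
    }

    // Main-thread path (single writer by assumption). The pointer is stored
    // with release semantics so a reader that observes it also observes the
    // fully constructed Space; this is what the store-store fence guarantees.
    Space& ensureFooSpace()
    {
        if (Space* existing = m_fooSpace.load(std::memory_order_acquire))
            return *existing;
        Space* created = new Space(64);
        m_fooSpace.store(created, std::memory_order_release);
        return *created;
    }

    // Concurrent-tier path: never allocates. nullptr means "not created yet";
    // callers must treat that as "no cells of this type exist", not dereference it.
    Space* fooSpaceConcurrently() const
    {
        return m_fooSpace.load(std::memory_order_acquire);
    }

private:
    std::atomic<Space*> m_fooSpace{nullptr};
    std::atomic<Space*> m_barSpace{nullptr}; // further lazy spaces, untouched here
    std::atomic<Space*> m_bazSpace{nullptr};
};

size_t eagerSize() { return sizeof(EagerHolder); }
size_t lazySize() { return sizeof(LazyHolder); }

// Checks the observable contract: nullptr before first use, the same object
// from both accessors afterwards, and no second allocation on repeated calls.
bool lazyAllocationBehaves()
{
    LazyHolder holder;
    if (holder.fooSpaceConcurrently() != nullptr) return false;
    Space& space = holder.ensureFooSpace();
    if (holder.fooSpaceConcurrently() != &space) return false;
    if (&holder.ensureFooSpace() != &space) return false;
    return space.cellSize == 64;
}

int main()
{
    std::printf("eager: %zu bytes, lazy: %zu bytes, contract ok: %d\n",
        eagerSize(), lazySize(), lazyAllocationBehaves());
    return 0;
}
```

With three spaces the eager holder is 3 × 504 bytes while the lazy one is three pointers; applied across the many IsoSubspaces in VM this is where the 64736 → 56472 reduction in the entry comes from. The single-writer assumption matters: if ensureFooSpace could run on two threads, the check-then-allocate would need a lock or a compare-exchange.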
2281
2282 2019-02-04  Keith Miller  <keith_miller@apple.com>
2283
2284         Change llint operand macros to inline functions
2285         https://bugs.webkit.org/show_bug.cgi?id=194248
2286
2287         Reviewed by Mark Lam.
2288
2289         * llint/LLIntSlowPaths.cpp:
2290         (JSC::LLInt::getNonConstantOperand):
2291         (JSC::LLInt::getOperand):
2292         (JSC::LLInt::llint_trace_value):
2293         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2294         (JSC::LLInt::getByVal):
2295         (JSC::LLInt::genericCall):
2296         (JSC::LLInt::varargsSetup):
2297         (JSC::LLInt::commonCallEval):
2298
2299 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2300
2301         when lowering AssertNotEmpty, create the value before creating the patchpoint
2302         https://bugs.webkit.org/show_bug.cgi?id=194231
2303
2304         Reviewed by Saam Barati.
2305
2306         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2307         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2308
2309         * ftl/FTLLowerDFGToB3.cpp:
2310         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2311
2312 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2313
2314         [JSC] ExecutableToCodeBlockEdge should be smaller
2315         https://bugs.webkit.org/show_bug.cgi?id=194244
2316
2317         Reviewed by Michael Saboff.
2318
2319         ExecutableToCodeBlockEdge is allocated so many times. However its memory layout is not efficient.
2320         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2321         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2322         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2323
2324         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2325         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2326         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2327
2328         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2329         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2330         does not touch it if it is called in non-main threads).
2331
2332         * bytecode/ExecutableToCodeBlockEdge.cpp:
2333         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2334         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2335         (JSC::ExecutableToCodeBlockEdge::activate):
2336         (JSC::ExecutableToCodeBlockEdge::deactivate):
2337         (JSC::ExecutableToCodeBlockEdge::isActive const):
2338         * bytecode/ExecutableToCodeBlockEdge.h:
2339         * runtime/JSCell.h:
2340         * runtime/JSCellInlines.h:
2341         (JSC::JSCell::perCellBit const):
2342         (JSC::JSCell::setPerCellBit):
2343         (JSC::JSCell::mayBePrototype const): Deleted.
2344         (JSC::JSCell::didBecomePrototype): Deleted.
2345         * runtime/JSObject.cpp:
2346         (JSC::JSObject::setPrototypeDirect):
2347         * runtime/JSObject.h:
2348         * runtime/JSObjectInlines.h:
2349         (JSC::JSObject::mayBePrototype const):
2350         (JSC::JSObject::didBecomePrototype):
2351         * runtime/JSTypeInfo.h:
2352         (JSC::TypeInfo::perCellBit):
2353         (JSC::TypeInfo::mergeInlineTypeFlags):
2354         (JSC::TypeInfo::mayBePrototype): Deleted.
2355
2356 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2357
2358         [JSC] Shrink size of FunctionExecutable
2359         https://bugs.webkit.org/show_bug.cgi?id=194191
2360
2361         Reviewed by Michael Saboff.
2362
2363         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2364         improves the allocation efficiency.
2365
2366         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2367            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2368
2369         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2370            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2371            the size of FunctionExecutable in the common case.
2372
2373         This patch changes the size of FunctionExecutable from 176 to 144.
2374
2375         * bytecode/CodeBlock.cpp:
2376         (JSC::CodeBlock::dumpSource):
2377         (JSC::CodeBlock::finishCreation):
2378         * dfg/DFGNode.h:
2379         (JSC::DFG::Node::OpInfoWrapper::as const):
2380         * interpreter/StackVisitor.cpp:
2381         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2382         * runtime/ExecutableBase.h:
2383         * runtime/FunctionExecutable.cpp:
2384         (JSC::FunctionExecutable::FunctionExecutable):
2385         (JSC::FunctionExecutable::ensureRareDataSlow):
2386         * runtime/FunctionExecutable.h:
2387         * runtime/Intrinsic.h:
2388         * runtime/ModuleProgramExecutable.cpp:
2389         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2390         * runtime/ProgramExecutable.cpp:
2391         (JSC::ProgramExecutable::ProgramExecutable):
2392         * runtime/ScriptExecutable.cpp:
2393         (JSC::ScriptExecutable::ScriptExecutable):
2394         (JSC::ScriptExecutable::overrideLineNumber const):
2395         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2396         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2397         * runtime/ScriptExecutable.h:
2398         (JSC::ScriptExecutable::firstLine const):
2399         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2400         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2401         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2402         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2403         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2404         * runtime/StackFrame.cpp:
2405         (JSC::StackFrame::computeLineAndColumn const):
2406         * tools/JSDollarVM.cpp:
2407         (JSC::functionReturnTypeFor):
2408
2409 2019-02-04  Mark Lam  <mark.lam@apple.com>
2410
2411         DFG's doesGC() is incorrect about the SameValue node's behavior.
2412         https://bugs.webkit.org/show_bug.cgi?id=194211
2413         <rdar://problem/47608913>
2414
2415         Reviewed by Saam Barati.
2416
2417         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2418         it calls operationSameValue() which may allocate memory for resolving ropes.
2419
2420         * dfg/DFGDoesGC.cpp:
2421         (JSC::DFG::doesGC):
2422
2423 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2424
2425         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2426         https://bugs.webkit.org/show_bug.cgi?id=194031
2427
2428         Reviewed by Saam Barati.
2429
2430         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2431         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2432         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2433         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2434
2435         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2436         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2437
2438         * bytecode/MetadataTable.cpp:
2439         (JSC::MetadataTable::MetadataTable):
2440         (JSC::MetadataTable::~MetadataTable):
2441         * bytecode/UnlinkedCodeBlock.cpp:
2442         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2443         (JSC::UnlinkedCodeBlock::visitChildren):
2444         (JSC::UnlinkedCodeBlock::estimatedSize):
2445         (JSC::UnlinkedCodeBlock::setInstructions):
2446         * bytecode/UnlinkedCodeBlock.h:
2447         (JSC::UnlinkedCodeBlock::metadata):
2448         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2449         * bytecode/UnlinkedMetadataTable.h:
2450         (JSC::UnlinkedMetadataTable::create):
2451         * bytecode/UnlinkedMetadataTableInlines.h:
2452         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2453         * runtime/CachedTypes.cpp:
2454         (JSC::CachedMetadataTable::decode const):
2455         (JSC::CachedCodeBlock::metadata const):
2456         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2457         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2458         (JSC::CachedCodeBlock<CodeBlockType>::encode):
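
The lifetime fix this entry describes, as an added example that is not WebKit code: the linked table holds a strong reference to the unlinked table it was created from, so the unlinked table stays alive until the last linked table releases it, whichever owning object the sweeper finalizes first. std::shared_ptr stands in for WTF's RefCounted, the class names mirror the entry, and the bodies, offsets and the destruction counter are constructed for the demonstration.

```cpp
// Added example (not WebKit code): a dependent table keeps a strong reference
// to the table it was linked against, so the destruction order of the two
// owning objects no longer matters. std::shared_ptr stands in for WTF's
// RefCounted; class names mirror the entry, bodies and values are constructed.
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

static int g_unlinkedDestroyed = 0; // observation counter for the demonstration

struct UnlinkedMetadataTable {
    // Per-opcode offsets the linked table needs both to allocate and to tear down.
    std::vector<unsigned> offsets{0, 8, 24, 32};
    ~UnlinkedMetadataTable() { ++g_unlinkedDestroyed; }
};

struct MetadataTable {
    std::shared_ptr<UnlinkedMetadataTable> unlinked; // strong ref: the fix
    std::vector<unsigned char> buffer;

    explicit MetadataTable(std::shared_ptr<UnlinkedMetadataTable> u)
        : unlinked(std::move(u)), buffer(unlinked->offsets.back()) {}

    // Teardown consults the unlinked table. With the strong ref this is always
    // a live object; without it, this read would be a use-after-free whenever
    // the unlinked owner happened to be swept first.
    ~MetadataTable() { lastOffsetSeenAtTeardown = unlinked->offsets.back(); }

    static unsigned lastOffsetSeenAtTeardown;
};
unsigned MetadataTable::lastOffsetSeenAtTeardown = 0;

struct UnlinkedCodeBlock {
    std::shared_ptr<UnlinkedMetadataTable> metadata = std::make_shared<UnlinkedMetadataTable>();
};

struct CodeBlock {
    std::unique_ptr<MetadataTable> metadata;
};

// Destroys the unlinked block before the linked ones, the order the GC does
// not rule out. Returns true when the unlinked table survived until the last
// linked table released it and its data was still readable at teardown.
bool unlinkedTableOutlivesLinkedTables()
{
    g_unlinkedDestroyed = 0;
    auto unlinkedBlock = std::make_unique<UnlinkedCodeBlock>();
    auto linkedA = std::make_unique<CodeBlock>();
    auto linkedB = std::make_unique<CodeBlock>();
    linkedA->metadata = std::make_unique<MetadataTable>(unlinkedBlock->metadata);
    linkedB->metadata = std::make_unique<MetadataTable>(unlinkedBlock->metadata);

    unlinkedBlock.reset();                        // owner swept first...
    if (g_unlinkedDestroyed != 0) return false;   // ...but the table is still alive
    linkedA.reset();
    if (g_unlinkedDestroyed != 0) return false;   // one linked table still holds it
    linkedB.reset();                              // last holder gone: now it is freed
    return g_unlinkedDestroyed == 1 && MetadataTable::lastOffsetSeenAtTeardown == 32;
}

int main()
{
    std::printf("unlinked table outlives linked tables: %d\n", unlinkedTableOutlivesLinkedTables());
    return 0;
}
```

The general rule the example exercises: when a finalizer reads through a pointer to another finalizable object, that pointer must be an owning reference, because a sweeping collector gives no ordering guarantee between the two finalizers.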
2459
2460 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2461
2462         [JSC] Decouple JIT related data from CodeBlock
2463         https://bugs.webkit.org/show_bug.cgi?id=194187
2464
2465         Reviewed by Saam Barati.
2466
2467         CodeBlock holds a bunch of data which is only used after JIT starts compiling it.
2468         We have three types of data in CodeBlock.
2469
2470         1. The data which is always used. CodeBlock needs to hold it.
2471         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2472         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2473
2474         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2475         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2476         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2477         in both non-JIT and *JIT* modes.
2478
2479         JITData is created only when the JIT compiler wants to use it. It can be concurrently created and used, so it is guarded
2480         by the lock of CodeBlock.
2481
2482         The size of CodeBlock is reduced from 512 to 352.
2483
2484         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2485
2486             Footprint geomean: 36696503 (34.997 MB)
2487             Peak Footprint geomean: 38595988 (36.808 MB)
2488             Score: 37634263 (35.891 MB)
2489
2490             Footprint geomean: 37172768 (35.451 MB)
2491             Peak Footprint geomean: 38978288 (37.173 MB)
2492             Score: 38064824 (36.301 MB)
2493
2494         * bytecode/CodeBlock.cpp:
2495         (JSC::CodeBlock::~CodeBlock):
2496         (JSC::CodeBlock::propagateTransitions):
2497         (JSC::CodeBlock::ensureJITDataSlow):
2498         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2499         (JSC::CodeBlock::getICStatusMap):
2500         (JSC::CodeBlock::addStubInfo):
2501         (JSC::CodeBlock::addJITAddIC):
2502         (JSC::CodeBlock::addJITMulIC):
2503         (JSC::CodeBlock::addJITSubIC):
2504         (JSC::CodeBlock::addJITNegIC):
2505         (JSC::CodeBlock::findStubInfo):
2506         (JSC::CodeBlock::addByValInfo):
2507         (JSC::CodeBlock::addCallLinkInfo):
2508         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2509         (JSC::CodeBlock::addRareCaseProfile):
2510         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2511         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2512         (JSC::CodeBlock::resetJITData):
2513         (JSC::CodeBlock::stronglyVisitStrongReferences):
2514         (JSC::CodeBlock::shrinkToFit):
2515         (JSC::CodeBlock::linkIncomingCall):
2516         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2517         (JSC::CodeBlock::unlinkIncomingCalls):
2518         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2519         (JSC::CodeBlock::dumpValueProfiles):
2520         (JSC::CodeBlock::setPCToCodeOriginMap):
2521         (JSC::CodeBlock::findPC):
2522         (JSC::CodeBlock::dumpMathICStats):
2523         * bytecode/CodeBlock.h:
2524         (JSC::CodeBlock::ensureJITData):
2525         (JSC::CodeBlock::setJITCodeMap):
2526         (JSC::CodeBlock::jitCodeMap):
2527         (JSC::CodeBlock::likelyToTakeSlowCase):
2528         (JSC::CodeBlock::couldTakeSlowCase):
2529         (JSC::CodeBlock::lazyOperandValueProfiles):
2530         (JSC::CodeBlock::stubInfoBegin): Deleted.
2531         (JSC::CodeBlock::stubInfoEnd): Deleted.
2532         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2533         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2534         (JSC::CodeBlock::jitCodeMap const): Deleted.
2535         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2536         * bytecode/MethodOfGettingAValueProfile.cpp:
2537         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2538         (JSC::MethodOfGettingAValueProfile::reportValue):
2539         * dfg/DFGByteCodeParser.cpp:
2540         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2541         * jit/JIT.h:
2542         * jit/JITOperations.cpp:
2543         (JSC::tryGetByValOptimize):
2544         * jit/JITPropertyAccess.cpp:
2545         (JSC::JIT::privateCompileGetByVal):
2546         (JSC::JIT::privateCompilePutByVal):
2547
2548 2018-12-16  Darin Adler  <darin@apple.com>
2549
2550         Convert additional String::format clients to alternative approaches
2551         https://bugs.webkit.org/show_bug.cgi?id=192746
2552
2553         Reviewed by Alexey Proskuryakov.
2554
2555         * inspector/agents/InspectorConsoleAgent.cpp:
2556         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2557         and FormattedNumber::fixedWidth.
2558
2559 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2560
2561         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2562         https://bugs.webkit.org/show_bug.cgi?id=194177
2563
2564         Reviewed by Saam Barati.
2565
2566         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2567         We can share the IsoSubspace for JSFunction.
2568
2569         * runtime/JSAsyncFunction.h:
2570         * runtime/JSAsyncGeneratorFunction.h:
2571         * runtime/JSGeneratorFunction.h:
2572         * runtime/VM.cpp:
2573         (JSC::VM::VM):
2574         * runtime/VM.h:
2575
2576 2019-02-01  Mark Lam  <mark.lam@apple.com>
2577
2578         Remove invalid assertion in DFG's compileDoubleRep().
2579         https://bugs.webkit.org/show_bug.cgi?id=194130
2580         <rdar://problem/47699474>
2581
2582         Reviewed by Saam Barati.
2583
2584         * dfg/DFGSpeculativeJIT.cpp:
2585         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2586
2587 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2588
2589         [JSC] Unify CodeBlock IsoSubspaces
2590         https://bugs.webkit.org/show_bug.cgi?id=194167
2591
2592         Reviewed by Saam Barati.
2593
2594         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2595         But this is not necessary since,
2596
2597         1. They do not override the classInfo methods.
2598         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2599
2600         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2601         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2602         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2603
2604         This patch unifies these IsoSubspaces into one.
2605
2606         * bytecode/CodeBlock.cpp:
2607         (JSC::CodeBlock::destroy):
2608         * bytecode/CodeBlock.h:
2609         * bytecode/EvalCodeBlock.cpp:
2610         (JSC::EvalCodeBlock::destroy): Deleted.
2611         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2612         * bytecode/FunctionCodeBlock.cpp:
2613         (JSC::FunctionCodeBlock::destroy): Deleted.
2614         * bytecode/FunctionCodeBlock.h:
2615         * bytecode/GlobalCodeBlock.h:
2616         * bytecode/ModuleProgramCodeBlock.cpp:
2617         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2618         * bytecode/ModuleProgramCodeBlock.h:
2619         * bytecode/ProgramCodeBlock.cpp:
2620         (JSC::ProgramCodeBlock::destroy): Deleted.
2621         * bytecode/ProgramCodeBlock.h:
2622         * interpreter/Interpreter.cpp:
2623         (JSC::Interpreter::execute):
2624         * runtime/VM.cpp:
2625         (JSC::VM::VM):
2626         * runtime/VM.h:
2627         (JSC::VM::forEachCodeBlockSpace):
2628
2629 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2630
2631         Unreviewed, follow-up after r240859
2632         https://bugs.webkit.org/show_bug.cgi?id=194145
2633
2634         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2635         And rename cellDangerousBitsSpace back to cellSpace.
2636
2637         * runtime/JSCellInlines.h:
2638         (JSC::JSCell::subspaceFor):
2639         * runtime/VM.cpp:
2640         (JSC::VM::VM):
2641         * runtime/VM.h:
2642
2643 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2644
2645         [JSC] Remove cellJSValueOOBSpace
2646         https://bugs.webkit.org/show_bug.cgi?id=194145
2647
2648         Reviewed by Mark Lam.
2649
2650         * runtime/JSObject.h:
2651         (JSC::JSObject::subspaceFor): Deleted.
2652         * runtime/VM.cpp:
2653         (JSC::VM::VM):
2654         * runtime/VM.h:
2655
2656 2019-01-31  Mark Lam  <mark.lam@apple.com>
2657
2658         Remove poisoning from CodeBlock and LLInt code.
2659         https://bugs.webkit.org/show_bug.cgi?id=194113
2660
2661         Reviewed by Yusuke Suzuki.
2662
2663         * bytecode/CodeBlock.cpp:
2664         (JSC::CodeBlock::CodeBlock):
2665         (JSC::CodeBlock::~CodeBlock):
2666         (JSC::CodeBlock::setConstantRegisters):
2667         (JSC::CodeBlock::propagateTransitions):
2668         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2669         (JSC::CodeBlock::jettison):
2670         (JSC::CodeBlock::predictedMachineCodeSize):
2671         * bytecode/CodeBlock.h:
2672         (JSC::CodeBlock::vm const):
2673         (JSC::CodeBlock::addConstant):
2674         (JSC::CodeBlock::heap const):
2675         (JSC::CodeBlock::replaceConstant):
2676         * llint/LLIntOfflineAsmConfig.h:
2677         * llint/LLIntSlowPaths.cpp:
2678         (JSC::LLInt::handleHostCall):
2679         (JSC::LLInt::setUpCall):
2680         * llint/LowLevelInterpreter.asm:
2681         * llint/LowLevelInterpreter32_64.asm:
2682         * llint/LowLevelInterpreter64.asm:
2683
2684 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2685
2686         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2687         https://bugs.webkit.org/show_bug.cgi?id=194107
2688
2689         Reviewed by Saam Barati.
2690
2691         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2692         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2693
2694         * CMakeLists.txt:
2695         * DerivedSources.make:
2696         * JavaScriptCore.xcodeproj/project.pbxproj:
2697         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2698         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2699         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2700         (JSC::AsyncFromSyncIteratorPrototype::create):
2701         * runtime/AsyncFromSyncIteratorPrototype.h:
2702
2703 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2704
2705         Fix `runJITThreadLimitTests` in testapi
2706         https://bugs.webkit.org/show_bug.cgi?id=194064
2707         <rdar://problem/46139147>
2708
2709         Reviewed by Mark Lam.
2710
2711         Fix typo where `targetNumberOfThreads` was not being used.
2712
2713         * API/tests/testapi.mm:
2714         (runJITThreadLimitTests):
2715
2716 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2717
2718         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2719         https://bugs.webkit.org/show_bug.cgi?id=194112
2720
2721         Reviewed by Mark Lam.
2722
2723         `testBytecodeCache` does not populate the bytecode cache for the global
2724         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2725
2726         * API/tests/testapi.mm:
2727         (testBytecodeCache):
2728
2729 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2730
2731         Unreviewed, follow-up after r240796
2732
2733         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2734         when allocating InferredValue in FunctionExecutable::finishCreation.
2735
2736         * runtime/FunctionExecutable.cpp:
2737         (JSC::FunctionExecutable::FunctionExecutable):
2738         (JSC::FunctionExecutable::finishCreation):
2739
2740 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2741
2742         [JSC] Do not use InferredValue in non-JIT configuration
2743         https://bugs.webkit.org/show_bug.cgi?id=194084
2744
2745         Reviewed by Saam Barati.
2746
2747         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2748         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2749         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2750         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2751         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2752         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2753         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2754         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2755
2756         * bytecode/ObjectAllocationProfileInlines.h:
2757         (JSC::ObjectAllocationProfile::initializeProfile):
2758         * runtime/FunctionExecutable.cpp:
2759         (JSC::FunctionExecutable::finishCreation):
2760         (JSC::FunctionExecutable::visitChildren):
2761         * runtime/FunctionExecutable.h:
2762         * runtime/InferredValue.cpp:
2763         (JSC::InferredValue::create):
2764         * runtime/JSAsyncFunction.cpp:
2765         (JSC::JSAsyncFunction::create):
2766         * runtime/JSAsyncGeneratorFunction.cpp:
2767         (JSC::JSAsyncGeneratorFunction::create):
2768         * runtime/JSFunction.cpp:
2769         (JSC::JSFunction::create):
2770         * runtime/JSFunctionInlines.h:
2771         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2772         * runtime/JSGeneratorFunction.cpp:
2773         (JSC::JSGeneratorFunction::create):
2774         * runtime/JSSymbolTableObject.h:
2775         (JSC::JSSymbolTableObject::setSymbolTable):
2776         * runtime/SymbolTable.cpp:
2777         (JSC::SymbolTable::finishCreation):
2778         * runtime/VM.cpp:
2779         (JSC::VM::VM):
2780
2781 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2782
2783         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2784         https://bugs.webkit.org/show_bug.cgi?id=194085
2785
2786         Reviewed by Yusuke Suzuki.
2787
2788         r240730 changed ud_itab.py and caused incremental build failures
2789         for Ninja builds.
2790
2791         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2792
2793 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2794
2795         [JSC] Symbol should be in destructibleCellSpace
2796         https://bugs.webkit.org/show_bug.cgi?id=194082
2797
2798         Reviewed by Saam Barati.
2799
2800         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2801         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2802         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2803         Symbol's space destructibleCellSpace to appropriately call the destructor.
2804
2805         * runtime/Symbol.h:
2806
2807 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2808
2809         Unreviewed, rolling out r240755.
2810
2811         This was not correct
2812
2813         Reverted changeset:
2814
2815         "Unreviewed, fix GCC build after r240730"
2816         https://bugs.webkit.org/show_bug.cgi?id=194041
2817         https://trac.webkit.org/changeset/240755
2818
2819 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2820
2821         Unreviewed, fix GCC build after r240730
2822         https://bugs.webkit.org/show_bug.cgi?id=194041
2823         <rdar://problem/47680981>
2824
2825         * disassembler/udis86/ud_itab.py:
2826         (UdItabGenerator.genOpcodeTablesLookupIndex):
2827
2828 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2829
2830         testapi's `testBytecodeCache` does not need to run the code twice
2831         https://bugs.webkit.org/show_bug.cgi?id=194046
2832
2833         Reviewed by Mark Lam.
2834
2835         Since we populate the cache eagerly (unlike the stress tests) we don't
2836         need to run the code twice.
2837
2838         * API/tests/testapi.mm:
2839         (testBytecodeCache):
2840
2841 2019-01-30  Saam barati  <sbarati@apple.com>
2842
2843         [WebAssembly] Change BBQ to generate Air IR
2844         https://bugs.webkit.org/show_bug.cgi?id=191802
2845         <rdar://problem/47651718>
2846
2847         Reviewed by Keith Miller.
2848
2849         This patch adds a new Wasm compiler for the BBQ tier. Instead
2850         of compiling using B3-O1, we now generate Air code directly.
2851         The goal of doing this was to speed up compile times for Wasm
2852         programs.
2853         
2854         This patch provides us with a 20-30% compile time speedup. However, I
2855         have ideas on how to improve compile times even further. For example,
2856         we should probably implement a faster running register allocator:
2857         https://bugs.webkit.org/show_bug.cgi?id=194036
2858         
2859         We can also improve on the code we generate.
2860         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2861         And we should do better instruction selection in various
2862         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2863
2864         * JavaScriptCore.xcodeproj/project.pbxproj:
2865         * Sources.txt:
2866         * b3/B3LowerToAir.cpp:
2867         * b3/B3StackmapSpecial.h:
2868         * b3/air/AirCode.cpp:
2869         (JSC::B3::Air::Code::emitDefaultPrologue):
2870         * b3/air/AirCode.h:
2871         * b3/air/AirTmp.h:
2872         (JSC::B3::Air::Tmp::Tmp):
2873         * runtime/Options.h:
2874         * wasm/WasmAirIRGenerator.cpp: Added.
2875         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2876         (JSC::Wasm::TypedTmp::TypedTmp):
2877         (JSC::Wasm::TypedTmp::operator== const):
2878         (JSC::Wasm::TypedTmp::operator!= const):
2879         (JSC::Wasm::TypedTmp::operator bool const):
2880         (JSC::Wasm::TypedTmp::operator Tmp const):
2881         (JSC::Wasm::TypedTmp::operator Arg const):
2882         (JSC::Wasm::TypedTmp::tmp const):
2883         (JSC::Wasm::TypedTmp::type const):
2884         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2885         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2886         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2887         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2888         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2889         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2890         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2891         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2892         (JSC::Wasm::AirIRGenerator::emptyExpression):
2893         (JSC::Wasm::AirIRGenerator::fail const):
2894         (JSC::Wasm::AirIRGenerator::setParser):
2895         (JSC::Wasm::AirIRGenerator::toTmpVector):
2896         (JSC::Wasm::AirIRGenerator::validateInst):
2897         (JSC::Wasm::AirIRGenerator::extractArg):
2898         (JSC::Wasm::AirIRGenerator::append):
2899         (JSC::Wasm::AirIRGenerator::appendEffectful):
2900         (JSC::Wasm::AirIRGenerator::newTmp):
2901         (JSC::Wasm::AirIRGenerator::g32):
2902         (JSC::Wasm::AirIRGenerator::g64):
2903         (JSC::Wasm::AirIRGenerator::f32):
2904         (JSC::Wasm::AirIRGenerator::f64):
2905         (JSC::Wasm::AirIRGenerator::tmpForType):
2906         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2907         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2908         (JSC::Wasm::AirIRGenerator::emitCheck):
2909         (JSC::Wasm::AirIRGenerator::emitCCall):
2910         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2911         (JSC::Wasm::AirIRGenerator::instanceValue):
2912         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2913         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2914         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2915         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2916         (JSC::Wasm::AirIRGenerator::emitThrowException):
2917         (JSC::Wasm::AirIRGenerator::addLocal):
2918         (JSC::Wasm::AirIRGenerator::addConstant):
2919         (JSC::Wasm::AirIRGenerator::addArguments):
2920         (JSC::Wasm::AirIRGenerator::getLocal):
2921         (JSC::Wasm::AirIRGenerator::addUnreachable):
2922         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2923         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2924         (JSC::Wasm::AirIRGenerator::setLocal):
2925         (JSC::Wasm::AirIRGenerator::getGlobal):
2926         (JSC::Wasm::AirIRGenerator::setGlobal):
2927         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2928         (JSC::Wasm::sizeOfLoadOp):
2929         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2930         (JSC::Wasm::AirIRGenerator::load):
2931         (JSC::Wasm::sizeOfStoreOp):
2932         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2933         (JSC::Wasm::AirIRGenerator::store):
2934         (JSC::Wasm::AirIRGenerator::addSelect):
2935         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2936         (JSC::Wasm::AirIRGenerator::addLoop):
2937         (JSC::Wasm::AirIRGenerator::addTopLevel):
2938         (JSC::Wasm::AirIRGenerator::addBlock):
2939         (JSC::Wasm::AirIRGenerator::addIf):
2940         (JSC::Wasm::AirIRGenerator::addElse):
2941         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2942         (JSC::Wasm::AirIRGenerator::addReturn):
2943         (JSC::Wasm::AirIRGenerator::addBranch):
2944         (JSC::Wasm::AirIRGenerator::addSwitch):
2945         (JSC::Wasm::AirIRGenerator::endBlock):
2946         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2947         (JSC::Wasm::AirIRGenerator::addCall):
2948         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2949         (JSC::Wasm::AirIRGenerator::unify):
2950         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2951         (JSC::Wasm::AirIRGenerator::dump):
2952         (JSC::Wasm::AirIRGenerator::origin):
2953         (JSC::Wasm::parseAndCompileAir):
2954         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2955         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2962         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2963         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2964         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2965         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2966         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2967         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2968         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2969         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2970         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2971         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2972         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2973         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2974         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2975         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2976         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2977         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2978         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2979         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2980         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2981         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2982         (JSC::Wasm::AirIRGenerator::addShift):
2983         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2984         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2985         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2992         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2993         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2994         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2995         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2996         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2997         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2998         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2999         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
3000         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
3001         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
3002         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
3003         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
3004         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
3005         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
3006         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
3007         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
3011         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
3012         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
3013         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
3014         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3020         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3026         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3027         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3028         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3029         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3030         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3031         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3032         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3033         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3034         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3035         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3036         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3037         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3038         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3039         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3040         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3041         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3042         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3043         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3044         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3045         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3046         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3047         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3048         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3049         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3050         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3051         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3052         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3053         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3054         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3055         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3056         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3057         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3058         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3059         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3060         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3061         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3062         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3063         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3064         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3065         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3066         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3067         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3068         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3069         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3070         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3071         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3072         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3073         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3074         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3075         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3076         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3077         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3078         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3079         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3080         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3081         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3082         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3083         * wasm/WasmAirIRGenerator.h: Added.
3084         * wasm/WasmB3IRGenerator.cpp:
3085         (JSC::Wasm::B3IRGenerator::emptyExpression):
3086         * wasm/WasmBBQPlan.cpp:
3087         (JSC::Wasm::BBQPlan::compileFunctions):
3088         * wasm/WasmCallingConvention.cpp:
3089         (JSC::Wasm::jscCallingConventionAir):
3090         (JSC::Wasm::wasmCallingConventionAir):
3091         * wasm/WasmCallingConvention.h:
3092         (JSC::Wasm::CallingConvention::CallingConvention):
3093         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3094         (JSC::Wasm::CallingConvention::marshallArgument const):
3095         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3096         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3097         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3098         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3099         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3100         (JSC::Wasm::CallingConventionAir::loadArguments const):
3101         (JSC::Wasm::CallingConventionAir::setupCall const):
3102         (JSC::Wasm::nextJSCOffset):
3103         * wasm/WasmFunctionParser.h:
3104         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3105         * wasm/WasmValidate.cpp:
3106         (JSC::Wasm::Validate::emptyExpression):
3107
3108 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3109
3110         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3111         https://bugs.webkit.org/show_bug.cgi?id=194050
3112         <rdar://problem/47595592>
3113
3114         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3115         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3116
3117         Reviewed by Yusuke Suzuki.
3118
3119         * ftl/FTLOperations.cpp:
3120         (JSC::FTL::operationMaterializeObjectInOSR):
3121
3122 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3123
3124         Remove assertion that CachedSymbolTables should have no RareData
3125         https://bugs.webkit.org/show_bug.cgi?id=194037
3126
3127         Reviewed by Mark Lam.
3128
3129         It turns out that we don't need to cache the SymbolTableRareData and
3130         we should not assert that it's empty.
3131
3132         * runtime/CachedTypes.cpp:
3133         (JSC::CachedSymbolTable::encode):
3134
3135 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3136
3137         CachedBytecode's move constructor should not call `freeDataIfOwned`
3138         https://bugs.webkit.org/show_bug.cgi?id=194045
3139
3140         Reviewed by Mark Lam.
3141
3142         That might result in freeing a garbage value.
3143
3144         * parser/SourceProvider.h:
3145         (JSC::CachedBytecode::CachedBytecode):
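
Why a move constructor must not run the cleanup routine, as an added example (editor-written model code, not JSC's CachedBytecode; the class shape, the owned/borrowed split and the release counter are assumptions of the example). Inside a move constructor the target object's members have not been initialized yet, so a call to freeDataIfOwned() there reads an uninitialized pointer and an uninitialized "owned" flag, and whenever that flag happens to be non-zero it frees an arbitrary address. The constructor should only steal the source's state. The place where releasing the current buffer is legitimate is move assignment, where *this is already fully constructed:

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

// Instrumentation so a test can observe how many times storage is released.
static int g_releasedBuffers = 0;

// Constructed stand-in for a bytecode buffer that either owns its storage
// (a malloc'd copy) or merely borrows it (say, a memory-mapped cache file).
class CachedBytecode {
public:
    CachedBytecode() = default;

    static CachedBytecode borrowing(const void* data, size_t size) { return CachedBytecode(data, size, false); }

    static CachedBytecode owningCopyOf(const void* data, size_t size) {
        void* copy = std::malloc(size);
        std::memcpy(copy, data, size);
        return CachedBytecode(copy, size, true);
    }

    // Move constructor: *this has no valid members yet, so it must NOT call
    // freeDataIfOwned() (the bug the entry above fixes). It only steals.
    CachedBytecode(CachedBytecode&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false)) { }

    // Move assignment: *this is fully constructed here, so releasing the
    // buffer it currently owns before stealing is correct and necessary.
    CachedBytecode& operator=(CachedBytecode&& other) noexcept {
        if (this != &other) {
            freeDataIfOwned();
            m_data = std::exchange(other.m_data, nullptr);
            m_size = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    CachedBytecode(const CachedBytecode&) = delete;
    CachedBytecode& operator=(const CachedBytecode&) = delete;

    ~CachedBytecode() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    CachedBytecode(const void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    // Releases the buffer only if this object owns it, then resets the
    // fields so a second call (e.g. from the destructor) is harmless.
    void freeDataIfOwned() {
        if (m_owned) {
            std::free(const_cast<void*>(m_data));
            ++g_releasedBuffers;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    const void* m_data = nullptr;
    size_t m_size = 0;
    bool m_owned = false;
};
```

The counter lets a test pin the invariant that matters for memory safety: an owned buffer is released exactly once however many times the object is moved, and a borrowed buffer is never released.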
3146
3147 2019-01-30  Keith Miller  <keith_miller@apple.com>
3148
3149         mul32 should convert powers of 2 to an lshift
3150         https://bugs.webkit.org/show_bug.cgi?id=193957
3151
3152         Reviewed by Yusuke Suzuki.
3153
3154         * assembler/MacroAssembler.h:
3155         (JSC::MacroAssembler::mul32):
3156         * assembler/testmasm.cpp:
3157         (JSC::int32Operands):
3158         (JSC::testMul32WithImmediates):
3159         (JSC::run):
3160
3161 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3162
3163         [JSC] Make disassembler data structures constant read-only data
3164         https://bugs.webkit.org/show_bug.cgi?id=194041
3165
3166         Reviewed by Mark Lam.
3167
3168         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3169         This patch makes them "const".
3170
3171         * disassembler/ARM64/A64DOpcode.cpp:
3172         * disassembler/udis86/ud_itab.py:
3173         (UdItabGenerator.genOpcodeTablesLookupIndex):
3174         (UdItabGenerator.genInsnTable):
3175         (UdItabGenerator.genMnemonicsList):
3176         (genItabH):
3177         * disassembler/udis86/udis86_decode.h:
3178         * disassembler/udis86/udis86_syn.c:
3179         * disassembler/udis86/udis86_syn.h:
3180         * disassembler/udis86/udis86_types.h:
3181
3182 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3183
3184         Unreviewed, update the builtin test results
3185         https://bugs.webkit.org/show_bug.cgi?id=194015
3186
3187         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3188         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3189         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3190         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3191         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3192         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3193         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3194         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3195         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3196         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3197         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3198         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3199         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3200
3201 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3202
3203         [JSC] Make global static variables "const" as much as possible
3204         https://bugs.webkit.org/show_bug.cgi?id=194015
3205
3206         Reviewed by Mark Lam.
3207
3208         Some global static variables are not "const". For example, `static const char* name = ...`
3209         is not a constant variable. We should make it `static const char* const name = ...`.
3210
3211         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3212         (generate_externs_for_object):
3213         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3214         (generate_externs_for_object):
3215         * Scripts/wkbuiltins/builtins_generator.py:
3216         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3217         * assembler/MacroAssembler.h:
3218         (JSC::MacroAssembler::additionBlindedConstant):
3219         * b3/air/AirFormTable.h:
3220         * b3/air/opcode_generator.rb:
3221         * runtime/JSObject.cpp:
3222         (JSC::JSObject::visitButterfly):
3223         * tools/CodeProfile.cpp:
3224         * tools/CodeProfile.h:
3225
3226 2019-01-29  Keith Miller  <keith_miller@apple.com>
3227
3228         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3229         https://bugs.webkit.org/show_bug.cgi?id=194000
3230         <rdar://problem/47642894>
3231
3232         Reviewed by Mark Lam.
3233
3234         The default constructor is unused, and
3235         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3236         data member, which causes sadness.
3237
3238         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3239
3240 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3241
3242         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3243
3244         Rubber-stamped by Yusuke Suzuki.
3245
3246         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3247
3248         * parser/Parser.h:
3249         (JSC::Parser::declareHoistedVariable):
3250
3251 2019-01-29  Mark Lam  <mark.lam@apple.com>
3252
3253         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3254         https://bugs.webkit.org/show_bug.cgi?id=132333
3255
3256         Reviewed by Yusuke Suzuki.
3257
3258         * bytecode/InstructionStream.h:
3259         (JSC::InstructionStreamWriter::write):
3260         - The 32-bit write() function need not invert the order of the bytes written to
3261           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3262           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3263
3264         * llint/LLIntOfflineAsmConfig.h:
3265         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3266
3267 2019-01-29  Mark Lam  <mark.lam@apple.com>
3268
3269         ValueRecovery::recover() should purify NaN values it recovers.
3270         https://bugs.webkit.org/show_bug.cgi?id=193978
3271         <rdar://problem/47625488>
3272
3273         Reviewed by Saam Barati.
3274
3275         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3276         recovered DoubleDisplacedInJSStack values need to be purified.
3277         ValueRecovery::recover() should do the same.
3278
3279         * bytecode/ValueRecovery.cpp:
3280         (JSC::ValueRecovery::recover const):
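
What "purify" guards against, as an added example (editor-supplied model code, not JSC's ValueRecovery or JSValue implementation). On 64-bit, JSValue NaN-boxes doubles: the raw bits are shifted by an offset so that the top 16 bits distinguish int32 values, cells (pointers) and doubles. A NaN carries 51 payload bits, and an earlier computation can leave an arbitrary payload in a stack slot; box such a NaN without canonicalizing it and the result can land in the int32 or cell tag space, which is a type confusion. The constants below are assumed to mirror JSC's 64-bit encoding (NumberTag, DoubleEncodeOffset = 1 << 49, the canonical PNaN); the boolean/null/undefined "other" tags are left out, and the classifier and the two crafted NaN payloads are constructed for the example:

```cpp
#include <cstdint>
#include <cstring>

// Assumed to mirror JSC's 64-bit JSValue layout (an assumption of this
// example, not a quote of the JSC headers).
constexpr uint64_t kNumberTag          = 0xfffe000000000000ULL; // int32 tag
constexpr uint64_t kDoubleEncodeOffset = 0x0002000000000000ULL; // 1 << 49
constexpr uint64_t kPureNaNBits        = 0x7ff8000000000000ULL; // canonical NaN

enum class Kind { Cell, Int32, Double };

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Same shape as a purifyNaN(): every NaN collapses to the one canonical payload.
inline double purifyNaN(double v) { return v != v ? doubleOf(kPureNaNBits) : v; }

// Box a double: adding the offset moves real doubles out of the tag ranges.
inline uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// How the rest of the engine would read a boxed word.
inline Kind classify(uint64_t boxed) {
    if ((boxed & kNumberTag) == kNumberTag) return Kind::Int32;
    if (boxed & kNumberTag) return Kind::Double;
    return Kind::Cell; // top 16 bits clear: treated as a pointer
}

// What an int32 reader would extract from a boxed word.
inline int32_t asInt32(uint64_t boxed) { return static_cast<int32_t>(boxed & 0xffffffffULL); }

// Unsafe recovery: boxes whatever bits happened to be in the stack slot.
inline uint64_t recoverDoubleUnpurified(double fromStack) { return encodeDouble(fromStack); }

// Safe recovery: the shape the entry above asks ValueRecovery::recover() to have.
inline uint64_t recoverDouble(double fromStack) { return encodeDouble(purifyNaN(fromStack)); }

// Constructed NaN payloads: exponent all ones, mantissa non-zero, quiet bit set.
constexpr uint64_t kNaNLooksLikeInt32 = 0xfffc000000000000ULL; // + offset == kNumberTag
constexpr uint64_t kNaNLooksLikeCell  = 0xfffe000000000000ULL; // + offset wraps to 0
```

The two crafted NaNs show the failure mode directly: 0xfffc000000000000 boxes to exactly the int32 tag and reads back as the integer 0, and 0xfffe000000000000 boxes to 0, which classifies as a cell. Routing every recovered double through purifyNaN() before boxing, as the entry describes for DoubleDisplacedInJSStack values, makes both collapse to the canonical NaN and box as a double.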
3281
3282 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3283
3284         [JSC] FTL should handle LocalAllocator*
3285         https://bugs.webkit.org/show_bug.cgi?id=193980
3286
3287         Reviewed by Saam Barati.
3288
3289         At some point, Allocator started holding LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3290         because the FTL still uses the incoming value as a 32-bit integer there.
3291
3292         * ftl/FTLLowerDFGToB3.cpp:
3293         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3294
3295 2019-01-29  Keith Rollin  <krollin@apple.com>
3296
3297         Add .xcfilelists to Run Script build phases
3298         https://bugs.webkit.org/show_bug.cgi?id=193792
3299         <rdar://problem/47201785>
3300
3301         Reviewed by Alex Christensen.
3302
3303         As part of supporting XCBuild, update the necessary Run Script build
3304         phases in their Xcode projects to refer to their associated
3305         .xcfilelist files.
3306
3307         Note that the addition of these files bumps the Xcode project version
3308         number to something that's Xcode 10 compatible. This change means that
3309         older versions of the Xcode IDE can't read these projects. Nor can they
3310         fully load workspaces that refer to these projects (the updated
3311         projects are shown as non-expandable placeholders). `xcodebuild` can
3312         still build these projects; it's just that the IDE can't open them.
3313
3314         * JavaScriptCore.xcodeproj/project.pbxproj:
3315
3316 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3317
3318         [ARM] Check for negative zero instead of just zero
3319         https://bugs.webkit.org/show_bug.cgi?id=193689
3320
3321         Reviewed by Mark Lam.
3322
3323         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3324         of just bailing out for zero.
3325
3326         * assembler/MacroAssemblerARMv7.h:
3327         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
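The decision branchConvertDoubleToInt32 has to make, written out in plain C as an added illustration (not JSC's assembler code; function names are this example's own): the conversion succeeds only when the double is exactly an int32 and is not negative zero, and the second function reproduces the earlier ARM behaviour of bailing on any zero.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Returns true and stores the int32 when the conversion is exact; false means the
   JIT must bail out to the double path. */
bool convert_double_to_int32(double d, int32_t *out)
{
    if (d != d)                                 /* NaN has no int32 value at all */
        return false;
    if (d < -2147483648.0 || d > 2147483647.0)  /* outside the int32 range */
        return false;
    int32_t i = (int32_t)d;                     /* truncation is well defined in range */
    if ((double)i != d)                         /* a fractional part would be lost */
        return false;
    if (i == 0 && signbit(d))                   /* -0.0: int32 cannot keep the sign, */
        return false;                           /* and 1 / -0 must stay -Infinity   */
    *out = i;
    return true;
}

/* The earlier ARM behaviour: bail on any zero result, so +0.0 also took the slow
   path even though it is a perfectly good int32. */
bool convert_bailing_on_any_zero(double d, int32_t *out)
{
    int32_t i;
    if (!convert_double_to_int32(d, &i) || i == 0)
        return false;
    *out = i;
    return true;
}

/* Helpers for checks: does d convert exactly to expected under each policy? */
bool converts_exactly_to(double d, int32_t expected)
{
    int32_t r;
    return convert_double_to_int32(d, &r) && r == expected;
}

bool old_converts_exactly_to(double d, int32_t expected)
{
    int32_t r;
    return convert_bailing_on_any_zero(d, &r) && r == expected;
}
```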
3328
3329 2019-01-28  Devin Rousso  <drousso@apple.com>
3330
3331         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3332         https://bugs.webkit.org/show_bug.cgi?id=193863
3333         <rdar://problem/47572764>
3334
3335         Reviewed by Joseph Pecoraro.
3336
3337         * inspector/protocol/Page.json:
3338         Add more values to the `Setting` enum type:
3339          - `ICECandidateFilteringEnabled`
3340          - `MediaCaptureRequiresSecureConnection`
3341          - `MockCaptureDevicesEnabled`
3342
3343 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3344
3345         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3346         https://bugs.webkit.org/show_bug.cgi?id=193941
3347
3348         Reviewed by Alex Christensen.
3349
3350         * API/JSWeakObjectMapRefPrivate.cpp:
3351         * bytecompiler/NodesCodegen.cpp:
3352         * heap/MachineStackMarker.cpp:
3353         * jit/ExecutableAllocator.cpp:
3354         * jsc.cpp:
3355         * parser/Nodes.cpp:
3356         * runtime/DateConstructor.cpp:
3357         * runtime/DateConversion.cpp:
3358         * runtime/DateInstance.cpp:
3359         * runtime/DatePrototype.cpp:
3360         * runtime/InitializeThreading.cpp:
3361         * runtime/IteratorOperations.cpp:
3362         * runtime/JSDateMath.cpp:
3363         * runtime/JSGlobalObjectFunctions.cpp:
3364         * runtime/StringPrototype.cpp:
3365         * runtime/VM.cpp:
3366         * testRegExp.cpp:
3367         * tools/JSDollarVM.cpp:
3368         * yarr/YarrInterpreter.cpp:
3369         * yarr/YarrJIT.cpp:
3370         * yarr/YarrPattern.cpp:
3371         * yarr/YarrUnicodeProperties.cpp:
3372
3373 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3374
3375         [JSC] Reduce size of memory used for ShadowChicken
3376         https://bugs.webkit.org/show_bug.cgi?id=193546
3377
3378         Reviewed by Mark Lam.
3379
3380         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3381         The removal of ShadowChicken saves 55KB of memory.
3382
3383         * debugger/DebuggerCallFrame.cpp:
3384         (JSC::DebuggerCallFrame::create):
3385         * ftl/FTLLowerDFGToB3.cpp:
3386         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3387         * heap/Heap.cpp:
3388         (JSC::Heap::stopThePeriphery):
3389         (JSC::Heap::addCoreConstraints):
3390         * jit/CCallHelpers.cpp:
3391         (JSC::CCallHelpers::ensureShadowChickenPacket):
3392         * jit/JITExceptions.cpp:
3393         (JSC::genericUnwind):
3394         * jit/JITOpcodes.cpp:
3395         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3396         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3397         * jit/JITOpcodes32_64.cpp:
3398         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3399         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3400         * jit/JITOperations.cpp:
3401         * llint/LLIntSlowPaths.cpp:
3402         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3403         * runtime/JSGlobalObject.cpp:
3404         (JSC::JSGlobalObject::setDebugger):
3405         * runtime/JSGlobalObject.h:
3406         (JSC::JSGlobalObject::setDebugger): Deleted.
3407         * runtime/VM.cpp:
3408         (JSC::VM::VM):
3409         (JSC::VM::ensureShadowChicken):
3410         * runtime/VM.h:
3411         (JSC::VM::shadowChicken):
3412         * tools/JSDollarVM.cpp:
3413         (JSC::functionShadowChickenFunctionsOnStack):
3414         (JSC::changeDebuggerModeWhenIdle):
3415
3416 2019-01-28  Andy Estes  <aestes@apple.com>
3417
3418         [watchOS] Enable Parental Controls content filtering
3419         https://bugs.webkit.org/show_bug.cgi?id=193939
3420         <rdar://problem/46641912>
3421
3422         Reviewed by Ryosuke Niwa.
3423
3424         * Configurations/FeatureDefines.xcconfig:
3425
3426 2019-01-28  Mark Lam  <mark.lam@apple.com>
3427
3428         ToString node actually does GC.
3429         https://bugs.webkit.org/show_bug.cgi?id=193920
3430         <rdar://problem/46695900>
3431
3432         Reviewed by Yusuke Suzuki.
3433
3434         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3435         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3436
3437         * dfg/DFGDoesGC.cpp:
3438         (JSC::DFG::doesGC):
3439
3440 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3441
3442         [JSC] RegExpConstructor should not have own IsoSubspace
3443         https://bugs.webkit.org/show_bug.cgi?id=193801
3444
3445         Reviewed by Mark Lam.
3446
3447         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes IsoSubspace for RegExpConstructor.
3448         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3449         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
3450         it from RegExpConstructor members.
3451
3452         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3453         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3454         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3455
3456         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3457
3458         * CMakeLists.txt:
3459         * JavaScriptCore.xcodeproj/project.pbxproj:
3460         * Sources.txt:
3461         * dfg/DFGOperations.cpp:
3462         * dfg/DFGSpeculativeJIT.cpp:
3463         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3464         * dfg/DFGStrengthReductionPhase.cpp:
3465         (JSC::DFG::StrengthReductionPhase::handleNode):
3466         * ftl/FTLAbstractHeapRepository.cpp:
3467         * ftl/FTLAbstractHeapRepository.h:
3468         * ftl/FTLLowerDFGToB3.cpp:
3469         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3470         * runtime/JSGlobalObject.cpp:
3471         (JSC::JSGlobalObject::init):
3472         (JSC::JSGlobalObject::visitChildren):
3473         * runtime/JSGlobalObject.h:
3474         (JSC::JSGlobalObject::regExpGlobalData):
3475         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3476         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3477         * runtime/RegExpCache.cpp:
3478         (JSC::RegExpCache::initialize):
3479         * runtime/RegExpCache.h:
3480         (JSC::RegExpCache::emptyRegExp const):
3481         * runtime/RegExpCachedResult.cpp:
3482         (JSC::RegExpCachedResult::visitAggregate):
3483         (JSC::RegExpCachedResult::visitChildren): Deleted.
3484         * runtime/RegExpCachedResult.h:
3485         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3486         * runtime/RegExpConstructor.cpp:
3487         (JSC::RegExpConstructor::RegExpConstructor):
3488         (JSC::regExpConstructorDollar):
3489         (JSC::regExpConstructorInput):
3490         (JSC::regExpConstructorMultiline):
3491         (JSC::regExpConstructorLastMatch):
3492         (JSC::regExpConstructorLastParen):
3493         (JSC::regExpConstructorLeftContext):
3494         (JSC::regExpConstructorRightContext):
3495         (JSC::setRegExpConstructorInput):
3496         (JSC::setRegExpConstructorMultiline):
3497         (JSC::RegExpConstructor::destroy): Deleted.
3498         (JSC::RegExpConstructor::visitChildren): Deleted.
3499         (JSC::RegExpConstructor::getBackref): Deleted.
3500         (JSC::RegExpConstructor::getLastParen): Deleted.
3501         (JSC::RegExpConstructor::getLeftContext): Deleted.
3502         (JSC::RegExpConstructor::getRightContext): Deleted.
3503         * runtime/RegExpConstructor.h:
3504         (JSC::RegExpConstructor::performMatch): Deleted.
3505         (JSC::RegExpConstructor::recordMatch): Deleted.
3506         * runtime/RegExpGlobalData.cpp: Added.
3507         (JSC::RegExpGlobalData::visitAggregate):
3508         (JSC::RegExpGlobalData::getBackref):
3509         (JSC::RegExpGlobalData::getLastParen):
3510         (JSC::RegExpGlobalData::getLeftContext):
3511         (JSC::RegExpGlobalData::getRightContext):
3512         * runtime/RegExpGlobalData.h: Added.
3513         (JSC::RegExpGlobalData::cachedResult):
3514         (JSC::RegExpGlobalData::setMultiline):
3515         (JSC::RegExpGlobalData::multiline const):
3516         (JSC::RegExpGlobalData::input):
3517         (JSC::RegExpGlobalData::offsetOfCachedResult):
3518         * runtime/RegExpGlobalDataInlines.h: Added.
3519         (JSC::RegExpGlobalData::setInput):
3520         (JSC::RegExpGlobalData::performMatch):
3521         (JSC::RegExpGlobalData::recordMatch):
3522         * runtime/RegExpObject.cpp:
3523         (JSC::RegExpObject::matchGlobal):
3524         * runtime/RegExpObjectInlines.h:
3525         (JSC::RegExpObject::execInline):
3526         (JSC::RegExpObject::matchInline):
3527         (JSC::collectMatches):
3528         * runtime/RegExpPrototype.cpp:
3529         (JSC::RegExpPrototype::finishCreation):
3530         (JSC::regExpProtoFuncSearchFast):
3531         (JSC::RegExpPrototype::visitChildren): Deleted.
3532         * runtime/RegExpPrototype.h:
3533         * runtime/StringPrototype.cpp:
3534         (JSC::removeUsingRegExpSearch):
3535         (JSC::replaceUsingRegExpSearch):
3536         * runtime/VM.cpp:
3537         (JSC::VM::VM):
3538         * runtime/VM.h:
3539
3540 2018-12-15  Darin Adler  <darin@apple.com>
3541
3542         Replace many uses of String::format with more type-safe alternatives
3543         https://bugs.webkit.org/show_bug.cgi?id=192742
3544
3545         Reviewed by Mark Lam.
3546
3547         * inspector/InjectedScriptBase.cpp:
3548         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3549         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3550         * inspector/InspectorBackendDispatcher.cpp:
3551         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3552         * inspector/agents/InspectorConsoleAgent.cpp:
3553         (Inspector::InspectorConsoleAgent::enable): Ditto.
3554         * jsc.cpp:
3555         (FunctionJSCStackFunctor::operator() const): Ditto.
3556
3557         * runtime/CodeCache.cpp:
3558         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3559         using String::number.
3560
3561         * runtime/IntlDateTimeFormat.cpp:
3562         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3563         * runtime/IntlObject.cpp:
3564         (JSC::canonicalizeLocaleList): Ditto.
3565
3566 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3567
3568         AX: Introduce a static accessibility tree
3569         https://bugs.webkit.org/show_bug.cgi?id=193348
3570         <rdar://problem/47203295>
3571
3572         Reviewed by Ryosuke Niwa.
3573
3574         * Configurations/FeatureDefines.xcconfig:
3575
3576 2019-01-26  Devin Rousso  <drousso@apple.com>
3577
3578         Web Inspector: provide a way to edit the user agent of a remote target
3579         https://bugs.webkit.org/show_bug.cgi?id=193862
3580         <rdar://problem/47359292>
3581
3582         Reviewed by Joseph Pecoraro.
3583
3584         * inspector/protocol/Page.json:
3585         Add `overrideUserAgent` command.
3586
3587 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3588
3589         [JSC] NativeErrorConstructor should not have own IsoSubspace
3590         https://bugs.webkit.org/show_bug.cgi?id=193713
3591
3592         Reviewed by Saam Barati.
3593
3594         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3595         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3596         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3597         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3598         IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
3599         referenced.
3600
3601         * CMakeLists.txt:
3602         * JavaScriptCore.xcodeproj/project.pbxproj:
3603         * Sources.txt:
3604         * builtins/BuiltinNames.h:
3605         * interpreter/Interpreter.h:
3606         * runtime/Error.cpp:
3607         (JSC::createEvalError):
3608         (JSC::createRangeError):
3609         (JSC::createReferenceError):
3610         (JSC::createSyntaxError):
3611         (JSC::createTypeError):
3612         (JSC::createURIError):
3613         (WTF::printInternal): Deleted.
3614         * runtime/Error.h:
3615         * runtime/ErrorPrototype.cpp:
3616         (JSC::ErrorPrototype::create):
3617         (JSC::ErrorPrototype::finishCreation):
3618         * runtime/ErrorPrototype.h:
3619         (JSC::ErrorPrototype::create): Deleted.
3620         * runtime/ErrorType.cpp: Added.
3621         (JSC::errorTypeName):
3622         (WTF::printInternal):
3623         * runtime/ErrorType.h: Added.
3624         * runtime/JSGlobalObject.cpp:
3625         (JSC::JSGlobalObject::initializeErrorConstructor):
3626         (JSC::JSGlobalObject::init):
3627         (JSC::JSGlobalObject::visitChildren):
3628         * runtime/JSGlobalObject.h:
3629         (JSC::JSGlobalObject::internalPromiseConstructor const):
3630         (JSC::JSGlobalObject::errorStructure const):
3631         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3632         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3633         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3634         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3635         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3636         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3637         * runtime/NativeErrorConstructor.cpp:
3638         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3639         (JSC::NativeErrorConstructorBase::finishCreation):
3640         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3641         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3642         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3643         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3644         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3645         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3646         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3647         * runtime/NativeErrorConstructor.h:
3648         (JSC::NativeErrorConstructorBase::createStructure):
3649         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3650         * runtime/NativeErrorPrototype.cpp:
3651         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3652         * runtime/NativeErrorPrototype.h:
3653         * runtime/VM.cpp:
3654         (JSC::VM::VM):
3655         * runtime/VM.h:
3656         * wasm/js/WasmToJS.cpp:
3657         (JSC::Wasm::handleBadI64Use):
3658
3659 2019-01-25  Devin Rousso  <drousso@apple.com>
3660
3661         Web Inspector: provide a way to edit page settings on a remote target
3662         https://bugs.webkit.org/show_bug.cgi?id=193813
3663         <rdar://problem/47359510>
3664
3665         Reviewed by Joseph Pecoraro.
3666
3667         * inspector/protocol/Page.json:
3668         Add `overrideSetting` command with supporting `Setting` enum type.
3669
3670 2019-01-25  Keith Rollin  <krollin@apple.com>
3671
3672         Update Xcode projects with "Check .xcfilelists" build phase
3673         https://bugs.webkit.org/show_bug.cgi?id=193790
3674         <rdar://problem/47201374>
3675
3676         Reviewed by Alex Christensen.
3677
3678         Support for XCBuild includes specifying inputs and outputs to various
3679         Run Script build phases. These inputs and outputs are specified as
3680         .xcfilelist files. Once created, these .xcfilelist files need to be
3681         kept up-to-date. In order to check that they are up-to-date or not,
3682         add an Xcode build step that invokes an external script that performs
3683         the checking. If the .xcfilelists are found to be out-of-date, update
3684         them, halt the build, and instruct the developer to restart the build
3685         with up-to-date files.
3686
3687         At this time, the checking and regenerating is performed only if the
3688         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3689         who want to use this facility can set this variable and test out the
3690         checking/regenerating. Once it seems like there are no egregious
3691         issues that upset a developer's workflow, we'll unconditionally enable
3692         this facility.
3693
3694         * JavaScriptCore.xcodeproj/project.pbxproj:
3695         * Scripts/check-xcfilelists.sh: Added.
3696
3697 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3698
3699         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3700         https://bugs.webkit.org/show_bug.cgi?id=193796
3701         <rdar://problem/47532910>
3702
3703         Reviewed by Devin Rousso.
3704
3705         * runtime/SamplingProfiler.cpp:
3706         (JSC::SamplingProfiler::machThread):
3707         * runtime/SamplingProfiler.h:
3708         Expose the mach_port_t of the SamplingProfiler thread
3709         so it can be tested against later.
3710
3711 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3712
3713         Fix Windows build after r240511
3714
3715         * bytecode/UnlinkedFunctionExecutable.cpp:
3716         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3717
3718 2019-01-25  Keith Rollin  <krollin@apple.com>
3719
3720         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3721         https://bugs.webkit.org/show_bug.cgi?id=193781
3722         <rdar://problem/47201153>
3723
3724         Reviewed by Alex Christensen.
3725
3726         Part of generating the .xcfilelists used as part of adopting XCBuild
3727         includes running `make DerivedSources.make` from a standalone script.
3728         It’s important for this invocation to have the same environment as
3729         when the actual build invokes `make DerivedSources.make`. If the
3730         environments are different, then the two invocations will provide
3731         different results. In order to get the same environment in the
3732         standalone script, have the script launch xcodebuild targeting the
3733         "Apply Configuration to XCFileLists" build target, which will then
3734         re-invoke our standalone script. The script is now running again, this
3735         time in an environment with all workspace, project, target, xcconfig
3736         and other environment variables established.
3737
3738         The "Apply Configuration to XCFileLists" build target accomplishes
3739         this task via a small embedded shell script that consists only of:
3740
3741             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3742
3743         The process that invokes "Apply Configuration to XCFileLists" first
3744         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3745         evaluated and exports it into the shell environment. When xcodebuild
3746         is invoked, it inherits the value of this variable and can `eval` the
3747         contents of that variable. Our external standalone script can then set
3748         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3749         of command-line parameters needed to restart itself in the appropriate
3750         state.
3751
3752         * JavaScriptCore.xcodeproj/project.pbxproj:
3753
3754 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3755
3756         Add API to generate and consume cached bytecode
3757         https://bugs.webkit.org/show_bug.cgi?id=193401
3758         <rdar://problem/47514099>
3759
3760         Reviewed by Keith Miller.
3761
3762         Add the `generateBytecode` and `generateModuleBytecode` functions to
3763         generate serialized bytecode for a given `SourceCode`. These functions
3764         will eagerly generate code for all the nested functions.
3765
3766         Additionally, update the API methods in JSScript to generate and use the
3767         bytecode when the bytecodeCache path is provided.
3768
3769         * API/JSAPIGlobalObject.mm:
3770         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3771         * API/JSContext.mm:
3772         (-[JSContext wrapperMap]):
3773         * API/JSContextInternal.h:
3774         * API/JSScript.mm:
3775         (+[JSScript scriptWithSource:inVirtualMachine:]):
3776         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3777         (-[JSScript dealloc]):
3778         (-[JSScript readCache]):
3779         (-[JSScript writeCache]):
3780         (-[JSScript hash]):
3781         (-[JSScript source]):
3782         (-[JSScript cachedBytecode]):
3783         (-[JSScript jsSourceCode:]):
3784         * API/JSScriptInternal.h:
3785         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3786         (JSScriptSourceProvider::create):
3787         (JSScriptSourceProvider::JSScriptSourceProvider):
3788         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3789         (JSScriptSourceProvider::hash const):
3790         (JSScriptSourceProvider::source const):
3791         (JSScriptSourceProvider::cachedBytecode const):
3792         * API/JSVirtualMachine.mm:
3793         (-[JSVirtualMachine vm]):
3794         * API/JSVirtualMachineInternal.h:
3795         * API/tests/testapi.mm:
3796         (testBytecodeCache):
3797         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3798         (testObjectiveCAPI):
3799         * JavaScriptCore.xcodeproj/project.pbxproj:
3800         * SourcesCocoa.txt:
3801         * bytecode/UnlinkedFunctionExecutable.cpp:
3802         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3803         * bytecode/UnlinkedFunctionExecutable.h:
3804         * parser/SourceCodeKey.h:
3805         (JSC::SourceCodeKey::source const):
3806         * parser/SourceProvider.h:
3807         (JSC::CachedBytecode::CachedBytecode):
3808         (JSC::CachedBytecode::operator=):
3809         (JSC::CachedBytecode::data const):
3810         (JSC::CachedBytecode::size const):
3811         (JSC::CachedBytecode::owned const):
3812         (JSC::CachedBytecode::~CachedBytecode):
3813         (JSC::CachedBytecode::freeDataIfOwned):
3814         (JSC::SourceProvider::cachedBytecode const):
3815         * parser/UnlinkedSourceCode.h:
3816         (JSC::UnlinkedSourceCode::provider const):
3817         * runtime/CodeCache.cpp:
3818         (JSC::generateUnlinkedCodeBlockForFunctions):
3819         (JSC::writeCodeBlock):
3820         (JSC::serializeBytecode):
3821         * runtime/CodeCache.h:
3822         (JSC::CodeCacheMap::fetchFromDiskImpl):
3823         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3824         (JSC::generateUnlinkedCodeBlockImpl):
3825         (JSC::generateUnlinkedCodeBlock):
3826         * runtime/Completion.cpp:
3827         (JSC::generateBytecode):
3828         (JSC::generateModuleBytecode):
3829         * runtime/Completion.h:
3830         * runtime/Options.cpp:
3831         (JSC::recomputeDependentOptions):
3832
3833 2019-01-25  Keith Rollin  <krollin@apple.com>
3834
3835         Update WebKitAdditions.xcconfig with correct order of variable definitions
3836         https://bugs.webkit.org/show_bug.cgi?id=193793
3837         <rdar://problem/47532439>
3838
3839         Reviewed by Alex Christensen.
3840
3841         XCBuild changes the way xcconfig variables are evaluated. In short,
3842         all config file assignments are now considered in part of the
3843         evaluation. When using the new build system and an .xcconfig file
3844         contains multiple assignments of the same build setting:
3845
3846         - Later assignments using $(inherited) will inherit from earlier
3847           assignments in the xcconfig file.
3848         - Later assignments not using $(inherited) will take precedence over
3849           earlier assignments. An assignment to a more general setting will
3850           mask an earlier assignment to a less general setting. For example,
3851           an assignment without a condition ('FOO = bar') will completely mask
3852           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3853
3854         This affects some of our .xcconfig files, in that sometimes platform-
3855         or sdk-specific definitions appear before the general definitions.
3856         Under the new evaluation rules, the general definitions always take
3857         effect because they always overwrite the more-specific definitions. The
3858         solution is to swap the order, so that the general definitions are
3859         established first, and then conditionally overwritten by the
3860         more-specific definitions.
3861
3862         * Configurations/Version.xcconfig:
3863
3864 2019-01-25  Keith Rollin  <krollin@apple.com>
3865
3866         Update existing .xcfilelists
3867         https://bugs.webkit.org/show_bug.cgi?id=193791
3868         <rdar://problem/47201706>
3869
3870         Reviewed by Alex Christensen.
3871
3872         Many .xcfilelist files were added in r238824 in order to support
3873         XCBuild. Update these with recent changes to the set of build files
3874         and with the current generate-xcfilelist script.
3875
3876         * DerivedSources-input.xcfilelist:
3877         * DerivedSources-output.xcfilelist:
3878         * UnifiedSources-input.xcfilelist:
3879         * UnifiedSources-output.xcfilelist:
3880
3881 2019-01-25  Jon Davis  <jond@apple.com>
3882
3883         Update JavaScriptCore feature status entries.
3884         https://bugs.webkit.org/show_bug.cgi?id=193797
3885
3886         Reviewed by Mark Lam.
3887         
3888         Updated feature status for Async Iteration, and Object rest/spread.
3889
3890         * features.json:
3891
3892 2019-01-24  Keith Miller  <keith_miller@apple.com>
3893
3894         Remove usage of internal macro from private header
3895         https://bugs.webkit.org/show_bug.cgi?id=193809
3896
3897         Reviewed by Saam Barati.
3898
3899         Also, add a new file to include all of our API headers to make sure
3900         they don't accidentally include C++ or internal values.
3901
3902         * API/JSScript.h: