Allow emulation of user gestures from Web Inspector console
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-02-15  Dean Jackson  <dino@apple.com>
2
3         Allow emulation of user gestures from Web Inspector console
4         https://bugs.webkit.org/show_bug.cgi?id=194725
5         <rdar://problem/48126604>
6
7         Reviewed by Joseph Pecoraro and Devin Rousso.
8
9         * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
10         to the evaluate function, and mark the function as override so that PageRuntimeAgent
11         can change the behaviour.
12         (Inspector::InspectorRuntimeAgent::evaluate):
13         * inspector/agents/InspectorRuntimeAgent.h:
14         * inspector/protocol/Runtime.json:
15
16 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
17
18         [JSC] Do not initialize Wasm related data if Wasm is not enabled
19         https://bugs.webkit.org/show_bug.cgi?id=194728
20
21         Reviewed by Mark Lam.
22
23         Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.
24
25         * runtime/InitializeThreading.cpp:
26         (JSC::initializeThreading):
27         * runtime/JSLock.cpp:
28         (JSC::JSLock::didAcquireLock):
29
30 2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>
31
32         [WTF] Add environment variable helpers
33         https://bugs.webkit.org/show_bug.cgi?id=192405
34
35         Reviewed by Michael Catanzaro.
36
37         * inspector/remote/glib/RemoteInspectorGlib.cpp:
38         (Inspector::RemoteInspector::RemoteInspector):
39         (Inspector::RemoteInspector::start):
40         * jsc.cpp:
41         (startTimeoutThreadIfNeeded):
42         * runtime/Options.cpp:
43         (JSC::overrideOptionWithHeuristic):
44         (JSC::Options::overrideAliasedOptionWithHeuristic):
45         (JSC::Options::initialize):
46         * runtime/VM.cpp:
47         (JSC::enableAssembler):
48         (JSC::VM::VM):
49         * tools/CodeProfiling.cpp:
50         (JSC::CodeProfiling::notifyAllocator):
51         Utilize WTF::Environment where possible.
52
53 2019-02-15  Mark Lam  <mark.lam@apple.com>
54
55         SamplingProfiler::stackTracesAsJSON() should escape strings.
56         https://bugs.webkit.org/show_bug.cgi?id=194649
57         <rdar://problem/48072386>
58
59         Reviewed by Saam Barati.
60
61         Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().
62
63         * runtime/SamplingProfiler.cpp:
64         (JSC::SamplingProfiler::stackTracesAsJSON):
65         * runtime/TypeSet.cpp:
66         (JSC::TypeSet::toJSONString const):
67         (JSC::StructureShape::toJSONString const):
68
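The escaping the entry above adds, as an added example rather than JSC's SamplingProfiler code: a JSON string escaper of the kind a profiler dump needs, plus a constructed frame name that shows what an emitter without it lets through. escapeJSONString, frameToJSON, frameToJSONUnescaped and the sample name are this example's own names, not identifiers from the commit.

```cpp
#include <cstdio>
#include <string>

// Escape `s` for use inside a JSON string literal: the two mandatory escapes
// (quote, backslash), the short forms for common control characters, and
// \u00XX for the rest of U+0000..U+001F. Bytes >= 0x80 pass through, so the
// input is expected to already be UTF-8.
std::string escapeJSONString(const std::string& s)
{
    std::string out;
    out.reserve(s.size() + 2);
    for (unsigned char c : s) {
        switch (c) {
        case '"': out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[8];
                std::snprintf(buf, sizeof buf, "\\u%04x", c);
                out += buf;
            } else
                out += char(c);
        }
    }
    return out;
}

// One stack frame rendered the way a profiler dump might, with the function
// name escaped. The name is attacker-influenced in practice: it comes from the
// script being profiled.
std::string frameToJSON(const std::string& name, unsigned line)
{
    return "{\"name\":\"" + escapeJSONString(name) + "\",\"line\":" + std::to_string(line) + "}";
}

// The same emitter without escaping, kept only as the "before" for comparison:
// a name containing a quote closes the string and injects its own fields.
std::string frameToJSONUnescaped(const std::string& name, unsigned line)
{
    return "{\"name\":\"" + name + "\",\"line\":" + std::to_string(line) + "}";
}
```

With the constructed name `f"},{"evil":1,"g":"`, frameToJSONUnescaped yields `{"name":"f"},{"evil":1,"g":"","line":7}`, two objects where the consumer expected one; frameToJSON keeps it inside a single string value.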
69 2019-02-15  Robin Morisset  <rmorisset@apple.com>
70
71         CodeBlock::jettison should clear related watchpoints
72         https://bugs.webkit.org/show_bug.cgi?id=194544
73
74         Reviewed by Mark Lam.
75
76         * bytecode/CodeBlock.cpp:
77         (JSC::CodeBlock::jettison):
78         * dfg/DFGCommonData.h:
79         (JSC::DFG::CommonData::clearWatchpoints): Added.
80         * dfg/CommonData.cpp:
81         (JSC::DFG::CommonData::clearWatchpoints): Added.
82
83 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
84
85         Move bytecode cache-related filesystem code out of CodeCache
86         https://bugs.webkit.org/show_bug.cgi?id=194675
87
88         Reviewed by Saam Barati.
89
90         That code is only used for the bytecode-cache tests, so it should live in
91         jsc.cpp rather than in the CodeCache.
92
93         * jsc.cpp:
94         (CliSourceProvider::create):
95         (CliSourceProvider::~CliSourceProvider):
96         (CliSourceProvider::cachePath const):
97         (CliSourceProvider::loadBytecode):
98         (CliSourceProvider::CliSourceProvider):
99         (jscSource):
100         (GlobalObject::moduleLoaderFetch):
101         (functionDollarEvalScript):
102         (runWithOptions):
103         * parser/SourceProvider.h:
104         (JSC::SourceProvider::cacheBytecode const):
105         * runtime/CodeCache.cpp:
106         (JSC::writeCodeBlock):
107         * runtime/CodeCache.h:
108         (JSC::CodeCacheMap::fetchFromDiskImpl):
109
110 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
111
112         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
113         https://bugs.webkit.org/show_bug.cgi?id=194714
114
115         Reviewed by Mark Lam.
116
117         Let's consider the following extreme case.
118
119         1. VM (A) is created.
120         2. Another VM (B) is created on a different thread.
121         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
122         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
123         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
124         6. (A) sees the half-baked worklist, which may be in the middle of creation.
125
126         This patch puts a store-store fence just before putting a pointer into a global variable.
127         This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.
128
129         * dfg/DFGWorklist.cpp:
130         (JSC::DFG::ensureGlobalDFGWorklist):
131         (JSC::DFG::ensureGlobalFTLWorklist):
132         * wasm/WasmWorklist.cpp:
133         (JSC::Wasm::ensureWorklist):
134
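The publication race the entry above walks through, as an added example and not JSC's DFGWorklist code: the global pointer is written with a release store (the role the commit's store-store fence plays) only after the object is fully constructed, and the non-blocking reader uses an acquire load, so a non-null pointer is never a half-built object. Worklist, ensureGlobalWorklist, existingGlobalWorklistOrNull and countTornObservations are this example's own names, the worklist contents are a stand-in, and a mutex with double-checked locking is used in place of call_once; all of that is assumed, not taken from the commit.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for a compiler worklist (assumed shape, not JSC's). The fields are
// what a reader must never observe half-initialized.
struct Worklist {
    static constexpr uint32_t kMagic = 0x574b4c53u;
    explicit Worklist(unsigned threads)
        : numberOfThreads(threads)
        , magic(kMagic)
    {
    }
    unsigned numberOfThreads;
    uint32_t magic; // sentinel a reader checks to detect a torn publication
};

// The global slot plus the lock that serializes creation. The release store
// orders every store the constructor made before the pointer itself becomes
// visible, which is what the store-store fence in the commit guarantees.
static std::atomic<Worklist*> g_worklist { nullptr };
static std::mutex g_worklistLock;

// Creator path: construct fully first, publish last.
Worklist& ensureGlobalWorklist(unsigned threads)
{
    if (Worklist* existing = g_worklist.load(std::memory_order_acquire))
        return *existing;
    std::lock_guard<std::mutex> locker(g_worklistLock);
    if (Worklist* existing = g_worklist.load(std::memory_order_acquire))
        return *existing;
    Worklist* worklist = new Worklist(threads); // process-lifetime singleton, never freed
    g_worklist.store(worklist, std::memory_order_release);
    return *worklist;
}

// Reader path (what a VM destructor would use): no lock, no blocking, just
// the pointer. The acquire load pairs with the release store above.
Worklist* existingGlobalWorklistOrNull()
{
    return g_worklist.load(std::memory_order_acquire);
}

// Race the two paths: `readers` threads poll until they see the global while
// one thread creates it. Returns how many readers saw a torn object; with the
// ordering above that is always zero.
unsigned countTornObservations(unsigned readers)
{
    std::atomic<unsigned> torn { 0 };
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < readers; ++i) {
        threads.emplace_back([&torn] {
            Worklist* worklist = nullptr;
            while (!(worklist = existingGlobalWorklistOrNull())) { }
            if (worklist->magic != Worklist::kMagic || worklist->numberOfThreads != 2)
                torn.fetch_add(1, std::memory_order_relaxed);
        });
    }
    threads.emplace_back([] { ensureGlobalWorklist(2); });
    for (std::thread& thread : threads)
        thread.join();
    return torn.load();
}
```

Without the release/acquire pair (a plain pointer store after `new`), the compiler or the CPU may reorder the constructor's field stores after the pointer store, and a reader on another core can see the sentinel or the thread count still zero; the fence is what makes the pointer a proof that construction finished.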
135 2019-02-15  Commit Queue  <commit-queue@webkit.org>
136
137         Unreviewed, rolling out r241559 and r241566.
138         https://bugs.webkit.org/show_bug.cgi?id=194710
139
140         Causes layout test crashes under GuardMalloc (Requested by
141         ryanhaddad on #webkit).
142
143         Reverted changesets:
144
145         "[WTF] Add environment variable helpers"
146         https://bugs.webkit.org/show_bug.cgi?id=192405
147         https://trac.webkit.org/changeset/241559
148
149         "Unreviewed build fix for WinCairo Debug after r241559."
150         https://trac.webkit.org/changeset/241566
151
152 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
153
154         [JSC] Do not even allocate JIT worklists in non-JIT mode
155         https://bugs.webkit.org/show_bug.cgi?id=194693
156
157         Reviewed by Mark Lam.
158
159         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
160         And we do not perform any GC operations that are only meaningful in a JIT environment.
161
162         1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
163         2. We remove DFG marking constraint in non-JIT mode.
164         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
165         4. We do not visit JITStubRoutineSet.
166         5. Align JITWorklist function names to the other worklists.
167
168         * dfg/DFGOSRExitPreparation.cpp:
169         (JSC::DFG::prepareCodeOriginForOSRExit):
170         * dfg/DFGPlan.h:
171         * dfg/DFGWorklist.cpp:
172         (JSC::DFG::markCodeBlocks): Deleted.
173         * dfg/DFGWorklist.h:
174         * heap/Heap.cpp:
175         (JSC::Heap::completeAllJITPlans):
176         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
177         (JSC::Heap::gatherScratchBufferRoots):
178         (JSC::Heap::removeDeadCompilerWorklistEntries):
179         (JSC::Heap::stopThePeriphery):
180         (JSC::Heap::suspendCompilerThreads):
181         (JSC::Heap::resumeCompilerThreads):
182         (JSC::Heap::addCoreConstraints):
183         * jit/JITWorklist.cpp:
184         (JSC::JITWorklist::existingGlobalWorklistOrNull):
185         (JSC::JITWorklist::ensureGlobalWorklist):
186         (JSC::JITWorklist::instance): Deleted.
187         * jit/JITWorklist.h:
188         * llint/LLIntSlowPaths.cpp:
189         (JSC::LLInt::jitCompileAndSetHeuristics):
190         * runtime/VM.cpp:
191         (JSC::VM::~VM):
192         (JSC::VM::gatherScratchBufferRoots):
193         (JSC::VM::gatherConservativeRoots): Deleted.
194         * runtime/VM.h:
195
196 2019-02-15  Saam barati  <sbarati@apple.com>
197
198         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
199         https://bugs.webkit.org/show_bug.cgi?id=194036
200
201         Reviewed by Yusuke Suzuki.
202
203         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
204         use linear scan for register allocation. Instead of linear scan, Air-O0 does
205         mostly block-local register allocation, and it does this as it's emitting
206         code directly. The register allocator uses liveness analysis to reduce
207         the number of spills. Doing register allocation as we're emitting code
208         allows us to skip editing the IR to insert spills, which saves a non-trivial
209         amount of compile time. For stack allocation, we give each Tmp its own slot.
210         This is less than ideal. We probably want to do some trivial live range analysis
211         in the future. The reason this isn't a deal breaker for Wasm is that this patch
212         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
213         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
214         
215         This patch is another 25% Wasm startup time speedup. It seems to be worth
216         another 1% on JetStream2.
217
218         * JavaScriptCore.xcodeproj/project.pbxproj:
219         * Sources.txt:
220         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
221         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
222         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
223         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
224         (JSC::B3::Air::callFrameAddr):
225         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
226         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
227         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
228         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
229         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
230         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
231         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
232         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
233         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
234         * b3/air/AirCode.cpp:
235         * b3/air/AirCode.h:
236         * b3/air/AirGenerate.cpp:
237         (JSC::B3::Air::prepareForGeneration):
238         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
239         (JSC::B3::Air::generate):
240         * b3/air/AirHandleCalleeSaves.cpp:
241         (JSC::B3::Air::handleCalleeSaves):
242         * b3/air/AirHandleCalleeSaves.h:
243         * b3/air/AirTmpMap.h:
244         * runtime/Options.h:
245         * wasm/WasmAirIRGenerator.cpp:
246         (JSC::Wasm::AirIRGenerator::didKill):
247         (JSC::Wasm::AirIRGenerator::newTmp):
248         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
249         (JSC::Wasm::parseAndCompileAir):
250         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
251         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
252         * wasm/WasmAirIRGenerator.h:
253         * wasm/WasmB3IRGenerator.cpp:
254         (JSC::Wasm::B3IRGenerator::didKill):
255         * wasm/WasmBBQPlan.cpp:
256         (JSC::Wasm::BBQPlan::compileFunctions):
257         * wasm/WasmFunctionParser.h:
258         (JSC::Wasm::FunctionParser<Context>::parseBody):
259         (JSC::Wasm::FunctionParser<Context>::parseExpression):
260         * wasm/WasmValidate.cpp:
261         (JSC::Wasm::Validate::didKill):
262
263 2019-02-14  Saam barati  <sbarati@apple.com>
264
265         lowerStackArgs should lower Lea32/64 on ARM64 to Add
266         https://bugs.webkit.org/show_bug.cgi?id=194656
267
268         Reviewed by Yusuke Suzuki.
269
270         On arm64, Lea is just implemented as an add. However, Air treats it as an
271         address with a given width. Because of this width, we were incorrectly
272         computing whether or not this immediate could fit into the instruction itself
273         or it needed to be explicitly put into a register. This patch makes
274         AirLowerStackArgs lower Lea to Add on arm64.
275
276         * b3/air/AirLowerStackArgs.cpp:
277         (JSC::B3::Air::lowerStackArgs):
278         * b3/air/AirOpcode.opcodes:
279         * b3/air/testair.cpp:
280
281 2019-02-14  Saam Barati  <sbarati@apple.com>
282
283         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
284         https://bugs.webkit.org/show_bug.cgi?id=194583
285         <rdar://problem/48028140>
286
287         Reviewed by Yusuke Suzuki.
288
289         This patch makes it so that getVariablesUnderTDZ caches a result of
290         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
291         it's called in an environment where there are a lot of variables.
292         This patch makes it so we cache its results. This is profitable when
293         getVariablesUnderTDZ is called repeatedly with the same environment
294         state. This is common since we call this every time we encounter a
295         function definition/expression node.
296
297         * builtins/BuiltinExecutables.cpp:
298         (JSC::BuiltinExecutables::createExecutable):
299         * bytecode/UnlinkedFunctionExecutable.cpp:
300         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
301         * bytecode/UnlinkedFunctionExecutable.h:
302         * bytecompiler/BytecodeGenerator.cpp:
303         (JSC::BytecodeGenerator::popLexicalScopeInternal):
304         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
305         (JSC::BytecodeGenerator::pushTDZVariables):
306         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
307         (JSC::BytecodeGenerator::restoreTDZStack):
308         * bytecompiler/BytecodeGenerator.h:
309         (JSC::BytecodeGenerator::makeFunction):
310         * parser/VariableEnvironment.cpp:
311         (JSC::CompactVariableMap::Handle::Handle):
312         (JSC::CompactVariableMap::Handle::operator=):
313         * parser/VariableEnvironment.h:
314         (JSC::CompactVariableMap::Handle::operator bool const):
315         * runtime/CodeCache.cpp:
316         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
317
318 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
319
320         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
321         https://bugs.webkit.org/show_bug.cgi?id=194659
322
323         Reviewed by Mark Lam.
324
325         Non-JIT entrypoints create a NativeJITCode every time they are called. But this is meaningless since the entry point code is identical.
326         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
327         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
328
329         * dfg/DFGJITCode.h:
330         * dfg/DFGJITFinalizer.cpp:
331         (JSC::DFG::JITFinalizer::finalize):
332         (JSC::DFG::JITFinalizer::finalizeFunction):
333         * jit/JITCode.cpp:
334         (JSC::DirectJITCode::initializeCodeRefForDFG):
335         (JSC::DirectJITCode::initializeCodeRef): Deleted.
336         (JSC::NativeJITCode::initializeCodeRef): Deleted.
337         * jit/JITCode.h:
338         * llint/LLIntEntrypoint.cpp:
339         (JSC::LLInt::setFunctionEntrypoint):
340         (JSC::LLInt::setEvalEntrypoint):
341         (JSC::LLInt::setProgramEntrypoint):
342         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
343
344 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
345
346         [WTF] Add environment variable helpers
347         https://bugs.webkit.org/show_bug.cgi?id=192405
348
349         Reviewed by Michael Catanzaro.
350
351         * inspector/remote/glib/RemoteInspectorGlib.cpp:
352         (Inspector::RemoteInspector::RemoteInspector):
353         (Inspector::RemoteInspector::start):
354         * jsc.cpp:
355         (startTimeoutThreadIfNeeded):
356         * runtime/Options.cpp:
357         (JSC::overrideOptionWithHeuristic):
358         (JSC::Options::overrideAliasedOptionWithHeuristic):
359         (JSC::Options::initialize):
360         * runtime/VM.cpp:
361         (JSC::enableAssembler):
362         (JSC::VM::VM):
363         * tools/CodeProfiling.cpp:
364         (JSC::CodeProfiling::notifyAllocator):
365         Utilize WTF::Environment where possible.
366
367 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
368
369         [JSC] Should have default NativeJITCode
370         https://bugs.webkit.org/show_bug.cgi?id=194634
371
372         Reviewed by Mark Lam.
373
374         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create a NativeExecutable.
375         This is meaningless since we do not modify NativeJITCode after creation. This patch adds a singleton used as the default one.
376         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
377         allocations, which take 14KB.
378
379         * runtime/VM.cpp:
380         (JSC::jitCodeForCallTrampoline):
381         (JSC::jitCodeForConstructTrampoline):
382         (JSC::VM::getHostFunction):
383
384 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
385
386         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
387         https://bugs.webkit.org/show_bug.cgi?id=194576
388
389         Reviewed by Saam Barati.
390
391         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
392         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
393
394         * bytecode/UnlinkedFunctionExecutable.cpp:
395         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
396         (JSC::UnlinkedFunctionExecutable::link):
397         * bytecode/UnlinkedFunctionExecutable.h:
398         * runtime/CodeCache.cpp:
399         (JSC::generateUnlinkedCodeBlockForFunctions):
400
401 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
402
403         CachedBitVector's size must be converted from bits to bytes
404         https://bugs.webkit.org/show_bug.cgi?id=194441
405
406         Reviewed by Saam Barati.
407
408         CachedBitVector used its size in bits for memcpy. That didn't cause any
409         issues when encoding, since the size in bits was also used in the allocation,
410         but would overflow the actual BitVector buffer when decoding.
411
412         * runtime/CachedTypes.cpp:
413         (JSC::CachedBitVector::encode):
414         (JSC::CachedBitVector::decode const):
415
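The unit mix-up the entry above describes, as an added example that is not JSC's CachedBitVector: a serialized bit vector whose header carries the size in bits, a decoder that converts that count to bytes (and rejects a record too short for it) before the memcpy, and a function that reports how far a copy using the bit count would run past a correctly sized destination. BitVector, encode, decode, decodeOverrunWithBitCount and the record layout are this example's own constructions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Toy bit vector (an illustration, not WTF::BitVector): `bits` valid bits kept
// in 64-bit words.
struct BitVector {
    size_t bits = 0;
    std::vector<uint64_t> words;
    explicit BitVector(size_t n) : bits(n), words((n + 63) / 64, 0) { }
    void set(size_t i) { words[i / 64] |= uint64_t(1) << (i % 64); }
    bool get(size_t i) const { return (words[i / 64] >> (i % 64)) & 1; }
};

// Bytes the word payload occupies for a given bit count: the unit conversion
// the decoder has to perform.
static size_t payloadBytes(size_t bits)
{
    return ((bits + 63) / 64) * sizeof(uint64_t);
}

// Record layout constructed for this example: 8-byte bit count, then the words.
std::vector<uint8_t> encode(const BitVector& v)
{
    uint64_t bits = v.bits;
    std::vector<uint8_t> out(sizeof(bits) + payloadBytes(v.bits));
    std::memcpy(out.data(), &bits, sizeof(bits));
    if (!v.words.empty())
        std::memcpy(out.data() + sizeof(bits), v.words.data(), payloadBytes(v.bits));
    return out;
}

// Correct decoder: the copy length is the bit count converted to bytes, and a
// record whose payload is shorter than that is rejected instead of read past.
bool decode(const std::vector<uint8_t>& in, BitVector& out)
{
    uint64_t bits;
    if (in.size() < sizeof(bits))
        return false;
    std::memcpy(&bits, in.data(), sizeof(bits));
    size_t available = in.size() - sizeof(bits);
    if (bits > available * 8) // cannot fit; also keeps the rounding below from overflowing
        return false;
    size_t bytes = payloadBytes(bits);
    if (available < bytes) // the count rounds up to a word the record does not carry
        return false;
    out = BitVector(bits);
    if (bytes)
        std::memcpy(out.words.data(), in.data() + sizeof(bits), bytes);
    return true;
}

// The defect the commit fixed, in outline: a decoder that hands the bit count
// to memcpy. Rather than perform the overrun, this returns how many bytes past
// the end of a correctly sized destination such a copy would write.
long decodeOverrunWithBitCount(const std::vector<uint8_t>& in)
{
    uint64_t bits;
    std::memcpy(&bits, in.data(), sizeof(bits));
    size_t destinationBytes = payloadBytes(bits);
    size_t copyLength = bits; // bits used where bytes were meant
    return long(copyLength) - long(destinationBytes);
}

// Round trip of a constructed 100-bit vector with bits set at word boundaries.
bool roundTripPreservesBits()
{
    BitVector v(100);
    v.set(0); v.set(63); v.set(64); v.set(99);
    BitVector d(0);
    if (!decode(encode(v), d) || d.bits != 100)
        return false;
    return d.get(0) && d.get(63) && d.get(64) && d.get(99) && !d.get(1) && !d.get(98);
}

// Constructed malformed records: one truncated by four bytes, one whose header
// claims more bits than the payload can hold.
bool rejectsShortAndTamperedRecords()
{
    BitVector v(100);
    v.set(5);
    std::vector<uint8_t> record = encode(v);
    std::vector<uint8_t> truncated(record.begin(), record.end() - 4);
    BitVector out(0);
    if (decode(truncated, out))
        return false;
    record[0] = 0xff; // low byte of the count on little-endian hosts: now claims 255 bits
    return !decode(record, out);
}
```

For 100 bits the payload is two words, 16 bytes, so a copy of 100 bytes overruns the destination by 84; that is the "overflow the actual BitVector buffer when decoding" of the entry, and on the decode side the input is whatever is on disk, so the length check matters as much as the unit conversion.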
416 2019-02-13  Brian Burg  <bburg@apple.com>
417
418         Web Inspector: don't include accessibility role in DOM.Node object payloads
419         https://bugs.webkit.org/show_bug.cgi?id=194623
420         <rdar://problem/36384037>
421
422         Reviewed by Devin Rousso.
423
424         Remove property of DOM.Node that is no longer being sent.
425
426         * inspector/protocol/DOM.json:
427
428 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
429
430         We should only make rope strings when concatenating strings long enough.
431         https://bugs.webkit.org/show_bug.cgi?id=194465
432
433         Reviewed by Mark Lam.
434
435         This patch stops us from allocating a rope string if the resulting
436         rope would be smaller than the size of the JSRopeString object we
437         would need to allocate.
438
439         This patch also adds paths so that we don't unnecessarily allocate
440         JSString cells for primitives we are going to concatenate with a
441         string anyway.
442
443         The important change from the previous one is that we do not apply
444         the above rule to JSRopeStrings generated by JSStrings. If we convert
445         it to a JSString, the comparison of memory consumption becomes the following,
446         because JSRopeString does not have StringImpl until it is resolved.
447
448             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
449
450         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
451         resolving eagerly increases memory footprint. The point is that we need to
452         account for newly created JSString and JSRopeString from the operands. This is the
453         reason why this patch adds different thresholds for each jsString function.
454
455         This patch also avoids concatenation for ropes conservatively. Many ropes are
456         temporary cells. So we do not resolve eagerly if one of operands is already a
457         rope.
458
459         In CLI execution, this change is performance neutral in JetStream2 (run 6 times: 1 for warming up, and the average of the latter 5).
460
461             Before: 159.3778
462             After:  160.72340000000003
463
464         * dfg/DFGOperations.cpp:
465         * runtime/CommonSlowPaths.cpp:
466         (JSC::SLOW_PATH_DECL):
467         * runtime/JSString.h:
468         (JSC::JSString::isRope const):
469         * runtime/Operations.cpp:
470         (JSC::jsAddSlowCase):
471         * runtime/Operations.h:
472         (JSC::jsString):
473         (JSC::jsAddNonNumber):
474         (JSC::jsAdd):
475
476 2019-02-13  Saam Barati  <sbarati@apple.com>
477
478         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
479         https://bugs.webkit.org/show_bug.cgi?id=194610
480
481         Reviewed by Michael Saboff.
482
483         BinarySwitch might use the scratch register. We must model the
484         effects of that properly. This is already caught by our br-table
485         tests on arm64.
486
487         * wasm/WasmAirIRGenerator.cpp:
488         (JSC::Wasm::AirIRGenerator::addSwitch):
489
490 2019-02-13  Mark Lam  <mark.lam@apple.com>
491
492         Create a randomized free list for new StructureIDs on StructureIDTable resize.
493         https://bugs.webkit.org/show_bug.cgi?id=194566
494         <rdar://problem/47975502>
495
496         Reviewed by Michael Saboff.
497
498         Also isolate the 32-bit implementation of StructureIDTable out more, so the 64-bit
499         implementation is a little easier to read.
500
501         This patch appears to be perf neutral on JetStream2 (as run from the command line).
502
503         * runtime/StructureIDTable.cpp:
504         (JSC::StructureIDTable::StructureIDTable):
505         (JSC::StructureIDTable::makeFreeListFromRange):
506         (JSC::StructureIDTable::resize):
507         (JSC::StructureIDTable::allocateID):
508         (JSC::StructureIDTable::deallocateID):
509         * runtime/StructureIDTable.h:
510         (JSC::StructureIDTable::get):
511         (JSC::StructureIDTable::deallocateID):
512         (JSC::StructureIDTable::allocateID):
513         (JSC::StructureIDTable::flushOldTables):
514
515 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
516
517         VariableLengthObject::allocate<T> should initialize objects
518         https://bugs.webkit.org/show_bug.cgi?id=194534
519
520         Reviewed by Michael Saboff.
521
522         `buffer()` should not be called for empty VariableLengthObjects, but
523         these cases were not being caught due to the objects not being properly
524         initialized. Fix it so that allocate calls the constructor and fix the
525         assertion failures.
526
527         * runtime/CachedTypes.cpp:
528         (JSC::CachedObject::operator new):
529         (JSC::VariableLengthObject::allocate):
530         (JSC::CachedVector::encode):
531         (JSC::CachedVector::decode const):
532         (JSC::CachedUniquedStringImpl::decode const):
533         (JSC::CachedBitVector::encode):
534         (JSC::CachedBitVector::decode const):
535         (JSC::CachedArray::encode):
536         (JSC::CachedArray::decode const):
537         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
538         (JSC::CachedBigInt::decode const):
539
540 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
541
542         CodeBlocks read from disk should not be re-written
543         https://bugs.webkit.org/show_bug.cgi?id=194535
544
545         Reviewed by Michael Saboff.
546
547         Keep track of which CodeBlocks have been read from disk or have already
548         been serialized in CodeCache.
549
550         * runtime/CodeCache.cpp:
551         (JSC::CodeCache::write):
552         * runtime/CodeCache.h:
553         (JSC::SourceCodeValue::SourceCodeValue):
554         (JSC::CodeCacheMap::fetchFromDiskImpl):
555
556 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
557
558         SourceCode should be copied when generating bytecode for functions
559         https://bugs.webkit.org/show_bug.cgi?id=194536
560
561         Reviewed by Saam Barati.
562
563         The FunctionExecutable might be collected while generating the bytecode
564         for nested functions, in which case the SourceCode reference would no
565         longer be valid.
566
567         * runtime/CodeCache.cpp:
568         (JSC::generateUnlinkedCodeBlockForFunctions):
569
570 2019-02-12  Saam barati  <sbarati@apple.com>
571
572         JSScript needs to retain its cache path NSURL*
573         https://bugs.webkit.org/show_bug.cgi?id=194577
574
575         Reviewed by Tim Horton.
576
577         * API/JSScript.mm:
578         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
579         (-[JSScript dealloc]):
580
581 2019-02-12  Robin Morisset  <rmorisset@apple.com>
582
583         Make B3Value::returnsBool() more precise
584         https://bugs.webkit.org/show_bug.cgi?id=194457
585
586         Reviewed by Saam Barati.
587
588         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
589         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
590         No new tests added as this should be indirectly tested by the already existing tests.
591
592         * b3/B3Value.cpp:
593         (JSC::B3::Value::returnsBool const):
594
595 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
596
597         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
598         https://bugs.webkit.org/show_bug.cgi?id=194399
599         <rdar://problem/47889777>
600
601         * dfg/DFGDoesGC.cpp:
602         (JSC::DFG::doesGC):
603
604 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
605
606         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
607         https://bugs.webkit.org/show_bug.cgi?id=194370
608
609         Reviewed by Darin Adler.
610
611         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
612         necessary, but it will make errors more visible.
613
614         * inspector/remote/glib/RemoteInspectorGlib.cpp:
615         (Inspector::RemoteInspector::start):
616         (Inspector::dbusConnectionCallAsyncReadyCallback):
617         * inspector/remote/glib/RemoteInspectorServer.cpp:
618         (Inspector::RemoteInspectorServer::start):
619
620 2019-02-12  Andy Estes  <aestes@apple.com>
621
622         [iOSMac] Enable Parental Controls Content Filtering
623         https://bugs.webkit.org/show_bug.cgi?id=194521
624         <rdar://39732376>
625
626         Reviewed by Tim Horton.
627
628         * Configurations/FeatureDefines.xcconfig:
629
630 2019-02-11  Mark Lam  <mark.lam@apple.com>
631
632         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
633         https://bugs.webkit.org/show_bug.cgi?id=194512
634         <rdar://problem/47975465>
635
636         Reviewed by Yusuke Suzuki.
637
638         * runtime/StructureIDTable.cpp:
639         (JSC::StructureIDTable::StructureIDTable):
640         (JSC::StructureIDTable::allocateID):
641         (JSC::StructureIDTable::deallocateID):
642         * runtime/StructureIDTable.h:
643
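The two StructureIDTable entries on this page, this one and the 2019-02-13 "Create a randomized free list for new StructureIDs on StructureIDTable resize." entry above, as one added example. It is a model, not JSC's StructureIDTable: IDs added by a resize are shuffled before being threaded into the free list, and a freed ID is spliced back a random distance down the list instead of at the head, so the next allocateID does not hand it straight back. StructureIDTable, makeFreeListFromRange, allocateID, deallocateID, maxInsertionDepth and the two helper functions are this example's own names, and the bounded insertion depth is an assumed policy rather than the one JSC implements.

```cpp
#include <algorithm>
#include <cstdint>
#include <numeric>
#include <random>
#include <vector>

// Model of an ID table: slot i holds the owning object while allocated, or the
// next free slot while on the free list. Slot 0 is reserved so that 0 can mean
// "no ID".
class StructureIDTable {
public:
    using StructureID = uint32_t;
    static constexpr uint32_t maxInsertionDepth = 8; // assumed policy, see deallocateID

    explicit StructureIDTable(uint32_t seed) : m_random(seed) { }

    StructureID allocateID(void* structure)
    {
        if (!m_firstFreeOffset)
            grow();
        StructureID id = m_firstFreeOffset;
        m_firstFreeOffset = m_table[id].nextFree;
        m_table[id] = { structure, 0 };
        return id;
    }

    // A freed ID is spliced a random distance down the free list rather than
    // pushed at its head, so the very next allocateID does not hand it back.
    void deallocateID(StructureID id)
    {
        m_table[id].structure = nullptr;
        uint32_t depth = m_random() % (maxInsertionDepth + 1);
        StructureID* link = &m_firstFreeOffset;
        while (depth-- && *link)
            link = &m_table[*link].nextFree;
        m_table[id].nextFree = *link;
        *link = id;
    }

    void* get(StructureID id) const { return m_table[id].structure; }

private:
    struct Entry {
        void* structure = nullptr;
        StructureID nextFree = 0;
    };

    void grow()
    {
        StructureID first = m_table.empty() ? 1 : StructureID(m_table.size());
        m_table.resize(m_table.empty() ? 8 : m_table.size() * 2);
        makeFreeListFromRange(first, StructureID(m_table.size()));
    }

    // Shuffle the new IDs before threading them into the free list, so the
    // sequence of IDs handed out does not follow the table layout.
    void makeFreeListFromRange(StructureID first, StructureID end)
    {
        std::vector<StructureID> ids(end - first);
        std::iota(ids.begin(), ids.end(), first);
        std::shuffle(ids.begin(), ids.end(), m_random);
        for (StructureID id : ids) {
            m_table[id].nextFree = m_firstFreeOffset;
            m_firstFreeOffset = id;
        }
    }

    std::vector<Entry> m_table;
    StructureID m_firstFreeOffset = 0;
    std::mt19937 m_random;
};

// Allocate `count` IDs from a fresh table and check that, sorted, they are
// exactly 1..count and each maps back to its owner: the shuffle changes the
// order, never the set.
bool firstAllocationsCoverRange(uint32_t seed, uint32_t count)
{
    int owner;
    StructureIDTable table(seed);
    std::vector<uint32_t> ids;
    for (uint32_t i = 0; i < count; ++i)
        ids.push_back(table.allocateID(&owner));
    std::sort(ids.begin(), ids.end());
    for (uint32_t i = 0; i < count; ++i) {
        if (ids[i] != i + 1 || table.get(ids[i]) != &owner)
            return false;
    }
    return true;
}

// Across `trials` fresh tables (20 live IDs, 11 free), count how often a
// just-freed ID comes straight back from the next allocation. A head-only
// free list would return `trials` every time.
unsigned immediateReuseCount(unsigned trials)
{
    int owner;
    unsigned reused = 0;
    for (unsigned seed = 1; seed <= trials; ++seed) {
        StructureIDTable table(seed);
        std::vector<uint32_t> ids;
        for (int i = 0; i < 20; ++i)
            ids.push_back(table.allocateID(&owner));
        table.deallocateID(ids[10]);
        if (table.allocateID(&owner) == ids[10])
            ++reused;
    }
    return reused;
}
```

A table whose IDs come out in table order, or whose freed ID is the very next one allocated, is one whose future IDs an attacker can predict from past ones; both randomizations remove that predictability without changing the table's functional contract, which is why the two commits report no perf change.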
644 2019-02-10  Mark Lam  <mark.lam@apple.com>
645
646         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
647         https://bugs.webkit.org/show_bug.cgi?id=194493
648         <rdar://problem/36380852>
649
650         Reviewed by Yusuke Suzuki.
651
652         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
653         however not good for performance and memory usage.  As such, a debug ASSERT will
654         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
655         possible to be instantiated with duplicate cases in
656         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
657
658         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
659         see duplicate cases.
660
661         * jit/BinarySwitch.cpp:
662         (JSC::BinarySwitch::BinarySwitch):
663
664 2019-02-10  Darin Adler  <darin@apple.com>
665
666         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
667         https://bugs.webkit.org/show_bug.cgi?id=194485
668
669         Reviewed by Daniel Bates.
670
671         * heap/HeapSnapshotBuilder.cpp:
672         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
673         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
674
675         * runtime/JSGlobalObjectFunctions.cpp:
676         (JSC::encode): Removed some unneeded casts in StringBuilder code,
677         including one in a call to appendByteAsHex.
678         (JSC::globalFuncEscape): Ditto.
679
680 2019-02-10  Commit Queue  <commit-queue@webkit.org>
681
682         Unreviewed, rolling out r241230.
683         https://bugs.webkit.org/show_bug.cgi?id=194488
684
685         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
686         #webkit).
687
688         Reverted changeset:
689
690         "We should only make rope strings when concatenating strings
691         long enough."
692         https://bugs.webkit.org/show_bug.cgi?id=194465
693         https://trac.webkit.org/changeset/241230
694
695 2019-02-10  Saam barati  <sbarati@apple.com>
696
697         BBQ-Air: Emit better code for switch
698         https://bugs.webkit.org/show_bug.cgi?id=194053
699
700         Reviewed by Yusuke Suzuki.
701
702         Instead of emitting a linear set of jumps for Switch, this patch
703         makes the BBQ-Air backend emit a binary switch.
704
705         * wasm/WasmAirIRGenerator.cpp:
706         (JSC::Wasm::AirIRGenerator::addSwitch):
707
708 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
709
710         Unreviewed, Lexer should use isLatin1 implementation in WTF
711         https://bugs.webkit.org/show_bug.cgi?id=194466
712
713         Follow-up after r241233, pointed out by Darin.
714
715         * parser/Lexer.cpp:
716         (JSC::isLatin1): Deleted.
717
718 2019-02-09  Darin Adler  <darin@apple.com>
719
720         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
721         https://bugs.webkit.org/show_bug.cgi?id=194021
722
723         Reviewed by Geoffrey Garen.
724
725         * inspector/agents/InspectorConsoleAgent.cpp:
726         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
727         makeString do the conversion without allocating/destroying a String.
728         * inspector/agents/InspectorDebuggerAgent.cpp:
729         (Inspector::objectGroupForBreakpointAction): Ditto.
730         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
731         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
732         * runtime/JSGenericTypedArrayViewInlines.h:
733         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
734         * runtime/NumberPrototype.cpp:
735         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
736         of calling numberToFixedWidthString to do the same thing.
737         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
738         numberToFixedPrecisionString to do the same thing.
739         * runtime/SamplingProfiler.cpp:
740         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
741
742 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
743
744         Unreviewed, rolling in r241237 again
745         https://bugs.webkit.org/show_bug.cgi?id=194469
746
747         * runtime/JSString.h:
748         (JSC::jsSubstring):
749
750 2019-02-09  Commit Queue  <commit-queue@webkit.org>
751
752         Unreviewed, rolling out r241237.
753         https://bugs.webkit.org/show_bug.cgi?id=194474
754
755         Shows significant memory increase in WSL (Requested by
756         yusukesuzuki on #webkit).
757
758         Reverted changeset:
759
760         "[WTF] Use BufferInternal StringImpl if substring StringImpl
761         takes more memory"
762         https://bugs.webkit.org/show_bug.cgi?id=194469
763         https://trac.webkit.org/changeset/241237
764
765 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
766
767         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
768         https://bugs.webkit.org/show_bug.cgi?id=194469
769
770         Reviewed by Geoffrey Garen.
771
772         * runtime/JSString.h:
773         (JSC::jsSubstring):
774
775 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
776
777         [JSC] CachedTypes should use jsString instead of JSString::create
778         https://bugs.webkit.org/show_bug.cgi?id=194471
779
780         Reviewed by Mark Lam.
781
782         Use jsString() here because JSString::create is a rather low-level API and it requires some invariants like "length is not zero".
783
784         * runtime/CachedTypes.cpp:
785         (JSC::CachedJSValue::decode const):
786
787 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
788
789         [JSC] Increase StructureIDTable initial capacity
790         https://bugs.webkit.org/show_bug.cgi?id=194468
791
792         Reviewed by Mark Lam.
793
794         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in the
795         JSC shell), 281, already exceeds the current initial value of 256. We should increase the capacity since
796         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
797         more memory dirty. We also remove some structures that are no longer used.
798
799         * runtime/JSGlobalObject.h:
800         (JSC::JSGlobalObject::callbackObjectStructure const):
801         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
802         * runtime/StructureIDTable.h:
803         * runtime/VM.h:
804
805 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
806
807         [JSC] String.fromCharCode's slow path always generates 16bit string
808         https://bugs.webkit.org/show_bug.cgi?id=194466
809
810         Reviewed by Keith Miller.
811
812         String.fromCharCode(a1) has a fast path and is the most frequently used form. String.fromCharCode(a1, a2, ...)
813         goes to the slow path. However, in the slow path we always create a 16-bit string. A 16-bit string takes 2x the memory
814         and, even worse, taints a rope as 16-bit if a 16-bit string is included in it. We find that acorn-wtb
815         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
816         16-bit strings. However, only a few of these strings are actually 16-bit strings. This patch attempts to make 8-bit strings
817         as much as possible.
818
819         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
820
821         * runtime/StringConstructor.cpp:
822         (JSC::stringFromCharCode):
823
824 2019-02-08  Keith Miller  <keith_miller@apple.com>
825
826         We should only make rope strings when concatenating strings long enough.
827         https://bugs.webkit.org/show_bug.cgi?id=194465
828
829         Reviewed by Saam Barati.
830
831         This patch stops us from allocating a rope string if the resulting
832         rope would be smaller than the size of the JSRopeString object we
833         would need to allocate.
834
835         This patch also adds paths so that we don't unnecessarily allocate
836         JSString cells for primitives we are going to concatenate with a
837         string anyway.
838
839         * dfg/DFGOperations.cpp:
840         * runtime/CommonSlowPaths.cpp:
841         (JSC::SLOW_PATH_DECL):
842         * runtime/JSString.h:
843         * runtime/Operations.cpp:
844         (JSC::jsAddSlowCase):
845         * runtime/Operations.h:
846         (JSC::jsString):
847         (JSC::jsAdd):
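
The two string-representation entries above (the 8-bit String.fromCharCode slow path in the 2019-02-08 entry by Yusuke Suzuki, and the rope-size threshold in this entry), as one added illustration written for this page and not JavaScriptCore's code: a toy JSString model that picks Latin-1 storage when every code unit fits in a byte, lets a single 16-bit fiber taint a rope as 16-bit, and copies instead of building a rope when the flat result would be smaller than the rope cell. kRopeCellBytes is a hypothetical stand-in for sizeof(JSRopeString), which the entry does not state, and comparing flat byte size against it is one reading of the entry's threshold.

```cpp
// Added example, not JavaScriptCore code: a toy model of JSC-style string storage.
#include <cassert>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

struct ToyString;
using StringPtr = std::shared_ptr<ToyString>;

struct ToyString {
    size_t length = 0;
    bool is8Bit = true;            // Latin-1: one byte per code unit
    std::vector<uint8_t> latin1;   // backing store when is8Bit and not a rope
    std::vector<uint16_t> utf16;   // backing store when !is8Bit and not a rope
    StringPtr left, right;         // rope fibers, set only for ropes
    bool isRope() const { return left != nullptr; }
};

// Hypothetical stand-in for sizeof(JSRopeString); the entry gives no number.
constexpr size_t kRopeCellBytes = 32;

// String.fromCharCode slow path: scan the code units first, then allocate 8-bit
// storage when every unit fits in a byte, 16-bit storage otherwise.
StringPtr fromCharCode(const std::vector<uint16_t>& units)
{
    auto s = std::make_shared<ToyString>();
    s->length = units.size();
    for (uint16_t u : units) {
        if (u > 0xFF) {
            s->is8Bit = false;
            break;
        }
    }
    if (s->is8Bit) {
        for (uint16_t u : units)
            s->latin1.push_back(static_cast<uint8_t>(u));
    } else
        s->utf16 = units;
    return s;
}

// Convenience for constructing ASCII sample input.
StringPtr fromLatin1(const std::string& text)
{
    return fromCharCode(std::vector<uint16_t>(text.begin(), text.end()));
}

// Bytes of character data a flat copy of s occupies (or would occupy).
size_t flatStorageBytes(const ToyString& s) { return s.is8Bit ? s.length : 2 * s.length; }

static void appendUnits(const ToyString& s, std::vector<uint16_t>& out)
{
    if (s.isRope()) {
        appendUnits(*s.left, out);
        appendUnits(*s.right, out);
        return;
    }
    if (s.is8Bit)
        out.insert(out.end(), s.latin1.begin(), s.latin1.end());
    else
        out.insert(out.end(), s.utf16.begin(), s.utf16.end());
}

// Resolve a rope into a flat string; the result keeps 8-bit storage if it can.
StringPtr resolve(const ToyString& s)
{
    std::vector<uint16_t> units;
    appendUnits(s, units);
    return fromCharCode(units);
}

// jsString(a, b): a rope is only worth allocating when the flat result would be
// at least as large as the rope cell itself; otherwise copy eagerly.
StringPtr concat(StringPtr a, StringPtr b)
{
    auto rope = std::make_shared<ToyString>();
    rope->left = a;
    rope->right = b;
    rope->length = a->length + b->length;
    rope->is8Bit = a->is8Bit && b->is8Bit;   // one 16-bit fiber taints the whole rope
    if (flatStorageBytes(*rope) < kRopeCellBytes)
        return resolve(*rope);
    return rope;
}

int main()
{
    StringPtr tainted = concat(fromLatin1(std::string(20, 'a')), fromCharCode({ 0x3042 }));
    assert(tainted->isRope() && !tainted->is8Bit && flatStorageBytes(*tainted) == 42);
    assert(!concat(fromLatin1("abc"), fromLatin1("def"))->isRope());
    return 0;
}
```

The taint is the point of the fromCharCode change: one 16-bit code unit anywhere in a fiber doubles the storage of everything that gets concatenated around it, so deciding 8-bit versus 16-bit before allocating, rather than defaulting to 16-bit, pays off far beyond the one string.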
848
849 2019-02-08  Saam barati  <sbarati@apple.com>
850
851         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
852         https://bugs.webkit.org/show_bug.cgi?id=194334
853         <rdar://problem/47844327>
854
855         Reviewed by Mark Lam.
856
857         * dfg/DFGAbstractInterpreterInlines.h:
858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
859         * dfg/DFGArgumentsEliminationPhase.cpp:
860         * dfg/DFGByteCodeParser.cpp:
861         (JSC::DFG::ByteCodeParser::parseBlock):
862         * dfg/DFGClobberize.h:
863         (JSC::DFG::clobberize):
864         * dfg/DFGConstantFoldingPhase.cpp:
865         (JSC::DFG::ConstantFoldingPhase::foldConstants):
866         * dfg/DFGFixupPhase.cpp:
867         (JSC::DFG::FixupPhase::fixupNode):
868         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
869         * dfg/DFGIntegerCheckCombiningPhase.cpp:
870         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
871         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
872         * dfg/DFGNodeType.h:
873         * dfg/DFGSSALoweringPhase.cpp:
874         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
875         * dfg/DFGSpeculativeJIT.cpp:
876         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
877         * ftl/FTLLowerDFGToB3.cpp:
878         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
879         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
880
881 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
882
883         [JSC] Shrink sizeof(CodeBlock) more
884         https://bugs.webkit.org/show_bug.cgi?id=194419
885
886         Reviewed by Mark Lam.
887
888         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
889
890         1. CodeBlock copies a lot of data from ScriptExecutable even though ScriptExecutable
891         has the same information. This data is not touched in CodeBlock::~CodeBlock,
892         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
893
894         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
895         And we do not touch it in CodeBlock::~CodeBlock.
896
897         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
898         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters(), which returns
899         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
900
901         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
902
903         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
904
905         * bytecode/CodeBlock.cpp:
906         (JSC::CodeBlock::hash const):
907         (JSC::CodeBlock::sourceCodeForTools const):
908         (JSC::CodeBlock::dumpAssumingJITType const):
909         (JSC::CodeBlock::dumpSource):
910         (JSC::CodeBlock::CodeBlock):
911         (JSC::CodeBlock::finishCreation):
912         (JSC::CodeBlock::propagateTransitions):
913         (JSC::CodeBlock::finalizeLLIntInlineCaches):
914         (JSC::CodeBlock::setCalleeSaveRegisters):
915         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
916         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
917         (JSC::CodeBlock::lineNumberForBytecodeOffset):
918         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
919         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
920         (JSC::CodeBlock::newReplacement):
921         (JSC::CodeBlock::replacement):
922         (JSC::CodeBlock::computeCapabilityLevel):
923         (JSC::CodeBlock::jettison):
924         (JSC::CodeBlock::calleeSaveRegisters const):
925         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
926         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
927         (JSC::CodeBlock::getArrayProfile):
928         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
929         (JSC::CodeBlock::notifyLexicalBindingUpdate):
930         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
931         (JSC::CodeBlock::validate):
932         (JSC::CodeBlock::outOfLineJumpTarget):
933         (JSC::CodeBlock::arithProfileForBytecodeOffset):
934         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
935         * bytecode/CodeBlock.h:
936         (JSC::CodeBlock::specializationKind const):
937         (JSC::CodeBlock::isStrictMode const):
938         (JSC::CodeBlock::isConstructor const):
939         (JSC::CodeBlock::codeType const):
940         (JSC::CodeBlock::isKnownNotImmediate):
941         (JSC::CodeBlock::instructions const):
942         (JSC::CodeBlock::ownerExecutable const):
943         (JSC::CodeBlock::thisRegister const):
944         (JSC::CodeBlock::source const):
945         (JSC::CodeBlock::sourceOffset const):
946         (JSC::CodeBlock::firstLineColumnOffset const):
947         (JSC::CodeBlock::createRareDataIfNecessary):
948         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
949         (JSC::CodeBlock::setThisRegister): Deleted.
950         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
951         * bytecode/EvalCodeBlock.h:
952         * bytecode/FunctionCodeBlock.h:
953         * bytecode/GlobalCodeBlock.h:
954         (JSC::GlobalCodeBlock::GlobalCodeBlock):
955         * bytecode/ModuleProgramCodeBlock.h:
956         * bytecode/ProgramCodeBlock.h:
957         * debugger/Debugger.cpp:
958         (JSC::Debugger::toggleBreakpoint):
959         * debugger/DebuggerCallFrame.cpp:
960         (JSC::DebuggerCallFrame::sourceID const):
961         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
962         * debugger/DebuggerScope.cpp:
963         (JSC::DebuggerScope::location const):
964         * dfg/DFGByteCodeParser.cpp:
965         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
966         (JSC::DFG::ByteCodeParser::inliningCost):
967         (JSC::DFG::ByteCodeParser::parseCodeBlock):
968         * dfg/DFGCapabilities.cpp:
969         (JSC::DFG::isSupportedForInlining):
970         (JSC::DFG::mightCompileEval):
971         (JSC::DFG::mightCompileProgram):
972         (JSC::DFG::mightCompileFunctionForCall):
973         (JSC::DFG::mightCompileFunctionForConstruct):
974         (JSC::DFG::canUseOSRExitFuzzing):
975         * dfg/DFGGraph.h:
976         (JSC::DFG::Graph::executableFor):
977         * dfg/DFGJITCompiler.cpp:
978         (JSC::DFG::JITCompiler::compileFunction):
979         * dfg/DFGOSREntry.cpp:
980         (JSC::DFG::prepareOSREntry):
981         * dfg/DFGOSRExit.cpp:
982         (JSC::DFG::restoreCalleeSavesFor):
983         (JSC::DFG::saveCalleeSavesFor):
984         (JSC::DFG::saveOrCopyCalleeSavesFor):
985         * dfg/DFGOSRExitCompilerCommon.cpp:
986         (JSC::DFG::handleExitCounts):
987         * dfg/DFGOperations.cpp:
988         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
989         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
990         * ftl/FTLCapabilities.cpp:
991         (JSC::FTL::canCompile):
992         * ftl/FTLLink.cpp:
993         (JSC::FTL::link):
994         * ftl/FTLOSRExitCompiler.cpp:
995         (JSC::FTL::compileStub):
996         * interpreter/CallFrame.cpp:
997         (JSC::CallFrame::callerSourceOrigin):
998         * interpreter/Interpreter.cpp:
999         (JSC::eval):
1000         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1001         * interpreter/StackVisitor.cpp:
1002         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1003         (JSC::StackVisitor::Frame::sourceURL const):
1004         (JSC::StackVisitor::Frame::sourceID):
1005         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1006         * interpreter/StackVisitor.h:
1007         * jit/AssemblyHelpers.h:
1008         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1009         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1010         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1011         * jit/CallFrameShuffleData.cpp:
1012         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1013         * jit/JIT.cpp:
1014         (JSC::JIT::compileWithoutLinking):
1015         * jit/JITToDFGDeferredCompilationCallback.cpp:
1016         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1017         * jit/JITWorklist.cpp:
1018         (JSC::JITWorklist::Plan::finalize):
1019         (JSC::JITWorklist::compileNow):
1020         * jit/RegisterAtOffsetList.cpp:
1021         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1022         * jit/RegisterAtOffsetList.h:
1023         (JSC::RegisterAtOffsetList::at const):
1024         * runtime/ErrorInstance.cpp:
1025         (JSC::appendSourceToError):
1026         * runtime/ScriptExecutable.cpp:
1027         (JSC::ScriptExecutable::newCodeBlockFor):
1028         * runtime/StackFrame.cpp:
1029         (JSC::StackFrame::sourceID const):
1030         (JSC::StackFrame::sourceURL const):
1031         (JSC::StackFrame::computeLineAndColumn const):
1032
1033 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1034
1035         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1036         https://bugs.webkit.org/show_bug.cgi?id=194460
1037
1038         Reviewed by Mark Lam.
1039
1040         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1041
1042         * b3/B3LowerMacros.cpp:
1043
1044 2019-02-08  Mark Lam  <mark.lam@apple.com>
1045
1046         Use maxSingleCharacterString in comparisons instead of literal constants.
1047         https://bugs.webkit.org/show_bug.cgi?id=194452
1048
1049         Reviewed by Yusuke Suzuki.
1050
1051         This way, if we ever change maxSingleCharacterString, it won't break all this code
1052         that relies on it being 0xff implicitly.
1053
1054         * dfg/DFGSpeculativeJIT.cpp:
1055         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1056         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1057         * ftl/FTLLowerDFGToB3.cpp:
1058         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1059         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1060         * jit/ThunkGenerators.cpp:
1061         (JSC::stringGetByValGenerator):
1062         (JSC::charToString):
1063
1064 2019-02-08  Mark Lam  <mark.lam@apple.com>
1065
1066         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1067         https://bugs.webkit.org/show_bug.cgi?id=194446
1068         <rdar://problem/47926792>
1069
1070         Reviewed by Saam Barati.
1071
1072         Fix doesGC() for the following nodes:
1073
1074             CheckTierUpAtReturn:
1075                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1076                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1077
1078             CheckTierUpInLoop:
1079                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1080                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1081
1082             CheckTierUpAndOSREnter:
1083                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1084                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1085
1086             GetByVal:
1087                 case Array::String calls operationSingleCharacterString(), which calls
1088                 jsSingleCharacterString(), which can allocate a string.
1089
1090             PutByValDirect:
1091             PutByVal:
1092             PutByValAlias:
1093                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1094                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1095                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1096                 slow paths call putByValInternal(), which may create exception objects, or
1097                 call the generic JSValue::put() which may execute arbitrary code.
1098
1099             StringCharAt:
1100                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1101                 which can allocate a string.
1102
1103         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1104         to use the maxSingleCharacterString constant instead of a literal constant.
1105
1106         * dfg/DFGDoesGC.cpp:
1107         (JSC::DFG::doesGC):
1108         * dfg/DFGSpeculativeJIT.cpp:
1109         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1110         * dfg/DFGSpeculativeJIT64.cpp:
1111         (JSC::DFG::SpeculativeJIT::compile):
1112         * ftl/FTLLowerDFGToB3.cpp:
1113         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1114         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1115         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1116
1117 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1118
1119         [JSC] SourceProviderCacheItem should be small
1120         https://bugs.webkit.org/show_bug.cgi?id=194432
1121
1122         Reviewed by Saam Barati.
1123
1124         Some JetStream2 tests stress the JS parser. At that time, a great many SourceProviderCacheItems are created.
1125         While they are removed when a full GC happens, they significantly increase the peak memory usage.
1126         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1127
1128         * parser/Parser.cpp:
1129         (JSC::Parser<LexerType>::parseFunctionInfo):
1130         * parser/ParserModes.h:
1131         * parser/ParserTokens.h:
1132         * parser/SourceProviderCacheItem.h:
1133         (JSC::SourceProviderCacheItem::endFunctionToken const):
1134         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1135
1136 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1137
1138         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1139         https://bugs.webkit.org/show_bug.cgi?id=194420
1140
1141         Reviewed by Saam Barati.
1142
1143         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1144         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1145         This trivial patch fixes both.
1146
1147         * b3/B3ReduceStrength.cpp:
1148         * b3/testb3.cpp:
1149         (JSC::B3::testAbsNegArg):
1150
1151 2019-02-07  Keith Miller  <keith_miller@apple.com>
1152
1153         Better error messages for module loader SPI
1154         https://bugs.webkit.org/show_bug.cgi?id=194421
1155
1156         Reviewed by Saam Barati.
1157
1158         * API/JSAPIGlobalObject.mm:
1159         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1160
1161 2019-02-07  Mark Lam  <mark.lam@apple.com>
1162
1163         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1164         https://bugs.webkit.org/show_bug.cgi?id=194399
1165         <rdar://problem/47889777>
1166
1167         Reviewed by Yusuke Suzuki.
1168
1169         Fix doesGC() for the following nodes:
1170
1171             CheckTraps:
1172                 We normally will not emit this node because Options::usePollingTraps() is
1173                 false by default.  However, as it is implemented now, CheckTraps can GC
1174                 because it can allocate a TerminatedExecutionException.  If we make the
1175                 TerminatedExecutionException a singleton allocated at initialization time,
1176                 doesGC() can return false for CheckTraps.
1177                 https://bugs.webkit.org/show_bug.cgi?id=194323
1178
1179             GetMapBucket:
1180                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1181                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1182                 can resolve a rope.
1183
1184             Switch:
1185                 If switchData kind is SwitchChar, can call operationResolveRope().
1186                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1187                     can call operationSwitchString() which resolves ropes.
1188
1189             DirectTailCall:
1190             ForceOSRExit:
1191             Return:
1192             TailCallForwardVarargs:
1193             TailCallVarargs:
1194             Throw:
1195                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1196                 for them, but following our conservative practice, unless we have a good
1197                 reason for doesGC() to return false, we should just return true.
1198
1199         * dfg/DFGDoesGC.cpp:
1200         (JSC::DFG::doesGC):
1201
1202 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1203
1204         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1205         https://bugs.webkit.org/show_bug.cgi?id=194250
1206
1207         Reviewed by Saam Barati.
1208
1209         Adds the following optimizations for integers:
1210         - Sub(x, x) => 0
1211             Already covered by the test testSubArg
1212         - Sub(x1, Neg(x2)) => Add (x1, x2)
1213             Added test: testSubNeg
1214         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1215             Added test: testNegSub
1216         - Add(Neg(x1), x2) => Sub(x2, x1)
1217             Added test: testAddNeg1
1218         - Add(x1, Neg(x2)) => Sub(x1, x2)
1219             Added test: testAddNeg2
1220         Adds the following optimization for floating point values:
1221         - Abs(Neg(x)) => Abs(x)
1222             Added test: testAbsNegArg
1224
1225         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1226
1227         * b3/B3ReduceStrength.cpp:
1228         * b3/testb3.cpp:
1229         (JSC::B3::testAddNeg1):
1230         (JSC::B3::testAddNeg2):
1231         (JSC::B3::testSubNeg):
1232         (JSC::B3::testNegSub):
1233         (JSC::B3::testAbsAbsArg):
1234         (JSC::B3::testAbsNegArg):
1235         (JSC::B3::run):
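
The peepholes listed in this entry, together with the Abs(Neg(x)) fix from the 2019-02-07 entry above, as one added illustration written for this page (example code, not B3ReduceStrength): a toy typed expression IR with a single post-order rewrite pass and a reference evaluator that checks each rewrite preserves the result, including that Abs(Neg(x)) becomes Abs(x) rather than x. The IR, the Value shape and the use of double for both Int64 and Double values are assumptions for the illustration; B3 iterates its pass to a fixpoint, which the toy does not.

```cpp
// Added example, not B3 code: a toy typed expression IR plus a post-order
// strength-reduction pass implementing the peepholes listed in the entry.
#include <cassert>
#include <cmath>
#include <cstdint>
#include <map>
#include <memory>
#include <string>

enum class Op { Const, Arg, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    Op op = Op::Const;
    Type type = Type::Int64;
    double constant = 0;  // Const; exact for the small integers used here
    std::string name;     // Arg
    ValuePtr a, b;        // operands
};

static ValuePtr make(Op op, Type type, ValuePtr a = nullptr, ValuePtr b = nullptr)
{
    auto v = std::make_shared<Value>();
    v->op = op;
    v->type = type;
    v->a = std::move(a);
    v->b = std::move(b);
    return v;
}

ValuePtr constInt(int64_t c) { auto v = make(Op::Const, Type::Int64); v->constant = static_cast<double>(c); return v; }
ValuePtr arg(Type t, const std::string& n) { auto v = make(Op::Arg, t); v->name = n; return v; }
ValuePtr add(ValuePtr x, ValuePtr y) { return make(Op::Add, x->type, x, y); }
ValuePtr sub(ValuePtr x, ValuePtr y) { return make(Op::Sub, x->type, x, y); }
ValuePtr neg(ValuePtr x) { return make(Op::Neg, x->type, x); }
ValuePtr abs_(ValuePtr x) { return make(Op::Abs, x->type, x); }

// Structural equality sufficient for Sub(x, x) => 0 on arguments and constants.
static bool same(const ValuePtr& x, const ValuePtr& y)
{
    if (x == y) return true;
    if (x->op != y->op || x->type != y->type) return false;
    if (x->op == Op::Arg) return x->name == y->name;
    if (x->op == Op::Const) return x->constant == y->constant;
    return false;
}

// One post-order rewrite pass. B3 iterates until nothing changes; this toy does not.
ValuePtr reduce(ValuePtr v)
{
    if (v->a) v->a = reduce(v->a);
    if (v->b) v->b = reduce(v->b);
    bool isInt = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        if (isInt && same(v->a, v->b)) return constInt(0);              // Sub(x, x) => 0
        if (isInt && v->b->op == Op::Neg) return add(v->a, v->b->a);    // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInt && v->a->op == Op::Sub) return sub(v->a->b, v->a->a); // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInt && v->a->op == Op::Neg) return sub(v->b, v->a->a);    // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && v->b->op == Op::Neg) return sub(v->a, v->b->a);    // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        // Floating point: Abs(Neg(x)) => Abs(x). The buggy version returned
        // v->a->a, i.e. x itself, which is wrong whenever x is negative.
        if (!isInt && v->a->op == Op::Neg) return abs_(v->a->a);
        break;
    default:
        break;
    }
    return v;
}

using Env = std::map<std::string, double>;

// Reference evaluator used to check that a rewrite preserved the result.
double eval(const ValuePtr& v, const Env& env)
{
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return env.at(v->name);
    case Op::Add: return eval(v->a, env) + eval(v->b, env);
    case Op::Sub: return eval(v->a, env) - eval(v->b, env);
    case Op::Neg: return -eval(v->a, env);
    case Op::Abs: return std::fabs(eval(v->a, env));
    }
    return 0;
}

int main()
{
    ValuePtr reduced = reduce(abs_(neg(arg(Type::Double, "x"))));
    assert(reduced->op == Op::Abs && reduced->a->op == Op::Arg);
    assert(eval(reduced, { { "x", -5.0 } }) == 5.0);  // the buggy rewrite would give -5
    return 0;
}
```

Pairing every rewrite with the evaluator is the check the 2019-02-07 entry describes missing: a test that looked at Abs(Abs(x)) could not catch Abs(Neg(x)) => x, while evaluating the reduced tree at a negative x does.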
1236
1237 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1238
1239         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1240         https://bugs.webkit.org/show_bug.cgi?id=194374
1241
1242         Reviewed by Geoffrey Garen.
1243
1244         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1245         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1246         is more memory efficient.
1247
1248         * runtime/SmallStrings.cpp:
1249         (JSC::SmallStringsStorage::SmallStringsStorage):
1250         (JSC::SmallStrings::SmallStrings):
1251         * runtime/SmallStrings.h:
1252
1253 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1254
1255         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1256         https://bugs.webkit.org/show_bug.cgi?id=194369
1257         <rdar://problem/47813087>
1258
1259         Reviewed by Saam Barati.
1260
1261         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1262         JSEmpty if it is in TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1263         constant folding phase.
1264
1265         * dfg/DFGAbstractInterpreterInlines.h:
1266         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1267
1268 2019-02-06  Devin Rousso  <drousso@apple.com>
1269
1270         Web Inspector: DOM: don't send the entire function string with each event listener
1271         https://bugs.webkit.org/show_bug.cgi?id=194293
1272         <rdar://problem/47822809>
1273
1274         Reviewed by Joseph Pecoraro.
1275
1276         * inspector/protocol/DOM.json:
1277
1278         * runtime/JSFunction.h:
1279         Export `calculatedDisplayName`.
1280
1281 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1282
1283         [JSC] PrivateName to PublicName hash table is wasteful
1284         https://bugs.webkit.org/show_bug.cgi?id=194277
1285
1286         Reviewed by Michael Saboff.
1287
1288         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames has Identifier fields corresponding to these PrivateNames,
1289         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1290         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1291         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1292
1293         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1294
1295         1. PrivateName's content should be the same as the PublicName.
1296         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1297            the public name should be easily crafted from the given PrivateName.
1298
1299         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1300         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1301
1302         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1303         WebCore.
1304
1305         * builtins/BuiltinNames.cpp:
1306         (JSC::BuiltinNames::BuiltinNames):
1307         * builtins/BuiltinNames.h:
1308         (JSC::BuiltinNames::lookUpPrivateName const):
1309         (JSC::BuiltinNames::getPublicName const):
1310         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1311         (JSC::BuiltinNames::appendExternalName):
1312         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1313         * builtins/BuiltinUtils.h:
1314         * bytecode/BytecodeDumper.cpp:
1315         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1316         * bytecompiler/NodesCodegen.cpp:
1317         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1318         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1319         * parser/Lexer.cpp:
1320         (JSC::Lexer<LChar>::parseIdentifier):
1321         (JSC::Lexer<UChar>::parseIdentifier):
1322         * parser/Parser.cpp:
1323         (JSC::Parser<LexerType>::createGeneratorParameters):
1324         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1325         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1326         (JSC::Parser<LexerType>::parseClassDeclaration):
1327         (JSC::Parser<LexerType>::parseExportDeclaration):
1328         (JSC::Parser<LexerType>::parseMemberExpression):
1329         * parser/ParserArena.h:
1330         (JSC::IdentifierArena::makeIdentifier):
1331         * runtime/CachedTypes.cpp:
1332         (JSC::CachedUniquedStringImpl::encode):
1333         (JSC::CachedUniquedStringImpl::decode const):
1334         * runtime/CommonIdentifiers.cpp:
1335         (JSC::CommonIdentifiers::CommonIdentifiers):
1336         (JSC::CommonIdentifiers::lookUpPrivateName const):
1337         (JSC::CommonIdentifiers::getPublicName const):
1338         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1339         * runtime/CommonIdentifiers.h:
1340         * runtime/ExceptionHelpers.cpp:
1341         (JSC::createUndefinedVariableError):
1342         * runtime/Identifier.cpp:
1343         (JSC::Identifier::dump const):
1344         * runtime/Identifier.h:
1345         * runtime/IdentifierInlines.h:
1346         (JSC::Identifier::fromUid):
1347         * runtime/JSTypedArrayViewPrototype.cpp:
1348         (JSC::JSTypedArrayViewPrototype::finishCreation):
1349         * tools/JSDollarVM.cpp:
1350         (JSC::functionGetPrivateProperty):
1351
1352 2019-02-06  Keith Rollin  <krollin@apple.com>
1353
1354         Really enable the automatic checking and regenerations of .xcfilelists during builds
1355         https://bugs.webkit.org/show_bug.cgi?id=194357
1356         <rdar://problem/47861231>
1357
1358         Reviewed by Chris Dumez.
1359
1360         Bug 194124 was supposed to enable the automatic checking and
1361         regenerating of .xcfilelist files during the build. While related
1362         changes were included in that patch, the change to actually enable the
1363         operation somehow was omitted. This patch actually enables the
1364         operation. The check-xcfilelist.sh scripts now check
1365         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts the developer out
1366         of the checking.
1367
1368         * Scripts/check-xcfilelists.sh:
1369
1370 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1371
1372         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1373         https://bugs.webkit.org/show_bug.cgi?id=194339
1374
1375         Reviewed by Michael Saboff.
1376
1377         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1378         They even have the same structure. This patch unifies the subspaces for them.
1379
1380         * runtime/DirectEvalExecutable.h:
1381         * runtime/EvalExecutable.h:
1382         (JSC::EvalExecutable::subspaceFor):
1383         * runtime/IndirectEvalExecutable.h:
1384         * runtime/VM.cpp:
1385         * runtime/VM.h:
1386         (JSC::VM::forEachScriptExecutableSpace):
1387
1388 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1389
1390         [JSC] NativeExecutable should be smaller
1391         https://bugs.webkit.org/show_bug.cgi?id=194331
1392
1393         Reviewed by Michael Saboff.
1394
1395         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1396         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1397         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1398         only takes one MarkedBlock for NativeExecutable.
1399
1400         To make NativeExecutable smaller,
1401
1402         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1403            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1404
1405         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1406            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1407            NativeJITCode and is instantiated only when DOMJIT::Signature* is given.
1408
1409         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1410            the Intrinsic for NativeExecutable.
1411
1412         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1413
1414         * CMakeLists.txt:
1415         * JavaScriptCore.xcodeproj/project.pbxproj:
1416         * bytecode/CallVariant.h:
1417         * interpreter/Interpreter.cpp:
1418         * jit/JITCode.cpp:
1419         (JSC::DirectJITCode::DirectJITCode):
1420         (JSC::NativeJITCode::NativeJITCode):
1421         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1422         * jit/JITCode.h:
1423         (JSC::JITCode::signature const):
1424         (JSC::JITCode::intrinsic):
1425         * jit/JITOperations.cpp:
1426         * jit/JITThunks.cpp:
1427         (JSC::JITThunks::hostFunctionStub):
1428         * jit/Repatch.cpp:
1429         * llint/LLIntSlowPaths.cpp:
1430         * runtime/ExecutableBase.cpp:
1431         (JSC::ExecutableBase::dump const):
1432         (JSC::ExecutableBase::hashFor const):
1433         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1434         (JSC::ExecutableBase::clearCode): Deleted.
1435         * runtime/ExecutableBase.h:
1436         (JSC::ExecutableBase::ExecutableBase):
1437         (JSC::ExecutableBase::isModuleProgramExecutable):
1438         (JSC::ExecutableBase::isHostFunction const):
1439         (JSC::ExecutableBase::generatedJITCodeForCall const):
1440         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1441         (JSC::ExecutableBase::generatedJITCodeFor const):
1442         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1443         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1444         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1445         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1446         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1447         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1448         (JSC::ExecutableBase::intrinsic const): Deleted.
1449         * runtime/ExecutableBaseInlines.h: Added.
1450         (JSC::ExecutableBase::intrinsic const):
1451         (JSC::ExecutableBase::hasJITCodeForCall const):
1452         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1453         * runtime/JSBoundFunction.cpp:
1454         * runtime/JSType.cpp:
1455         (WTF::printInternal):
1456         * runtime/JSType.h:
1457         * runtime/NativeExecutable.cpp:
1458         (JSC::NativeExecutable::create):
1459         (JSC::NativeExecutable::createStructure):
1460         (JSC::NativeExecutable::NativeExecutable):
1461         (JSC::NativeExecutable::signatureFor const):
1462         (JSC::NativeExecutable::intrinsic const):
1463         * runtime/NativeExecutable.h:
1464         * runtime/ScriptExecutable.cpp:
1465         (JSC::ScriptExecutable::ScriptExecutable):
1466         (JSC::ScriptExecutable::clearCode):
1467         (JSC::ScriptExecutable::installCode):
1468         (JSC::ScriptExecutable::hasClearableCode const):
1469         * runtime/ScriptExecutable.h:
1470         (JSC::ScriptExecutable::intrinsic const):
1471         (JSC::ScriptExecutable::hasJITCodeForCall const):
1472         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1473         * runtime/VM.cpp:
1474         (JSC::VM::getHostFunction):
1475
1476 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1477
1478         Build failure after r240431
1479         https://bugs.webkit.org/show_bug.cgi?id=194330
1480
1481         Reviewed by Žan Doberšek.
1482
1483         * API/glib/JSCOptions.cpp:
1484
1485 2019-02-05  Mark Lam  <mark.lam@apple.com>
1486
1487         Fix DFG's doesGC() for a few more nodes.
1488         https://bugs.webkit.org/show_bug.cgi?id=194307
1489         <rdar://problem/47832956>
1490
1491         Reviewed by Yusuke Suzuki.
1492
1493         Fix doesGC() for the following nodes:
1494
1495             NumberToStringWithValidRadixConstant:
1496                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1497                 which can allocate a string.
1498                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1499                 which can allocate a string.
1500                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1501                 which can allocate a string.
1502
1503             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1504                 memory for all kinds of objects.
1505             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1506                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1507                 these allocate memory for the match result.
1508             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1509                 calls RegExpObject's collectMatches(), which allocates an array amongst
1510                 other objects.
1511
1512             StringFromCharCode:
1513                 If the uint32 code to convert is greater than maxSingleCharacterString,
1514                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1515                 which allocates a new string if the code is greater than maxSingleCharacterString.
1516
1517         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1518         to use maxSingleCharacterString instead of a literal constant.
1519
1520         * dfg/DFGDoesGC.cpp:
1521         (JSC::DFG::doesGC):
1522         * dfg/DFGSpeculativeJIT.cpp:
1523         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1524         * ftl/FTLLowerDFGToB3.cpp:
1525         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1526
1527 2019-02-05  Keith Rollin  <krollin@apple.com>
1528
1529         Enable the automatic checking and regenerations of .xcfilelists during builds
1530         https://bugs.webkit.org/show_bug.cgi?id=194124
1531         <rdar://problem/47721277>
1532
1533         Reviewed by Tim Horton.
1534
1535         Bug 193790 added a facility for checking -- during build time -- that
1536         any needed .xcfilelist files are up-to-date and for updating them if
1537         they are not. This facility was initially opt-in by setting
1538         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1539         the process seemed robust. It's now time to enable this facility and
1540         make it opt-out. If there is a need to disable this facility, set and
1541         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1542         running `make` or `build-webkit`, or before running Xcode from the
1543         command line.
1544
1545         Additionally, remove the step that generates a list of source files
1546         going into the UnifiedSources build step. It's only necessary to
1547         specify Sources.txt and SourcesCocoa.txt as inputs.
1548
1549         * JavaScriptCore.xcodeproj/project.pbxproj:
1550         * UnifiedSources-input.xcfilelist: Removed.
1551
1552 2019-02-05  Keith Rollin  <krollin@apple.com>
1553
1554         Update .xcfilelist files
1555         https://bugs.webkit.org/show_bug.cgi?id=194121
1556         <rdar://problem/47720863>
1557
1558         Reviewed by Tim Horton.
1559
1560         Preparatory to enabling the facility for automatically updating the
1561         .xcfilelist files, check in a freshly-updated set so that not everyone
1562         runs up against having to regenerate them themselves.
1563
1564         * DerivedSources-input.xcfilelist:
1565         * DerivedSources-output.xcfilelist:
1566
1567 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1568
1569         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1570         https://bugs.webkit.org/show_bug.cgi?id=185557
1571
1572         Reviewed by Mark Lam.
1573
1574         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1575         where n is the number of characters in the formatted string.
1576         It may be less memory efficient than the previous impl, since the intermediate Vector
1577         is the length of the string, instead of the count of the fields.
1578
1579         * runtime/IntlNumberFormat.cpp:
1580         (JSC::IntlNumberFormat::formatToParts):
1581         * runtime/IntlNumberFormat.h:
1582
1583 2019-02-05  Mark Lam  <mark.lam@apple.com>
1584
1585         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1586         https://bugs.webkit.org/show_bug.cgi?id=194298
1587         <rdar://problem/47827555>
1588
1589         Reviewed by Saam Barati.
1590
1591         We do this for 3 reasons:
1592         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1593         2. If things change in the future where clobberize() no longer reports these nodes
1594            as write(Heap), each node should be vetted first to make sure that it can never
1595            GC before being moved back to the doesGC() list that returns false.
1596         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1597            correct in its claims about the nodes' GCing possibility.
1598
1599         The list of nodes moved are:
1600
1601             ArrayPush
1602             ArrayPop
1603             Call
1604             CallEval
1605             CallForwardVarargs
1606             CallVarargs
1607             Construct
1608             ConstructForwardVarargs
1609             ConstructVarargs
1610             DefineDataProperty
1611             DefineAccessorProperty
1612             DeleteById
1613             DeleteByVal
1614             DirectCall
1615             DirectConstruct
1616             DirectTailCallInlinedCaller
1617             GetById
1618             GetByIdDirect
1619             GetByIdDirectFlush
1620             GetByIdFlush
1621             GetByIdWithThis
1622             GetByValWithThis
1623             GetDirectPname
1624             GetDynamicVar
1625             HasGenericProperty
1626             HasOwnProperty
1627             HasStructureProperty
1628             InById
1629             InByVal
1630             InstanceOf
1631             InstanceOfCustom
1632             LoadVarargs
1633             NumberToStringWithRadix
1634             PutById
1635             PutByIdDirect
1636             PutByIdFlush
1637             PutByIdWithThis
1638             PutByOffset
1639             PutByValWithThis
1640             PutDynamicVar
1641             PutGetterById
1642             PutGetterByVal
1643             PutGetterSetterById
1644             PutSetterById
1645             PutSetterByVal
1646             PutStack
1647             PutToArguments
1648             RegExpExec
1649             RegExpTest
1650             ResolveScope
1651             ResolveScopeForHoistingFuncDeclInEval
1652             TailCall
1653             TailCallForwardVarargsInlinedCaller
1654             TailCallInlinedCaller
1655             TailCallVarargsInlinedCaller
1656             ToNumber
1657             ToPrimitive
1658             ValueNegate
1659
1660         * dfg/DFGDoesGC.cpp:
1661         (JSC::DFG::doesGC):
1662
1663 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1664
1665         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1666         https://bugs.webkit.org/show_bug.cgi?id=194281
1667
1668         Reviewed by Michael Saboff.
1669
1670         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1671         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1672
1673         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Turning more Vectors into RefCountedArrays can be done with some restructuring
1674         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1675         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, so we leave them as future work.
1676
1677         * bytecode/CodeBlock.cpp:
1678         (JSC::CodeBlock::finishCreation):
1679         * bytecode/CodeBlock.h:
1680         (JSC::CodeBlock::bitVectors const): Deleted.
1681         * bytecode/CodeType.h:
1682         * bytecode/UnlinkedCodeBlock.cpp:
1683         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1684         (JSC::UnlinkedCodeBlock::shrinkToFit):
1685         * bytecode/UnlinkedCodeBlock.h:
1686         (JSC::UnlinkedCodeBlock::bitVector):
1687         (JSC::UnlinkedCodeBlock::addBitVector):
1688         (JSC::UnlinkedCodeBlock::addSetConstant):
1689         (JSC::UnlinkedCodeBlock::constantRegisters):
1690         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1691         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1692         (JSC::UnlinkedCodeBlock::codeType const):
1693         (JSC::UnlinkedCodeBlock::didOptimize const):
1694         (JSC::UnlinkedCodeBlock::setDidOptimize):
1695         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1696         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1697         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1698         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1699         * bytecompiler/BytecodeGenerator.cpp:
1700         (JSC::BytecodeGenerator::emitLoad):
1701         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1702         * bytecompiler/BytecodeGenerator.h:
1703         * runtime/CachedTypes.cpp:
1704         (JSC::CachedCodeBlockRareData::encode):
1705         (JSC::CachedCodeBlockRareData::decode const):
1706         (JSC::CachedCodeBlock::scopeRegister const):
1707         (JSC::CachedCodeBlock::codeType const):
1708         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1709         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1710         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1711         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1712
1713 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1714
1715         Unreviewed, add missing exception checks after r240637
1716         https://bugs.webkit.org/show_bug.cgi?id=193546
1717
1718         * tools/JSDollarVM.cpp:
1719         (JSC::functionShadowChickenFunctionsOnStack):
1720
1721 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1722
1723         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1724         https://bugs.webkit.org/show_bug.cgi?id=193993
1725
1726         Reviewed by Keith Miller.
1727
1728         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
1729         And some of them are rarely used. We should allocate them lazily.
1730
1731         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1732         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
1733         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1734         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1735         parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
1736         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1737         by using WTF::storeStoreFence when lazily allocating it.
1738
1739         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1740         existence of the space before touching this. This is not racy because the main thread is stopped when
1741         the constraint solving is working.
1742
1743         This changes sizeof(VM) from 64736 to 56472.
1744
1745         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1746         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
1747         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
1748         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
1749         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
1750         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
1751         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
1752
1753         * API/JSCallbackFunction.h:
1754         * API/ObjCCallbackFunction.h:
1755         (JSC::ObjCCallbackFunction::subspaceFor):
1756         * API/glib/JSCCallbackFunction.h:
1757         * CMakeLists.txt:
1758         * JavaScriptCore.xcodeproj/project.pbxproj:
1759         * bytecode/CodeBlock.cpp:
1760         (JSC::CodeBlock::visitChildren):
1761         (JSC::CodeBlock::finalizeUnconditionally):
1762         * bytecode/CodeBlock.h:
1763         * bytecode/EvalCodeBlock.h:
1764         * bytecode/ExecutableToCodeBlockEdge.h:
1765         * bytecode/FunctionCodeBlock.h:
1766         * bytecode/ModuleProgramCodeBlock.h:
1767         * bytecode/ProgramCodeBlock.h:
1768         * bytecode/UnlinkedFunctionExecutable.cpp:
1769         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1770         * bytecode/UnlinkedFunctionExecutable.h:
1771         * dfg/DFGSpeculativeJIT.cpp:
1772         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1773         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1774         (JSC::DFG::SpeculativeJIT::compileNewObject):
1775         * ftl/FTLLowerDFGToB3.cpp:
1776         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1777         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1778         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1779         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1780         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1781         * heap/Heap.cpp:
1782         (JSC::Heap::finalizeUnconditionalFinalizers):
1783         (JSC::Heap::deleteAllCodeBlocks):
1784         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1785         (JSC::Heap::addCoreConstraints):
1786         * heap/Subspace.cpp:
1787         (JSC::Subspace::initialize):
1788         * jit/AssemblyHelpers.h:
1789         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1790         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1791         * jit/JITOpcodes.cpp:
1792         (JSC::JIT::emit_op_new_object):
1793         * jit/JITOpcodes32_64.cpp:
1794         (JSC::JIT::emit_op_new_object):
1795         * runtime/DirectArguments.h:
1796         * runtime/DirectEvalExecutable.h:
1797         * runtime/ErrorInstance.h:
1798         (JSC::ErrorInstance::subspaceFor):
1799         * runtime/ExecutableBase.h:
1800         * runtime/FunctionExecutable.h:
1801         * runtime/IndirectEvalExecutable.h:
1802         * runtime/InferredValue.cpp:
1803         (JSC::InferredValue::visitChildren):
1804         * runtime/InferredValue.h:
1805         * runtime/InferredValueInlines.h:
1806         (JSC::InferredValue::finalizeUnconditionally):
1807         * runtime/InternalFunction.h:
1808         * runtime/JSAsyncFunction.h:
1809         * runtime/JSAsyncGeneratorFunction.h:
1810         * runtime/JSBoundFunction.h:
1811         * runtime/JSCell.h:
1812         (JSC::subspaceFor):
1813         (JSC::subspaceForConcurrently):
1814         * runtime/JSCellInlines.h:
1815         (JSC::allocatorForNonVirtualConcurrently):
1816         * runtime/JSCustomGetterSetterFunction.h:
1817         * runtime/JSDestructibleObject.h:
1818         * runtime/JSFunction.h:
1819         * runtime/JSGeneratorFunction.h:
1820         * runtime/JSImmutableButterfly.h:
1821         * runtime/JSLexicalEnvironment.h:
1822         (JSC::JSLexicalEnvironment::subspaceFor):
1823         * runtime/JSNativeStdFunction.h:
1824         * runtime/JSSegmentedVariableObject.h:
1825         * runtime/JSString.h:
1826         * runtime/ModuleProgramExecutable.h:
1827         * runtime/NativeExecutable.h:
1828         * runtime/ProgramExecutable.h:
1829         * runtime/PropertyMapHashTable.h:
1830         * runtime/ProxyRevoke.h:
1831         * runtime/ScopedArguments.h:
1832         * runtime/ScriptExecutable.cpp:
1833         (JSC::ScriptExecutable::clearCode):
1834         (JSC::ScriptExecutable::installCode):
1835         * runtime/Structure.h:
1836         * runtime/StructureRareData.h:
1837         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1838         * runtime/VM.cpp:
1839         (JSC::VM::VM):
1840         * runtime/VM.h:
1841         (JSC::VM::SpaceAndSet::SpaceAndSet):
1842         (JSC::VM::SpaceAndSet::setFor):
1843         (JSC::VM::forEachScriptExecutableSpace):
1844         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1845         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1846         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
1847         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1848         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
1849         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
1850         * runtime/WeakMapImpl.h:
1851         (JSC::WeakMapImpl::subspaceFor):
1852         * wasm/js/JSWebAssemblyCodeBlock.h:
1853         * wasm/js/JSWebAssemblyMemory.h:
1854         * wasm/js/WebAssemblyFunction.h:
1855         * wasm/js/WebAssemblyWrapperFunction.h:
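
        The lazy-subspace scheme this entry describes, as an added illustration that is not JSC code: IsoSubspace, EagerVM, LazyVM, ensureRareSpace, rareSpaceConcurrently and forEachAllocatedSpace are constructed stand-ins for the entry's IsoSubspace, ensureXXXSpace, subspaceForConcurrently and the constraint-solving visit, with a C++ release store in place of WTF::storeStoreFence.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>

// Constructed stand-in for an IsoSubspace. The 504-byte figure is the one the
// entry quotes for a real IsoSubspace; it only matters for the size comparison.
struct IsoSubspace {
    explicit IsoSubspace(const char* name) : name(name) {}
    const char* name;
    unsigned char payload[504 - sizeof(const char*)];
};

// Eager layout: every subspace is embedded in the VM, used or not.
struct EagerVM {
    IsoSubspace commonSpace{"common"};
    IsoSubspace rareSpace{"rare"};
};

// Lazy layout: the rarely used subspace is only a pointer until first use.
struct LazyVM {
    IsoSubspace commonSpace{"common"};
    std::atomic<IsoSubspace*> rareSpace{nullptr};
    std::unique_ptr<IsoSubspace> rareSpaceStorage;
    std::mutex rareSpaceLock;

    // Mutator-side accessor (the entry's ensureXXXSpace): creates on first use.
    IsoSubspace& ensureRareSpace()
    {
        if (IsoSubspace* space = rareSpace.load(std::memory_order_acquire))
            return *space;
        std::lock_guard<std::mutex> lock(rareSpaceLock);
        if (!rareSpaceStorage) {
            rareSpaceStorage = std::make_unique<IsoSubspace>("rare");
            // Publish only after construction is complete. The entry does this
            // with WTF::storeStoreFence; a release store is the std equivalent.
            rareSpace.store(rareSpaceStorage.get(), std::memory_order_release);
        }
        return *rareSpaceStorage;
    }

    // Concurrent-JIT accessor (subspaceForConcurrently): never allocates and
    // may legitimately return nullptr, which the JIT must treat as "not yet".
    IsoSubspace* rareSpaceConcurrently() const
    {
        return rareSpace.load(std::memory_order_acquire);
    }

    // Constraint-solving visitor: only touch spaces that exist. No extra
    // locking is needed because the mutator is stopped while constraints run.
    std::size_t forEachAllocatedSpace(const std::function<void(IsoSubspace&)>& visit)
    {
        std::size_t visited = 0;
        visit(commonSpace);
        ++visited;
        if (IsoSubspace* space = rareSpace.load(std::memory_order_relaxed)) {
            visit(*space);
            ++visited;
        }
        return visited;
    }
};

// Bytes saved per lazily allocated subspace while it is still unused.
constexpr std::size_t lazySavingsBytes() { return sizeof(EagerVM) - sizeof(LazyVM); }

// Drives the lifecycle the entry describes: the concurrent probe sees nullptr,
// the mutator creates the space, and the probe then observes the same object.
bool lazySubspaceLifecycleHolds()
{
    LazyVM vm;
    if (vm.rareSpaceConcurrently() != nullptr)
        return false;
    if (vm.forEachAllocatedSpace([](IsoSubspace&) {}) != 1)
        return false;
    IsoSubspace& created = vm.ensureRareSpace();
    if (vm.rareSpaceConcurrently() != &created)
        return false;
    if (&vm.ensureRareSpace() != &created) // second call must not reallocate
        return false;
    return vm.forEachAllocatedSpace([](IsoSubspace&) {}) == 2;
}
```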
1856
1857 2019-02-04  Keith Miller  <keith_miller@apple.com>
1858
1859         Change llint operand macros to inline functions
1860         https://bugs.webkit.org/show_bug.cgi?id=194248
1861
1862         Reviewed by Mark Lam.
1863
1864         * llint/LLIntSlowPaths.cpp:
1865         (JSC::LLInt::getNonConstantOperand):
1866         (JSC::LLInt::getOperand):
1867         (JSC::LLInt::llint_trace_value):
1868         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1869         (JSC::LLInt::getByVal):
1870         (JSC::LLInt::genericCall):
1871         (JSC::LLInt::varargsSetup):
1872         (JSC::LLInt::commonCallEval):
1873
1874 2019-02-04  Robin Morisset  <rmorisset@apple.com>
1875
1876         when lowering AssertNotEmpty, create the value before creating the patchpoint
1877         https://bugs.webkit.org/show_bug.cgi?id=194231
1878
1879         Reviewed by Saam Barati.
1880
1881         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
1882         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
1883
1884         * ftl/FTLLowerDFGToB3.cpp:
1885         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
1886
1887 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1888
1889         [JSC] ExecutableToCodeBlockEdge should be smaller
1890         https://bugs.webkit.org/show_bug.cgi?id=194244
1891
1892         Reviewed by Michael Saboff.
1893
1894         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
1895         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
1896         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
1897         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
1898
1899         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
1900         since it is a per-cell bit. We rename it to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
1901         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
1902
1903         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
1904         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
1905         does not touch it if it is called in non-main threads).
1906
1907         * bytecode/ExecutableToCodeBlockEdge.cpp:
1908         (JSC::ExecutableToCodeBlockEdge::finishCreation):
1909         (JSC::ExecutableToCodeBlockEdge::visitChildren):
1910         (JSC::ExecutableToCodeBlockEdge::activate):
1911         (JSC::ExecutableToCodeBlockEdge::deactivate):
1912         (JSC::ExecutableToCodeBlockEdge::isActive const):
1913         * bytecode/ExecutableToCodeBlockEdge.h:
1914         * runtime/JSCell.h:
1915         * runtime/JSCellInlines.h:
1916         (JSC::JSCell::perCellBit const):
1917         (JSC::JSCell::setPerCellBit):
1918         (JSC::JSCell::mayBePrototype const): Deleted.
1919         (JSC::JSCell::didBecomePrototype): Deleted.
1920         * runtime/JSObject.cpp:
1921         (JSC::JSObject::setPrototypeDirect):
1922         * runtime/JSObject.h:
1923         * runtime/JSObjectInlines.h:
1924         (JSC::JSObject::mayBePrototype const):
1925         (JSC::JSObject::didBecomePrototype):
1926         * runtime/JSTypeInfo.h:
1927         (JSC::TypeInfo::perCellBit):
1928         (JSC::TypeInfo::mergeInlineTypeFlags):
1929         (JSC::TypeInfo::mayBePrototype): Deleted.
1930
1931 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1932
1933         [JSC] Shrink size of FunctionExecutable
1934         https://bugs.webkit.org/show_bug.cgi?id=194191
1935
1936         Reviewed by Michael Saboff.
1937
1938         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
1939         improves the allocation efficiency.
1940
1941         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
1942            We remove them from ScriptExecutable and move them to FunctionExecutable.
1943
1944         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
1945            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
1946            the size of FunctionExecutable in the common case.
1947
1948         This patch changes the size of FunctionExecutable from 176 to 144.
1949
1950         * bytecode/CodeBlock.cpp:
1951         (JSC::CodeBlock::dumpSource):
1952         (JSC::CodeBlock::finishCreation):
1953         * dfg/DFGNode.h:
1954         (JSC::DFG::Node::OpInfoWrapper::as const):
1955         * interpreter/StackVisitor.cpp:
1956         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1957         * runtime/ExecutableBase.h:
1958         * runtime/FunctionExecutable.cpp:
1959         (JSC::FunctionExecutable::FunctionExecutable):
1960         (JSC::FunctionExecutable::ensureRareDataSlow):
1961         * runtime/FunctionExecutable.h:
1962         * runtime/Intrinsic.h:
1963         * runtime/ModuleProgramExecutable.cpp:
1964         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1965         * runtime/ProgramExecutable.cpp:
1966         (JSC::ProgramExecutable::ProgramExecutable):
1967         * runtime/ScriptExecutable.cpp:
1968         (JSC::ScriptExecutable::ScriptExecutable):
1969         (JSC::ScriptExecutable::overrideLineNumber const):
1970         (JSC::ScriptExecutable::typeProfilingStartOffset const):
1971         (JSC::ScriptExecutable::typeProfilingEndOffset const):
1972         * runtime/ScriptExecutable.h:
1973         (JSC::ScriptExecutable::firstLine const):
1974         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
1975         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
1976         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
1977         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
1978         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
1979         * runtime/StackFrame.cpp:
1980         (JSC::StackFrame::computeLineAndColumn const):
1981         * tools/JSDollarVM.cpp:
1982         (JSC::functionReturnTypeFor):
1983
1984 2019-02-04  Mark Lam  <mark.lam@apple.com>
1985
1986         DFG's doesGC() is incorrect about the SameValue node's behavior.
1987         https://bugs.webkit.org/show_bug.cgi?id=194211
1988         <rdar://problem/47608913>
1989
1990         Reviewed by Saam Barati.
1991
1992         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
1993         it calls operationSameValue() which may allocate memory for resolving ropes.
1994
1995         * dfg/DFGDoesGC.cpp:
1996         (JSC::DFG::doesGC):
1997
1998 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
1999
2000         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2001         https://bugs.webkit.org/show_bug.cgi?id=194031
2002
2003         Reviewed by Saam Barati.
2004
2005         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2006         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2007         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2008         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2009
2010         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2011         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2012
2013         * bytecode/MetadataTable.cpp:
2014         (JSC::MetadataTable::MetadataTable):
2015         (JSC::MetadataTable::~MetadataTable):
2016         * bytecode/UnlinkedCodeBlock.cpp:
2017         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2018         (JSC::UnlinkedCodeBlock::visitChildren):
2019         (JSC::UnlinkedCodeBlock::estimatedSize):
2020         (JSC::UnlinkedCodeBlock::setInstructions):
2021         * bytecode/UnlinkedCodeBlock.h:
2022         (JSC::UnlinkedCodeBlock::metadata):
2023         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2024         * bytecode/UnlinkedMetadataTable.h:
2025         (JSC::UnlinkedMetadataTable::create):
2026         * bytecode/UnlinkedMetadataTableInlines.h:
2027         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2028         * runtime/CachedTypes.cpp:
2029         (JSC::CachedMetadataTable::decode const):
2030         (JSC::CachedCodeBlock::metadata const):
2031         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2032         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2033         (JSC::CachedCodeBlock<CodeBlockType>::encode):
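
        The ownership fix described in this entry, as an added example that is not JavaScriptCore code: a
        "linked" table holds a strong reference to its "unlinked" table, so a sweep that finalizes the unlinked
        side first cannot leave the linked side dangling. std::shared_ptr stands in for WTF::RefCounted/Ref, and
        the names UnlinkedTable, LinkedTable and sweepInHostileOrder are illustrative stand-ins, not JSC's.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Records the order in which objects are destroyed so the invariant can be checked.
static std::vector<std::string> g_destructionLog;

// Stand-in for UnlinkedMetadataTable: owns the per-opcode layout that every
// linked table indexes into.
struct UnlinkedTable {
    std::vector<std::uint32_t> offsets; // constructed sample layout, not real metadata
    int liveLinkedTables = 0;           // number of linked tables still pointing at us

    explicit UnlinkedTable(std::vector<std::uint32_t> o) : offsets(std::move(o)) { }

    ~UnlinkedTable()
    {
        // The bug described above: without a strong reference from the linked
        // side this destructor could run while liveLinkedTables > 0, and the
        // linked tables would later read freed memory.
        assert(liveLinkedTables == 0);
        g_destructionLog.push_back("unlinked");
    }
};

// Stand-in for MetadataTable: holds a strong reference to its unlinked table
// (the fix), so the unlinked table cannot be destroyed before this one.
struct LinkedTable {
    std::shared_ptr<UnlinkedTable> unlinked; // strong ref, like Ref<UnlinkedMetadataTable>
    std::string name;

    LinkedTable(std::shared_ptr<UnlinkedTable> u, std::string n)
        : unlinked(std::move(u)), name(std::move(n))
    {
        unlinked->liveLinkedTables++;
    }

    ~LinkedTable()
    {
        // Safe: `unlinked` is guaranteed alive here because we hold a reference.
        unlinked->liveLinkedTables--;
        g_destructionLog.push_back(name);
    }

    std::uint32_t offsetFor(std::size_t opcode) const { return unlinked->offsets.at(opcode); }
};

// Simulates a sweep that finalizes cells in an order that ignores the link
// dependency: the handle standing in for UnlinkedCodeBlock is dropped first.
// Returns the destruction order; the unlinked table must come last.
std::vector<std::string> sweepInHostileOrder()
{
    g_destructionLog.clear();
    auto unlinked = std::make_shared<UnlinkedTable>(std::vector<std::uint32_t> { 0, 8, 16 });
    auto linkedA = std::make_unique<LinkedTable>(unlinked, "linkedA");
    auto linkedB = std::make_unique<LinkedTable>(unlinked, "linkedB");
    assert(linkedB->offsetFor(2) == 16);

    unlinked.reset(); // "UnlinkedCodeBlock swept first": only drops one of three refs
    linkedA.reset();  // linkedB still keeps the unlinked table alive
    linkedB.reset();  // last ref goes away here, so "unlinked" is logged after both
    return g_destructionLog;
}

int main()
{
    std::vector<std::string> order = sweepInHostileOrder();
    assert(order.size() == 3 && order.back() == "unlinked");
    return 0;
}
```

        Without the strong reference in LinkedTable, the first reset() would run ~UnlinkedTable while two linked
        tables were still live, which is exactly the use-after-free window the entry describes.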
2034
2035 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2036
2037         [JSC] Decouple JIT related data from CodeBlock
2038         https://bugs.webkit.org/show_bug.cgi?id=194187
2039
2040         Reviewed by Saam Barati.
2041
2042         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2043         We have three types of data in CodeBlock.
2044
2045         1. The data which is always used. CodeBlock needs to hold it.
2046         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2047         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2048
2049         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2050         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2051         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2052         in both non-JIT and *JIT* modes.
2053
2054         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2055         by the lock of CodeBlock.
2056
2057         The size of CodeBlock is reduced from 512 to 352.
2058
2059         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2060
2061             Footprint geomean: 36696503 (34.997 MB)
2062             Peak Footprint geomean: 38595988 (36.808 MB)
2063             Score: 37634263 (35.891 MB)
2064
2065             Footprint geomean: 37172768 (35.451 MB)
2066             Peak Footprint geomean: 38978288 (37.173 MB)
2067             Score: 38064824 (36.301 MB)
2068
2069         * bytecode/CodeBlock.cpp:
2070         (JSC::CodeBlock::~CodeBlock):
2071         (JSC::CodeBlock::propagateTransitions):
2072         (JSC::CodeBlock::ensureJITDataSlow):
2073         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2074         (JSC::CodeBlock::getICStatusMap):
2075         (JSC::CodeBlock::addStubInfo):
2076         (JSC::CodeBlock::addJITAddIC):
2077         (JSC::CodeBlock::addJITMulIC):
2078         (JSC::CodeBlock::addJITSubIC):
2079         (JSC::CodeBlock::addJITNegIC):
2080         (JSC::CodeBlock::findStubInfo):
2081         (JSC::CodeBlock::addByValInfo):
2082         (JSC::CodeBlock::addCallLinkInfo):
2083         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2084         (JSC::CodeBlock::addRareCaseProfile):
2085         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2086         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2087         (JSC::CodeBlock::resetJITData):
2088         (JSC::CodeBlock::stronglyVisitStrongReferences):
2089         (JSC::CodeBlock::shrinkToFit):
2090         (JSC::CodeBlock::linkIncomingCall):
2091         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2092         (JSC::CodeBlock::unlinkIncomingCalls):
2093         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2094         (JSC::CodeBlock::dumpValueProfiles):
2095         (JSC::CodeBlock::setPCToCodeOriginMap):
2096         (JSC::CodeBlock::findPC):
2097         (JSC::CodeBlock::dumpMathICStats):
2098         * bytecode/CodeBlock.h:
2099         (JSC::CodeBlock::ensureJITData):
2100         (JSC::CodeBlock::setJITCodeMap):
2101         (JSC::CodeBlock::jitCodeMap):
2102         (JSC::CodeBlock::likelyToTakeSlowCase):
2103         (JSC::CodeBlock::couldTakeSlowCase):
2104         (JSC::CodeBlock::lazyOperandValueProfiles):
2105         (JSC::CodeBlock::stubInfoBegin): Deleted.
2106         (JSC::CodeBlock::stubInfoEnd): Deleted.
2107         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2108         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2109         (JSC::CodeBlock::jitCodeMap const): Deleted.
2110         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2111         * bytecode/MethodOfGettingAValueProfile.cpp:
2112         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2113         (JSC::MethodOfGettingAValueProfile::reportValue):
2114         * dfg/DFGByteCodeParser.cpp:
2115         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2116         * jit/JIT.h:
2117         * jit/JITOperations.cpp:
2118         (JSC::tryGetByValOptimize):
2119         * jit/JITPropertyAccess.cpp:
2120         (JSC::JIT::privateCompileGetByVal):
2121         (JSC::JIT::privateCompilePutByVal):
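
        The lazy, lock-guarded side-data pattern this entry describes, as an added example that is not
        JavaScriptCore code: the fast path checks one pointer without locking, the slow path allocates under the
        lock and re-checks, and the block type shrinks because it carries a pointer instead of the whole
        structure. JitSideData, CodeBlockLike, ByteLock and ensureJitSideData are illustrative names, and
        ByteLock is a one-byte spinlock standing in for WTF::Lock; none of these are JSC's own definitions.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>

// Type (3) data from the list above: only meaningful once a JIT compiles the block.
struct JitSideData {
    std::vector<int> stubInfos;      // stands in for the inline cache list
    std::vector<int> callLinkInfos;  // stands in for the call link info list
    std::size_t allocationCount = 0; // how many times the slow path actually allocated
};

// One-byte lock in the spirit of WTF::Lock, so the lazy layout stays small.
struct ByteLock {
    std::atomic<bool> held { false };
    void lock() { while (held.exchange(true, std::memory_order_acquire)) { } }
    void unlock() { held.store(false, std::memory_order_release); }
};

// The eager layout the patch moves away from: every block carries JitSideData
// inline whether or not it ever reaches a JIT tier.
struct EagerCodeBlockLike {
    std::vector<unsigned> instructions;
    JitSideData jitSideData;
};

// The lazy layout: one pointer plus a lock instead of the whole JitSideData.
struct CodeBlockLike {
    std::vector<unsigned> instructions; // type (1) data, always present

    // Fast path: no lock, just an acquire load that pairs with the release
    // store in the slow path.
    JitSideData& ensureJitSideData()
    {
        if (JitSideData* data = m_jitSideData.load(std::memory_order_acquire))
            return *data;
        return ensureJitSideDataSlow();
    }

    bool hasJitSideData() const { return m_jitSideData.load(std::memory_order_acquire) != nullptr; }

private:
    JitSideData& ensureJitSideDataSlow()
    {
        std::lock_guard<ByteLock> holder(m_lock);
        // Re-check under the lock: a concurrent caller may already have allocated.
        if (JitSideData* data = m_jitSideData.load(std::memory_order_relaxed))
            return *data;
        m_owned = std::make_unique<JitSideData>();
        m_owned->allocationCount = 1;
        m_jitSideData.store(m_owned.get(), std::memory_order_release);
        return *m_owned;
    }

    ByteLock m_lock;
    std::unique_ptr<JitSideData> m_owned;                // owns the side data
    std::atomic<JitSideData*> m_jitSideData { nullptr }; // lock-free view for the fast path
};

constexpr bool lazyLayoutIsSmaller() { return sizeof(CodeBlockLike) < sizeof(EagerCodeBlockLike); }

// Two calls yield the same object and exactly one allocation; returns 0 on any violation.
std::size_t allocationsAfterTwoEnsures()
{
    CodeBlockLike block;
    block.instructions = { 1, 2, 3 }; // constructed sample bytecode
    if (block.hasJitSideData())
        return 0;
    JitSideData& first = block.ensureJitSideData();
    first.stubInfos.push_back(42);
    JitSideData& second = block.ensureJitSideData();
    if (&first != &second || second.stubInfos.size() != 1)
        return 0;
    return second.allocationCount; // 1
}
```

        The acquire/release pair is what lets the fast path skip the lock safely: a thread that sees a non-null
        pointer is guaranteed to also see the fully constructed JitSideData behind it.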
2122
2123 2018-12-16  Darin Adler  <darin@apple.com>
2124
2125         Convert additional String::format clients to alternative approaches
2126         https://bugs.webkit.org/show_bug.cgi?id=192746
2127
2128         Reviewed by Alexey Proskuryakov.
2129
2130         * inspector/agents/InspectorConsoleAgent.cpp:
2131         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2132         and FormattedNumber::fixedWidth.
2133
2134 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2135
2136         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2137         https://bugs.webkit.org/show_bug.cgi?id=194177
2138
2139         Reviewed by Saam Barati.
2140
2141         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2142         We can share the IsoSubspace for JSFunction.
2143
2144         * runtime/JSAsyncFunction.h:
2145         * runtime/JSAsyncGeneratorFunction.h:
2146         * runtime/JSGeneratorFunction.h:
2147         * runtime/VM.cpp:
2148         (JSC::VM::VM):
2149         * runtime/VM.h:
2150
2151 2019-02-01  Mark Lam  <mark.lam@apple.com>
2152
2153         Remove invalid assertion in DFG's compileDoubleRep().
2154         https://bugs.webkit.org/show_bug.cgi?id=194130
2155         <rdar://problem/47699474>
2156
2157         Reviewed by Saam Barati.
2158
2159         * dfg/DFGSpeculativeJIT.cpp:
2160         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2161
2162 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2163
2164         [JSC] Unify CodeBlock IsoSubspaces
2165         https://bugs.webkit.org/show_bug.cgi?id=194167
2166
2167         Reviewed by Saam Barati.
2168
2169         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2170         But this is not necessary since,
2171
2172         1. They do not override the classInfo methods.
2173         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2174
2175         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2176         ProgramCodeBlock. We typically create only one ProgramCodeBlock, and it means the rest of the
2177         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2178
2179         This patch unifies these IsoSubspaces into one.
2180
2181         * bytecode/CodeBlock.cpp:
2182         (JSC::CodeBlock::destroy):
2183         * bytecode/CodeBlock.h:
2184         * bytecode/EvalCodeBlock.cpp:
2185         (JSC::EvalCodeBlock::destroy): Deleted.
2186         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2187         * bytecode/FunctionCodeBlock.cpp:
2188         (JSC::FunctionCodeBlock::destroy): Deleted.
2189         * bytecode/FunctionCodeBlock.h:
2190         * bytecode/GlobalCodeBlock.h:
2191         * bytecode/ModuleProgramCodeBlock.cpp:
2192         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2193         * bytecode/ModuleProgramCodeBlock.h:
2194         * bytecode/ProgramCodeBlock.cpp:
2195         (JSC::ProgramCodeBlock::destroy): Deleted.
2196         * bytecode/ProgramCodeBlock.h:
2197         * interpreter/Interpreter.cpp:
2198         (JSC::Interpreter::execute):
2199         * runtime/VM.cpp:
2200         (JSC::VM::VM):
2201         * runtime/VM.h:
2202         (JSC::VM::forEachCodeBlockSpace):
2203
2204 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2205
2206         Unreviewed, follow-up after r240859
2207         https://bugs.webkit.org/show_bug.cgi?id=194145
2208
2209         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2210         And rename cellDangerousBitsSpace back to cellSpace.
2211
2212         * runtime/JSCellInlines.h:
2213         (JSC::JSCell::subspaceFor):
2214         * runtime/VM.cpp:
2215         (JSC::VM::VM):
2216         * runtime/VM.h:
2217
2218 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2219
2220         [JSC] Remove cellJSValueOOBSpace
2221         https://bugs.webkit.org/show_bug.cgi?id=194145
2222
2223         Reviewed by Mark Lam.
2224
2225         * runtime/JSObject.h:
2226         (JSC::JSObject::subspaceFor): Deleted.
2227         * runtime/VM.cpp:
2228         (JSC::VM::VM):
2229         * runtime/VM.h:
2230
2231 2019-01-31  Mark Lam  <mark.lam@apple.com>
2232
2233         Remove poisoning from CodeBlock and LLInt code.
2234         https://bugs.webkit.org/show_bug.cgi?id=194113
2235
2236         Reviewed by Yusuke Suzuki.
2237
2238         * bytecode/CodeBlock.cpp:
2239         (JSC::CodeBlock::CodeBlock):
2240         (JSC::CodeBlock::~CodeBlock):
2241         (JSC::CodeBlock::setConstantRegisters):
2242         (JSC::CodeBlock::propagateTransitions):
2243         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2244         (JSC::CodeBlock::jettison):
2245         (JSC::CodeBlock::predictedMachineCodeSize):
2246         * bytecode/CodeBlock.h:
2247         (JSC::CodeBlock::vm const):
2248         (JSC::CodeBlock::addConstant):
2249         (JSC::CodeBlock::heap const):
2250         (JSC::CodeBlock::replaceConstant):
2251         * llint/LLIntOfflineAsmConfig.h:
2252         * llint/LLIntSlowPaths.cpp:
2253         (JSC::LLInt::handleHostCall):
2254         (JSC::LLInt::setUpCall):
2255         * llint/LowLevelInterpreter.asm:
2256         * llint/LowLevelInterpreter32_64.asm:
2257         * llint/LowLevelInterpreter64.asm:
2258
2259 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2260
2261         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2262         https://bugs.webkit.org/show_bug.cgi?id=194107
2263
2264         Reviewed by Saam Barati.
2265
2266         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2267         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2268
2269         * CMakeLists.txt:
2270         * DerivedSources.make:
2271         * JavaScriptCore.xcodeproj/project.pbxproj:
2272         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2273         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2274         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2275         (JSC::AsyncFromSyncIteratorPrototype::create):
2276         * runtime/AsyncFromSyncIteratorPrototype.h:
2277
2278 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2279
2280         Fix `runJITThreadLimitTests` in testapi
2281         https://bugs.webkit.org/show_bug.cgi?id=194064
2282         <rdar://problem/46139147>
2283
2284         Reviewed by Mark Lam.
2285
2286         Fix typo where `targetNumberOfThreads` was not being used.
2287
2288         * API/tests/testapi.mm:
2289         (runJITThreadLimitTests):
2290
2291 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2292
2293         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2294         https://bugs.webkit.org/show_bug.cgi?id=194112
2295
2296         Reviewed by Mark Lam.
2297
2298         `testBytecodeCache` does not populate the bytecode cache for the global
2299         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2300
2301         * API/tests/testapi.mm:
2302         (testBytecodeCache):
2303
2304 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2305
2306         Unreviewed, follow-up after r240796
2307
2308         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2309         when allocating InferredValue in FunctionExecutable::finishCreation.
2310
2311         * runtime/FunctionExecutable.cpp:
2312         (JSC::FunctionExecutable::FunctionExecutable):
2313         (JSC::FunctionExecutable::finishCreation):
2314
2315 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2316
2317         [JSC] Do not use InferredValue in non-JIT configuration
2318         https://bugs.webkit.org/show_bug.cgi?id=194084
2319
2320         Reviewed by Saam Barati.
2321
2322         InferredValue is not meaningful if our VM is a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2323         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2324         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2325         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2326         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2327         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2328         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2329         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2330
2331         * bytecode/ObjectAllocationProfileInlines.h:
2332         (JSC::ObjectAllocationProfile::initializeProfile):
2333         * runtime/FunctionExecutable.cpp:
2334         (JSC::FunctionExecutable::finishCreation):
2335         (JSC::FunctionExecutable::visitChildren):
2336         * runtime/FunctionExecutable.h:
2337         * runtime/InferredValue.cpp:
2338         (JSC::InferredValue::create):
2339         * runtime/JSAsyncFunction.cpp:
2340         (JSC::JSAsyncFunction::create):
2341         * runtime/JSAsyncGeneratorFunction.cpp:
2342         (JSC::JSAsyncGeneratorFunction::create):
2343         * runtime/JSFunction.cpp:
2344         (JSC::JSFunction::create):
2345         * runtime/JSFunctionInlines.h:
2346         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2347         * runtime/JSGeneratorFunction.cpp:
2348         (JSC::JSGeneratorFunction::create):
2349         * runtime/JSSymbolTableObject.h:
2350         (JSC::JSSymbolTableObject::setSymbolTable):
2351         * runtime/SymbolTable.cpp:
2352         (JSC::SymbolTable::finishCreation):
2353         * runtime/VM.cpp:
2354         (JSC::VM::VM):
2355
2356 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2357
2358         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2359         https://bugs.webkit.org/show_bug.cgi?id=194085
2360
2361         Reviewed by Yusuke Suzuki.
2362
2363         r240730 changed ud_itab.py and caused incremental build failures
2364         for Ninja builds.
2365
2366         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2367
2368 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2369
2370         [JSC] Symbol should be in destructibleCellSpace
2371         https://bugs.webkit.org/show_bug.cgi?id=194082
2372
2373         Reviewed by Saam Barati.
2374
2375         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2376         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2377         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2378         Symbol's space destructibleCellSpace to appropriately call the destructor.
2379
2380         * runtime/Symbol.h:
2381
2382 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2383
2384         Unreviewed, rolling out r240755.
2385
2386         This was not correct
2387
2388         Reverted changeset:
2389
2390         "Unreviewed, fix GCC build after r240730"
2391         https://bugs.webkit.org/show_bug.cgi?id=194041
2392         https://trac.webkit.org/changeset/240755
2393
2394 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2395
2396         Unreviewed, fix GCC build after r240730
2397         https://bugs.webkit.org/show_bug.cgi?id=194041
2398         <rdar://problem/47680981>
2399
2400         * disassembler/udis86/ud_itab.py:
2401         (UdItabGenerator.genOpcodeTablesLookupIndex):
2402
2403 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2404
2405         testapi's `testBytecodeCache` does not need to run the code twice
2406         https://bugs.webkit.org/show_bug.cgi?id=194046
2407
2408         Reviewed by Mark Lam.
2409
2410         Since we populate the cache eagerly (unlike the stress tests) we don't
2411         need to run the code twice.
2412
2413         * API/tests/testapi.mm:
2414         (testBytecodeCache):
2415
2416 2019-01-30  Saam barati  <sbarati@apple.com>
2417
2418         [WebAssembly] Change BBQ to generate Air IR
2419         https://bugs.webkit.org/show_bug.cgi?id=191802
2420         <rdar://problem/47651718>
2421
2422         Reviewed by Keith Miller.
2423
2424         This patch adds a new Wasm compiler for the BBQ tier. Instead
2425         of compiling using B3-01, we now generate Air code directly.
2426         The goal of doing this was to speed up compile times for Wasm
2427         programs.
2428         
2429         This patch provides us with a 20-30% compile time speedup. However, I
2430         have ideas on how to improve compile times even further. For example,
2431         we should probably implement a faster running register allocator:
2432         https://bugs.webkit.org/show_bug.cgi?id=194036
2433         
2434         We can also improve on the code we generate.
2435         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2436         And we should do better instruction selection in various
2437         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2438
2439         * JavaScriptCore.xcodeproj/project.pbxproj:
2440         * Sources.txt:
2441         * b3/B3LowerToAir.cpp:
2442         * b3/B3StackmapSpecial.h:
2443         * b3/air/AirCode.cpp:
2444         (JSC::B3::Air::Code::emitDefaultPrologue):
2445         * b3/air/AirCode.h:
2446         * b3/air/AirTmp.h:
2447         (JSC::B3::Air::Tmp::Tmp):
2448         * runtime/Options.h:
2449         * wasm/WasmAirIRGenerator.cpp: Added.
2450         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2451         (JSC::Wasm::TypedTmp::TypedTmp):
2452         (JSC::Wasm::TypedTmp::operator== const):
2453         (JSC::Wasm::TypedTmp::operator!= const):
2454         (JSC::Wasm::TypedTmp::operator bool const):
2455         (JSC::Wasm::TypedTmp::operator Tmp const):
2456         (JSC::Wasm::TypedTmp::operator Arg const):
2457         (JSC::Wasm::TypedTmp::tmp const):
2458         (JSC::Wasm::TypedTmp::type const):
2459         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2460         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2461         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2462         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2463         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2464         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2465         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2466         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2467         (JSC::Wasm::AirIRGenerator::emptyExpression):
2468         (JSC::Wasm::AirIRGenerator::fail const):
2469         (JSC::Wasm::AirIRGenerator::setParser):
2470         (JSC::Wasm::AirIRGenerator::toTmpVector):
2471         (JSC::Wasm::AirIRGenerator::validateInst):
2472         (JSC::Wasm::AirIRGenerator::extractArg):
2473         (JSC::Wasm::AirIRGenerator::append):
2474         (JSC::Wasm::AirIRGenerator::appendEffectful):
2475         (JSC::Wasm::AirIRGenerator::newTmp):
2476         (JSC::Wasm::AirIRGenerator::g32):
2477         (JSC::Wasm::AirIRGenerator::g64):
2478         (JSC::Wasm::AirIRGenerator::f32):
2479         (JSC::Wasm::AirIRGenerator::f64):
2480         (JSC::Wasm::AirIRGenerator::tmpForType):
2481         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2482         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2483         (JSC::Wasm::AirIRGenerator::emitCheck):
2484         (JSC::Wasm::AirIRGenerator::emitCCall):
2485         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2486         (JSC::Wasm::AirIRGenerator::instanceValue):
2487         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2488         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2489         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2490         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2491         (JSC::Wasm::AirIRGenerator::emitThrowException):
2492         (JSC::Wasm::AirIRGenerator::addLocal):
2493         (JSC::Wasm::AirIRGenerator::addConstant):
2494         (JSC::Wasm::AirIRGenerator::addArguments):
2495         (JSC::Wasm::AirIRGenerator::getLocal):
2496         (JSC::Wasm::AirIRGenerator::addUnreachable):
2497         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2498         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2499         (JSC::Wasm::AirIRGenerator::setLocal):
2500         (JSC::Wasm::AirIRGenerator::getGlobal):
2501         (JSC::Wasm::AirIRGenerator::setGlobal):
2502         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2503         (JSC::Wasm::sizeOfLoadOp):
2504         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2505         (JSC::Wasm::AirIRGenerator::load):
2506         (JSC::Wasm::sizeOfStoreOp):
2507         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2508         (JSC::Wasm::AirIRGenerator::store):
2509         (JSC::Wasm::AirIRGenerator::addSelect):
2510         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2511         (JSC::Wasm::AirIRGenerator::addLoop):
2512         (JSC::Wasm::AirIRGenerator::addTopLevel):
2513         (JSC::Wasm::AirIRGenerator::addBlock):
2514         (JSC::Wasm::AirIRGenerator::addIf):
2515         (JSC::Wasm::AirIRGenerator::addElse):
2516         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2517         (JSC::Wasm::AirIRGenerator::addReturn):
2518         (JSC::Wasm::AirIRGenerator::addBranch):
2519         (JSC::Wasm::AirIRGenerator::addSwitch):
2520         (JSC::Wasm::AirIRGenerator::endBlock):
2521         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2522         (JSC::Wasm::AirIRGenerator::addCall):
2523         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2524         (JSC::Wasm::AirIRGenerator::unify):
2525         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2526         (JSC::Wasm::AirIRGenerator::dump):
2527         (JSC::Wasm::AirIRGenerator::origin):
2528         (JSC::Wasm::parseAndCompileAir):
2529         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2530         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2531         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2532         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2533         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2534         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2535         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2536         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2537         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2538         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2539         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2540         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2541         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2542         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2543         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2544         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2545         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2546         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2547         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2548         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2549         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2550         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2551         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2552         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2553         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2554         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2555         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2556         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2557         (JSC::Wasm::AirIRGenerator::addShift):
2558         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2559         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2560         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2561         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2562         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2563         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2564         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2565         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2566         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2567         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2568         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2569         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2570         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2571         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2572         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2573         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2574         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2575         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2576         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2577         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2578         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2579         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2580         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2581         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2582         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2583         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2584         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2585         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2586         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2587         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2588         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2589         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2590         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2591         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2592         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2593         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2594         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2595         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2596         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2597         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2598         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2599         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2600         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2601         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2602         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2603         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2604         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2605         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2606         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2607         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2608         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2609         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2610         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2611         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2612         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2613         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2614         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2615         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2616         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2617         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2618         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2619         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2620         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2621         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2622         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2623         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2624         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2625         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2626         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2627         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2628         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2629         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2630         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2631         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2632         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2633         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2634         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2635         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2636         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2637         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2638         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2639         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2640         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2641         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2642         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2643         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2644         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2645         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2646         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2647         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2648         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2649         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2650         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2651         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2652         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2653         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2654         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2655         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2656         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2657         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2658         * wasm/WasmAirIRGenerator.h: Added.
2659         * wasm/WasmB3IRGenerator.cpp:
2660         (JSC::Wasm::B3IRGenerator::emptyExpression):
2661         * wasm/WasmBBQPlan.cpp:
2662         (JSC::Wasm::BBQPlan::compileFunctions):
2663         * wasm/WasmCallingConvention.cpp:
2664         (JSC::Wasm::jscCallingConventionAir):
2665         (JSC::Wasm::wasmCallingConventionAir):
2666         * wasm/WasmCallingConvention.h:
2667         (JSC::Wasm::CallingConvention::CallingConvention):
2668         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2669         (JSC::Wasm::CallingConvention::marshallArgument const):
2670         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2671         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2672         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2673         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2674         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2675         (JSC::Wasm::CallingConventionAir::loadArguments const):
2676         (JSC::Wasm::CallingConventionAir::setupCall const):
2677         (JSC::Wasm::nextJSCOffset):
2678         * wasm/WasmFunctionParser.h:
2679         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2680         * wasm/WasmValidate.cpp:
2681         (JSC::Wasm::Validate::emptyExpression):
2682
2683 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2684
2685         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2686         https://bugs.webkit.org/show_bug.cgi?id=194050
2687         <rdar://problem/47595592>
2688
2689         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2690         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2691
2692         Reviewed by Yusuke Suzuki.
2693
2694         * ftl/FTLOperations.cpp:
2695         (JSC::FTL::operationMaterializeObjectInOSR):
2696
2697 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2698
2699         Remove assertion that CachedSymbolTables should have no RareData
2700         https://bugs.webkit.org/show_bug.cgi?id=194037
2701
2702         Reviewed by Mark Lam.
2703
2704         It turns out that we don't need to cache the SymbolTableRareData and
2705         we should not assert that it's empty.
2706
2707         * runtime/CachedTypes.cpp:
2708         (JSC::CachedSymbolTable::encode):
2709
2710 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2711
2712         CachedBytecode's move constructor should not call `freeDataIfOwned`
2713         https://bugs.webkit.org/show_bug.cgi?id=194045
2714
2715         Reviewed by Mark Lam.
2716
2717         That might result in freeing a garbage value.
2718
2719         * parser/SourceProvider.h:
2720         (JSC::CachedBytecode::CachedBytecode):
2721
2722 2019-01-30  Keith Miller  <keith_miller@apple.com>
2723
2724         mul32 should convert powers of 2 to an lshift
2725         https://bugs.webkit.org/show_bug.cgi?id=193957
2726
2727         Reviewed by Yusuke Suzuki.
2728
2729         * assembler/MacroAssembler.h:
2730         (JSC::MacroAssembler::mul32):
2731         * assembler/testmasm.cpp:
2732         (JSC::int32Operands):
2733         (JSC::testMul32WithImmediates):
2734         (JSC::run):
2735
2736 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2737
2738         [JSC] Make disassembler data structures constant read-only data
2739         https://bugs.webkit.org/show_bug.cgi?id=194041
2740
2741         Reviewed by Mark Lam.
2742
2743         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2744         This patch makes them "const".
2745
2746         * disassembler/ARM64/A64DOpcode.cpp:
2747         * disassembler/udis86/ud_itab.py:
2748         (UdItabGenerator.genOpcodeTablesLookupIndex):
2749         (UdItabGenerator.genInsnTable):
2750         (UdItabGenerator.genMnemonicsList):
2751         (genItabH):
2752         * disassembler/udis86/udis86_decode.h:
2753         * disassembler/udis86/udis86_syn.c:
2754         * disassembler/udis86/udis86_syn.h:
2755         * disassembler/udis86/udis86_types.h:
2756
2757 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2758
2759         Unreviewed, update the builtin test results
2760         https://bugs.webkit.org/show_bug.cgi?id=194015
2761
2762         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2763         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2764         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2765         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2766         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2767         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2768         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2769         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2770         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2771         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2772         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2773         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2774         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2775
2776 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2777
2778         [JSC] Make global static variables "const" as much as possible
2779         https://bugs.webkit.org/show_bug.cgi?id=194015
2780
2781         Reviewed by Mark Lam.
2782
2783         Some global static variables are not "const". For example, `static const char* name = ...`
2784         is not a constant variable. We should make it `static const char* const name = ...`.
2785
2786         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2787         (generate_externs_for_object):
2788         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2789         (generate_externs_for_object):
2790         * Scripts/wkbuiltins/builtins_generator.py:
2791         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2792         * assembler/MacroAssembler.h:
2793         (JSC::MacroAssembler::additionBlindedConstant):
2794         * b3/air/AirFormTable.h:
2795         * b3/air/opcode_generator.rb:
2796         * runtime/JSObject.cpp:
2797         (JSC::JSObject::visitButterfly):
2798         * tools/CodeProfile.cpp:
2799         * tools/CodeProfile.h:
2800
2801 2019-01-29  Keith Miller  <keith_miller@apple.com>
2802
2803         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2804         https://bugs.webkit.org/show_bug.cgi?id=194000
2805         <rdar://problem/47642894>
2806
2807         Reviewed by Mark Lam.
2808
2809         The default constructor is unused, and
2810         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2811         data member, which causes sadness.
2812
2813         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2814
2815 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2816
2817         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2818
2819         Rubber-stamped by Yusuke Suzuki.
2820
2821         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2822
2823         * parser/Parser.h:
2824         (JSC::Parser::declareHoistedVariable):
2825
2826 2019-01-29  Mark Lam  <mark.lam@apple.com>
2827
2828         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2829         https://bugs.webkit.org/show_bug.cgi?id=132333
2830
2831         Reviewed by Yusuke Suzuki.
2832
2833         * bytecode/InstructionStream.h:
2834         (JSC::InstructionStreamWriter::write):
2835         - The 32-bit write() function need not invert the order of the bytes written to
2836           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
2837           be written is already in big-endian order for CPU(BIG_ENDIAN) platforms.
2838
2839         * llint/LLIntOfflineAsmConfig.h:
2840         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2841
2842 2019-01-29  Mark Lam  <mark.lam@apple.com>
2843
2844         ValueRecovery::recover() should purify NaN values it recovers.
2845         https://bugs.webkit.org/show_bug.cgi?id=193978
2846         <rdar://problem/47625488>
2847
2848         Reviewed by Saam Barati.
2849
2850         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
2851         recovered DoubleDisplacedInJSStack values need to be purified.
2852         ValueRecovery::recover() should do the same.
2853
2854         * bytecode/ValueRecovery.cpp:
2855         (JSC::ValueRecovery::recover const):
2856
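        Why the recovered doubles have to be purified, as an added illustration that is not part of this ChangeLog or of JavaScriptCore's sources: in JSC's 64-bit NaN-boxed JSValue encoding (described in runtime/JSCJSValue.h), a double is stored as its raw bits plus 2^49, and the top 16 bits of the result tell doubles apart from int32s (tag 0xFFFE) and from cell pointers (top bits zero). Only the single canonical NaN pattern, PNaN (0x7FF8000000000000), is guaranteed to stay in the double range; a NaN with the sign bit set and a stray payload can wrap into the pointer tag space and be read back as a cell. The constants, the function names and the sample NaN below are this example's own model of that encoding, not code from the patch.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed constants, modelled on the 64-bit JSValue encoding described in
 * JSC's JSCJSValue.h: a double is boxed as its raw bits plus 2^49, int32s
 * carry the tag 0xFFFE in the top 16 bits, and cell pointers have zero
 * top bits (and bit 1 clear). */
#define NUMBER_TAG           0xfffe000000000000ULL
#define OTHER_TAG            0x0000000000000002ULL
#define DOUBLE_ENCODE_OFFSET (1ULL << 49)
#define PNAN_BITS            0x7ff8000000000000ULL  /* the one "pure" NaN */

static uint64_t bits_of(double d)     { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
static double   double_of(uint64_t u) { double d;   memcpy(&d, &u, sizeof d); return d; }

/* purifyNaN: every NaN collapses to the single canonical pattern; anything
 * that is not a NaN passes through untouched. */
double purify_nan(double d)
{
    return isnan(d) ? double_of(PNAN_BITS) : d;
}

/* Box a double the way the encoding does: add the offset to its bit pattern.
 * Unsigned arithmetic, so an out-of-range pattern wraps instead of being UB. */
uint64_t encode_double(double d)
{
    return bits_of(d) + DOUBLE_ENCODE_OFFSET;
}

/* Type tests mirroring isInt32 / isDouble / isCell on the boxed word. */
bool boxed_is_int32(uint64_t v)  { return (v & NUMBER_TAG) == NUMBER_TAG; }
bool boxed_is_double(uint64_t v) { return (v & NUMBER_TAG) != 0 && !boxed_is_int32(v); }
bool boxed_is_cell(uint64_t v)   { return (v & (NUMBER_TAG | OTHER_TAG)) == 0; }

/* Constructed input: an impure NaN (sign bit set, exponent all ones, payload 1).
 * 0xffff000000000001 + 2^49 wraps to 0x0001000000000001, which has zero top
 * bits and therefore looks like a cell pointer. */
#define IMPURE_NAN_BITS 0xffff000000000001ULL

/* True when boxing the impure NaN without purification yields a word that the
 * encoding reads back as a cell rather than as a double. */
bool impure_nan_aliases_cell(void)
{
    uint64_t boxed = encode_double(double_of(IMPURE_NAN_BITS));
    return boxed_is_cell(boxed) && !boxed_is_double(boxed);
}

/* True when the same NaN, purified first, boxes to a genuine double. */
bool purified_nan_is_double(void)
{
    double pure = purify_nan(double_of(IMPURE_NAN_BITS));
    return bits_of(pure) == PNAN_BITS && boxed_is_double(encode_double(pure));
}
```

        Canonicalizing with purify_nan before boxing is the whole point: after it, the offset addition never leaves the double range, so a NaN recovered from the stack cannot be mistaken for a pointer or an integer by later type checks.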
2857 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
2858
2859         [JSC] FTL should handle LocalAllocator*
2860         https://bugs.webkit.org/show_bug.cgi?id=193980
2861
2862         Reviewed by Saam Barati.
2863
2864         At some point, Allocator began holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
2865         because the FTL still uses the incoming value as a 32-bit integer there.
2866
2867         * ftl/FTLLowerDFGToB3.cpp:
2868         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2869
2870 2019-01-29  Keith Rollin  <krollin@apple.com>
2871
2872         Add .xcfilelists to Run Script build phases
2873         https://bugs.webkit.org/show_bug.cgi?id=193792
2874         <rdar://problem/47201785>
2875
2876         Reviewed by Alex Christensen.
2877
2878         As part of supporting XCBuild, update the necessary Run Script build
2879         phases in their Xcode projects to refer to their associated
2880         .xcfilelist files.
2881
2882         Note that the addition of these files bumps the Xcode project version
2883         number to something that's Xcode 10 compatible. This change means that
2884         older versions of the Xcode IDE can't read these projects. Nor can they
2885         fully load workspaces that refer to these projects (the updated
2886         projects are shown as non-expandable placeholders). `xcodebuild` can
2887         still build these projects; it's just that the IDE can't open them.
2888
2889         * JavaScriptCore.xcodeproj/project.pbxproj:
2890
2891 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
2892
2893         [ARM] Check for negative zero instead of just zero
2894         https://bugs.webkit.org/show_bug.cgi?id=193689
2895
2896         Reviewed by Mark Lam.
2897
2898         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
2899         of just bailing out for zero.
2900
2901         * assembler/MacroAssemblerARMv7.h:
2902         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
2903
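        What the negative-zero check buys, as an added example that is not part of this ChangeLog or of JavaScriptCore's sources: a JIT may take the double-to-int32 fast path only when the int32 result reads back as the same double. 0.0 qualifies; -0.0 does not, because int32 has no negative zero and JavaScript can tell the two apart (1 / -0 is -Infinity, Object.is(0, -0) is false). Since -0.0 == 0.0 in C, the test has to inspect the sign bit rather than compare against zero. The model below, its names and its sample inputs are mine.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>

/* Outcome of a conversion attempt: the JIT fast path commits on CONVERTED
 * and bails to the slow path on every other outcome. */
typedef enum {
    CONVERTED,          /* value is an int32 and round-trips exactly */
    BAIL_NEGATIVE_ZERO, /* -0.0: the int32 0 would lose the sign */
    BAIL_NOT_INTEGRAL,  /* a fractional part would be truncated */
    BAIL_OUT_OF_RANGE   /* beyond int32, or NaN / infinity */
} ConvertResult;

/* Model of branchConvertDoubleToInt32: convert only when the int32 result
 * would read back as the same double, otherwise report why not. */
ConvertResult convert_double_to_int32(double d, int32_t *out)
{
    /* NaN compares false with everything, so it falls into this branch too. */
    if (!(d >= -2147483648.0 && d <= 2147483647.0))
        return BAIL_OUT_OF_RANGE;

    int32_t i = (int32_t)d;       /* truncation; defined because d is in range */
    if ((double)i != d)
        return BAIL_NOT_INTEGRAL;

    /* d == (double)i here. For i == 0 that holds for both 0.0 and -0.0; only
     * the sign bit distinguishes them, and int32 cannot carry it. */
    if (i == 0 && signbit(d))
        return BAIL_NEGATIVE_ZERO;

    *out = i;
    return CONVERTED;
}

/* Convenience for callers that only need the outcome. */
ConvertResult classify(double d)
{
    int32_t ignored;
    return convert_double_to_int32(d, &ignored);
}

/* The converted int32, or 0 when the fast path bails (check classify()). */
int32_t fast_value(double d)
{
    int32_t v = 0;
    convert_double_to_int32(d, &v);
    return v;
}

/* How many of the constructed samples take the fast path. Bailing on any
 * zero, the previous ARM behaviour, would give one fewer. */
int fast_path_count(void)
{
    const double samples[] = { 0.0, -0.0, 42.0, -7.0, 3.5, 2147483648.0, NAN, -INFINITY };
    int count = 0;
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int32_t v;
        if (convert_double_to_int32(samples[k], &v) == CONVERTED)
            count++;
    }
    return count;
}
```

        Bailing only on -0.0, as the patch does, keeps ordinary zeros on the fast path; bailing on any zero was safe but pessimistic, since the slow path then had to redo work for a value the fast path could have handled.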
2904 2019-01-28  Devin Rousso  <drousso@apple.com>
2905
2906         Web Inspector: provide a way to edit page WebRTC settings on a remote target
2907         https://bugs.webkit.org/show_bug.cgi?id=193863
2908         <rdar://problem/47572764>
2909
2910         Reviewed by Joseph Pecoraro.
2911
2912         * inspector/protocol/Page.json:
2913         Add more values to the `Setting` enum type:
2914          - `ICECandidateFilteringEnabled`
2915          - `MediaCaptureRequiresSecureConnection`
2916          - `MockCaptureDevicesEnabled`
2917
2918 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
2919
2920         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
2921         https://bugs.webkit.org/show_bug.cgi?id=193941
2922
2923         Reviewed by Alex Christensen.
2924
2925         * API/JSWeakObjectMapRefPrivate.cpp:
2926         * bytecompiler/NodesCodegen.cpp:
2927         * heap/MachineStackMarker.cpp:
2928         * jit/ExecutableAllocator.cpp:
2929         * jsc.cpp:
2930         * parser/Nodes.cpp:
2931         * runtime/DateConstructor.cpp:
2932         * runtime/DateConversion.cpp:
2933         * runtime/DateInstance.cpp:
2934         * runtime/DatePrototype.cpp:
2935         * runtime/InitializeThreading.cpp:
2936         * runtime/IteratorOperations.cpp:
2937         * runtime/JSDateMath.cpp:
2938         * runtime/JSGlobalObjectFunctions.cpp:
2939         * runtime/StringPrototype.cpp:
2940         * runtime/VM.cpp:
2941         * testRegExp.cpp:
2942         * tools/JSDollarVM.cpp:
2943         * yarr/YarrInterpreter.cpp:
2944         * yarr/YarrJIT.cpp:
2945         * yarr/YarrPattern.cpp:
2946         * yarr/YarrUnicodeProperties.cpp:
2947
2948 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
2949
2950         [JSC] Reduce size of memory used for ShadowChicken
2951         https://bugs.webkit.org/show_bug.cgi?id=193546
2952
2953         Reviewed by Mark Lam.
2954
2955         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
2956         The removal of ShadowChicken saves 55KB of memory.
2957
2958         * debugger/DebuggerCallFrame.cpp:
2959         (JSC::DebuggerCallFrame::create):
2960         * ftl/FTLLowerDFGToB3.cpp:
2961         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
2962         * heap/Heap.cpp:
2963         (JSC::Heap::stopThePeriphery):
2964         (JSC::Heap::addCoreConstraints):
2965         * jit/CCallHelpers.cpp:
2966         (JSC::CCallHelpers::ensureShadowChickenPacket):
2967         * jit/JITExceptions.cpp:
2968         (JSC::genericUnwind):
2969         * jit/JITOpcodes.cpp:
2970         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2971         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2972         * jit/JITOpcodes32_64.cpp:
2973         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
2974         (JSC::JIT::emit_op_log_shadow_chicken_tail):
2975         * jit/JITOperations.cpp:
2976         * llint/LLIntSlowPaths.cpp:
2977         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2978         * runtime/JSGlobalObject.cpp:
2979         (JSC::JSGlobalObject::setDebugger):
2980         * runtime/JSGlobalObject.h:
2981         (JSC::JSGlobalObject::setDebugger): Deleted.
2982         * runtime/VM.cpp:
2983         (JSC::VM::VM):
2984         (JSC::VM::ensureShadowChicken):
2985         * runtime/VM.h:
2986         (JSC::VM::shadowChicken):
2987         * tools/JSDollarVM.cpp:
2988         (JSC::functionShadowChickenFunctionsOnStack):
2989         (JSC::changeDebuggerModeWhenIdle):
2990
2991 2019-01-28  Andy Estes  <aestes@apple.com>
2992
2993         [watchOS] Enable Parental Controls content filtering
2994         https://bugs.webkit.org/show_bug.cgi?id=193939
2995         <rdar://problem/46641912>
2996
2997         Reviewed by Ryosuke Niwa.
2998
2999         * Configurations/FeatureDefines.xcconfig:
3000
3001 2019-01-28  Mark Lam  <mark.lam@apple.com>
3002
3003         ToString node actually does GC.
3004         https://bugs.webkit.org/show_bug.cgi?id=193920
3005         <rdar://problem/46695900>
3006
3007         Reviewed by Yusuke Suzuki.
3008
3009         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3010         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3011
3012         * dfg/DFGDoesGC.cpp:
3013         (JSC::DFG::doesGC):
3014
3015 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3016
3017         [JSC] RegExpConstructor should not have own IsoSubspace
3018         https://bugs.webkit.org/show_bug.cgi?id=193801
3019
3020         Reviewed by Mark Lam.
3021
3022         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3023         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3024         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
3025         it from RegExpConstructor's members.
3026
3027         We introduce RegExpGlobalData, which holds the per-global RegExp matching data, and we perform `performMatch` etc. with
3028         JSGlobalObject instead of RegExpConstructor. This change requires small changes in the DFG / FTL RecordRegExpCachedResult
3029         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3030
3031         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3032
3033         * CMakeLists.txt:
3034         * JavaScriptCore.xcodeproj/project.pbxproj:
3035         * Sources.txt:
3036         * dfg/DFGOperations.cpp:
3037         * dfg/DFGSpeculativeJIT.cpp:
3038         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3039         * dfg/DFGStrengthReductionPhase.cpp:
3040         (JSC::DFG::StrengthReductionPhase::handleNode):
3041         * ftl/FTLAbstractHeapRepository.cpp:
3042         * ftl/FTLAbstractHeapRepository.h:
3043         * ftl/FTLLowerDFGToB3.cpp:
3044         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3045         * runtime/JSGlobalObject.cpp:
3046         (JSC::JSGlobalObject::init):
3047         (JSC::JSGlobalObject::visitChildren):
3048         * runtime/JSGlobalObject.h:
3049         (JSC::JSGlobalObject::regExpGlobalData):
3050         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3051         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3052         * runtime/RegExpCache.cpp:
3053         (JSC::RegExpCache::initialize):
3054         * runtime/RegExpCache.h:
3055         (JSC::RegExpCache::emptyRegExp const):
3056         * runtime/RegExpCachedResult.cpp:
3057         (JSC::RegExpCachedResult::visitAggregate):
3058         (JSC::RegExpCachedResult::visitChildren): Deleted.
3059         * runtime/RegExpCachedResult.h:
3060         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3061         * runtime/RegExpConstructor.cpp:
3062         (JSC::RegExpConstructor::RegExpConstructor):
3063         (JSC::regExpConstructorDollar):
3064         (JSC::regExpConstructorInput):
3065         (JSC::regExpConstructorMultiline):
3066         (JSC::regExpConstructorLastMatch):
3067         (JSC::regExpConstructorLastParen):
3068         (JSC::regExpConstructorLeftContext):
3069         (JSC::regExpConstructorRightContext):
3070         (JSC::setRegExpConstructorInput):
3071         (JSC::setRegExpConstructorMultiline):
3072         (JSC::RegExpConstructor::destroy): Deleted.
3073         (JSC::RegExpConstructor::visitChildren): Deleted.
3074         (JSC::RegExpConstructor::getBackref): Deleted.
3075         (JSC::RegExpConstructor::getLastParen): Deleted.
3076         (JSC::RegExpConstructor::getLeftContext): Deleted.
3077         (JSC::RegExpConstructor::getRightContext): Deleted.
3078         * runtime/RegExpConstructor.h:
3079         (JSC::RegExpConstructor::performMatch): Deleted.
3080         (JSC::RegExpConstructor::recordMatch): Deleted.
3081         * runtime/RegExpGlobalData.cpp: Added.
3082         (JSC::RegExpGlobalData::visitAggregate):
3083         (JSC::RegExpGlobalData::getBackref):
3084         (JSC::RegExpGlobalData::getLastParen):
3085         (JSC::RegExpGlobalData::getLeftContext):
3086         (JSC::RegExpGlobalData::getRightContext):
3087         * runtime/RegExpGlobalData.h: Added.
3088         (JSC::RegExpGlobalData::cachedResult):
3089         (JSC::RegExpGlobalData::setMultiline):
3090         (JSC::RegExpGlobalData::multiline const):
3091         (JSC::RegExpGlobalData::input):
3092         (JSC::RegExpGlobalData::offsetOfCachedResult):
3093         * runtime/RegExpGlobalDataInlines.h: Added.
3094         (JSC::RegExpGlobalData::setInput):
3095         (JSC::RegExpGlobalData::performMatch):
3096         (JSC::RegExpGlobalData::recordMatch):
3097         * runtime/RegExpObject.cpp:
3098         (JSC::RegExpObject::matchGlobal):
3099         * runtime/RegExpObjectInlines.h:
3100         (JSC::RegExpObject::execInline):
3101         (JSC::RegExpObject::matchInline):
3102         (JSC::collectMatches):
3103         * runtime/RegExpPrototype.cpp:
3104         (JSC::RegExpPrototype::finishCreation):
3105         (JSC::regExpProtoFuncSearchFast):
3106         (JSC::RegExpPrototype::visitChildren): Deleted.
3107         * runtime/RegExpPrototype.h:
3108         * runtime/StringPrototype.cpp:
3109         (JSC::removeUsingRegExpSearch):
3110         (JSC::replaceUsingRegExpSearch):
3111         * runtime/VM.cpp:
3112         (JSC::VM::VM):
3113         * runtime/VM.h:
3114
3115 2018-12-15  Darin Adler  <darin@apple.com>
3116
3117         Replace many uses of String::format with more type-safe alternatives
3118         https://bugs.webkit.org/show_bug.cgi?id=192742
3119
3120         Reviewed by Mark Lam.
3121
3122         * inspector/InjectedScriptBase.cpp:
3123         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3124         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3125         * inspector/InspectorBackendDispatcher.cpp:
3126         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3127         * inspector/agents/InspectorConsoleAgent.cpp:
3128         (Inspector::InspectorConsoleAgent::enable): Ditto.
3129         * jsc.cpp:
3130         (FunctionJSCStackFunctor::operator() const): Ditto.
3131
3132         * runtime/CodeCache.cpp:
3133         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3134         using String::number.
3135
3136         * runtime/IntlDateTimeFormat.cpp:
3137         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3138         * runtime/IntlObject.cpp:
3139         (JSC::canonicalizeLocaleList): Ditto.
3140
3141 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3142
3143         AX: Introduce a static accessibility tree
3144         https://bugs.webkit.org/show_bug.cgi?id=193348
3145         <rdar://problem/47203295>
3146
3147         Reviewed by Ryosuke Niwa.
3148
3149         * Configurations/FeatureDefines.xcconfig:
3150
3151 2019-01-26  Devin Rousso  <drousso@apple.com>
3152
3153         Web Inspector: provide a way to edit the user agent of a remote target
3154         https://bugs.webkit.org/show_bug.cgi?id=193862
3155         <rdar://problem/47359292>
3156
3157         Reviewed by Joseph Pecoraro.
3158
3159         * inspector/protocol/Page.json:
3160         Add `overrideUserAgent` command.
3161
3162 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3163
3164         [JSC] NativeErrorConstructor should not have own IsoSubspace
3165         https://bugs.webkit.org/show_bug.cgi?id=193713
3166
3167         Reviewed by Saam Barati.
3168
3169         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3170         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3171         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3172         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3173         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3174         referenced.
3175
3176         * CMakeLists.txt:
3177         * JavaScriptCore.xcodeproj/project.pbxproj:
3178         * Sources.txt:
3179         * builtins/BuiltinNames.h:
3180         * interpreter/Interpreter.h:
3181         * runtime/Error.cpp:
3182         (JSC::createEvalError):
3183         (JSC::createRangeError):
3184         (JSC::createReferenceError):
3185         (JSC::createSyntaxError):
3186         (JSC::createTypeError):
3187         (JSC::createURIError):
3188         (WTF::printInternal): Deleted.
3189         * runtime/Error.h:
3190         * runtime/ErrorPrototype.cpp:
3191         (JSC::ErrorPrototype::create):
3192         (JSC::ErrorPrototype::finishCreation):
3193         * runtime/ErrorPrototype.h:
3194         (JSC::ErrorPrototype::create): Deleted.
3195         * runtime/ErrorType.cpp: Added.
3196         (JSC::errorTypeName):
3197         (WTF::printInternal):
3198         * runtime/ErrorType.h: Added.
3199         * runtime/JSGlobalObject.cpp:
3200         (JSC::JSGlobalObject::initializeErrorConstructor):
3201         (JSC::JSGlobalObject::init):
3202         (JSC::JSGlobalObject::visitChildren):
3203         * runtime/JSGlobalObject.h:
3204         (JSC::JSGlobalObject::internalPromiseConstructor const):
3205         (JSC::JSGlobalObject::errorStructure const):
3206         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3207         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3208         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3209         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3210         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3211         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3212         * runtime/NativeErrorConstructor.cpp:
3213         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3214         (JSC::NativeErrorConstructorBase::finishCreation):
3215         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3216         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3217         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3218         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3219         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3220         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3221         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3222         * runtime/NativeErrorConstructor.h:
3223         (JSC::NativeErrorConstructorBase::createStructure):
3224         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3225         * runtime/NativeErrorPrototype.cpp:
3226         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3227         * runtime/NativeErrorPrototype.h:
3228         * runtime/VM.cpp:
3229         (JSC::VM::VM):
3230         * runtime/VM.h:
3231         * wasm/js/WasmToJS.cpp:
3232         (JSC::Wasm::handleBadI64Use):
3233
3234 2019-01-25  Devin Rousso  <drousso@apple.com>
3235
3236         Web Inspector: provide a way to edit page settings on a remote target
3237         https://bugs.webkit.org/show_bug.cgi?id=193813
3238         <rdar://problem/47359510>
3239
3240         Reviewed by Joseph Pecoraro.
3241
3242         * inspector/protocol/Page.json:
3243         Add `overrideSetting` command with supporting `Setting` enum type.
3244
3245 2019-01-25  Keith Rollin  <krollin@apple.com>
3246
3247         Update Xcode projects with "Check .xcfilelists" build phase
3248         https://bugs.webkit.org/show_bug.cgi?id=193790
3249         <rdar://problem/47201374>
3250
3251         Reviewed by Alex Christensen.
3252
3253         Support for XCBuild includes specifying inputs and outputs to various
3254         Run Script build phases. These inputs and outputs are specified as
3255         .xcfilelist files. Once created, these .xcfilelist files need to be
3256         kept up-to-date. In order to check that they are up-to-date or not,
3257         add an Xcode build step that invokes an external script that performs
3258         the checking. If the .xcfilelists are found to be out-of-date, update
3259         them, halt the build, and instruct the developer to restart the build
3260         with up-to-date files.
3261
3262         At this time, the checking and regenerating is performed only if the
3263         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3264         who want to use this facility can set this variable and test out the
3265         checking/regenerating. Once it seems like there are no egregious
3266         issues that upset a developer's workflow, we'll unconditionally enable
3267         this facility.
3268
3269         * JavaScriptCore.xcodeproj/project.pbxproj:
3270         * Scripts/check-xcfilelists.sh: Added.
3271
3272 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3273
3274         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3275         https://bugs.webkit.org/show_bug.cgi?id=193796
3276         <rdar://problem/47532910>
3277
3278         Reviewed by Devin Rousso.
3279
3280         * runtime/SamplingProfiler.cpp:
3281         (JSC::SamplingProfiler::machThread):
3282         * runtime/SamplingProfiler.h:
3283         Expose the mach_port_t of the SamplingProfiler thread
3284         so it can be tested against later.
3285
3286 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3287
3288         Fix Windows build after r240511
3289
3290         * bytecode/UnlinkedFunctionExecutable.cpp:
3291         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3292
3293 2019-01-25  Keith Rollin  <krollin@apple.com>
3294
3295         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3296         https://bugs.webkit.org/show_bug.cgi?id=193781
3297         <rdar://problem/47201153>
3298
3299         Reviewed by Alex Christensen.
3300
3301         Part of generating the .xcfilelists used as part of adopting XCBuild
3302         includes running `make DerivedSources.make` from a standalone script.
3303         It’s important for this invocation to have the same environment as
3304         when the actual build invokes `make DerivedSources.make`. If the
3305         environments are different, then the two invocations will provide
3306         different results. In order to get the same environment in the
3307         standalone script, have the script launch xcodebuild targeting the
3308         "Apply Configuration to XCFileLists" build target, which will then
3309         re-invoke our standalone script. The script is now running again, this
3310         time in an environment with all workspace, project, target, xcconfig
3311         and other environment variables established.
3312
3313         The "Apply Configuration to XCFileLists" build target accomplishes
3314         this task via a small embedded shell script that consists only of:
3315
3316             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3317
3318         The process that invokes "Apply Configuration to XCFileLists" first
3319         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3320         evaluated and exports it into the shell environment. When xcodebuild
3321         is invoked, it inherits the value of this variable and can `eval` the
3322         contents of that variable. Our external standalone script can then set
3323         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3324         of command-line parameters needed to restart itself in the appropriate
3325         state.
3326
3327         * JavaScriptCore.xcodeproj/project.pbxproj:
3328
3329 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3330
3331         Add API to generate and consume cached bytecode
3332         https://bugs.webkit.org/show_bug.cgi?id=193401
3333         <rdar://problem/47514099>
3334
3335         Reviewed by Keith Miller.
3336
3337         Add the `generateBytecode` and `generateModuleBytecode` functions to
3338         generate serialized bytecode for a given `SourceCode`. These functions
3339         will eagerly generate code for all the nested functions.
3340
3341         Additionally, update the API methods in JSScript to generate and use the
3342         bytecode when the bytecodeCache path is provided.
3343
3344         * API/JSAPIGlobalObject.mm:
3345         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3346         * API/JSContext.mm:
3347         (-[JSContext wrapperMap]):
3348         * API/JSContextInternal.h:
3349         * API/JSScript.mm:
3350         (+[JSScript scriptWithSource:inVirtualMachine:]):
3351         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3352         (-[JSScript dealloc]):
3353         (-[JSScript readCache]):
3354         (-[JSScript writeCache]):
3355         (-[JSScript hash]):
3356         (-[JSScript source]):
3357         (-[JSScript cachedBytecode]):
3358         (-[JSScript jsSourceCode:]):
3359         * API/JSScriptInternal.h:
3360         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3361         (JSScriptSourceProvider::create):
3362         (JSScriptSourceProvider::JSScriptSourceProvider):
3363         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3364         (JSScriptSourceProvider::hash const):
3365         (JSScriptSourceProvider::source const):
3366         (JSScriptSourceProvider::cachedBytecode const):
3367         * API/JSVirtualMachine.mm:
3368         (-[JSVirtualMachine vm]):
3369         * API/JSVirtualMachineInternal.h:
3370         * API/tests/testapi.mm:
3371         (testBytecodeCache):
3372         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3373         (testObjectiveCAPI):
3374         * JavaScriptCore.xcodeproj/project.pbxproj:
3375         * SourcesCocoa.txt:
3376         * bytecode/UnlinkedFunctionExecutable.cpp:
3377         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3378         * bytecode/UnlinkedFunctionExecutable.h:
3379         * parser/SourceCodeKey.h:
3380         (JSC::SourceCodeKey::source const):
3381         * parser/SourceProvider.h:
3382         (JSC::CachedBytecode::CachedBytecode):
3383         (JSC::CachedBytecode::operator=):
3384         (JSC::CachedBytecode::data const):
3385         (JSC::CachedBytecode::size const):
3386         (JSC::CachedBytecode::owned const):
3387         (JSC::CachedBytecode::~CachedBytecode):
3388         (JSC::CachedBytecode::freeDataIfOwned):
3389         (JSC::SourceProvider::cachedBytecode const):
3390         * parser/UnlinkedSourceCode.h:
3391         (JSC::UnlinkedSourceCode::provider const):
3392         * runtime/CodeCache.cpp:
3393         (JSC::generateUnlinkedCodeBlockForFunctions):
3394         (JSC::writeCodeBlock):
3395         (JSC::serializeBytecode):
3396         * runtime/CodeCache.h:
3397         (JSC::CodeCacheMap::fetchFromDiskImpl):
3398         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3399         (JSC::generateUnlinkedCodeBlockImpl):
3400         (JSC::generateUnlinkedCodeBlock):
3401         * runtime/Completion.cpp:
3402         (JSC::generateBytecode):
3403         (JSC::generateModuleBytecode):
3404         * runtime/Completion.h:
3405         * runtime/Options.cpp:
3406         (JSC::recomputeDependentOptions):
3407
3408 2019-01-25  Keith Rollin  <krollin@apple.com>
3409
3410         Update WebKitAdditions.xcconfig with correct order of variable definitions
3411         https://bugs.webkit.org/show_bug.cgi?id=193793
3412         <rdar://problem/47532439>
3413
3414         Reviewed by Alex Christensen.
3415
3416         XCBuild changes the way xcconfig variables are evaluated. In short,
3417         all config file assignments are now considered as part of the
3418         evaluation. When using the new build system and an .xcconfig file
3419         contains multiple assignments of the same build setting:
3420
3421         - Later assignments using $(inherited) will inherit from earlier
3422           assignments in the xcconfig file.
3423         - Later assignments not using $(inherited) will take precedence over
3424           earlier assignments. An assignment to a more general setting will
3425           mask an earlier assignment to a less general setting. For example,
3426           an assignment without a condition ('FOO = bar') will completely mask
3427           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3428
3429         This affects some of our .xcconfig files, in that sometimes platform-
3430         or sdk-specific definitions appear before the general definitions.
3431         Under the new evaluation rules, the general definitions always take
3432         effect because they always overwrite the more-specific definitions. The
3433         solution is to swap the order, so that the general definitions are
3434         established first, and then conditionally overwritten by the
3435         more-specific definitions.
3436
3437         * Configurations/Version.xcconfig:
3438
3439 2019-01-25  Keith Rollin  <krollin@apple.com>
3440
3441         Update existing .xcfilelists
3442         https://bugs.webkit.org/show_bug.cgi?id=193791
3443         <rdar://problem/47201706>
3444
3445         Reviewed by Alex Christensen.
3446
3447         Many .xcfilelist files were added in r238824 in order to support
3448         XCBuild. Update these with recent changes to the set of build files
3449         and with the current generate-xcfilelist script.
3450
3451         * DerivedSources-input.xcfilelist:
3452         * DerivedSources-output.xcfilelist:
3453         * UnifiedSources-input.xcfilelist:
3454         * UnifiedSources-output.xcfilelist:
3455
3456 2019-01-25  Jon Davis  <jond@apple.com>
3457
3458         Update JavaScriptCore feature status entries.
3459         https://bugs.webkit.org/show_bug.cgi?id=193797
3460
3461         Reviewed by Mark Lam.
3462         
3463         Updated feature status for Async Iteration, and Object rest/spread.
3464
3465         * features.json:
3466
3467 2019-01-24  Keith Miller  <keith_miller@apple.com>
3468
3469         Remove usage of internal macro from private header
3470         https://bugs.webkit.org/show_bug.cgi?id=193809
3471
3472         Reviewed by Saam Barati.
3473
3474         Also, add a new file to include all of our API headers to make sure
3475         they don't accidentally include C++ or internal values.
3476
3477         * API/JSScript.h:
3478         * API/tests/testIncludes.m: Added.
3479         * JavaScriptCore.xcodeproj/project.pbxproj:
3480
3481 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3482
3483         [JSC] ErrorConstructor should not have own IsoSubspace
3484         https://bugs.webkit.org/show_bug.cgi?id=193800
3485
3486         Reviewed by Saam Barati.
3487
3488         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3489         IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
3490         too costly to have an IsoSubspace which allocates 16KB. Since the stackTraceLimit information is
3491         per-JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3492         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3493         into IsoSubspaces) described,
3494
3495             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3496             appear to just override methods, which are called dynamically via the structure or class of the object.
3497             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3498
3499         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3500         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3501         This reduces the memory usage.
3502
3503         * interpreter/Interpreter.h:
3504         * runtime/Error.cpp:
3505         (JSC::getStackTrace):
3506         * runtime/ErrorConstructor.cpp:
3507         (JSC::ErrorConstructor::ErrorConstructor):
3508         (JSC::ErrorConstructor::finishCreation):
3509         (JSC::constructErrorConstructor):
3510         (JSC::callErrorConstructor):
3511         (JSC::ErrorConstructor::put):
3512         (JSC::ErrorConstructor::deleteProperty):
3513         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3514         (JSC::Interpreter::callErrorConstructor): Deleted.
3515         * runtime/ErrorConstructor.h:
3516         * runtime/JSGlobalObject.cpp:
3517         (JSC::JSGlobalObject::JSGlobalObject):
3518         (JSC::JSGlobalObject::init):
3519         (JSC::JSGlobalObject::visitChildren):
3520         * runtime/JSGlobalObject.h:
3521         (JSC::JSGlobalObject::stackTraceLimit const):
3522         (JSC::JSGlobalObject::setStackTraceLimit):
3523         (JSC::JSGlobalObject::errorConstructor const): Deleted.
3524         * runtime/VM.cpp:
3525         (JSC::VM::VM):
3526         * runtime/VM.h:
3527
3528 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
3529
3530         Web Inspector: CPU Usage Timeline
3531         https://bugs.webkit.org/show_bug.cgi?id=193730
3532         <rdar://problem/46797201>
3533
3534         Reviewed by Devin Rousso.
3535
3536         * CMakeLists.txt:
3537         * DerivedSources-input.xcfilelist:
3538         * DerivedSources.make:
3539         New files.
3540
3541         * inspector/protocol/CPUProfiler.json: Added.
3542         New domain that follows the pattern of Memory/ScriptProfiler.
3543
3544         * inspector/protocol/Timeline.json:
3545         New enum to auto-start a CPU instrument in the backend.
3546
3547 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3548
3549         [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
3550         https://bugs.webkit.org/show_bug.cgi?id=193774
3551
3552         Reviewed by Mark Lam.
3553
3554         We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
3555         But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
3556         for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
3557         ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
3558         for these two constructor instances. There are only two instances per JSGlobalObject.
3559
3560         This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use the IsoSubspace
3561         of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
3562         its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
3563         and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
3564         we do not need to hold ArrayBufferSharingMode in a field of the constructor. This change removes the IsoSubspace
3565         for ArrayBufferConstructors, and reduces the memory usage.
3566
3567         * runtime/JSArrayBufferConstructor.cpp:
3568         (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
3569         (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
3570         (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
3571         (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
3572         (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
3573         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
3574         (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
3575         (JSC::JSArrayBufferConstructor::create): Deleted.
3576         (JSC::JSArrayBufferConstructor::createStructure): Deleted.
3577         (JSC::constructArrayBuffer): Deleted.
3578         * runtime/JSArrayBufferConstructor.h:
3579         * runtime/JSGlobalObject.cpp:
3580         (JSC::JSGlobalObject::init):
3581         * runtime/JSGlobalObject.h:
3582         * runtime/VM.cpp:
3583         (JSC::VM::VM):
3584         * runtime/VM.h:
3585
3586 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3587
3588         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
3589         https://bugs.webkit.org/show_bug.cgi?id=190693
3590
3591         Reviewed by Michael Saboff.
3592
3593         JITStubRoutine's fields are marked only when JITStubRoutine::m_mayBeExecuting is true.
3594         This becomes true when we find the executable address in our conservative roots, which
3595         means that we could be executing it right now. This means that object liveness in
3596         JITStubRoutine depends on the information gathered in ConservativeRoots. However, our
3597         constraints are separated, "Conservative Scan" and "JIT Stub Routines". They can even
3598         be executed concurrently, so that "JIT Stub Routines" may fail to mark the actually
3599         executing JITStubRoutine because "Conservative Scan" finds it later.
3600         When finalizing the GC, we delete the dead JITStubRoutines. At that time, since
3601         "Conservative Scan" has already finished, we do not delete some JITStubRoutines which did not
3602         mark the depending objects. Then, in the next cycle, we find JITStubRoutines still live,
3603         attempt to mark the depending objects, and encounter the dead objects which were collected
3604         in the previous cycles.
3605
3606         This patch removes "JIT Stub Routines" and merges it into "Conservative Scan". Since
3607         "Conservative Scan" and "JIT Stub Routines" need to be executed only when the execution
3608         happens (ensured by GreyedByExecution and CollectionPhase check), this change is OK for
3609         GC stop time.
3610
3611         * heap/ConservativeRoots.h:
3612         (JSC::ConservativeRoots::roots const):
3613         (JSC::ConservativeRoots::roots): Deleted.
3614         * heap/Heap.cpp:
3615         (JSC::Heap::addCoreConstraints):
3616         * heap/SlotVisitor.cpp:
3617         (JSC::SlotVisitor::append):
3618         * heap/SlotVisitor.h:
3619         * jit/GCAwareJITStubRoutine.cpp:
3620         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3621         * jit/GCAwareJITStubRoutine.h:
3622
3623 2019-01-24  Saam Barati  <sbarati@apple.com>
3624
3625         Update ARM64EHash
3626         https://bugs.webkit.org/show_bug.cgi?id=193776
3627         <rdar://problem/47526457>
3628
3629         Reviewed by Mark Lam.
3630
3631         See radar for details.
3632
3633         * assembler/AssemblerBuffer.h:
3634         (JSC::ARM64EHash::update):
3635         (JSC::ARM64EHash::finalHash const):
3636
3637 2019-01-24  Saam Barati  <sbarati@apple.com>
3638
3639         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
3640         https://bugs.webkit.org/show_bug.cgi?id=193751
3641         <rdar://problem/47280215>
3642
3643         Reviewed by Michael Saboff.
3644
3645         The Object Allocation Sinking phase may move allocations around inside
3646         of the program. However, it was not ensuring that it's still possible 
3647         to walk the stack at the point in the program that it moved the allocation to.
3648         Certain InlineCallFrames rely on data in the stack when taking a stack trace.
3649         All allocation sites can do a stack walk (we do a stack walk when we GC).
3650         Conservatively, this patch says we're ok to move this allocation if we are
3651         moving within the same InlineCallFrame. We could be more precise and do an
3652         analysis of stack writes. However, this scenario is so rare that we just
3653         take the conservative-and-straightforward approach of checking that the place
3654         we're moving to is the same InlineCallFrame as the allocation site.
3655         
3656         In general, this issue arises anytime we do any kind of code motion.
3657         Interestingly, LICM gets this right. It gets it right because the only
3658         InlineCallFrames we can't move out of are the InlineCallFrames that
3659         have metadata stored on the stack (callee for closure calls and argument
3660         count for varargs calls). LICM doesn't have this issue because it relies
3661         on Clobberize for doing its effects analysis. In clobberize, we model every
3662         node within an InlineCallFrame that meets the above criteria as reading
3663         from those stack fields. Consequently, LICM won't hoist any node in that
3664         InlineCallFrame past the beginning of the InlineCallFrame since the IR
3665         we generate to set up such an InlineCallFrame contains writes to that
3666         stack location.
3667
3668         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3669
3670 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
3671
3672         [JSC] Reenable baseline JIT on mips
3673         https://bugs.webkit.org/show_bug.cgi?id=192983
3674
3675         Reviewed by Mark Lam.
3676
3677         Use $s0 as metadata register and make sure it's properly saved and
3678         restored.
3679
3680         * jit/GPRInfo.h:
3681         * jit/RegisterSet.cpp:
3682         (JSC::RegisterSet::vmCalleeSaveRegisters):
3683         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
3684         * llint/LowLevelInterpreter.asm:
3685         * offlineasm/mips.rb:
3686
3687 2019-01-24  Carlos Garcia Campos  <cgarcia@igalia.com>
3688
3689         [GLIB] Expose JavaScriptCore options in GLib public API
3690         https://bugs.webkit.org/show_bug.cgi?id=188742
3691
3692         Reviewed by Michael Catanzaro.
3693
3694         Add new API to set, get and iterate JSC options.
3695
3696         * API/glib/JSCOptions.cpp: Added.
3697         (valueFromGValue):
3698         (valueToGValue):
3699         (jscOptionsSetValue):
3700         (jscOptionsGetValue):
3701         (jsc_options_set_boolean):
3702         (jsc_options_get_boolean):
3703         (jsc_options_set_int):
3704         (jsc_options_get_int):
3705         (jsc_options_set_uint):
3706         (jsc_options_get_uint):
3707         (jsc_options_set_size):
3708         (jsc_options_get_size):
3709         (jsc_options_set_double):
3710         (jsc_options_get_double):
3711         (jsc_options_set_string):
3712         (jsc_options_get_string):
3713         (jsc_options_set_range_string):
3714         (jsc_options_get_range_string):
3715         (jscOptionsType):
3716         (jsc_options_foreach):
3717         (setOptionEntry):
3718         (jsc_options_get_option_group):
3719         * API/glib/JSCOptions.h: Added.
3720         * API/glib/docs/jsc-glib-4.0-sections.txt:
3721         * API/glib/docs/jsc-glib-docs.sgml:
3722         * API/glib/jsc.h:
3723         * GLib.cmake:
3724
3725 2019-01-23  Mark Lam  <mark.lam@apple.com>
3726
3727         ARM64E should not ENABLE(SEPARATED_WX_HEAP).
3728         https://bugs.webkit.org/show_bug.cgi?id=193744
3729         <rdar://problem/46262952>
3730
3731         Reviewed by Saam Barati.
3732
3733         * assembler/LinkBuffer.cpp:
3734         (JSC::LinkBuffer::copyCompactAndLinkCode):
3735
3736 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
3737
3738         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
3739         https://bugs.webkit.org/show_bug.cgi?id=193711
3740         <rdar://problem/47250262>
3741
3742         Reviewed by Saam Barati.
3743
3744         When pruning OSR Availability based on bytecode liveness, we accidentally clear the Availability (making it DeadFlush) instead of
3745         making it Availability::unavailable() (making it ConflictingFlush). In OSRAvailabilityAnalysisPhase, we perform a forward analysis.
3746         We first clear all the availability of basic blocks to DeadFlush, which is an empty set. And then, we set operands in the root block
3747         to ConflictingFlush. In this forward analysis, DeadFlush is BOTTOM, and ConflictingFlush is TOP. Then, we propagate information by
3748         merging availability until we reach the fixed point. As an optimization, we perform "pruning" of the availability at the head
3749         of the basic blocks. We remove availabilities of operands which are not live in the bytecode liveness at the head of the basic block.
3750         The problem is, when removing availabilities, we set DeadFlush for them instead of ConflictingFlush. Basically, it means that we set
3751         BOTTOM (an empty set) instead of TOP. Let's consider the following simple example. We have 6 basic blocks, and they are connected
3752         as follows.
3753
3754             BB0 -> BB1 -> BB2 -> BB4
3755              |        \        ^
3756              v          > BB3 /
3757             BB5
3758
3759         And consider loc1 in FTL, which is required to be recovered in BB4's OSR exit.
3760
3761             BB0 does nothing
3762                 head: loc1 is dead
3763                 tail: loc1 is dead
3764
3765             BB1 has MovHint @1, loc1
3766                 head: loc1 is dead
3767                 tail: loc1 is live
3768
3769             BB2 does nothing
3770                 head: loc1 is live
3771                 tail: loc1 is live
3772
3773             BB3 has PutStack @1, loc1
3774                 head: loc1 is live
3775                 tail: loc1 is live
3776
3777             BB4 has OSR exit using loc1
3778                 head: loc1 is live
3779                 tail: loc1 is live (in bytecode)
3780
3781             BB5 does nothing
3782                 head: loc1 is dead
3783                 tail: loc1 is dead
3784
3785         In our OSR Availability analysis, we always prune the loc1 result at BB1's head since its head says "loc1 is dead".
3786         But at that time, we clear the availability for loc1, which makes it DeadFlush, instead of making it ConflictingFlush.
3787
3788         So, the flush format of loc1 in each tail of BB is like this.
3789
3790             BB0
3791                 ConflictingFlush (because all the local operands are initialized with ConflictingFlush)
3792             BB1
3793                 DeadFlush+@1 (pruning clears it)
3794             BB2
3795                 DeadFlush+@1 (since it is propagated from BB1)
3796             BB3
3797                 FlushedJSValue+@1 with loc1 (since it has PutStack)
3798             BB4
3799                 FlushedJSValue+@1 with loc1 (since MERGE(DeadFlush, FlushedJSValue) = FlushedJSValue)
3800             BB5
3801                 DeadFlush (pruning clears it)
3802
3803         Then, if we take the path BB0->BB1->BB2->BB4, we read the value from the stack while it is not flushed.
3804         The correct fix is making availability "unavailable" when pruning based on bytecode liveness.
3805
3806         * dfg/DFGAvailabilityMap.cpp:
3807         (JSC::DFG::AvailabilityMap::pruneByLiveness): When pruning availability, we first set all the operands Availability::unavailable(),
3808         and copy the calculated value from the current availability map.
3809         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3810         (JSC::DFG::OSRAvailabilityAnalysisPhase::run): Add logging for debugging.
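
The pruning bug described in this entry, modelled as an added example (not JSC code): a small forward dataflow in Python over the six-block CFG and the loc1 availabilities listed above, run once with pruning writing DeadFlush (the bug) and once with it writing unavailable() (the fix). The CFG, block effects and the Availability/flush-format names come from the entry; the merge rules and the OSR-exit recovery helper are simplified assumptions of this model.

```python
"""Model of DFG OSR-availability pruning for a single operand (loc1).

Constructed example: DeadFlush is BOTTOM (empty set), ConflictingFlush is TOP.
The only difference between the two runs is what pruneByLiveness writes for
an operand that is dead at a block head.
"""
from dataclasses import dataclass
from typing import Optional

DEAD, FLUSHED_JSVALUE, CONFLICTING = "DeadFlush", "FlushedJSValue", "ConflictingFlush"
UNAVAILABLE = "<unavailable>"   # stands in for JSC's unavailable node marker (assumption)


@dataclass(frozen=True)
class Availability:
    node: Optional[str]   # SSA node holding the value (None = nothing known yet)
    flush: str            # flush format of the stack slot

    @staticmethod
    def dead():
        return Availability(None, DEAD)

    @staticmethod
    def unavailable():
        return Availability(UNAVAILABLE, CONFLICTING)

    def merge(self, other):
        return Availability(merge_nodes(self.node, other.node),
                            merge_flush(self.flush, other.flush))


def merge_nodes(a, b):
    if a is None:
        return b
    if b is None:
        return a
    return a if a == b else UNAVAILABLE


def merge_flush(a, b):
    if a == b:
        return a
    if a == DEAD:          # BOTTOM is the identity of the merge
        return b
    if b == DEAD:
        return a
    return CONFLICTING     # disagreement is TOP


# Constructed CFG and liveness from the ChangeLog entry.
PREDS = {"BB0": [], "BB1": ["BB0"], "BB5": ["BB0"],
         "BB2": ["BB1"], "BB3": ["BB1"], "BB4": ["BB2", "BB3"]}
LIVE_AT_HEAD = {"BB0": False, "BB1": False, "BB2": True,
                "BB3": True, "BB4": True, "BB5": False}


def apply_block(block, avail):
    """Effect of a block on loc1: BB1 has MovHint @1, BB3 has PutStack @1."""
    if block == "BB1":
        return Availability("@1", avail.flush)
    if block == "BB3":
        return Availability("@1", FLUSHED_JSVALUE)
    return avail


def prune(avail, live, fixed):
    if live:
        return avail
    # Buggy pruning clears to DeadFlush (BOTTOM); the fix writes unavailable() (TOP).
    return Availability.unavailable() if fixed else Availability.dead()


def analyze(fixed):
    """Forward analysis to a fixed point; returns {block: (head, tail)}."""
    head = {b: Availability.dead() for b in PREDS}
    tail = dict(head)
    head["BB0"] = Availability.unavailable()   # root: operands start ConflictingFlush
    changed = True
    while changed:
        changed = False
        for b in PREDS:
            if PREDS[b]:
                merged = Availability.dead()
                for p in PREDS[b]:
                    merged = merged.merge(tail[p])
                h = prune(merged, LIVE_AT_HEAD[b], fixed)
            else:
                h = head[b]
            t = apply_block(b, h)
            if (h, t) != (head[b], tail[b]):
                head[b], tail[b] = h, t
                changed = True
    return {b: (head[b], tail[b]) for b in PREDS}


def osr_exit_recovery(avail):
    """How an OSR exit would recover loc1 from this availability (simplified)."""
    if avail.flush == FLUSHED_JSVALUE:
        return "stack"                     # trusts the flushed slot
    if avail.node not in (None, UNAVAILABLE):
        return "node " + avail.node        # recovers from the SSA value instead
    return "unrecoverable"


def path_writes_stack(path):
    """Does any block on this concrete path actually PutStack loc1?"""
    return "BB3" in path
```

Along BB0->BB1->BB2->BB4 nothing ever stores loc1, yet the buggy run reports FlushedJSValue at BB4's head and the exit would read the stack; the fixed run reports ConflictingFlush there and falls back to node @1.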
3811
3812 2019-01-23  David Kilzer  <ddkilzer@apple.com>
3813
3814         [JSC] Duplicate global variables: JSC::opcodeLengths
3815         <https://webkit.org/b/193714>
3816         <rdar://problem/47340200>
3817
3818         Reviewed by Mark Lam.
3819
3820         * bytecode/Opcode.cpp:
3821         (JSC::opcodeLengths): Move array implementation here and mark
3822         const.
3823         * bytecode/Opcode.h:
3824         (JSC::opcodeLengths): Change to extern declaration.
3825
3826 2019-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>
3827
3828         [GLIB] Remote Inspector: no data displayed
3829         https://bugs.webkit.org/show_bug.cgi?id=193569
3830
3831         Reviewed by Michael Catanzaro.
3832
3833         Release the remote inspector mutex before using RemoteConnectionToTarget in RemoteInspector::setup() to avoid a
3834         deadlock.
3835
3836         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3837         (Inspector::RemoteInspector::receivedSetupMessage):
3838         (Inspector::RemoteInspector::setup):
3839
3840 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3841
3842         Unreviewed, fix initial global lexical binding epoch
3843         https://bugs.webkit.org/show_bug.cgi?id=193603
3844         <rdar://problem/47380869>
3845
3846         * bytecode/CodeBlock.cpp:
3847         (JSC::CodeBlock::finishCreation):
3848
3849 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
3850
3851         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
3852         https://bugs.webkit.org/show_bug.cgi?id=193709
3853         <rdar://problem/47363838>
3854
3855         Unreviewed, rollout to watch the tests.
3856
3857         * JavaScriptCore.xcodeproj/project.pbxproj:
3858         * dfg/DFGAbstractInterpreterInlines.h:
3859         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3860         * dfg/DFGByteCodeParser.cpp:
3861         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3862         * dfg/DFGClobberize.h:
3863         (JSC::DFG::clobberize):
3864         * dfg/DFGDoesGC.cpp:
3865         (JSC::DFG::doesGC):
3866         * dfg/DFGFixupPhase.cpp:
3867         (JSC::DFG::FixupPhase::fixupNode):
3868         (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
3869         * dfg/DFGNodeType.h:
3870         * dfg/DFGOperations.cpp:
3871         * dfg/DFGOperations.h:
3872         * dfg/DFGPredictionPropagationPhase.cpp:
3873         * dfg/DFGSafeToExecute.h:
3874         (JSC::DFG::safeToExecute):
3875         * dfg/DFGSpeculativeJIT.cpp:
3876         (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
3877         * dfg/DFGSpeculativeJIT.h:
3878         * dfg/DFGSpeculativeJIT32_64.cpp:
3879         (JSC::DFG::SpeculativeJIT::compile):
3880         * dfg/DFGSpeculativeJIT64.cpp:
3881         (JSC::DFG::SpeculativeJIT::compile):
3882         * ftl/FTLAbstractHeapRepository.h:
3883         * ftl/FTLCapabilities.cpp:
3884         (JSC::FTL::canCompile):
3885         * ftl/FTLLowerDFGToB3.cpp:
3886         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3887         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
3888         (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
3889         * runtime/Intrinsic.cpp:
3890         (JSC::intrinsicName):
3891         * runtime/Intrinsic.h:
3892         * runtime/ObjectPrototype.cpp:
3893         (JSC::ObjectPrototype::finishCreation):
3894         (JSC::objectProtoFuncToString):