Web Inspector: Better categorize CPU usage per-thread / worker
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>
2
3         Web Inspector: Better categorize CPU usage per-thread / worker
4         https://bugs.webkit.org/show_bug.cgi?id=194564
5
6         Reviewed by Devin Rousso.
7
8         * inspector/protocol/CPUProfiler.json:
9         Add additional properties per-Event, and new per-Thread object info.
10
11 2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>
12
13         Bytecode cache should have a boot-specific validation
14         https://bugs.webkit.org/show_bug.cgi?id=194769
15         <rdar://problem/48149509>
16
17         Reviewed by Keith Miller.
18
19         Add the boot UUID to the cached bytecode to enforce that it is not reused
20         across reboots.
21
22         * runtime/CachedTypes.cpp:
23         (JSC::Encoder::malloc):
24         (JSC::GenericCacheEntry::GenericCacheEntry):
25         (JSC::GenericCacheEntry::tag const):
26         (JSC::CacheEntry::CacheEntry):
27         (JSC::CacheEntry::decode const):
28         (JSC::GenericCacheEntry::decode const):
29         (JSC::encodeCodeBlock):
30
31 2019-02-18  Eric Carlson  <eric.carlson@apple.com>
32
33         Add MSE logging configuration
34         https://bugs.webkit.org/show_bug.cgi?id=194719
35         <rdar://problem/48122151>
36
37         Reviewed by Joseph Pecoraro.
38
39         * inspector/ConsoleMessage.cpp:
40         (Inspector::messageSourceValue):
41         * inspector/protocol/Console.json:
42         * inspector/scripts/codegen/generator.py:
43         * runtime/ConsoleTypes.h:
44
45 2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>
46
47         Add version number to cached bytecode
48         https://bugs.webkit.org/show_bug.cgi?id=194768
49         <rdar://problem/48147968>
50
51         Reviewed by Saam Barati.
52
53         Add a version number to the bytecode cache that should be unique per build.
54
55         * CMakeLists.txt:
56         * DerivedSources-output.xcfilelist:
57         * DerivedSources.make:
58         * runtime/CachedTypes.cpp:
59         (JSC::Encoder::malloc):
60         (JSC::GenericCacheEntry::GenericCacheEntry):
61         (JSC::CacheEntry::CacheEntry):
62         (JSC::CacheEntry::encode):
63         (JSC::CacheEntry::decode const):
64         (JSC::GenericCacheEntry::decode const):
65         (JSC::decodeCodeBlockImpl):
66         * runtime/CodeCache.h:
67         (JSC::CodeCacheMap::fetchFromDiskImpl):
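
The two bytecode-cache entries above (adding a per-build version number and the boot UUID) describe the same defensive pattern: a cached artifact carries identifiers of the environment that produced it, and the decoder rejects the entry before trusting any of the payload when either identifier differs. The following is an added example, not WebKit's CachedTypes.cpp code; the header layout, the constant kCurrentCacheVersion and the 16-byte kCurrentBootUUID are constructed for this illustration (a real implementation would obtain them from the build system and the operating system).

```cpp
// Added example (not WebKit's code): a cache-entry header that is rejected
// when the build version or the boot UUID does not match the running process.
#include <array>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed identifiers for this example only.
constexpr uint32_t kCurrentCacheVersion = 7;
using BootUUID = std::array<uint8_t, 16>;
constexpr BootUUID kCurrentBootUUID = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                       0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00};

enum class CacheStatus { Ok, TooShort, VersionMismatch, BootMismatch };

// Serialized layout: [version: 4 bytes little-endian][bootUUID: 16 bytes][payload...]
std::vector<uint8_t> encodeCacheEntry(uint32_t version, const BootUUID& boot,
                                      const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    out.reserve(4 + boot.size() + payload.size());
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>((version >> (8 * i)) & 0xff));
    out.insert(out.end(), boot.begin(), boot.end());
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

struct DecodeResult {
    CacheStatus status;
    std::vector<uint8_t> payload; // filled only when status == Ok
};

// Validate every header field before handing any payload bytes to the caller.
DecodeResult decodeCacheEntry(const std::vector<uint8_t>& bytes,
                              uint32_t expectedVersion, const BootUUID& expectedBoot) {
    const size_t headerSize = 4 + expectedBoot.size();
    if (bytes.size() < headerSize)
        return {CacheStatus::TooShort, {}};

    uint32_t version = 0;
    for (int i = 0; i < 4; ++i)
        version |= static_cast<uint32_t>(bytes[i]) << (8 * i);
    if (version != expectedVersion)            // produced by a different build
        return {CacheStatus::VersionMismatch, {}};

    BootUUID boot{};
    std::memcpy(boot.data(), bytes.data() + 4, boot.size());
    if (boot != expectedBoot)                  // produced before a reboot
        return {CacheStatus::BootMismatch, {}};

    return {CacheStatus::Ok,
            std::vector<uint8_t>(bytes.begin() + static_cast<std::ptrdiff_t>(headerSize), bytes.end())};
}

// Check a cache blob against the identifiers of the running process.
CacheStatus validateForThisProcess(const std::vector<uint8_t>& bytes) {
    return decodeCacheEntry(bytes, kCurrentCacheVersion, kCurrentBootUUID).status;
}
```

The order of the checks matters: length first, so the header reads stay in bounds, then version, then boot UUID; only an entry that passes all three yields a payload at all, so a stale or foreign blob is never partially decoded.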
68
69 2019-02-17  Saam Barati  <sbarati@apple.com>
70
71         WasmB3IRGenerator models some effects incorrectly
72         https://bugs.webkit.org/show_bug.cgi?id=194038
73
74         Reviewed by Keith Miller.
75
76         * wasm/WasmB3IRGenerator.cpp:
77         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
78         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
79         These two functions were using global state instead of the
80         arguments passed into the function.
81
82         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
83         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
84         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
85         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
86         Any patchpoint that allows scratch register usage must
87         also say that it clobbers the scratch registers.
88
89 2019-02-17  Saam Barati  <sbarati@apple.com>
90
91         Deadlock when adding a Structure property transition and then doing incremental marking
92         https://bugs.webkit.org/show_bug.cgi?id=194767
93
94         Reviewed by Mark Lam.
95
96         This can happen in the following scenario:
97         
98         You have a Structure S. S is on the mark stack. Then:
99         1. S grabs its lock
100         2. S adds a new property transition
101         3. We find out we need to do some incremental marking
102         4. We mark S
103         5. visitChildren on S will try to grab its lock
104         6. We are now in a deadlock
105
106         * heap/Heap.cpp:
107         (JSC::Heap::performIncrement):
108         * runtime/Structure.cpp:
109         (JSC::Structure::addNewPropertyTransition):
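
The six-step scenario in the entry above, reproduced in miniature as an added example (not WebKit's Heap or Structure code). A lock that records its owning thread lets visitChildren report "the current thread already holds this lock" instead of blocking forever, which is what the real deadlock looks like from outside. The Heap, Structure and OwnerTrackingLock types here are constructed stand-ins; the deferIncrement path shows one ordering that avoids the reentrancy for contrast and is not claimed to be the ordering WebKit chose.

```cpp
// Added example (not WebKit's code): reentrant lock acquisition between a
// Structure's property-transition path and incremental marking.
#include <atomic>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// A plain, non-reentrant mutex that also remembers which thread holds it.
class OwnerTrackingLock {
public:
    void lock() { m_mutex.lock(); m_owner.store(std::this_thread::get_id()); }
    void unlock() { m_owner.store(std::thread::id()); m_mutex.unlock(); }
    bool heldByCurrentThread() const { return m_owner.load() == std::this_thread::get_id(); }
private:
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner{};
};

struct Structure;

// Stand-in for the collector: an increment of marking can be triggered from
// inside a mutator operation, and marking visits every structure on the mark stack.
struct Heap {
    std::vector<Structure*> markStack;
    bool incrementDue = false;
    bool wouldDeadlock = false;
    void performIncrement();
};

struct Structure {
    OwnerTrackingLock lock;
    std::vector<std::string> transitions;

    // Step 5: visitChildren takes the structure's lock to read the transition table.
    void visitChildren(Heap& heap) {
        if (lock.heldByCurrentThread()) {
            heap.wouldDeadlock = true;   // step 6: a blocking lock() here would never return
            return;
        }
        lock.lock();
        (void)transitions.size();        // read the table under the lock
        lock.unlock();
    }

    // Steps 1-4: take the lock, add a transition, and let the collector run an
    // increment while the lock is still held (deferIncrement == false).
    void addNewPropertyTransition(Heap& heap, const std::string& name, bool deferIncrement) {
        bool runIncrement = false;
        {
            std::lock_guard<OwnerTrackingLock> guard(lock);   // step 1
            transitions.push_back(name);                      // step 2
            if (heap.incrementDue) {                          // step 3
                if (deferIncrement)
                    runIncrement = true;
                else
                    heap.performIncrement();                  // step 4, lock still held
            }
        }
        if (runIncrement)
            heap.performIncrement();   // lock already released: visitChildren can acquire it
    }
};

void Heap::performIncrement() {
    incrementDue = false;
    for (Structure* s : markStack)
        s->visitChildren(*this);       // step 5
}

// Returns true when the scenario would have deadlocked.
bool reproduceScenario(bool deferIncrement) {
    Heap heap;
    Structure s;
    heap.markStack.push_back(&s);      // S is on the mark stack
    heap.incrementDue = true;
    s.addNewPropertyTransition(heap, "x", deferIncrement);
    return heap.wouldDeadlock;
}
```

reproduceScenario(false) reports the deadlock; reproduceScenario(true) runs the same steps with the increment moved outside the locked region and completes.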
110
111 2019-02-17  David Kilzer  <ddkilzer@apple.com>
112
113         Unreviewed, rolling out r241620.
114
115         "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
116         (Requested by ddkilzer on #webkit.)
117
118         Reverted changeset:
119
120         "[WTF] Add environment variable helpers"
121         https://bugs.webkit.org/show_bug.cgi?id=192405
122         https://trac.webkit.org/changeset/241620
123
124 2019-02-17  Commit Queue  <commit-queue@webkit.org>
125
126         Unreviewed, rolling out r241612.
127         https://bugs.webkit.org/show_bug.cgi?id=194762
128
129         "It regressed JetStream2 parsing tests by ~40%" (Requested by
130         saamyjoon on #webkit).
131
132         Reverted changeset:
133
134         "Move bytecode cache-related filesystem code out of CodeCache"
135         https://bugs.webkit.org/show_bug.cgi?id=194675
136         https://trac.webkit.org/changeset/241612
137
138 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
139
140         [JSC] JSWrapperObject should not be destructible
141         https://bugs.webkit.org/show_bug.cgi?id=194743
142
143         Reviewed by Saam Barati.
144
145         JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
146         Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
147         JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.
148
149         * runtime/BigIntObject.cpp:
150         (JSC::BigIntObject::BigIntObject):
151         * runtime/BooleanConstructor.cpp:
152         (JSC::BooleanConstructor::finishCreation):
153         * runtime/BooleanObject.cpp:
154         (JSC::BooleanObject::BooleanObject):
155         * runtime/BooleanObject.h:
156         * runtime/DateInstance.cpp:
157         (JSC::DateInstance::DateInstance):
158         (JSC::DateInstance::finishCreation):
159         * runtime/DateInstance.h:
160         * runtime/DatePrototype.cpp:
161         (JSC::dateProtoFuncGetTime):
162         (JSC::dateProtoFuncSetTime):
163         (JSC::setNewValueFromTimeArgs):
164         (JSC::setNewValueFromDateArgs):
165         (JSC::dateProtoFuncSetYear):
166         * runtime/JSCPoison.h:
167         * runtime/JSWrapperObject.h:
168         (JSC::JSWrapperObject::JSWrapperObject):
169         * runtime/NumberObject.cpp:
170         (JSC::NumberObject::NumberObject):
171         * runtime/NumberObject.h:
172         * runtime/StringConstructor.cpp:
173         (JSC::StringConstructor::finishCreation):
174         * runtime/StringObject.cpp:
175         (JSC::StringObject::StringObject):
176         * runtime/StringObject.h:
177         (JSC::StringObject::internalValue const):
178         * runtime/SymbolObject.cpp:
179         (JSC::SymbolObject::SymbolObject):
180         * runtime/SymbolObject.h:
181
182 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
183
184         [JSC] Shrink UnlinkedFunctionExecutable
185         https://bugs.webkit.org/show_bug.cgi?id=194733
186
187         Reviewed by Mark Lam.
188
189         UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
190         directives can be found in the comments of non-typical function source code (Program,
191         Eval code, Global function from the function constructor, etc.), and the tricky thing is that
192         SourceProvider's directives are updated by the Parser. The reason why we have these fields in
193         UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
194         if we skip parsing by using the CodeCache. These fields are effective only if (1) the
195         UnlinkedFunctionExecutable is for non-typical function things, and (2) it has a sourceURLDirective
196         or sourceMappingURLDirective. This is rare enough to purge them to a separate
197         UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
198         sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
199         cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
200         in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
201         If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
202         Since UnlinkedFunctionExecutable is allocated from an IsoSubspace, we do not need to fit it to
203         one of the size classes.
204
205         This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData,
206         and kills one MarkedBlock allocation in the JSC initialization phase.
207
208         * bytecode/UnlinkedFunctionExecutable.cpp:
209         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
210         (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
211         * bytecode/UnlinkedFunctionExecutable.h:
212         * debugger/DebuggerLocation.cpp:
213         (JSC::DebuggerLocation::DebuggerLocation):
214         * inspector/ScriptDebugServer.cpp:
215         (Inspector::ScriptDebugServer::dispatchDidParseSource):
216         * parser/Lexer.h:
217         (JSC::Lexer::sourceURLDirective const):
218         (JSC::Lexer::sourceMappingURLDirective const):
219         (JSC::Lexer::sourceURL const): Deleted.
220         (JSC::Lexer::sourceMappingURL const): Deleted.
221         * parser/Parser.h:
222         (JSC::Parser<LexerType>::parse):
223         * parser/SourceProvider.h:
224         (JSC::SourceProvider::sourceURLDirective const):
225         (JSC::SourceProvider::sourceMappingURLDirective const):
226         (JSC::SourceProvider::setSourceURLDirective):
227         (JSC::SourceProvider::setSourceMappingURLDirective):
228         (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
229         since it is the correct name.
230         (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
231         sourceMappingURLDirective since it is the correct name.
232         * runtime/CachedTypes.cpp:
233         (JSC::CachedSourceProviderShape::encode):
234         (JSC::CachedFunctionExecutableRareData::encode):
235         (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
236         sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
237         (JSC::CachedFunctionExecutable::rareData const):
238         (JSC::CachedFunctionExecutable::encode):
239         (JSC::CachedFunctionExecutable::decode const):
240         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
241         * runtime/CodeCache.cpp:
242         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
243         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
244         * runtime/CodeCache.h:
245         (JSC::generateUnlinkedCodeBlockImpl):
246         * runtime/FunctionExecutable.h:
247         * runtime/SamplingProfiler.cpp:
248         (JSC::SamplingProfiler::StackFrame::url):
249
250 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
251
252         [JSC] Remove unused global private variables
253         https://bugs.webkit.org/show_bug.cgi?id=194741
254
255         Reviewed by Joseph Pecoraro.
256
257         There are some private functions and constants that are no longer referenced from builtin JS code.
258         This patch cleans them up.
259
260         * builtins/BuiltinNames.h:
261         * builtins/ObjectConstructor.js:
262         (entries):
263         * runtime/JSGlobalObject.cpp:
264         (JSC::JSGlobalObject::init):
265
266 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
267
268         [JSC] Lazily create empty RegExp
269         https://bugs.webkit.org/show_bug.cgi?id=194735
270
271         Reviewed by Keith Miller.
272
273         Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
274         Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
275         one MarkedBlock.
276
277         * runtime/JSGlobalObject.cpp:
278         (JSC::JSGlobalObject::init):
279         * runtime/RegExpCache.cpp:
280         (JSC::RegExpCache::ensureEmptyRegExpSlow):
281         (JSC::RegExpCache::initialize): Deleted.
282         * runtime/RegExpCache.h:
283         (JSC::RegExpCache::ensureEmptyRegExp):
284         (JSC::RegExpCache::emptyRegExp const): Deleted.
285         * runtime/RegExpCachedResult.cpp:
286         (JSC::RegExpCachedResult::lastResult):
287         * runtime/RegExpCachedResult.h:
288         * runtime/VM.cpp:
289         (JSC::VM::VM):
290
291 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
292
293         [JSC] Make builtin objects more lazily initialized under non-JIT mode
294         https://bugs.webkit.org/show_bug.cgi?id=194727
295
296         Reviewed by Saam Barati.
297
298         Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
299         because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
300         means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
301         accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
302         is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
303         drops some @Number references to avoid eager initialization. This removes some object allocations and 1
304         MarkedBlock allocation just for Symbols.
305
306         * runtime/JSGlobalObject.cpp:
307         (JSC::JSGlobalObject::init):
308         (JSC::JSGlobalObject::visitChildren):
309         * runtime/JSGlobalObject.h:
310         (JSC::JSGlobalObject::numberToStringWatchpoint):
311         (JSC::JSGlobalObject::booleanPrototype const):
312         (JSC::JSGlobalObject::numberPrototype const):
313         (JSC::JSGlobalObject::symbolPrototype const):
314         (JSC::JSGlobalObject::booleanObjectStructure const):
315         (JSC::JSGlobalObject::symbolObjectStructure const):
316         (JSC::JSGlobalObject::numberObjectStructure const):
317         (JSC::JSGlobalObject::stringObjectStructure const):
318
319 2019-02-15  Michael Saboff  <msaboff@apple.com>
320
321         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
322         https://bugs.webkit.org/show_bug.cgi?id=194558
323
324         Reviewed by Saam Barati.
325
326         Added an in-bounds check before the read of the next character for Unicode regular expressions
327         for pattern generation that didn't already have such checks.
328
329         * yarr/YarrJIT.cpp:
330         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
331         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
332         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
333         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
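
The class of defect the entry above fixes is a read of "the next character" without first checking that it exists: in Unicode mode a lead surrogate is normally combined with the following UTF-16 code unit, and a pattern that ends on a lead surrogate must not trigger a read one unit past the buffer. The following is an added example, not WebKit's YarrJIT code; it is written as a plain interpreter-style helper (the real fix is in JIT code generation) with the names readUnicodeChar and decodeAll chosen for this illustration.

```cpp
// Added example (not WebKit's code): bounds-checked surrogate-pair reading
// of a UTF-16 pattern, the defensive shape of the check described above.
#include <cstddef>
#include <cstdint>
#include <vector>

using UChar = char16_t;

inline bool isLeadSurrogate(UChar c)  { return c >= 0xD800 && c <= 0xDBFF; }
inline bool isTrailSurrogate(UChar c) { return c >= 0xDC00 && c <= 0xDFFF; }

struct ReadResult {
    uint32_t codePoint;     // the character that was read
    size_t   unitsConsumed; // 1 or 2
};

// Returns the code point at `index` in Unicode (surrogate-pair aware) mode.
// The `index + 1 < length` check is what guards the second read: without it,
// a pattern ending on a lead surrogate reads one unit past the buffer.
ReadResult readUnicodeChar(const UChar* input, size_t length, size_t index) {
    UChar lead = input[index];
    if (isLeadSurrogate(lead) && index + 1 < length) {   // in-bounds check before the second read
        UChar trail = input[index + 1];
        if (isTrailSurrogate(trail)) {
            uint32_t cp = 0x10000u + ((uint32_t(lead) - 0xD800u) << 10) + (uint32_t(trail) - 0xDC00u);
            return {cp, 2};
        }
    }
    // A lone or trailing lead surrogate is returned as itself; nothing past `length` is touched.
    return {lead, 1};
}

// Walk a whole pattern with the checked reader, producing its code points.
std::vector<uint32_t> decodeAll(const std::vector<UChar>& pattern) {
    std::vector<uint32_t> out;
    for (size_t i = 0; i < pattern.size();) {
        ReadResult r = readUnicodeChar(pattern.data(), pattern.size(), i);
        out.push_back(r.codePoint);
        i += r.unitsConsumed;
    }
    return out;
}
```

With the constructed input "a", U+D83D U+DE00 (the pair for U+1F600), U+D83D (a trailing lone lead surrogate), the reader yields three code points and consumes exactly one unit at the final index instead of reaching past the end.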
334
335 2019-02-15  Dean Jackson  <dino@apple.com>
336
337         Allow emulation of user gestures from Web Inspector console
338         https://bugs.webkit.org/show_bug.cgi?id=194725
339         <rdar://problem/48126604>
340
341         Reviewed by Joseph Pecoraro and Devin Rousso.
342
343         * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
344         to the evaluate function, and mark the function as override so that PageRuntimeAgent
345         can change the behaviour.
346         (Inspector::InspectorRuntimeAgent::evaluate):
347         * inspector/agents/InspectorRuntimeAgent.h:
348         * inspector/protocol/Runtime.json:
349
350 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
351
352         [JSC] Do not initialize Wasm related data if Wasm is not enabled
353         https://bugs.webkit.org/show_bug.cgi?id=194728
354
355         Reviewed by Mark Lam.
356
357         Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.
358
359         * runtime/InitializeThreading.cpp:
360         (JSC::initializeThreading):
361         * runtime/JSLock.cpp:
362         (JSC::JSLock::didAcquireLock):
363
364 2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>
365
366         [WTF] Add environment variable helpers
367         https://bugs.webkit.org/show_bug.cgi?id=192405
368
369         Reviewed by Michael Catanzaro.
370
371         * inspector/remote/glib/RemoteInspectorGlib.cpp:
372         (Inspector::RemoteInspector::RemoteInspector):
373         (Inspector::RemoteInspector::start):
374         * jsc.cpp:
375         (startTimeoutThreadIfNeeded):
376         * runtime/Options.cpp:
377         (JSC::overrideOptionWithHeuristic):
378         (JSC::Options::overrideAliasedOptionWithHeuristic):
379         (JSC::Options::initialize):
380         * runtime/VM.cpp:
381         (JSC::enableAssembler):
382         (JSC::VM::VM):
383         * tools/CodeProfiling.cpp:
384         (JSC::CodeProfiling::notifyAllocator):
385         Utilize WTF::Environment where possible.
386
387 2019-02-15  Mark Lam  <mark.lam@apple.com>
388
389         SamplingProfiler::stackTracesAsJSON() should escape strings.
390         https://bugs.webkit.org/show_bug.cgi?id=194649
391         <rdar://problem/48072386>
392
393         Reviewed by Saam Barati.
394
395         Ditto for TypeSet::toJSONString() and StructureShape::toJSONString().
396
397         * runtime/SamplingProfiler.cpp:
398         (JSC::SamplingProfiler::stackTracesAsJSON):
399         * runtime/TypeSet.cpp:
400         (JSC::TypeSet::toJSONString const):
401         (JSC::StructureShape::toJSONString const):
402
403 2019-02-15  Robin Morisset  <rmorisset@apple.com>
404
405         CodeBlock::jettison should clear related watchpoints
406         https://bugs.webkit.org/show_bug.cgi?id=194544
407
408         Reviewed by Mark Lam.
409
410         * bytecode/CodeBlock.cpp:
411         (JSC::CodeBlock::jettison):
412         * dfg/DFGCommonData.h:
413         (JSC::DFG::CommonData::clearWatchpoints): Added.
414         * dfg/CommonData.cpp:
415         (JSC::DFG::CommonData::clearWatchpoints): Added.
416
417 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
418
419         Move bytecode cache-related filesystem code out of CodeCache
420         https://bugs.webkit.org/show_bug.cgi?id=194675
421
422         Reviewed by Saam Barati.
423
424         That code is only used for the bytecode-cache tests, so it should live in
425         jsc.cpp rather than in the CodeCache.
426
427         * jsc.cpp:
428         (CliSourceProvider::create):
429         (CliSourceProvider::~CliSourceProvider):
430         (CliSourceProvider::cachePath const):
431         (CliSourceProvider::loadBytecode):
432         (CliSourceProvider::CliSourceProvider):
433         (jscSource):
434         (GlobalObject::moduleLoaderFetch):
435         (functionDollarEvalScript):
436         (runWithOptions):
437         * parser/SourceProvider.h:
438         (JSC::SourceProvider::cacheBytecode const):
439         * runtime/CodeCache.cpp:
440         (JSC::writeCodeBlock):
441         * runtime/CodeCache.h:
442         (JSC::CodeCacheMap::fetchFromDiskImpl):
443
444 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
445
446         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
447         https://bugs.webkit.org/show_bug.cgi?id=194714
448
449         Reviewed by Mark Lam.
450
451         Let's consider the following extreme case.
452
453         1. VM (A) is created.
454         2. Another VM (B) is created on a different thread.
455         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
456         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
457         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
458         6. (A) sees the half-baked worklist, which may be in the middle of creation.
459
460         This patch puts a store-store fence just before putting a pointer into a global variable.
461         This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.
462
463         * dfg/DFGWorklist.cpp:
464         (JSC::DFG::ensureGlobalDFGWorklist):
465         (JSC::DFG::ensureGlobalFTLWorklist):
466         * wasm/WasmWorklist.cpp:
467         (JSC::Wasm::ensureWorklist):
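
The race described above is a publication problem: a lazily created object is stored into a global pointer, and a reader that takes the "existing or null" path can observe the pointer before the object's fields are visible. The following is an added example, not WebKit's DFGWorklist or WasmWorklist code; in the C++ memory model the store-store fence the entry describes corresponds to a release store on the creator side, and the reader side needs the matching acquire load. The Worklist type and the "example-DFG" name are constructed for this illustration.

```cpp
// Added example (not WebKit's code): publish a lazily created global object
// with release/acquire ordering so a concurrent reader never sees it half-built.
#include <atomic>
#include <mutex>
#include <string>

struct Worklist {
    std::string name;
    unsigned numberOfThreads;
    Worklist(std::string n, unsigned threads) : name(std::move(n)), numberOfThreads(threads) {}
};

namespace {
std::atomic<Worklist*> globalWorklist{nullptr};
std::once_flag globalWorklistOnce;
}

// Creator path: construct fully, then publish. The release store orders every
// write made by the constructor before the pointer itself becomes visible.
Worklist& ensureGlobalWorklist() {
    std::call_once(globalWorklistOnce, [] {
        Worklist* worklist = new Worklist("example-DFG", 2);   // constructed name, example only
        globalWorklist.store(worklist, std::memory_order_release);
    });
    return *globalWorklist.load(std::memory_order_acquire);
}

// Reader path (the shape a VM destructor uses: it must not create the worklist).
// The acquire load pairs with the release store above, so a non-null result is
// safe to dereference even on a thread that did not run the constructor.
Worklist* existingGlobalWorklistOrNull() {
    return globalWorklist.load(std::memory_order_acquire);
}
```

The two halves only work together: a release store without an acquire load on the reader (or a plain pointer read) still leaves the reader free to observe stale field values on weakly ordered hardware.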
468
469 2019-02-15  Commit Queue  <commit-queue@webkit.org>
470
471         Unreviewed, rolling out r241559 and r241566.
472         https://bugs.webkit.org/show_bug.cgi?id=194710
473
474         Causes layout test crashes under GuardMalloc (Requested by
475         ryanhaddad on #webkit).
476
477         Reverted changesets:
478
479         "[WTF] Add environment variable helpers"
480         https://bugs.webkit.org/show_bug.cgi?id=192405
481         https://trac.webkit.org/changeset/241559
482
483         "Unreviewed build fix for WinCairo Debug after r241559."
484         https://trac.webkit.org/changeset/241566
485
486 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
487
488         [JSC] Do not even allocate JIT worklists in non-JIT mode
489         https://bugs.webkit.org/show_bug.cgi?id=194693
490
491         Reviewed by Mark Lam.
492
493         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, the Worklist itself already allocates some memory.
494         And we do not perform any GC operations that are only meaningful in a JIT environment.
495
496         1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
497         2. We remove the DFG marking constraint in non-JIT mode.
498         3. We do not gather conservative roots from scratch buffers under non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode).
499         4. We do not visit JITStubRoutineSet.
500         5. Align JITWorklist function names with the other worklists.
501
502         * dfg/DFGOSRExitPreparation.cpp:
503         (JSC::DFG::prepareCodeOriginForOSRExit):
504         * dfg/DFGPlan.h:
505         * dfg/DFGWorklist.cpp:
506         (JSC::DFG::markCodeBlocks): Deleted.
507         * dfg/DFGWorklist.h:
508         * heap/Heap.cpp:
509         (JSC::Heap::completeAllJITPlans):
510         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
511         (JSC::Heap::gatherScratchBufferRoots):
512         (JSC::Heap::removeDeadCompilerWorklistEntries):
513         (JSC::Heap::stopThePeriphery):
514         (JSC::Heap::suspendCompilerThreads):
515         (JSC::Heap::resumeCompilerThreads):
516         (JSC::Heap::addCoreConstraints):
517         * jit/JITWorklist.cpp:
518         (JSC::JITWorklist::existingGlobalWorklistOrNull):
519         (JSC::JITWorklist::ensureGlobalWorklist):
520         (JSC::JITWorklist::instance): Deleted.
521         * jit/JITWorklist.h:
522         * llint/LLIntSlowPaths.cpp:
523         (JSC::LLInt::jitCompileAndSetHeuristics):
524         * runtime/VM.cpp:
525         (JSC::VM::~VM):
526         (JSC::VM::gatherScratchBufferRoots):
527         (JSC::VM::gatherConservativeRoots): Deleted.
528         * runtime/VM.h:
529
530 2019-02-15  Saam Barati  <sbarati@apple.com>
531
532         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
533         https://bugs.webkit.org/show_bug.cgi?id=194036
534
535         Reviewed by Yusuke Suzuki.
536
537         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
538         use linear scan for register allocation. Instead of linear scan, Air-O0 does
539         mostly block-local register allocation, and it does this as it's emitting
540         code directly. The register allocator uses liveness analysis to reduce
541         the number of spills. Doing register allocation as we're emitting code
542         allows us to skip editing the IR to insert spills, which saves a non-trivial
543         amount of compile time. For stack allocation, we give each Tmp its own slot.
544         This is less than ideal. We probably want to do some trivial live range analysis
545         in the future. The reason this isn't a deal breaker for Wasm is that this patch
546         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
547         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
548         
549         This patch is another 25% Wasm startup time speedup. It seems to be worth
550         another 1% on JetStream2.
551
552         * JavaScriptCore.xcodeproj/project.pbxproj:
553         * Sources.txt:
554         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
555         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
556         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
557         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
558         (JSC::B3::Air::callFrameAddr):
559         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
560         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
561         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
562         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
563         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
564         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
565         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
566         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
567         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
568         * b3/air/AirCode.cpp:
569         * b3/air/AirCode.h:
570         * b3/air/AirGenerate.cpp:
571         (JSC::B3::Air::prepareForGeneration):
572         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
573         (JSC::B3::Air::generate):
574         * b3/air/AirHandleCalleeSaves.cpp:
575         (JSC::B3::Air::handleCalleeSaves):
576         * b3/air/AirHandleCalleeSaves.h:
577         * b3/air/AirTmpMap.h:
578         * runtime/Options.h:
579         * wasm/WasmAirIRGenerator.cpp:
580         (JSC::Wasm::AirIRGenerator::didKill):
581         (JSC::Wasm::AirIRGenerator::newTmp):
582         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
583         (JSC::Wasm::parseAndCompileAir):
584         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
585         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
586         * wasm/WasmAirIRGenerator.h:
587         * wasm/WasmB3IRGenerator.cpp:
588         (JSC::Wasm::B3IRGenerator::didKill):
589         * wasm/WasmBBQPlan.cpp:
590         (JSC::Wasm::BBQPlan::compileFunctions):
591         * wasm/WasmFunctionParser.h:
592         (JSC::Wasm::FunctionParser<Context>::parseBody):
593         (JSC::Wasm::FunctionParser<Context>::parseExpression):
594         * wasm/WasmValidate.cpp:
595         (JSC::Wasm::Validate::didKill):
596
597 2019-02-14  Saam Barati  <sbarati@apple.com>
598
599         lowerStackArgs should lower Lea32/64 on ARM64 to Add
600         https://bugs.webkit.org/show_bug.cgi?id=194656
601
602         Reviewed by Yusuke Suzuki.
603
604         On arm64, Lea is just implemented as an add. However, Air treats it as an
605         address with a given width. Because of this width, we were incorrectly
606         computing whether or not this immediate could fit into the instruction itself
607         or it needed to be explicitly put into a register. This patch makes
608         AirLowerStackArgs lower Lea to Add on arm64.
609
610         * b3/air/AirLowerStackArgs.cpp:
611         (JSC::B3::Air::lowerStackArgs):
612         * b3/air/AirOpcode.opcodes:
613         * b3/air/testair.cpp:
614
615 2019-02-14  Saam Barati  <sbarati@apple.com>
616
617         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
618         https://bugs.webkit.org/show_bug.cgi?id=194583
619         <rdar://problem/48028140>
620
621         Reviewed by Yusuke Suzuki.
622
623         This patch makes it so that getVariablesUnderTDZ caches a result of
624         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
625         it's called in an environment where there are a lot of variables.
626         This patch makes it so we cache its results. This is profitable when
627         getVariablesUnderTDZ is called repeatedly with the same environment
628         state. This is common since we call this every time we encounter a
629         function definition/expression node.
630
631         * builtins/BuiltinExecutables.cpp:
632         (JSC::BuiltinExecutables::createExecutable):
633         * bytecode/UnlinkedFunctionExecutable.cpp:
634         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
635         * bytecode/UnlinkedFunctionExecutable.h:
636         * bytecompiler/BytecodeGenerator.cpp:
637         (JSC::BytecodeGenerator::popLexicalScopeInternal):
638         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
639         (JSC::BytecodeGenerator::pushTDZVariables):
640         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
641         (JSC::BytecodeGenerator::restoreTDZStack):
642         * bytecompiler/BytecodeGenerator.h:
643         (JSC::BytecodeGenerator::makeFunction):
644         * parser/VariableEnvironment.cpp:
645         (JSC::CompactVariableMap::Handle::Handle):
646         (JSC::CompactVariableMap::Handle::operator=):
647         * parser/VariableEnvironment.h:
648         (JSC::CompactVariableMap::Handle::operator bool const):
649         * runtime/CodeCache.cpp:
650         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
651
652 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
653
654         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
655         https://bugs.webkit.org/show_bug.cgi?id=194659
656
657         Reviewed by Mark Lam.
658
659         Non-JIT entrypoints create a NativeJITCode every time they are called. But it is meaningless since the entrypoint code is identical.
660         We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
661         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
662
663         * dfg/DFGJITCode.h:
664         * dfg/DFGJITFinalizer.cpp:
665         (JSC::DFG::JITFinalizer::finalize):
666         (JSC::DFG::JITFinalizer::finalizeFunction):
667         * jit/JITCode.cpp:
668         (JSC::DirectJITCode::initializeCodeRefForDFG):
669         (JSC::DirectJITCode::initializeCodeRef): Deleted.
670         (JSC::NativeJITCode::initializeCodeRef): Deleted.
671         * jit/JITCode.h:
672         * llint/LLIntEntrypoint.cpp:
673         (JSC::LLInt::setFunctionEntrypoint):
674         (JSC::LLInt::setEvalEntrypoint):
675         (JSC::LLInt::setProgramEntrypoint):
676         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
677
678 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
679
680         [WTF] Add environment variable helpers
681         https://bugs.webkit.org/show_bug.cgi?id=192405
682
683         Reviewed by Michael Catanzaro.
684
685         * inspector/remote/glib/RemoteInspectorGlib.cpp:
686         (Inspector::RemoteInspector::RemoteInspector):
687         (Inspector::RemoteInspector::start):
688         * jsc.cpp:
689         (startTimeoutThreadIfNeeded):
690         * runtime/Options.cpp:
691         (JSC::overrideOptionWithHeuristic):
692         (JSC::Options::overrideAliasedOptionWithHeuristic):
693         (JSC::Options::initialize):
694         * runtime/VM.cpp:
695         (JSC::enableAssembler):
696         (JSC::VM::VM):
697         * tools/CodeProfiling.cpp:
698         (JSC::CodeProfiling::notifyAllocator):
699         Utilize WTF::Environment where possible.
700
701 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
702
703         [JSC] Should have default NativeJITCode
704         https://bugs.webkit.org/show_bug.cgi?id=194634
705
706         Reviewed by Mark Lam.
707
708         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
709         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
710         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
711         allocations, which take 14KB.
712
713         * runtime/VM.cpp:
714         (JSC::jitCodeForCallTrampoline):
715         (JSC::jitCodeForConstructTrampoline):
716         (JSC::VM::getHostFunction):
717
718 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
719
720         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
721         https://bugs.webkit.org/show_bug.cgi?id=194576
722
723         Reviewed by Saam Barati.
724
725         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
726         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
727
728         * bytecode/UnlinkedFunctionExecutable.cpp:
729         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
730         (JSC::UnlinkedFunctionExecutable::link):
731         * bytecode/UnlinkedFunctionExecutable.h:
732         * runtime/CodeCache.cpp:
733         (JSC::generateUnlinkedCodeBlockForFunctions):
734
735 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
736
737         CachedBitVector's size must be converted from bits to bytes
738         https://bugs.webkit.org/show_bug.cgi?id=194441
739
740         Reviewed by Saam Barati.
741
742         CachedBitVector used its size in bits for memcpy. That didn't cause any
743         issues when encoding, since the size in bits was also used in the allocation,
744         but would overflow the actual BitVector buffer when decoding.
745
746         * runtime/CachedTypes.cpp:
747         (JSC::CachedBitVector::encode):
748         (JSC::CachedBitVector::decode const):
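
        The size-unit bug this entry fixes, as an added example that is not JavaScriptCore's code: a toy bit vector (bytes, LSB-first; WTF::BitVector packs into machine words, but the unit mistake is the same), an encoder that sizes its payload in bytes, and two decoders, one copying `numBits` bytes as the buggy code did and one copying `bytesForBits(numBits)`. The decoder refuses a copy that does not fit instead of overflowing, so the two can be compared safely. `Encoded`, `decodeWithLength` and `roundTripDemo` are this example's own names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal bit vector for this example: bits packed LSB-first into bytes.
struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> bytes;

    static size_t bytesForBits(size_t bits) { return (bits + 7) / 8; }

    explicit BitVector(size_t bits) : numBits(bits), bytes(bytesForBits(bits), 0) {}
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1u; }
};

// Serialized form: the bit count followed by the packed payload bytes.
struct Encoded {
    size_t numBits = 0;
    std::vector<uint8_t> payload;
};

Encoded encode(const BitVector& bv) {
    Encoded e;
    e.numBits = bv.numBits;
    // Sized in bytes. Had the allocation been sized in bits as well, it would
    // merely be oversized (wasteful but safe), which is why encoding never
    // exposed the bug.
    e.payload.resize(BitVector::bytesForBits(bv.numBits));
    memcpy(e.payload.data(), bv.bytes.data(), e.payload.size());
    return e;
}

// Copies copyLength bytes into a freshly sized BitVector. Returns false instead
// of running past either buffer, so both length choices below can be tried
// without undefined behaviour.
bool decodeWithLength(const Encoded& e, BitVector& out, size_t copyLength) {
    out = BitVector(e.numBits);
    if (copyLength > out.bytes.size() || copyLength > e.payload.size())
        return false; // would overflow the target (or over-read the payload)
    memcpy(out.bytes.data(), e.payload.data(), copyLength);
    return true;
}

// The defect described in the entry: the size in *bits* used as the memcpy length.
bool decodeUsingBitCount(const Encoded& e, BitVector& out) {
    return decodeWithLength(e, out, e.numBits);
}

// The fix: convert bits to bytes before copying.
bool decodeUsingByteCount(const Encoded& e, BitVector& out) {
    return decodeWithLength(e, out, BitVector::bytesForBits(e.numBits));
}

// Round trip: true when the byte-sized decode restores exactly the bits that
// were set and the bit-sized decode is rejected.
bool roundTripDemo() {
    BitVector bv(70);            // 70 bits -> 9 bytes
    bv.set(0); bv.set(9); bv.set(69);
    Encoded e = encode(bv);

    BitVector bad(0);
    if (decodeUsingBitCount(e, bad))   // asks for 70 bytes into a 9-byte buffer
        return false;

    BitVector good(0);
    if (!decodeUsingByteCount(e, good))
        return false;
    for (size_t i = 0; i < 70; ++i) {
        bool expected = (i == 0 || i == 9 || i == 69);
        if (good.get(i) != expected)
            return false;
    }
    return true;
}
```

        Note that the two lengths only coincide for 0 or 1 bits, so any vector of more than one bit makes the bit-sized copy exceed the byte-sized target.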
749
750 2019-02-13  Brian Burg  <bburg@apple.com>
751
752         Web Inspector: don't include accessibility role in DOM.Node object payloads
753         https://bugs.webkit.org/show_bug.cgi?id=194623
754         <rdar://problem/36384037>
755
756         Reviewed by Devin Rousso.
757
758         Remove property of DOM.Node that is no longer being sent.
759
760         * inspector/protocol/DOM.json:
761
762 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
763
764         We should only make rope strings when concatenating strings long enough.
765         https://bugs.webkit.org/show_bug.cgi?id=194465
766
767         Reviewed by Mark Lam.
768
769         This patch stops us from allocating a rope string if the resulting
770         rope would be smaller than the size of the JSRopeString object we
771         would need to allocate.
772
773         This patch also adds paths so that we don't unnecessarily allocate
774         JSString cells for primitives we are going to concatenate with a
775         string anyway.
776
777         The important change from the previous one is that we do not apply
778         the above rule to JSRopeStrings generated by JSStrings. If we convert
779         it to JSString, comparison of memory consumption becomes the following,
780         because JSRopeString does not have StringImpl until it is resolved.
781
782             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
783
784         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
785         resolving eagerly increases memory footprint. The point is that we need to
786         account for newly created JSString and JSRopeString from the operands. This is the
787         reason why this patch adds different thresholds for each jsString function.
788
789         This patch also avoids concatenation for ropes conservatively. Many ropes are
790         temporary cells. So we do not resolve eagerly if one of the operands is already a
791         rope.
792
793         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaged over the latter 5).
794
795             Before: 159.3778
796             After:  160.72340000000003
797
798         * dfg/DFGOperations.cpp:
799         * runtime/CommonSlowPaths.cpp:
800         (JSC::SLOW_PATH_DECL):
801         * runtime/JSString.h:
802         (JSC::JSString::isRope const):
803         * runtime/Operations.cpp:
804         (JSC::jsAddSlowCase):
805         * runtime/Operations.h:
806         (JSC::jsString):
807         (JSC::jsAddNonNumber):
808         (JSC::jsAdd):
809
810 2019-02-13  Saam Barati  <sbarati@apple.com>
811
812         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
813         https://bugs.webkit.org/show_bug.cgi?id=194610
814
815         Reviewed by Michael Saboff.
816
817         BinarySwitch might use the scratch register. We must model the
818         effects of that properly. This is already caught by our br-table
819         tests on arm64.
820
821         * wasm/WasmAirIRGenerator.cpp:
822         (JSC::Wasm::AirIRGenerator::addSwitch):
823
824 2019-02-13  Mark Lam  <mark.lam@apple.com>
825
826         Create a randomized free list for new StructureIDs on StructureIDTable resize.
827         https://bugs.webkit.org/show_bug.cgi?id=194566
828         <rdar://problem/47975502>
829
830         Reviewed by Michael Saboff.
831
832         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
833         implementation is a little easier to read.
834
835         This patch appears to be perf neutral on JetStream2 (as run from the command line).
836
837         * runtime/StructureIDTable.cpp:
838         (JSC::StructureIDTable::StructureIDTable):
839         (JSC::StructureIDTable::makeFreeListFromRange):
840         (JSC::StructureIDTable::resize):
841         (JSC::StructureIDTable::allocateID):
842         (JSC::StructureIDTable::deallocateID):
843         * runtime/StructureIDTable.h:
844         (JSC::StructureIDTable::get):
845         (JSC::StructureIDTable::deallocateID):
846         (JSC::StructureIDTable::allocateID):
847         (JSC::StructureIDTable::flushOldTables):
848
849 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
850
851         VariableLengthObject::allocate<T> should initialize objects
852         https://bugs.webkit.org/show_bug.cgi?id=194534
853
854         Reviewed by Michael Saboff.
855
856         `buffer()` should not be called for empty VariableLengthObjects, but
857         these cases were not being caught due to the objects not being properly
858         initialized. Fix it so that allocate calls the constructor and fix the
859         assertion failures.
860
861         * runtime/CachedTypes.cpp:
862         (JSC::CachedObject::operator new):
863         (JSC::VariableLengthObject::allocate):
864         (JSC::CachedVector::encode):
865         (JSC::CachedVector::decode const):
866         (JSC::CachedUniquedStringImpl::decode const):
867         (JSC::CachedBitVector::encode):
868         (JSC::CachedBitVector::decode const):
869         (JSC::CachedArray::encode):
870         (JSC::CachedArray::decode const):
871         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
872         (JSC::CachedBigInt::decode const):
873
874 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
875
876         CodeBlocks read from disk should not be re-written
877         https://bugs.webkit.org/show_bug.cgi?id=194535
878
879         Reviewed by Michael Saboff.
880
881         Keep track of which CodeBlocks have been read from disk or have already
882         been serialized in CodeCache.
883
884         * runtime/CodeCache.cpp:
885         (JSC::CodeCache::write):
886         * runtime/CodeCache.h:
887         (JSC::SourceCodeValue::SourceCodeValue):
888         (JSC::CodeCacheMap::fetchFromDiskImpl):
889
890 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
891
892         SourceCode should be copied when generating bytecode for functions
893         https://bugs.webkit.org/show_bug.cgi?id=194536
894
895         Reviewed by Saam Barati.
896
897         The FunctionExecutable might be collected while generating the bytecode
898         for nested functions, in which case the SourceCode reference would no
899         longer be valid.
900
901         * runtime/CodeCache.cpp:
902         (JSC::generateUnlinkedCodeBlockForFunctions):
903
904 2019-02-12  Saam barati  <sbarati@apple.com>
905
906         JSScript needs to retain its cache path NSURL*
907         https://bugs.webkit.org/show_bug.cgi?id=194577
908
909         Reviewed by Tim Horton.
910
911         * API/JSScript.mm:
912         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
913         (-[JSScript dealloc]):
914
915 2019-02-12  Robin Morisset  <rmorisset@apple.com>
916
917         Make B3Value::returnsBool() more precise
918         https://bugs.webkit.org/show_bug.cgi?id=194457
919
920         Reviewed by Saam Barati.
921
922         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
923         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
924         No new tests added as this should be indirectly tested by the already existing tests.
925
926         * b3/B3Value.cpp:
927         (JSC::B3::Value::returnsBool const):
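
        To make the kind of rule this entry refers to concrete, here is an added example, not B3's implementation: a `returnsBool` over a toy IR with assumed rules that are sound by construction (comparisons are boolean; BitAnd is boolean if either operand is, since x & 0/1 is 0 or 1; BitOr and BitXor need both operands boolean; Select needs both arms boolean, whatever the condition). The opcode set, `Value`, `Arena` and `exampleCases` are this example's own.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Toy IR for this example: only the opcodes needed to show the analysis.
enum class Opcode { Const32, Add, BitAnd, BitOr, BitXor, Select, Equal, LessThan, Load };

struct Value {
    Opcode opcode;
    int32_t constant;                    // only meaningful for Const32
    std::vector<const Value*> children;  // Select: {condition, thenArm, elseArm}
    Value(Opcode op, int32_t c, std::vector<const Value*> kids)
        : opcode(op), constant(c), children(std::move(kids)) {}
};

// True when the value is provably 0 or 1 whatever its inputs are.
// Anything not listed (Add, Load, ...) is conservatively reported as not boolean.
bool returnsBool(const Value& v) {
    switch (v.opcode) {
    case Opcode::Equal:
    case Opcode::LessThan:
        return true;                                   // comparisons yield 0/1
    case Opcode::Const32:
        return v.constant == 0 || v.constant == 1;
    case Opcode::BitAnd:                               // x & {0,1} is always 0 or 1
        return returnsBool(*v.children[0]) || returnsBool(*v.children[1]);
    case Opcode::BitOr:
    case Opcode::BitXor:                               // both sides must be 0/1
        return returnsBool(*v.children[0]) && returnsBool(*v.children[1]);
    case Opcode::Select:                               // condition is irrelevant
        return returnsBool(*v.children[1]) && returnsBool(*v.children[2]);
    default:
        return false;
    }
}

// Small builder so trees can be assembled; values are owned by the arena.
struct Arena {
    std::vector<std::unique_ptr<Value>> values;
    const Value* make(Opcode op, std::vector<const Value*> kids = {}, int32_t c = 0) {
        values.push_back(std::unique_ptr<Value>(new Value(op, c, std::move(kids))));
        return values.back().get();
    }
};

// Worked cases: (load & 1) is bool; (load | 1) is not; (a < b) | (c == d) is bool;
// a Select between two comparisons is bool; a Select with an Add arm is not.
bool exampleCases() {
    Arena a;
    const Value* load = a.make(Opcode::Load);
    const Value* one  = a.make(Opcode::Const32, {}, 1);
    const Value* two  = a.make(Opcode::Const32, {}, 2);
    const Value* lt   = a.make(Opcode::LessThan, {load, two});
    const Value* eq   = a.make(Opcode::Equal, {load, one});
    const Value* add  = a.make(Opcode::Add, {load, one});

    bool ok = true;
    ok = ok &&  returnsBool(*a.make(Opcode::BitAnd, {load, one}));
    ok = ok && !returnsBool(*a.make(Opcode::BitOr,  {load, one}));
    ok = ok &&  returnsBool(*a.make(Opcode::BitOr,  {lt, eq}));
    ok = ok &&  returnsBool(*a.make(Opcode::BitXor, {lt, eq}));
    ok = ok &&  returnsBool(*a.make(Opcode::Select, {load, lt, eq}));
    ok = ok && !returnsBool(*a.make(Opcode::Select, {load, lt, add}));
    ok = ok && !returnsBool(*two);
    return ok;
}
```

        The asymmetry between BitAnd (either operand) and BitOr (both operands) is the whole point: a single boolean operand bounds an AND but not an OR.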
928
929 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
930
931         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
932         https://bugs.webkit.org/show_bug.cgi?id=194399
933         <rdar://problem/47889777>
934
935         * dfg/DFGDoesGC.cpp:
936         (JSC::DFG::doesGC):
937
938 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
939
940         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
941         https://bugs.webkit.org/show_bug.cgi?id=194370
942
943         Reviewed by Darin Adler.
944
945         Change a couple of WTFLogAlways calls to use g_warning, for good measure. Of course this isn't
946         necessary, but it will make errors more visible.
947
948         * inspector/remote/glib/RemoteInspectorGlib.cpp:
949         (Inspector::RemoteInspector::start):
950         (Inspector::dbusConnectionCallAsyncReadyCallback):
951         * inspector/remote/glib/RemoteInspectorServer.cpp:
952         (Inspector::RemoteInspectorServer::start):
953
954 2019-02-12  Andy Estes  <aestes@apple.com>
955
956         [iOSMac] Enable Parental Controls Content Filtering
957         https://bugs.webkit.org/show_bug.cgi?id=194521
958         <rdar://39732376>
959
960         Reviewed by Tim Horton.
961
962         * Configurations/FeatureDefines.xcconfig:
963
964 2019-02-11  Mark Lam  <mark.lam@apple.com>
965
966         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
967         https://bugs.webkit.org/show_bug.cgi?id=194512
968         <rdar://problem/47975465>
969
970         Reviewed by Yusuke Suzuki.
971
972         * runtime/StructureIDTable.cpp:
973         (JSC::StructureIDTable::StructureIDTable):
974         (JSC::StructureIDTable::allocateID):
975         (JSC::StructureIDTable::deallocateID):
976         * runtime/StructureIDTable.h:
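
        This entry and the "Create a randomized free list for new StructureIDs on StructureIDTable resize" entry above describe the same hardening. The following is an added example of that design, not JavaScriptCore's StructureIDTable: a table that threads its free list through its own slots, shuffles each newly added ID range before linking it, grows by doubling, and on deallocation pushes the ID at either end of the free list on a coin flip. The seed parameter, the slot encoding and `exerciseTable` are this example's assumptions; a real table would seed from a cryptographic source rather than a caller-supplied number.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <random>
#include <vector>

// Each slot holds either the "structure" for a live ID (here an opaque uintptr_t
// tag) or, while the ID is free, the next free ID, threading the free list
// through the table itself.
class StructureIDTable {
public:
    using StructureID = uint32_t;
    static constexpr StructureID invalidID = 0; // slot 0 is reserved, never handed out

    StructureIDTable(uint32_t initialCapacity, uint64_t seed)
        : m_table(initialCapacity, invalidID), m_rng(seed)
    {
        makeFreeListFromRange(1, initialCapacity - 1);
    }

    StructureID allocateID(uintptr_t structure)
    {
        if (m_firstFree == invalidID)
            resize();
        StructureID id = m_firstFree;
        m_firstFree = static_cast<StructureID>(m_table[id]);
        if (m_firstFree == invalidID)
            m_lastFree = invalidID;
        m_table[id] = structure;
        return id;
    }

    // A freed ID goes to the head or the tail of the free list on a coin flip,
    // so the order in which IDs come back is not a function of the free order.
    void deallocateID(StructureID id)
    {
        if (m_firstFree == invalidID) {
            m_table[id] = invalidID;
            m_firstFree = m_lastFree = id;
            return;
        }
        if (m_rng() & 1) {
            m_table[id] = m_firstFree;
            m_firstFree = id;
        } else {
            m_table[id] = invalidID;
            m_table[m_lastFree] = id;
            m_lastFree = id;
        }
    }

    uintptr_t get(StructureID id) const { return m_table[id]; }
    size_t capacity() const { return m_table.size(); }

private:
    // Shuffle the new IDs before threading them into the free list, so
    // consecutive allocations do not receive consecutive IDs.
    void makeFreeListFromRange(StructureID first, StructureID last)
    {
        std::vector<StructureID> ids;
        for (StructureID id = first; id <= last; ++id)
            ids.push_back(id);
        std::shuffle(ids.begin(), ids.end(), m_rng);
        for (size_t i = 0; i + 1 < ids.size(); ++i)
            m_table[ids[i]] = ids[i + 1];
        m_table[ids.back()] = invalidID;
        if (m_firstFree == invalidID)
            m_firstFree = ids.front();
        else
            m_table[m_lastFree] = ids.front();
        m_lastFree = ids.back();
    }

    void resize()
    {
        uint32_t oldCapacity = static_cast<uint32_t>(m_table.size());
        m_table.resize(oldCapacity * 2, invalidID);
        makeFreeListFromRange(oldCapacity, oldCapacity * 2 - 1);
    }

    std::vector<uintptr_t> m_table;
    StructureID m_firstFree = invalidID;
    StructureID m_lastFree = invalidID;
    std::mt19937_64 m_rng;
};

// Invariant check: every live ID is unique, maps back to the structure stored
// under it, and a freed ID is never handed out while it is live.
bool exerciseTable(uint64_t seed)
{
    StructureIDTable table(8, seed);
    std::vector<StructureIDTable::StructureID> live;
    std::vector<bool> isLive(16, false);

    for (uintptr_t tag = 1; tag <= 12; ++tag) {   // 12 > 7 free slots: forces one resize
        StructureIDTable::StructureID id = table.allocateID(tag);
        if (id == StructureIDTable::invalidID || id >= table.capacity() || isLive[id])
            return false;
        isLive[id] = true;
        live.push_back(id);
        if (table.get(id) != tag)
            return false;
    }
    if (table.capacity() != 16)
        return false;

    // Free every other ID, then allocate again: only freed IDs may come back.
    for (size_t i = 0; i < live.size(); i += 2) {
        table.deallocateID(live[i]);
        isLive[live[i]] = false;
    }
    for (int round = 0; round < 6; ++round) {
        StructureIDTable::StructureID id = table.allocateID(100 + round);
        if (isLive[id])
            return false;
        isLive[id] = true;
    }
    return true;
}
```

        The invariants hold for any seed; what the seed changes is only which free ID a given allocation receives.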
977
978 2019-02-10  Mark Lam  <mark.lam@apple.com>
979
980         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
981         https://bugs.webkit.org/show_bug.cgi?id=194493
982         <rdar://problem/36380852>
983
984         Reviewed by Yusuke Suzuki.
985
986         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
987         however not good for performance and memory usage.  As such, a debug ASSERT will
988         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
989         possible to be instantiated with duplicate cases in
990         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
991
992         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
993         see duplicate cases.
994
995         * jit/BinarySwitch.cpp:
996         (JSC::BinarySwitch::BinarySwitch):
997
998 2019-02-10  Darin Adler  <darin@apple.com>
999
1000         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1001         https://bugs.webkit.org/show_bug.cgi?id=194485
1002
1003         Reviewed by Daniel Bates.
1004
1005         * heap/HeapSnapshotBuilder.cpp:
1006         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1007         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1008
1009         * runtime/JSGlobalObjectFunctions.cpp:
1010         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1011         including one in a call to appendByteAsHex.
1012         (JSC::globalFuncEscape): Ditto.
1013
1014 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1015
1016         Unreviewed, rolling out r241230.
1017         https://bugs.webkit.org/show_bug.cgi?id=194488
1018
1019         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1020         #webkit).
1021
1022         Reverted changeset:
1023
1024         "We should only make rope strings when concatenating strings
1025         long enough."
1026         https://bugs.webkit.org/show_bug.cgi?id=194465
1027         https://trac.webkit.org/changeset/241230
1028
1029 2019-02-10  Saam barati  <sbarati@apple.com>
1030
1031         BBQ-Air: Emit better code for switch
1032         https://bugs.webkit.org/show_bug.cgi?id=194053
1033
1034         Reviewed by Yusuke Suzuki.
1035
1036         Instead of emitting a linear set of jumps for Switch, this patch
1037         makes the BBQ-Air backend emit a binary switch.
1038
1039         * wasm/WasmAirIRGenerator.cpp:
1040         (JSC::Wasm::AirIRGenerator::addSwitch):
1041
1042 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1043
1044         Unreviewed, Lexer should use isLatin1 implementation in WTF
1045         https://bugs.webkit.org/show_bug.cgi?id=194466
1046
1047         Follow-up after r241233 pointed by Darin.
1048
1049         * parser/Lexer.cpp:
1050         (JSC::isLatin1): Deleted.
1051
1052 2019-02-09  Darin Adler  <darin@apple.com>
1053
1054         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1055         https://bugs.webkit.org/show_bug.cgi?id=194021
1056
1057         Reviewed by Geoffrey Garen.
1058
1059         * inspector/agents/InspectorConsoleAgent.cpp:
1060         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1061         makeString do the conversion without allocating/destroying a String.
1062         * inspector/agents/InspectorDebuggerAgent.cpp:
1063         (Inspector::objectGroupForBreakpointAction): Ditto.
1064         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1065         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1066         * runtime/JSGenericTypedArrayViewInlines.h:
1067         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1068         * runtime/NumberPrototype.cpp:
1069         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1070         of calling numberToFixedWidthString to do the same thing.
1071         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1072         numberToFixedPrecisionString to do the same thing.
1073         * runtime/SamplingProfiler.cpp:
1074         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1075
1076 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1077
1078         Unreviewed, rolling in r241237 again
1079         https://bugs.webkit.org/show_bug.cgi?id=194469
1080
1081         * runtime/JSString.h:
1082         (JSC::jsSubstring):
1083
1084 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1085
1086         Unreviewed, rolling out r241237.
1087         https://bugs.webkit.org/show_bug.cgi?id=194474
1088
1089         Shows significant memory increase in WSL (Requested by
1090         yusukesuzuki on #webkit).
1091
1092         Reverted changeset:
1093
1094         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1095         takes more memory"
1096         https://bugs.webkit.org/show_bug.cgi?id=194469
1097         https://trac.webkit.org/changeset/241237
1098
1099 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1100
1101         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1102         https://bugs.webkit.org/show_bug.cgi?id=194469
1103
1104         Reviewed by Geoffrey Garen.
1105
1106         * runtime/JSString.h:
1107         (JSC::jsSubstring):
1108
1109 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1110
1111         [JSC] CachedTypes should use jsString instead of JSString::create
1112         https://bugs.webkit.org/show_bug.cgi?id=194471
1113
1114         Reviewed by Mark Lam.
1115
1116         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1117
1118         * runtime/CachedTypes.cpp:
1119         (JSC::CachedJSValue::decode const):
1120
1121 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1122
1123         [JSC] Increase StructureIDTable initial capacity
1124         https://bugs.webkit.org/show_bug.cgi?id=194468
1125
1126         Reviewed by Mark Lam.
1127
1128         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in the
1129         JSC shell), 281, already exceeds the current initial value of 256. We should increase the capacity since
1130         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
1131         more memory dirty. We also remove some structures that are no longer used.
1132
1133         * runtime/JSGlobalObject.h:
1134         (JSC::JSGlobalObject::callbackObjectStructure const):
1135         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1136         * runtime/StructureIDTable.h:
1137         * runtime/VM.h:
1138
1139 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1140
1141         [JSC] String.fromCharCode's slow path always generates 16bit string
1142         https://bugs.webkit.org/show_bug.cgi?id=194466
1143
1144         Reviewed by Keith Miller.
1145
1146         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1147         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
1148         and even worse, taints ropes as 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
1149         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1150         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
1151         as much as possible.
1152
1153         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1154
1155         * runtime/StringConstructor.cpp:
1156         (JSC::stringFromCharCode):
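
        An added example of the storage choice this entry describes, not JavaScriptCore's stringFromCharCode: each argument is truncated to a 16-bit code unit as String.fromCharCode requires, then the result is stored as Latin-1 (8-bit) unless some unit is above 0xFF. `BuiltString` and `fromCharCodeAlways16Bit` (the behaviour being replaced, kept for comparison) are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Result of the constructed fromCharCode: either a Latin-1 (8-bit) buffer or a
// UTF-16 (16-bit) buffer, never both.
struct BuiltString {
    bool is8Bit = true;
    std::string latin1;      // used when is8Bit
    std::u16string utf16;    // used when !is8Bit
    size_t length() const { return is8Bit ? latin1.size() : utf16.size(); }
    size_t byteSize() const { return is8Bit ? latin1.size() : utf16.size() * 2; }
};

// String.fromCharCode(c1, c2, ...): every argument is truncated to a uint16
// code unit. The storage decision is the part the entry is about: choose
// 8-bit storage unless some code unit is above 0xFF.
BuiltString fromCharCode(const std::vector<uint32_t>& codes) {
    BuiltString out;
    std::vector<char16_t> units;
    units.reserve(codes.size());
    bool all8Bit = true;
    for (uint32_t code : codes) {
        char16_t unit = static_cast<char16_t>(code & 0xFFFF); // ToUint16
        if (unit > 0xFF)
            all8Bit = false;
        units.push_back(unit);
    }
    if (all8Bit) {
        out.is8Bit = true;
        out.latin1.reserve(units.size());
        for (char16_t unit : units)
            out.latin1.push_back(static_cast<char>(unit));
    } else {
        out.is8Bit = false;
        out.utf16.assign(units.begin(), units.end());
    }
    return out;
}

// The behaviour being replaced: always produce a 16-bit string, doubling the
// footprint even when every unit fits in a byte.
BuiltString fromCharCodeAlways16Bit(const std::vector<uint32_t>& codes) {
    BuiltString out;
    out.is8Bit = false;
    for (uint32_t code : codes)
        out.utf16.push_back(static_cast<char16_t>(code & 0xFFFF));
    return out;
}
```

        The truncation matters for the decision: an argument such as 0x10048 becomes the unit 0x48 and therefore still qualifies for 8-bit storage.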
1157
1158 2019-02-08  Keith Miller  <keith_miller@apple.com>
1159
1160         We should only make rope strings when concatenating strings long enough.
1161         https://bugs.webkit.org/show_bug.cgi?id=194465
1162
1163         Reviewed by Saam Barati.
1164
1165         This patch stops us from allocating a rope string if the resulting
1166         rope would be smaller than the size of the JSRopeString object we
1167         would need to allocate.
1168
1169         This patch also adds paths so that we don't unnecessarily allocate
1170         JSString cells for primitives we are going to concatenate with a
1171         string anyway.
1172
1173         * dfg/DFGOperations.cpp:
1174         * runtime/CommonSlowPaths.cpp:
1175         (JSC::SLOW_PATH_DECL):
1176         * runtime/JSString.h:
1177         * runtime/Operations.cpp:
1178         (JSC::jsAddSlowCase):
1179         * runtime/Operations.h:
1180         (JSC::jsString):
1181         (JSC::jsAdd):
1182
1183 2019-02-08  Saam barati  <sbarati@apple.com>
1184
1185         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1186         https://bugs.webkit.org/show_bug.cgi?id=194334
1187         <rdar://problem/47844327>
1188
1189         Reviewed by Mark Lam.
1190
1191         * dfg/DFGAbstractInterpreterInlines.h:
1192         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1193         * dfg/DFGArgumentsEliminationPhase.cpp:
1194         * dfg/DFGByteCodeParser.cpp:
1195         (JSC::DFG::ByteCodeParser::parseBlock):
1196         * dfg/DFGClobberize.h:
1197         (JSC::DFG::clobberize):
1198         * dfg/DFGConstantFoldingPhase.cpp:
1199         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1200         * dfg/DFGFixupPhase.cpp:
1201         (JSC::DFG::FixupPhase::fixupNode):
1202         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1203         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1204         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1205         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1206         * dfg/DFGNodeType.h:
1207         * dfg/DFGSSALoweringPhase.cpp:
1208         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1209         * dfg/DFGSpeculativeJIT.cpp:
1210         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1211         * ftl/FTLLowerDFGToB3.cpp:
1212         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1213         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1214
1215 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1216
1217         [JSC] Shrink sizeof(CodeBlock) more
1218         https://bugs.webkit.org/show_bug.cgi?id=194419
1219
1220         Reviewed by Mark Lam.
1221
1222         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1223
1224         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1225         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1226         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1227
1228         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1229         And we do not touch it in CodeBlock::~CodeBlock.
1230
1231         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1232         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1233         singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1234
1235         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1236
1237         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1238
1239         * bytecode/CodeBlock.cpp:
1240         (JSC::CodeBlock::hash const):
1241         (JSC::CodeBlock::sourceCodeForTools const):
1242         (JSC::CodeBlock::dumpAssumingJITType const):
1243         (JSC::CodeBlock::dumpSource):
1244         (JSC::CodeBlock::CodeBlock):
1245         (JSC::CodeBlock::finishCreation):
1246         (JSC::CodeBlock::propagateTransitions):
1247         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1248         (JSC::CodeBlock::setCalleeSaveRegisters):
1249         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1250         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1251         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1252         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1253         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1254         (JSC::CodeBlock::newReplacement):
1255         (JSC::CodeBlock::replacement):
1256         (JSC::CodeBlock::computeCapabilityLevel):
1257         (JSC::CodeBlock::jettison):
1258         (JSC::CodeBlock::calleeSaveRegisters const):
1259         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1260         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1261         (JSC::CodeBlock::getArrayProfile):
1262         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1263         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1264         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1265         (JSC::CodeBlock::validate):
1266         (JSC::CodeBlock::outOfLineJumpTarget):
1267         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1268         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1269         * bytecode/CodeBlock.h:
1270         (JSC::CodeBlock::specializationKind const):
1271         (JSC::CodeBlock::isStrictMode const):
1272         (JSC::CodeBlock::isConstructor const):
1273         (JSC::CodeBlock::codeType const):
1274         (JSC::CodeBlock::isKnownNotImmediate):
1275         (JSC::CodeBlock::instructions const):
1276         (JSC::CodeBlock::ownerExecutable const):
1277         (JSC::CodeBlock::thisRegister const):
1278         (JSC::CodeBlock::source const):
1279         (JSC::CodeBlock::sourceOffset const):
1280         (JSC::CodeBlock::firstLineColumnOffset const):
1281         (JSC::CodeBlock::createRareDataIfNecessary):
1282         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1283         (JSC::CodeBlock::setThisRegister): Deleted.
1284         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1285         * bytecode/EvalCodeBlock.h:
1286         * bytecode/FunctionCodeBlock.h:
1287         * bytecode/GlobalCodeBlock.h:
1288         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1289         * bytecode/ModuleProgramCodeBlock.h:
1290         * bytecode/ProgramCodeBlock.h:
1291         * debugger/Debugger.cpp:
1292         (JSC::Debugger::toggleBreakpoint):
1293         * debugger/DebuggerCallFrame.cpp:
1294         (JSC::DebuggerCallFrame::sourceID const):
1295         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1296         * debugger/DebuggerScope.cpp:
1297         (JSC::DebuggerScope::location const):
1298         * dfg/DFGByteCodeParser.cpp:
1299         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1300         (JSC::DFG::ByteCodeParser::inliningCost):
1301         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1302         * dfg/DFGCapabilities.cpp:
1303         (JSC::DFG::isSupportedForInlining):
1304         (JSC::DFG::mightCompileEval):
1305         (JSC::DFG::mightCompileProgram):
1306         (JSC::DFG::mightCompileFunctionForCall):
1307         (JSC::DFG::mightCompileFunctionForConstruct):
1308         (JSC::DFG::canUseOSRExitFuzzing):
1309         * dfg/DFGGraph.h:
1310         (JSC::DFG::Graph::executableFor):
1311         * dfg/DFGJITCompiler.cpp:
1312         (JSC::DFG::JITCompiler::compileFunction):
1313         * dfg/DFGOSREntry.cpp:
1314         (JSC::DFG::prepareOSREntry):
1315         * dfg/DFGOSRExit.cpp:
1316         (JSC::DFG::restoreCalleeSavesFor):
1317         (JSC::DFG::saveCalleeSavesFor):
1318         (JSC::DFG::saveOrCopyCalleeSavesFor):
1319         * dfg/DFGOSRExitCompilerCommon.cpp:
1320         (JSC::DFG::handleExitCounts):
1321         * dfg/DFGOperations.cpp:
1322         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1323         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1324         * ftl/FTLCapabilities.cpp:
1325         (JSC::FTL::canCompile):
1326         * ftl/FTLLink.cpp:
1327         (JSC::FTL::link):
1328         * ftl/FTLOSRExitCompiler.cpp:
1329         (JSC::FTL::compileStub):
1330         * interpreter/CallFrame.cpp:
1331         (JSC::CallFrame::callerSourceOrigin):
1332         * interpreter/Interpreter.cpp:
1333         (JSC::eval):
1334         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1335         * interpreter/StackVisitor.cpp:
1336         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1337         (JSC::StackVisitor::Frame::sourceURL const):
1338         (JSC::StackVisitor::Frame::sourceID):
1339         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1340         * interpreter/StackVisitor.h:
1341         * jit/AssemblyHelpers.h:
1342         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1343         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1344         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1345         * jit/CallFrameShuffleData.cpp:
1346         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1347         * jit/JIT.cpp:
1348         (JSC::JIT::compileWithoutLinking):
1349         * jit/JITToDFGDeferredCompilationCallback.cpp:
1350         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1351         * jit/JITWorklist.cpp:
1352         (JSC::JITWorklist::Plan::finalize):
1353         (JSC::JITWorklist::compileNow):
1354         * jit/RegisterAtOffsetList.cpp:
1355         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1356         * jit/RegisterAtOffsetList.h:
1357         (JSC::RegisterAtOffsetList::at const):
1358         * runtime/ErrorInstance.cpp:
1359         (JSC::appendSourceToError):
1360         * runtime/ScriptExecutable.cpp:
1361         (JSC::ScriptExecutable::newCodeBlockFor):
1362         * runtime/StackFrame.cpp:
1363         (JSC::StackFrame::sourceID const):
1364         (JSC::StackFrame::sourceURL const):
1365         (JSC::StackFrame::computeLineAndColumn const):
1366
1367 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1368
1369         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1370         https://bugs.webkit.org/show_bug.cgi?id=194460
1371
1372         Reviewed by Mark Lam.
1373
1374         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1375
1376         * b3/B3LowerMacros.cpp:
1377
1378 2019-02-08  Mark Lam  <mark.lam@apple.com>
1379
1380         Use maxSingleCharacterString in comparisons instead of literal constants.
1381         https://bugs.webkit.org/show_bug.cgi?id=194452
1382
1383         Reviewed by Yusuke Suzuki.
1384
1385         This way, if we ever change maxSingleCharacterString, it won't break all this code
1386         that relies on it being 0xff implicitly.
1387
1388         * dfg/DFGSpeculativeJIT.cpp:
1389         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1390         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1391         * ftl/FTLLowerDFGToB3.cpp:
1392         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1393         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1394         * jit/ThunkGenerators.cpp:
1395         (JSC::stringGetByValGenerator):
1396         (JSC::charToString):
1397
1398 2019-02-08  Mark Lam  <mark.lam@apple.com>
1399
1400         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1401         https://bugs.webkit.org/show_bug.cgi?id=194446
1402         <rdar://problem/47926792>
1403
1404         Reviewed by Saam Barati.
1405
1406         Fix doesGC() for the following nodes:
1407
1408             CheckTierUpAtReturn:
1409                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1410                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1411
1412             CheckTierUpInLoop:
1413                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1414                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1415
1416             CheckTierUpAndOSREnter:
1417                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1418                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1419
1420             GetByVal:
1421                 case Array::String calls operationSingleCharacterString(), which calls
1422                 jsSingleCharacterString(), which can allocate a string.
1423
1424             PutByValDirect:
1425             PutByVal:
1426             PutByValAlias:
1427                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1428                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1429                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1430                 slow paths call putByValInternal(), which may create exception objects, or
1431                 call the generic JSValue::put() which may execute arbitrary code.
1432
1433             StringCharAt:
1434                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1435                 which can allocate a string.
1436
1437         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1438         to use the maxSingleCharacterString constant instead of a literal constant.
1439
1440         * dfg/DFGDoesGC.cpp:
1441         (JSC::DFG::doesGC):
1442         * dfg/DFGSpeculativeJIT.cpp:
1443         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1444         * dfg/DFGSpeculativeJIT64.cpp:
1445         (JSC::DFG::SpeculativeJIT::compile):
1446         * ftl/FTLLowerDFGToB3.cpp:
1447         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1448         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1449         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1450
1451 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1452
1453         [JSC] SourceProviderCacheItem should be small
1454         https://bugs.webkit.org/show_bug.cgi?id=194432
1455
1456         Reviewed by Saam Barati.
1457
1458         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1459         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1460         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1461
1462         * parser/Parser.cpp:
1463         (JSC::Parser<LexerType>::parseFunctionInfo):
1464         * parser/ParserModes.h:
1465         * parser/ParserTokens.h:
1466         * parser/SourceProviderCacheItem.h:
1467         (JSC::SourceProviderCacheItem::endFunctionToken const):
1468         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1469
1470 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1471
1472         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1473         https://bugs.webkit.org/show_bug.cgi?id=194420
1474
1475         Reviewed by Saam Barati.
1476
1477         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1478         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1479         This trivial patch fixes both.
1480
1481         * b3/B3ReduceStrength.cpp:
1482         * b3/testb3.cpp:
1483         (JSC::B3::testAbsNegArg):
1484
1485 2019-02-07  Keith Miller  <keith_miller@apple.com>
1486
1487         Better error messages for module loader SPI
1488         https://bugs.webkit.org/show_bug.cgi?id=194421
1489
1490         Reviewed by Saam Barati.
1491
1492         * API/JSAPIGlobalObject.mm:
1493         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1494
1495 2019-02-07  Mark Lam  <mark.lam@apple.com>
1496
1497         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1498         https://bugs.webkit.org/show_bug.cgi?id=194399
1499         <rdar://problem/47889777>
1500
1501         Reviewed by Yusuke Suzuki.
1502
1503         Fix doesGC() for the following nodes:
1504
1505             CheckTraps:
1506                 We normally will not emit this node because Options::usePollingTraps() is
1507                 false by default.  However, as it is implemented now, CheckTraps can GC
1508                 because it can allocate a TerminatedExecutionException.  If we make the
1509                 TerminatedExecutionException a singleton allocated at initialization time,
1510                 doesGC() can return false for CheckTraps.
1511                 https://bugs.webkit.org/show_bug.cgi?id=194323
1512
1513             GetMapBucket:
1514                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1515                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1516                 can resolve a rope.
1517
1518             Switch:
1519                 If switchData kind is SwitchChar, can call operationResolveRope().
1520                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1521                     can call operationSwitchString() which resolves ropes.
1522
1523             DirectTailCall:
1524             ForceOSRExit:
1525             Return:
1526             TailCallForwardVarargs:
1527             TailCallVarargs:
1528             Throw:
1529                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1530                 for them, but following our conservative practice, unless we have a good
1531                 reason for doesGC() to return false, we should just return true.
1532
1533         * dfg/DFGDoesGC.cpp:
1534         (JSC::DFG::doesGC):
1535
1536 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1537
1538         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1539         https://bugs.webkit.org/show_bug.cgi?id=194250
1540
1541         Reviewed by Saam Barati.
1542
1543         Adds the following optimizations for integers:
1544         - Sub(x, x) => 0
1545             Already covered by the test testSubArg
1546         - Sub(x1, Neg(x2)) => Add (x1, x2)
1547             Added test: testSubNeg
1548         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1549             Added test: testNegSub
1550         - Add(Neg(x1), x2) => Sub(x2, x1)
1551             Added test: testAddNeg1
1552         - Add(x1, Neg(x2)) => Sub(x1, x2)
1553             Added test: testAddNeg2
1554         Adds the following optimization for floating point values:
1555         - Abs(Neg(x)) => Abs(x)
1556             Added test: testAbsNegArg
1557             Adds the following optimization:
1558
1559         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value(..))
1560
1561         * b3/B3ReduceStrength.cpp:
1562         * b3/testb3.cpp:
1563         (JSC::B3::testAddNeg1):
1564         (JSC::B3::testAddNeg2):
1565         (JSC::B3::testSubNeg):
1566         (JSC::B3::testNegSub):
1567         (JSC::B3::testAbsAbsArg):
1568         (JSC::B3::testAbsNegArg):
1569         (JSC::B3::run):
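
        The integer peepholes listed above, and the Abs(Neg(x)) -> Abs(x) rule whose first version (fixed in the 2019-02-07 "Fix Abs(Neg(x)) -> Abs(x)" entry above) wrongly produced x, as an added C++ example that is not JavaScriptCore's B3ReduceStrength code: a toy expression-tree reducer with a differential check against an evaluator. The names reduce, eval, reductionPreservesSemantics and absNegBugMismatches are this example's own; Abs is modelled on Int32 here for simplicity, while B3's Abs peephole is for floating point.

```cpp
// Added example, not JavaScriptCore code: a toy B3-style strength reducer that
// applies the Neg/Sub/Add/Abs peepholes to an expression tree, plus a checker
// that compares each rewrite against an evaluator with Int32 wraparound.
#include <cstdint>
#include <memory>
#include <vector>

enum class Op { Arg, Const, Neg, Sub, Add, Abs };

struct Value {
    Op op;
    int32_t constant = 0;         // Const
    size_t argIndex = 0;          // Arg
    std::shared_ptr<Value> a, b;  // children (Neg/Abs use a; Sub/Add use a and b)
};
using Ptr = std::shared_ptr<Value>;

static Ptr node(Op op, Ptr a = nullptr, Ptr b = nullptr) {
    auto v = std::make_shared<Value>();
    v->op = op; v->a = std::move(a); v->b = std::move(b);
    return v;
}
Ptr arg(size_t i) { Ptr v = node(Op::Arg); v->argIndex = i; return v; }
Ptr cnst(int32_t c) { Ptr v = node(Op::Const); v->constant = c; return v; }
Ptr neg(Ptr x) { return node(Op::Neg, std::move(x)); }
Ptr abs_(Ptr x) { return node(Op::Abs, std::move(x)); }
Ptr sub(Ptr x, Ptr y) { return node(Op::Sub, std::move(x), std::move(y)); }
Ptr add(Ptr x, Ptr y) { return node(Op::Add, std::move(x), std::move(y)); }

// Two's-complement wraparound, as B3's Int32 arithmetic has.
static int32_t wrap(int64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

int32_t eval(const Ptr& v, const std::vector<int32_t>& args) {
    switch (v->op) {
    case Op::Arg:   return args[v->argIndex];
    case Op::Const: return v->constant;
    case Op::Neg:   return wrap(-static_cast<int64_t>(eval(v->a, args)));
    case Op::Sub:   return wrap(static_cast<int64_t>(eval(v->a, args)) - eval(v->b, args));
    case Op::Add:   return wrap(static_cast<int64_t>(eval(v->a, args)) + eval(v->b, args));
    case Op::Abs: { int32_t x = eval(v->a, args); return x < 0 ? wrap(-static_cast<int64_t>(x)) : x; }
    }
    return 0;
}

// Reduce children first (so a Neg(Sub(..)) under an Abs is visible), then apply
// the peepholes. Every rewrite removes a node, so re-reducing the result
// terminates. Sub(x, x) relies on value identity, as the B3 pass does.
Ptr reduce(const Ptr& v) {
    Ptr a = v->a ? reduce(v->a) : nullptr;
    Ptr b = v->b ? reduce(v->b) : nullptr;
    switch (v->op) {
    case Op::Sub:
        if (v->a == v->b) return cnst(0);                       // Sub(x, x) => 0
        if (b->op == Op::Neg) return reduce(add(a, b->a));      // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (a->op == Op::Sub) return reduce(sub(a->b, a->a));   // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (a->op == Op::Neg) return reduce(sub(b, a->a));      // Add(Neg(x1), x2) => Sub(x2, x1)
        if (b->op == Op::Neg) return reduce(sub(a, b->a));      // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (a->op == Op::Neg) return reduce(abs_(a->a));        // Abs(Neg(x)) => Abs(x), NOT => x
        break;
    default:
        break;
    }
    auto out = std::make_shared<Value>(*v);   // no rule fired: keep op, use reduced children
    out->a = a; out->b = b;
    return out;
}

// Differential check over a sample grid (including INT32_MIN, where Neg and Abs
// wrap): true iff the reduced tree agrees with the original on every input.
bool reductionPreservesSemantics(const Ptr& expr) {
    static const int32_t samples[] = { INT32_MIN, INT32_MIN + 1, -7, -1, 0, 1, 7, INT32_MAX };
    Ptr reduced = reduce(expr);
    for (int32_t x : samples)
        for (int32_t y : samples)
            if (eval(expr, {x, y}) != eval(reduced, {x, y})) return false;
    return true;
}

// The first landed version of the Abs rule rewrote Abs(Neg(x)) to x. Count the
// sample inputs on which that rewrite changes the result (the negative ones).
int absNegBugMismatches() {
    static const int32_t samples[] = { -7, -1, 0, 1, 7, INT32_MAX };
    Ptr x = arg(0);
    Ptr correct = abs_(neg(x));
    int mismatches = 0;
    for (int32_t s : samples)
        if (eval(correct, {s}) != eval(x, {s}))   // buggy rewrite: Abs(Neg(x)) => x
            ++mismatches;
    return mismatches;
}
```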
1570
1571 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1572
1573         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1574         https://bugs.webkit.org/show_bug.cgi?id=194374
1575
1576         Reviewed by Geoffrey Garen.
1577
1578         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1579         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1580         is more memory efficient.
1581
1582         * runtime/SmallStrings.cpp:
1583         (JSC::SmallStringsStorage::SmallStringsStorage):
1584         (JSC::SmallStrings::SmallStrings):
1585         * runtime/SmallStrings.h:
1586
1587 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1588
1589         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1590         https://bugs.webkit.org/show_bug.cgi?id=194369
1591         <rdar://problem/47813087>
1592
1593         Reviewed by Saam Barati.
1594
1595         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1596         JSEmpty if it is TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1597         constant folding phase.
1598
1599         * dfg/DFGAbstractInterpreterInlines.h:
1600         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1601
1602 2019-02-06  Devin Rousso  <drousso@apple.com>
1603
1604         Web Inspector: DOM: don't send the entire function string with each event listener
1605         https://bugs.webkit.org/show_bug.cgi?id=194293
1606         <rdar://problem/47822809>
1607
1608         Reviewed by Joseph Pecoraro.
1609
1610         * inspector/protocol/DOM.json:
1611
1612         * runtime/JSFunction.h:
1613         Export `calculatedDisplayName`.
1614
1615 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1616
1617         [JSC] PrivateName to PublicName hash table is wasteful
1618         https://bugs.webkit.org/show_bug.cgi?id=194277
1619
1620         Reviewed by Michael Saboff.
1621
1622         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames,
1623         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1624         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1625         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1626
1627         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1628
1629         1. PrivateName's content should be the same as PublicName's.
1630         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1631            the public name should be easily crafted from the given PrivateName.
1632
1633         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1634         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1635
1636         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1637         WebCore.
1638
1639         * builtins/BuiltinNames.cpp:
1640         (JSC::BuiltinNames::BuiltinNames):
1641         * builtins/BuiltinNames.h:
1642         (JSC::BuiltinNames::lookUpPrivateName const):
1643         (JSC::BuiltinNames::getPublicName const):
1644         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1645         (JSC::BuiltinNames::appendExternalName):
1646         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1647         * builtins/BuiltinUtils.h:
1648         * bytecode/BytecodeDumper.cpp:
1649         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1650         * bytecompiler/NodesCodegen.cpp:
1651         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1652         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1653         * parser/Lexer.cpp:
1654         (JSC::Lexer<LChar>::parseIdentifier):
1655         (JSC::Lexer<UChar>::parseIdentifier):
1656         * parser/Parser.cpp:
1657         (JSC::Parser<LexerType>::createGeneratorParameters):
1658         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1659         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1660         (JSC::Parser<LexerType>::parseClassDeclaration):
1661         (JSC::Parser<LexerType>::parseExportDeclaration):
1662         (JSC::Parser<LexerType>::parseMemberExpression):
1663         * parser/ParserArena.h:
1664         (JSC::IdentifierArena::makeIdentifier):
1665         * runtime/CachedTypes.cpp:
1666         (JSC::CachedUniquedStringImpl::encode):
1667         (JSC::CachedUniquedStringImpl::decode const):
1668         * runtime/CommonIdentifiers.cpp:
1669         (JSC::CommonIdentifiers::CommonIdentifiers):
1670         (JSC::CommonIdentifiers::lookUpPrivateName const):
1671         (JSC::CommonIdentifiers::getPublicName const):
1672         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1673         * runtime/CommonIdentifiers.h:
1674         * runtime/ExceptionHelpers.cpp:
1675         (JSC::createUndefinedVariableError):
1676         * runtime/Identifier.cpp:
1677         (JSC::Identifier::dump const):
1678         * runtime/Identifier.h:
1679         * runtime/IdentifierInlines.h:
1680         (JSC::Identifier::fromUid):
1681         * runtime/JSTypedArrayViewPrototype.cpp:
1682         (JSC::JSTypedArrayViewPrototype::finishCreation):
1683         * tools/JSDollarVM.cpp:
1684         (JSC::functionGetPrivateProperty):
1685
1686 2019-02-06  Keith Rollin  <krollin@apple.com>
1687
1688         Really enable the automatic checking and regenerations of .xcfilelists during builds
1689         https://bugs.webkit.org/show_bug.cgi?id=194357
1690         <rdar://problem/47861231>
1691
1692         Reviewed by Chris Dumez.
1693
1694         Bug 194124 was supposed to enable the automatic checking and
1695         regenerating of .xcfilelist files during the build. While related
1696         changes were included in that patch, the change to actually enable the
1697         operation somehow was omitted. This patch actually enables the
1698         operation. The check-xcfilelist.sh scripts now check
1699         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1700         of the checking.
1701
1702         * Scripts/check-xcfilelists.sh:
1703
1704 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1705
1706         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1707         https://bugs.webkit.org/show_bug.cgi?id=194339
1708
1709         Reviewed by Michael Saboff.
1710
1711         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1712         They have even the same structure. This patch unifies the subspaces for them.
1713
1714         * runtime/DirectEvalExecutable.h:
1715         * runtime/EvalExecutable.h:
1716         (JSC::EvalExecutable::subspaceFor):
1717         * runtime/IndirectEvalExecutable.h:
1718         * runtime/VM.cpp:
1719         * runtime/VM.h:
1720         (JSC::VM::forEachScriptExecutableSpace):
1721
1722 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1723
1724         [JSC] NativeExecutable should be smaller
1725         https://bugs.webkit.org/show_bug.cgi?id=194331
1726
1727         Reviewed by Michael Saboff.
1728
1729         NativeExecutable takes 88 bytes now. Since our GC rounds the size with 16, it actually takes 96 bytes in IsoSubspaces.
1730         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1731         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1732         only takes one MarkedBlock for NativeExecutable.
1733
1734         To make NativeExecutable smaller,
1735
1736         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1737            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1738
1739         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1740            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1741            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1742
1743         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1744            Intrinsic for NativeExecutable.
1745
1746         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1747
1748         * CMakeLists.txt:
1749         * JavaScriptCore.xcodeproj/project.pbxproj:
1750         * bytecode/CallVariant.h:
1751         * interpreter/Interpreter.cpp:
1752         * jit/JITCode.cpp:
1753         (JSC::DirectJITCode::DirectJITCode):
1754         (JSC::NativeJITCode::NativeJITCode):
1755         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1756         * jit/JITCode.h:
1757         (JSC::JITCode::signature const):
1758         (JSC::JITCode::intrinsic):
1759         * jit/JITOperations.cpp:
1760         * jit/JITThunks.cpp:
1761         (JSC::JITThunks::hostFunctionStub):
1762         * jit/Repatch.cpp:
1763         * llint/LLIntSlowPaths.cpp:
1764         * runtime/ExecutableBase.cpp:
1765         (JSC::ExecutableBase::dump const):
1766         (JSC::ExecutableBase::hashFor const):
1767         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1768         (JSC::ExecutableBase::clearCode): Deleted.
1769         * runtime/ExecutableBase.h:
1770         (JSC::ExecutableBase::ExecutableBase):
1771         (JSC::ExecutableBase::isModuleProgramExecutable):
1772         (JSC::ExecutableBase::isHostFunction const):
1773         (JSC::ExecutableBase::generatedJITCodeForCall const):
1774         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1775         (JSC::ExecutableBase::generatedJITCodeFor const):
1776         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1777         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1778         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1779         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1780         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1781         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1782         (JSC::ExecutableBase::intrinsic const): Deleted.
1783         * runtime/ExecutableBaseInlines.h: Added.
1784         (JSC::ExecutableBase::intrinsic const):
1785         (JSC::ExecutableBase::hasJITCodeForCall const):
1786         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1787         * runtime/JSBoundFunction.cpp:
1788         * runtime/JSType.cpp:
1789         (WTF::printInternal):
1790         * runtime/JSType.h:
1791         * runtime/NativeExecutable.cpp:
1792         (JSC::NativeExecutable::create):
1793         (JSC::NativeExecutable::createStructure):
1794         (JSC::NativeExecutable::NativeExecutable):
1795         (JSC::NativeExecutable::signatureFor const):
1796         (JSC::NativeExecutable::intrinsic const):
1797         * runtime/NativeExecutable.h:
1798         * runtime/ScriptExecutable.cpp:
1799         (JSC::ScriptExecutable::ScriptExecutable):
1800         (JSC::ScriptExecutable::clearCode):
1801         (JSC::ScriptExecutable::installCode):
1802         (JSC::ScriptExecutable::hasClearableCode const):
1803         * runtime/ScriptExecutable.h:
1804         (JSC::ScriptExecutable::intrinsic const):
1805         (JSC::ScriptExecutable::hasJITCodeForCall const):
1806         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1807         * runtime/VM.cpp:
1808         (JSC::VM::getHostFunction):
1809
1810 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1811
1812         Build failure after r240431
1813         https://bugs.webkit.org/show_bug.cgi?id=194330
1814
1815         Reviewed by Žan Doberšek.
1816
1817         * API/glib/JSCOptions.cpp:
1818
1819 2019-02-05  Mark Lam  <mark.lam@apple.com>
1820
1821         Fix DFG's doesGC() for a few more nodes.
1822         https://bugs.webkit.org/show_bug.cgi?id=194307
1823         <rdar://problem/47832956>
1824
1825         Reviewed by Yusuke Suzuki.
1826
1827         Fix doesGC() for the following nodes:
1828
1829             NumberToStringWithValidRadixConstant:
1830                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1831                 which can allocate a string.
1832                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1833                 which can allocate a string.
1834                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1835                 which can allocate a string.
1836
1837             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1838                 memory for all kinds of objects.
1839             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1840                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1841                 these allocate memory for the match result.
1842             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1843                 calls RegExpObject's collectMatches(), which allocates an array amongst
1844                 other objects.
1845
1846             StringFromCharCode:
1847                 If the uint32 code to convert is greater than maxSingleCharacterString,
1848                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1849                 which allocates a new string if the code is greater than maxSingleCharacterString.
1850
1851         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1852         to use maxSingleCharacterString instead of a literal constant.
1853
1854         * dfg/DFGDoesGC.cpp:
1855         (JSC::DFG::doesGC):
1856         * dfg/DFGSpeculativeJIT.cpp:
1857         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1858         * ftl/FTLLowerDFGToB3.cpp:
1859         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1860
1861 2019-02-05  Keith Rollin  <krollin@apple.com>
1862
1863         Enable the automatic checking and regenerations of .xcfilelists during builds
1864         https://bugs.webkit.org/show_bug.cgi?id=194124
1865         <rdar://problem/47721277>
1866
1867         Reviewed by Tim Horton.
1868
1869         Bug 193790 added a facility for checking -- during build time -- that
1870         any needed .xcfilelist files are up-to-date and for updating them if
1871         they are not. This facility was initially opt-in by setting
1872         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1873         the process seemed robust. It's now time to enable this facility and
1874         make it opt-out. If there is a need to disable this facility, set and
1875         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1876         running `make` or `build-webkit`, or before running Xcode from the
1877         command line.
1878
1879         Additionally, remove the step that generates a list of source files
1880         going into the UnifiedSources build step. It's only necessary to
1881         specify Sources.txt and SourcesCocoa.txt as inputs.
1882
1883         * JavaScriptCore.xcodeproj/project.pbxproj:
1884         * UnifiedSources-input.xcfilelist: Removed.
1885
1886 2019-02-05  Keith Rollin  <krollin@apple.com>
1887
1888         Update .xcfilelist files
1889         https://bugs.webkit.org/show_bug.cgi?id=194121
1890         <rdar://problem/47720863>
1891
1892         Reviewed by Tim Horton.
1893
1894         Preparatory to enabling the facility for automatically updating the
1895         .xcfilelist files, check in a freshly-updated set so that not everyone
1896         runs up against having to regenerate them themselves.
1897
1898         * DerivedSources-input.xcfilelist:
1899         * DerivedSources-output.xcfilelist:
1900
1901 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1902
1903         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1904         https://bugs.webkit.org/show_bug.cgi?id=185557
1905
1906         Reviewed by Mark Lam.
1907
1908         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1909         where n is the number of characters in the formatted string.
1910         It may be less memory efficient than the previous impl, since the intermediate Vector
1911         is the length of the string, instead of the count of the fields.
1912
1913         * runtime/IntlNumberFormat.cpp:
1914         (JSC::IntlNumberFormat::formatToParts):
1915         * runtime/IntlNumberFormat.h:
1916
1917 2019-02-05  Mark Lam  <mark.lam@apple.com>
1918
1919         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1920         https://bugs.webkit.org/show_bug.cgi?id=194298
1921         <rdar://problem/47827555>
1922
1923         Reviewed by Saam Barati.
1924
1925         We do this for 3 reasons:
1926         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1927         2. If things change in the future where clobberize() no longer reports these nodes
1928            as write(Heap), each node should be vetted first to make sure that it can never
1929            GC before being moved back to the doesGC() list that returns false.
1930         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1931            correct in its claims about the nodes' GCing possibility.
1932
1933         The list of nodes moved are:
1934
1935             ArrayPush
1936             ArrayPop
1937             Call
1938             CallEval
1939             CallForwardVarargs
1940             CallVarargs
1941             Construct
1942             ConstructForwardVarargs
1943             ConstructVarargs
1944             DefineDataProperty
1945             DefineAccessorProperty
1946             DeleteById
1947             DeleteByVal
1948             DirectCall
1949             DirectConstruct
1950             DirectTailCallInlinedCaller
1951             GetById
1952             GetByIdDirect
1953             GetByIdDirectFlush
1954             GetByIdFlush
1955             GetByIdWithThis
1956             GetByValWithThis
1957             GetDirectPname
1958             GetDynamicVar
1959             HasGenericProperty
1960             HasOwnProperty
1961             HasStructureProperty
1962             InById
1963             InByVal
1964             InstanceOf
1965             InstanceOfCustom
1966             LoadVarargs
1967             NumberToStringWithRadix
1968             PutById
1969             PutByIdDirect
1970             PutByIdFlush
1971             PutByIdWithThis
1972             PutByOffset
1973             PutByValWithThis
1974             PutDynamicVar
1975             PutGetterById
1976             PutGetterByVal
1977             PutGetterSetterById
1978             PutSetterById
1979             PutSetterByVal
1980             PutStack
1981             PutToArguments
1982             RegExpExec
1983             RegExpTest
1984             ResolveScope
1985             ResolveScopeForHoistingFuncDeclInEval
1986             TailCall
1987             TailCallForwardVarargsInlinedCaller
1988             TailCallInlinedCaller
1989             TailCallVarargsInlinedCaller
1990             ToNumber
1991             ToPrimitive
1992             ValueNegate
1993
1994         * dfg/DFGDoesGC.cpp:
1995         (JSC::DFG::doesGC):
1996
1997 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1998
1999         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2000         https://bugs.webkit.org/show_bug.cgi?id=194281
2001
2002         Reviewed by Michael Saboff.
2003
2004         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2005         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2006
2007         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2008         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2009         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
2010
2011         * bytecode/CodeBlock.cpp:
2012         (JSC::CodeBlock::finishCreation):
2013         * bytecode/CodeBlock.h:
2014         (JSC::CodeBlock::bitVectors const): Deleted.
2015         * bytecode/CodeType.h:
2016         * bytecode/UnlinkedCodeBlock.cpp:
2017         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2018         (JSC::UnlinkedCodeBlock::shrinkToFit):
2019         * bytecode/UnlinkedCodeBlock.h:
2020         (JSC::UnlinkedCodeBlock::bitVector):
2021         (JSC::UnlinkedCodeBlock::addBitVector):
2022         (JSC::UnlinkedCodeBlock::addSetConstant):
2023         (JSC::UnlinkedCodeBlock::constantRegisters):
2024         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2025         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2026         (JSC::UnlinkedCodeBlock::codeType const):
2027         (JSC::UnlinkedCodeBlock::didOptimize const):
2028         (JSC::UnlinkedCodeBlock::setDidOptimize):
2029         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2030         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2031         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2032         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2033         * bytecompiler/BytecodeGenerator.cpp:
2034         (JSC::BytecodeGenerator::emitLoad):
2035         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2036         * bytecompiler/BytecodeGenerator.h:
2037         * runtime/CachedTypes.cpp:
2038         (JSC::CachedCodeBlockRareData::encode):
2039         (JSC::CachedCodeBlockRareData::decode const):
2040         (JSC::CachedCodeBlock::scopeRegister const):
2041         (JSC::CachedCodeBlock::codeType const):
2042         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2043         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2044         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2045         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2046
2047 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2048
2049         Unreviewed, add missing exception checks after r240637
2050         https://bugs.webkit.org/show_bug.cgi?id=193546
2051
2052         * tools/JSDollarVM.cpp:
2053         (JSC::functionShadowChickenFunctionsOnStack):
2054
2055 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2056
2057         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2058         https://bugs.webkit.org/show_bug.cgi?id=193993
2059
2060         Reviewed by Keith Miller.
2061
2062         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
2063         And some of them are rarely used. We should allocate them lazily.
2064
2065         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2066         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
2067         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2068         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes second template
2069         parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
2070         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2071         by using WTF::storeStoreFence when lazily allocating it.
2072
2073         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2074         existence of the space before touching this. This is not racy because the main thread is stopped when
2075         the constraint solving is working.
2076
2077         This changes sizeof(VM) from 64736 to 56472.
2078
2079         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2080         `Subspace::initialize`. This is really dangerous API since it easily causes dead-lock between the
2081         collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
2082         dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
2083         of IsoSubspace adoption because IsoSubspace is large. Registered Subspace is only touched in the
2084         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2085         can run this IsoSubspace code, the collector is never EndPhase. So this is safe.
2086
2087         * API/JSCallbackFunction.h:
2088         * API/ObjCCallbackFunction.h:
2089         (JSC::ObjCCallbackFunction::subspaceFor):
2090         * API/glib/JSCCallbackFunction.h:
2091         * CMakeLists.txt:
2092         * JavaScriptCore.xcodeproj/project.pbxproj:
2093         * bytecode/CodeBlock.cpp:
2094         (JSC::CodeBlock::visitChildren):
2095         (JSC::CodeBlock::finalizeUnconditionally):
2096         * bytecode/CodeBlock.h:
2097         * bytecode/EvalCodeBlock.h:
2098         * bytecode/ExecutableToCodeBlockEdge.h:
2099         * bytecode/FunctionCodeBlock.h:
2100         * bytecode/ModuleProgramCodeBlock.h:
2101         * bytecode/ProgramCodeBlock.h:
2102         * bytecode/UnlinkedFunctionExecutable.cpp:
2103         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2104         * bytecode/UnlinkedFunctionExecutable.h:
2105         * dfg/DFGSpeculativeJIT.cpp:
2106         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2107         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2108         (JSC::DFG::SpeculativeJIT::compileNewObject):
2109         * ftl/FTLLowerDFGToB3.cpp:
2110         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2111         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2112         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2113         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2114         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2115         * heap/Heap.cpp:
2116         (JSC::Heap::finalizeUnconditionalFinalizers):
2117         (JSC::Heap::deleteAllCodeBlocks):
2118         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2119         (JSC::Heap::addCoreConstraints):
2120         * heap/Subspace.cpp:
2121         (JSC::Subspace::initialize):
2122         * jit/AssemblyHelpers.h:
2123         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2124         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2125         * jit/JITOpcodes.cpp:
2126         (JSC::JIT::emit_op_new_object):
2127         * jit/JITOpcodes32_64.cpp:
2128         (JSC::JIT::emit_op_new_object):
2129         * runtime/DirectArguments.h:
2130         * runtime/DirectEvalExecutable.h:
2131         * runtime/ErrorInstance.h:
2132         (JSC::ErrorInstance::subspaceFor):
2133         * runtime/ExecutableBase.h:
2134         * runtime/FunctionExecutable.h:
2135         * runtime/IndirectEvalExecutable.h:
2136         * runtime/InferredValue.cpp:
2137         (JSC::InferredValue::visitChildren):
2138         * runtime/InferredValue.h:
2139         * runtime/InferredValueInlines.h:
2140         (JSC::InferredValue::finalizeUnconditionally):
2141         * runtime/InternalFunction.h:
2142         * runtime/JSAsyncFunction.h:
2143         * runtime/JSAsyncGeneratorFunction.h:
2144         * runtime/JSBoundFunction.h:
2145         * runtime/JSCell.h:
2146         (JSC::subspaceFor):
2147         (JSC::subspaceForConcurrently):
2148         * runtime/JSCellInlines.h:
2149         (JSC::allocatorForNonVirtualConcurrently):
2150         * runtime/JSCustomGetterSetterFunction.h:
2151         * runtime/JSDestructibleObject.h:
2152         * runtime/JSFunction.h:
2153         * runtime/JSGeneratorFunction.h:
2154         * runtime/JSImmutableButterfly.h:
2155         * runtime/JSLexicalEnvironment.h:
2156         (JSC::JSLexicalEnvironment::subspaceFor):
2157         * runtime/JSNativeStdFunction.h:
2158         * runtime/JSSegmentedVariableObject.h:
2159         * runtime/JSString.h:
2160         * runtime/ModuleProgramExecutable.h:
2161         * runtime/NativeExecutable.h:
2162         * runtime/ProgramExecutable.h:
2163         * runtime/PropertyMapHashTable.h:
2164         * runtime/ProxyRevoke.h:
2165         * runtime/ScopedArguments.h:
2166         * runtime/ScriptExecutable.cpp:
2167         (JSC::ScriptExecutable::clearCode):
2168         (JSC::ScriptExecutable::installCode):
2169         * runtime/Structure.h:
2170         * runtime/StructureRareData.h:
2171         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2172         * runtime/VM.cpp:
2173         (JSC::VM::VM):
2174         * runtime/VM.h:
2175         (JSC::VM::SpaceAndSet::SpaceAndSet):
2176         (JSC::VM::SpaceAndSet::setFor):
2177         (JSC::VM::forEachScriptExecutableSpace):
2178         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2179         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2180         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2181         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2182         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2183         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2184         * runtime/WeakMapImpl.h:
2185         (JSC::WeakMapImpl::subspaceFor):
2186         * wasm/js/JSWebAssemblyCodeBlock.h:
2187         * wasm/js/JSWebAssemblyMemory.h:
2188         * wasm/js/WebAssemblyFunction.h:
2189         * wasm/js/WebAssemblyWrapperFunction.h:
2190
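The lazy-allocation scheme the entry above describes, as an added illustration in standard C++ (not JSC's own code): Subspace, EagerVM, LazyVM, ensureStringSpace() and stringSpaceConcurrently() are stand-ins for IsoSubspace, JSC::VM and the ensureXXXSpace / subspaceForConcurrently<> helpers, and std::atomic_thread_fence stands in for WTF::storeStoreFence. As in the entry, allocation is assumed to happen on the main thread only; concurrent JIT threads only read.

```cpp
// Added example, not JSC code. Shows (1) why pointers-to-spaces shrink the VM,
// (2) the publish-with-fence pattern for lazily created spaces, and (3) the
// "check existence before touching" rule used during GC constraint solving.
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <initializer_list>

// Stand-in for IsoSubspace. The entry gives 504 bytes per IsoSubspace; a VM
// that embeds dozens of these by value pays for all of them up front.
struct Subspace {
    unsigned char payload[504];
    bool initialized = false;
};

// Eager layout: every space lives inside the VM object itself.
struct EagerVM {
    Subspace stringSpace;
    Subspace weakMapSpace;
    Subspace proxyRevokeSpace;
};

// Lazy layout: one pointer per rarely-used space, created on first use.
class LazyVM {
public:
    // Mutator-only path (what subspaceFor<> ends up calling). Assumed to run on
    // the main thread only, as in the entry, so no lock is needed here.
    Subspace* ensureStringSpace() { return ensure(m_stringSpace); }
    Subspace* ensureWeakMapSpace() { return ensure(m_weakMapSpace); }
    Subspace* ensureProxyRevokeSpace() { return ensure(m_proxyRevokeSpace); }

    // Concurrent-JIT path (subspaceForConcurrently<>): never allocates and
    // returns nullptr if the mutator has not created the space yet.
    Subspace* stringSpaceConcurrently() const { return peek(m_stringSpace); }

    // GC-constraint style traversal: test for existence before touching a
    // space. The entry notes this is not racy because the mutator is stopped.
    unsigned countAllocatedSpaces() const
    {
        unsigned count = 0;
        for (const std::atomic<Subspace*>* slot : { &m_stringSpace, &m_weakMapSpace, &m_proxyRevokeSpace }) {
            if (slot->load(std::memory_order_relaxed))
                ++count;
        }
        return count;
    }

    ~LazyVM()
    {
        delete m_stringSpace.load();
        delete m_weakMapSpace.load();
        delete m_proxyRevokeSpace.load();
    }

private:
    static Subspace* ensure(std::atomic<Subspace*>& slot)
    {
        if (Subspace* space = slot.load(std::memory_order_relaxed))
            return space;
        Subspace* space = new Subspace;
        space->initialized = true;
        // Stand-in for WTF::storeStoreFence(): the initialising stores above
        // become visible before the store that publishes the pointer.
        std::atomic_thread_fence(std::memory_order_release);
        slot.store(space, std::memory_order_relaxed);
        return space;
    }

    static Subspace* peek(const std::atomic<Subspace*>& slot)
    {
        Subspace* space = slot.load(std::memory_order_relaxed);
        // Acquire side: a reader that observed the pointer also observes the
        // fully constructed Subspace behind it.
        std::atomic_thread_fence(std::memory_order_acquire);
        return space;
    }

    std::atomic<Subspace*> m_stringSpace { nullptr };
    std::atomic<Subspace*> m_weakMapSpace { nullptr };
    std::atomic<Subspace*> m_proxyRevokeSpace { nullptr };
};

static_assert(sizeof(LazyVM) < sizeof(EagerVM), "lazy layout must be smaller");

// Bytes saved by holding these three spaces behind pointers instead of by value.
std::size_t lazySavingsBytes() { return sizeof(EagerVM) - sizeof(LazyVM); }

int main()
{
    LazyVM vm;
    std::printf("sizeof(EagerVM)=%zu sizeof(LazyVM)=%zu saved=%zu\n",
        sizeof(EagerVM), sizeof(LazyVM), lazySavingsBytes());
    std::printf("concurrent view before ensure: %p\n", (void*)vm.stringSpaceConcurrently());
    vm.ensureStringSpace();
    std::printf("concurrent view after ensure:  %p\n", (void*)vm.stringSpaceConcurrently());
    std::printf("allocated spaces: %u\n", vm.countAllocatedSpaces());
    return 0;
}
```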
2019-02-04  Keith Miller  <keith_miller@apple.com>

        Change llint operand macros to inline functions
        https://bugs.webkit.org/show_bug.cgi?id=194248

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getNonConstantOperand):
        (JSC::LLInt::getOperand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::genericCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::commonCallEval):

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
        AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):

2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ExecutableToCodeBlockEdge should be smaller
        https://bugs.webkit.org/show_bug.cgi?id=194244

        Reviewed by Michael Saboff.

        ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
        sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
        Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
        it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.

        In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
        since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
        ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.

        Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
        for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
        does not touch it if it is called in non-main threads).

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::finishCreation):
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        (JSC::ExecutableToCodeBlockEdge::activate):
        (JSC::ExecutableToCodeBlockEdge::deactivate):
        (JSC::ExecutableToCodeBlockEdge::isActive const):
        * bytecode/ExecutableToCodeBlockEdge.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::perCellBit const):
        (JSC::JSCell::setPerCellBit):
        (JSC::JSCell::mayBePrototype const): Deleted.
        (JSC::JSCell::didBecomePrototype): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::mayBePrototype const):
        (JSC::JSObject::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::perCellBit):
        (JSC::TypeInfo::mergeInlineTypeFlags):
        (JSC::TypeInfo::mayBePrototype): Deleted.

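The layout change the entry above describes, as an added illustration (not JSC's code): CellHeader, EdgeBefore, EdgeAfter, ObjectCell and PerCellBit are simplified stand-ins for JSCell, ExecutableToCodeBlockEdge, JSObject and TypeInfoPerCellBit. The 8-byte cell header and 16-byte size classes are assumptions chosen to reproduce the 24/7/32/16-byte figures the entry gives.

```cpp
// Added example, not JSC code. Reproduces the before/after sizes from the
// entry and shows one header bit serving as m_isActive on an edge and as
// MayBePrototype on an object.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed 8-byte cell header: structure id, indexing type, cell type,
// inline type flags, GC cell state.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t inlineTypeFlags; // per-type flags, with one bit reserved for per-cell use
    uint8_t cellState;

    static constexpr uint8_t PerCellBit = 1u << 7; // stand-in for TypeInfoPerCellBit

    bool perCellBit() const { return (inlineTypeFlags & PerCellBit) != 0; }

    // Plain read-modify-write, not a CAS: as the entry says, callers must only
    // flip this bit on the main thread.
    void setPerCellBit(bool value)
    {
        if (value)
            inlineTypeFlags = static_cast<uint8_t>(inlineTypeFlags | PerCellBit);
        else
            inlineTypeFlags = static_cast<uint8_t>(inlineTypeFlags & ~PerCellBit);
    }
};

struct CodeBlock; // opaque target of the edge

// Before: header (8) + pointer (8) + bool (1) is padded to 24 bytes, and a
// 16-byte size class rounds the allocation up to 32.
struct EdgeBefore {
    CellHeader header;
    CodeBlock* codeBlock;
    bool isActive;
};

// After: the bool lives in the header's per-cell bit, so the edge is exactly 16 bytes.
struct EdgeAfter {
    CellHeader header;
    CodeBlock* codeBlock;

    bool isActive() const { return header.perCellBit(); }
    void activate() { header.setPerCellBit(true); }
    void deactivate() { header.setPerCellBit(false); }
};

// The same bit reused with a different meaning on object cells.
struct ObjectCell {
    CellHeader header;
    bool mayBePrototype() const { return header.perCellBit(); }
    void didBecomePrototype() { header.setPerCellBit(true); }
};

static_assert(sizeof(CellHeader) == 8, "header layout assumption");
static_assert(sizeof(EdgeBefore) == 24, "pre-fix edge size from the entry");
static_assert(sizeof(EdgeAfter) == 16, "post-fix edge size from the entry");

// Padding the bool costs in the old layout: 24 - (8 + 8 + 1) = 7 bytes.
constexpr std::size_t paddingInEdgeBefore()
{
    return sizeof(EdgeBefore) - (sizeof(CellHeader) + sizeof(CodeBlock*) + sizeof(bool));
}

// Size-class rounding described in the entry: allocations round up to 16 bytes.
constexpr std::size_t allocatedBytes(std::size_t objectSize)
{
    return (objectSize + 15) & ~static_cast<std::size_t>(15);
}

int main()
{
    std::printf("before: sizeof=%zu padding=%zu allocated=%zu\n",
        sizeof(EdgeBefore), paddingInEdgeBefore(), allocatedBytes(sizeof(EdgeBefore)));
    std::printf("after:  sizeof=%zu allocated=%zu\n",
        sizeof(EdgeAfter), allocatedBytes(sizeof(EdgeAfter)));
    EdgeAfter edge {};
    edge.activate();
    std::printf("edge active: %d\n", edge.isActive());
    return 0;
}
```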
2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink size of FunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194191

        Reviewed by Michael Saboff.

        This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
        improves the allocation efficiency.

        1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
           We remove them from ScriptExecutable, and move them to FunctionExecutable.

        2. FunctionExecutable has several pieces of data which are rarely used: one is for the FunctionOverrides functionality, which is typically
           used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
           the size of FunctionExecutable in the common case.

        This patch changes the size of FunctionExecutable from 176 to 144.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::finishCreation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::OpInfoWrapper::as const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn const):
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::ensureRareDataSlow):
        * runtime/FunctionExecutable.h:
        * runtime/Intrinsic.h:
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::ProgramExecutable):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::overrideLineNumber const):
        (JSC::ScriptExecutable::typeProfilingStartOffset const):
        (JSC::ScriptExecutable::typeProfilingEndOffset const):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::firstLine const):
        (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
        (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
        (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
        (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::computeLineAndColumn const):
        * tools/JSDollarVM.cpp:
        (JSC::functionReturnTypeFor):

2019-02-04  Mark Lam  <mark.lam@apple.com>

        DFG's doesGC() is incorrect about the SameValue node's behavior.
        https://bugs.webkit.org/show_bug.cgi?id=194211
        <rdar://problem/47608913>

        Reviewed by Saam Barati.

        Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
        it calls operationSameValue() which may allocate memory for resolving ropes.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
        https://bugs.webkit.org/show_bug.cgi?id=194031

        Reviewed by Saam Barati.

        UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
        This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
        sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
        destroyed if UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.

        To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
        This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.

        * bytecode/MetadataTable.cpp:
        (JSC::MetadataTable::MetadataTable):
        (JSC::MetadataTable::~MetadataTable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::estimatedSize):
        (JSC::UnlinkedCodeBlock::setInstructions):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::metadata):
        (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
        * bytecode/UnlinkedMetadataTable.h:
        (JSC::UnlinkedMetadataTable::create):
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
        * runtime/CachedTypes.cpp:
        (JSC::CachedMetadataTable::decode const):
        (JSC::CachedCodeBlock::metadata const):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::CachedCodeBlock<CodeBlockType>::decode const):
        (JSC::CachedCodeBlock<CodeBlockType>::encode):

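The ownership fix the entry above describes, as an added illustration (not JSC's code), written with std::shared_ptr in place of WTF::RefCounted/Ref. UnlinkedMetadataTable, MetadataTable, UnlinkedCodeBlock and the linkedTables counter are simplified stand-ins for the JSC types; the offsets are constructed sample values.

```cpp
// Added example, not JSC code. Sweeps the UnlinkedCodeBlock before the linked
// tables derived from it, the order the entry says the GC finalizer may use,
// and shows that the strong reference keeps the unlinked table alive until the
// last linked table's destructor has finished its bookkeeping.
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Live UnlinkedMetadataTable objects; lets callers observe destruction order
// without ever dereferencing freed memory.
static int g_liveUnlinkedTables = 0;

struct UnlinkedMetadataTable {
    UnlinkedMetadataTable() { ++g_liveUnlinkedTables; }
    ~UnlinkedMetadataTable() { --g_liveUnlinkedTables; }

    // Per-opcode offsets shared by every table linked against this one (constructed values).
    std::vector<unsigned> offsets { 0, 16, 48 };
    // Bookkeeping every linked table updates when it is destroyed. Before the
    // fix this was reached through a bare pointer, so a MetadataTable swept
    // after its UnlinkedMetadataTable would have written into freed memory.
    unsigned linkedTables = 0;
};

// Linked table. The strong reference in m_unlinked is the fix: the unlinked
// table cannot die until every MetadataTable derived from it is gone.
class MetadataTable {
public:
    explicit MetadataTable(std::shared_ptr<UnlinkedMetadataTable> unlinked)
        : m_unlinked(std::move(unlinked))
    {
        ++m_unlinked->linkedTables;
    }
    ~MetadataTable()
    {
        --m_unlinked->linkedTables; // safe: this reference keeps m_unlinked alive
    }
    unsigned offsetOf(unsigned opcodeIndex) const { return m_unlinked->offsets.at(opcodeIndex); }
    unsigned linkedCount() const { return m_unlinked->linkedTables; }

private:
    std::shared_ptr<UnlinkedMetadataTable> m_unlinked;
};

struct UnlinkedCodeBlock {
    std::shared_ptr<UnlinkedMetadataTable> metadata = std::make_shared<UnlinkedMetadataTable>();
    // Each linked CodeBlock gets its own MetadataTable over the shared unlinked one.
    std::unique_ptr<MetadataTable> link() const { return std::make_unique<MetadataTable>(metadata); }
};

// Snapshot of live-object counts at each step of the scenario.
struct SweepTrace {
    int afterLink;             // unlinked tables alive once two code blocks are linked
    unsigned linkedCount;      // MetadataTables registered on the unlinked table
    int afterUnlinkedSwept;    // unlinked tables alive after the UnlinkedCodeBlock is swept first
    unsigned offsetAfterSweep; // offset read through a linked table after that sweep
    int afterLinkedSwept;      // unlinked tables alive once the linked tables are gone too
};

SweepTrace sweepUnlinkedFirst()
{
    SweepTrace trace {};
    auto unlinkedCodeBlock = std::make_unique<UnlinkedCodeBlock>();
    std::unique_ptr<MetadataTable> tableA = unlinkedCodeBlock->link();
    std::unique_ptr<MetadataTable> tableB = unlinkedCodeBlock->link();
    trace.afterLink = g_liveUnlinkedTables;
    trace.linkedCount = tableA->linkedCount();

    unlinkedCodeBlock.reset();                        // UnlinkedCodeBlock swept first
    trace.afterUnlinkedSwept = g_liveUnlinkedTables;  // still alive: tableA/tableB hold refs
    trace.offsetAfterSweep = tableA->offsetOf(2);     // valid read, no use-after-free

    tableA.reset();
    tableB.reset();                                   // last strong reference dropped here
    trace.afterLinkedSwept = g_liveUnlinkedTables;
    return trace;
}

int main()
{
    SweepTrace trace = sweepUnlinkedFirst();
    std::printf("live after link: %d (linked tables: %u)\n", trace.afterLink, trace.linkedCount);
    std::printf("live after UnlinkedCodeBlock swept: %d, offset read: %u\n",
        trace.afterUnlinkedSwept, trace.offsetAfterSweep);
    std::printf("live after linked tables swept: %d\n", trace.afterLinkedSwept);
    return 0;
}
```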
2369 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2370
2371         [JSC] Decouple JIT related data from CodeBlock
2372         https://bugs.webkit.org/show_bug.cgi?id=194187
2373
2374         Reviewed by Saam Barati.
2375
2376         CodeBlock holds bunch of data which is only used after JIT starts compiling it.
2377         We have three types of data in CodeBlock.
2378
2379         1. The data which is always used. CodeBlock needs to hold it.
2380         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2381         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2382
2383         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have bunch of CodeBlocks, only small
2384         number of them gets JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to the
2385         memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
2386         in both non-JIT and *JIT* modes.
2387
2388         JITData is created only when JIT compiler wants to use it. So it can be concurrently created and used, so it is guarded
2389         by the lock of CodeBlock.
2390
2391         The size of CodeBlock is reduced from 512 to 352.
2392
2393         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2394
2395             Footprint geomean: 36696503 (34.997 MB)
2396             Peak Footprint geomean: 38595988 (36.808 MB)
2397             Score: 37634263 (35.891 MB)
2398
2399             Footprint geomean: 37172768 (35.451 MB)
2400             Peak Footprint geomean: 38978288 (37.173 MB)
2401             Score: 38064824 (36.301 MB)
2402
2403         * bytecode/CodeBlock.cpp:
2404         (JSC::CodeBlock::~CodeBlock):
2405         (JSC::CodeBlock::propagateTransitions):
2406         (JSC::CodeBlock::ensureJITDataSlow):
2407         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2408         (JSC::CodeBlock::getICStatusMap):
2409         (JSC::CodeBlock::addStubInfo):
2410         (JSC::CodeBlock::addJITAddIC):
2411         (JSC::CodeBlock::addJITMulIC):
2412         (JSC::CodeBlock::addJITSubIC):
2413         (JSC::CodeBlock::addJITNegIC):
2414         (JSC::CodeBlock::findStubInfo):
2415         (JSC::CodeBlock::addByValInfo):
2416         (JSC::CodeBlock::addCallLinkInfo):
2417         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2418         (JSC::CodeBlock::addRareCaseProfile):
2419         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2420         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2421         (JSC::CodeBlock::resetJITData):
2422         (JSC::CodeBlock::stronglyVisitStrongReferences):
2423         (JSC::CodeBlock::shrinkToFit):
2424         (JSC::CodeBlock::linkIncomingCall):
2425         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2426         (JSC::CodeBlock::unlinkIncomingCalls):
2427         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2428         (JSC::CodeBlock::dumpValueProfiles):
2429         (JSC::CodeBlock::setPCToCodeOriginMap):
2430         (JSC::CodeBlock::findPC):
2431         (JSC::CodeBlock::dumpMathICStats):
2432         * bytecode/CodeBlock.h:
2433         (JSC::CodeBlock::ensureJITData):
2434         (JSC::CodeBlock::setJITCodeMap):
2435         (JSC::CodeBlock::jitCodeMap):
2436         (JSC::CodeBlock::likelyToTakeSlowCase):
2437         (JSC::CodeBlock::couldTakeSlowCase):
2438         (JSC::CodeBlock::lazyOperandValueProfiles):
2439         (JSC::CodeBlock::stubInfoBegin): Deleted.
2440         (JSC::CodeBlock::stubInfoEnd): Deleted.
2441         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2442         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2443         (JSC::CodeBlock::jitCodeMap const): Deleted.
2444         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2445         * bytecode/MethodOfGettingAValueProfile.cpp:
2446         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2447         (JSC::MethodOfGettingAValueProfile::reportValue):
2448         * dfg/DFGByteCodeParser.cpp:
2449         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2450         * jit/JIT.h:
2451         * jit/JITOperations.cpp:
2452         (JSC::tryGetByValOptimize):
2453         * jit/JITPropertyAccess.cpp:
2454         (JSC::JIT::privateCompileGetByVal):
2455         (JSC::JIT::privateCompilePutByVal):
2456
2457 2018-12-16  Darin Adler  <darin@apple.com>
2458
2459         Convert additional String::format clients to alternative approaches
2460         https://bugs.webkit.org/show_bug.cgi?id=192746
2461
2462         Reviewed by Alexey Proskuryakov.
2463
2464         * inspector/agents/InspectorConsoleAgent.cpp:
2465         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2466         and FormattedNumber::fixedWidth.
2467
2468 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2469
2470         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2471         https://bugs.webkit.org/show_bug.cgi?id=194177
2472
2473         Reviewed by Saam Barati.
2474
2475         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2476         We can share the IsoSubspace for JSFunction.
2477
2478         * runtime/JSAsyncFunction.h:
2479         * runtime/JSAsyncGeneratorFunction.h:
2480         * runtime/JSGeneratorFunction.h:
2481         * runtime/VM.cpp:
2482         (JSC::VM::VM):
2483         * runtime/VM.h:
2484
2485 2019-02-01  Mark Lam  <mark.lam@apple.com>
2486
2487         Remove invalid assertion in DFG's compileDoubleRep().
2488         https://bugs.webkit.org/show_bug.cgi?id=194130
2489         <rdar://problem/47699474>
2490
2491         Reviewed by Saam Barati.
2492
2493         * dfg/DFGSpeculativeJIT.cpp:
2494         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2495
2496 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2497
2498         [JSC] Unify CodeBlock IsoSubspaces
2499         https://bugs.webkit.org/show_bug.cgi?id=194167
2500
2501         Reviewed by Saam Barati.
2502
2503         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2504         But this is not necessary since,
2505
2506         1. They do not override the classInfo methods.
2507         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses adds no additional fields.
2508
2509         Creating IsoSubspace for each subclass is costly in terms of memory. Especially, IsoSubspace for
2510         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2511         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2512
2513         This patch unifies these IsoSubspaces into one.
2514
2515         * bytecode/CodeBlock.cpp:
2516         (JSC::CodeBlock::destroy):
2517         * bytecode/CodeBlock.h:
2518         * bytecode/EvalCodeBlock.cpp:
2519         (JSC::EvalCodeBlock::destroy): Deleted.
2520         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2521         * bytecode/FunctionCodeBlock.cpp:
2522         (JSC::FunctionCodeBlock::destroy): Deleted.
2523         * bytecode/FunctionCodeBlock.h:
2524         * bytecode/GlobalCodeBlock.h:
2525         * bytecode/ModuleProgramCodeBlock.cpp:
2526         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2527         * bytecode/ModuleProgramCodeBlock.h:
2528         * bytecode/ProgramCodeBlock.cpp:
2529         (JSC::ProgramCodeBlock::destroy): Deleted.
2530         * bytecode/ProgramCodeBlock.h:
2531         * interpreter/Interpreter.cpp:
2532         (JSC::Interpreter::execute):
2533         * runtime/VM.cpp:
2534         (JSC::VM::VM):
2535         * runtime/VM.h:
2536         (JSC::VM::forEachCodeBlockSpace):
2537
2538 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2539
2540         Unreviewed, follow-up after r240859
2541         https://bugs.webkit.org/show_bug.cgi?id=194145
2542
2543         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2544         And rename cellDangerousBitsSpace back to cellSpace.
2545
2546         * runtime/JSCellInlines.h:
2547         (JSC::JSCell::subspaceFor):
2548         * runtime/VM.cpp:
2549         (JSC::VM::VM):
2550         * runtime/VM.h:
2551
2552 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2553
2554         [JSC] Remove cellJSValueOOBSpace
2555         https://bugs.webkit.org/show_bug.cgi?id=194145
2556
2557         Reviewed by Mark Lam.
2558
2559         * runtime/JSObject.h:
2560         (JSC::JSObject::subspaceFor): Deleted.
2561         * runtime/VM.cpp:
2562         (JSC::VM::VM):
2563         * runtime/VM.h:
2564
2565 2019-01-31  Mark Lam  <mark.lam@apple.com>
2566
2567         Remove poisoning from CodeBlock and LLInt code.
2568         https://bugs.webkit.org/show_bug.cgi?id=194113
2569
2570         Reviewed by Yusuke Suzuki.
2571
2572         * bytecode/CodeBlock.cpp:
2573         (JSC::CodeBlock::CodeBlock):
2574         (JSC::CodeBlock::~CodeBlock):
2575         (JSC::CodeBlock::setConstantRegisters):
2576         (JSC::CodeBlock::propagateTransitions):
2577         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2578         (JSC::CodeBlock::jettison):
2579         (JSC::CodeBlock::predictedMachineCodeSize):
2580         * bytecode/CodeBlock.h:
2581         (JSC::CodeBlock::vm const):
2582         (JSC::CodeBlock::addConstant):
2583         (JSC::CodeBlock::heap const):
2584         (JSC::CodeBlock::replaceConstant):
2585         * llint/LLIntOfflineAsmConfig.h:
2586         * llint/LLIntSlowPaths.cpp:
2587         (JSC::LLInt::handleHostCall):
2588         (JSC::LLInt::setUpCall):
2589         * llint/LowLevelInterpreter.asm:
2590         * llint/LowLevelInterpreter32_64.asm:
2591         * llint/LowLevelInterpreter64.asm:
2592
2593 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2594
2595         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2596         https://bugs.webkit.org/show_bug.cgi?id=194107
2597
2598         Reviewed by Saam Barati.
2599
2600         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2601         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2602
2603         * CMakeLists.txt:
2604         * DerivedSources.make:
2605         * JavaScriptCore.xcodeproj/project.pbxproj:
2606         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2607         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2608         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2609         (JSC::AsyncFromSyncIteratorPrototype::create):
2610         * runtime/AsyncFromSyncIteratorPrototype.h:
2611
2612 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2613
2614         Fix `runJITThreadLimitTests` in testapi
2615         https://bugs.webkit.org/show_bug.cgi?id=194064
2616         <rdar://problem/46139147>
2617
2618         Reviewed by Mark Lam.
2619
2620         Fix typo where `targetNumberOfThreads` was not being used.
2621
2622         * API/tests/testapi.mm:
2623         (runJITThreadLimitTests):
2624
2625 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2626
2627         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2628         https://bugs.webkit.org/show_bug.cgi?id=194112
2629
2630         Reviewed by Mark Lam.
2631
2632         `testBytecodeCache` does not populate the bytecode cache for the global
2633         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2634
2635         * API/tests/testapi.mm:
2636         (testBytecodeCache):
2637
2638 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2639
2640         Unreviewed, follow-up after r240796
2641
2642         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2643         when allocating InferredValue in FunctionExecutable::finishCreation.
2644
2645         * runtime/FunctionExecutable.cpp:
2646         (JSC::FunctionExecutable::FunctionExecutable):
2647         (JSC::FunctionExecutable::finishCreation):
2648
2649 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2650
2651         [JSC] Do not use InferredValue in non-JIT configuration
2652         https://bugs.webkit.org/show_bug.cgi?id=194084
2653
2654         Reviewed by Saam Barati.
2655
2656         InferredValue is not meaningful if our VM is non-JIT configuration. InferredValue is used to watch the instantiation of the  FunctionExecutable's
2657         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2658         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care it.
2659         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is preferable
2660         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2661         seems appropriate for objects created by this JSFunction. But at that time, only thing we would like to know is that whether JSFunction for this
2662         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue, WatchpointState is enough.
2663         To summarize, since nobody uses InferredValue feature in non-JIT configuration, we should not create it.
2664
2665         * bytecode/ObjectAllocationProfileInlines.h:
2666         (JSC::ObjectAllocationProfile::initializeProfile):
2667         * runtime/FunctionExecutable.cpp:
2668         (JSC::FunctionExecutable::finishCreation):
2669         (JSC::FunctionExecutable::visitChildren):
2670         * runtime/FunctionExecutable.h:
2671         * runtime/InferredValue.cpp:
2672         (JSC::InferredValue::create):
2673         * runtime/JSAsyncFunction.cpp:
2674         (JSC::JSAsyncFunction::create):
2675         * runtime/JSAsyncGeneratorFunction.cpp:
2676         (JSC::JSAsyncGeneratorFunction::create):
2677         * runtime/JSFunction.cpp:
2678         (JSC::JSFunction::create):
2679         * runtime/JSFunctionInlines.h:
2680         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2681         * runtime/JSGeneratorFunction.cpp:
2682         (JSC::JSGeneratorFunction::create):
2683         * runtime/JSSymbolTableObject.h:
2684         (JSC::JSSymbolTableObject::setSymbolTable):
2685         * runtime/SymbolTable.cpp:
2686         (JSC::SymbolTable::finishCreation):
2687         * runtime/VM.cpp:
2688         (JSC::VM::VM):
2689
2690 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2691
2692         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2693         https://bugs.webkit.org/show_bug.cgi?id=194085
2694
2695         Reviewed by Yusuke Suzuki.
2696
2697         r240730 changed ud_itab.py and caused incremental build failures
2698         for Ninja builds.
2699
2700         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2701
2702 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2703
2704         [JSC] Symbol should be in destructibleCellSpace
2705         https://bugs.webkit.org/show_bug.cgi?id=194082
2706
2707         Reviewed by Saam Barati.
2708
2709         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2710         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2711         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2712         Symbol's space destructibleCellSpace to appropriately call the destructor.
2713
2714         * runtime/Symbol.h:
2715
2716 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2717
2718         Unreviewed, rolling out r240755.
2719
2720         This was not correct
2721
2722         Reverted changeset:
2723
2724         "Unreviewed, fix GCC build after r240730"
2725         https://bugs.webkit.org/show_bug.cgi?id=194041
2726         https://trac.webkit.org/changeset/240755
2727
2728 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2729
2730         Unreviewed, fix GCC build after r240730
2731         https://bugs.webkit.org/show_bug.cgi?id=194041
2732         <rdar://problem/47680981>
2733
2734         * disassembler/udis86/ud_itab.py:
2735         (UdItabGenerator.genOpcodeTablesLookupIndex):
2736
2737 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2738
2739         testapi's `testBytecodeCache` does not need to run the code twice
2740         https://bugs.webkit.org/show_bug.cgi?id=194046
2741
2742         Reviewed by Mark Lam.
2743
2744         Since we populate the cache eagerly (unlike the stress tests) we don't
2745         need to run the code twice.
2746
2747         * API/tests/testapi.mm:
2748         (testBytecodeCache):
2749
2750 2019-01-30  Saam barati  <sbarati@apple.com>
2751
2752         [WebAssembly] Change BBQ to generate Air IR
2753         https://bugs.webkit.org/show_bug.cgi?id=191802
2754         <rdar://problem/47651718>
2755
2756         Reviewed by Keith Miller.
2757
2758         This patch adds a new Wasm compiler for the BBQ tier. Instead
2759         of compiling using B3-O1, we now generate Air code directly.
2760         The goal of doing this was to speed up compile times for Wasm
2761         programs.
2762
2763         This patch provides us with a 20-30% compile time speedup. However, I
2764         have ideas on how to improve compile times even further. For example,
2765         we should probably implement a faster running register allocator:
2766         https://bugs.webkit.org/show_bug.cgi?id=194036
2767
2768         We can also improve on the code we generate.
2769         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2770         And we should do better instruction selection in various
2771         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2772
2773         * JavaScriptCore.xcodeproj/project.pbxproj:
2774         * Sources.txt:
2775         * b3/B3LowerToAir.cpp:
2776         * b3/B3StackmapSpecial.h:
2777         * b3/air/AirCode.cpp:
2778         (JSC::B3::Air::Code::emitDefaultPrologue):
2779         * b3/air/AirCode.h:
2780         * b3/air/AirTmp.h:
2781         (JSC::B3::Air::Tmp::Tmp):
2782         * runtime/Options.h:
2783         * wasm/WasmAirIRGenerator.cpp: Added.
2784         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2785         (JSC::Wasm::TypedTmp::TypedTmp):
2786         (JSC::Wasm::TypedTmp::operator== const):
2787         (JSC::Wasm::TypedTmp::operator!= const):
2788         (JSC::Wasm::TypedTmp::operator bool const):
2789         (JSC::Wasm::TypedTmp::operator Tmp const):
2790         (JSC::Wasm::TypedTmp::operator Arg const):
2791         (JSC::Wasm::TypedTmp::tmp const):
2792         (JSC::Wasm::TypedTmp::type const):
2793         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2794         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2795         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2796         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2797         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2798         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2799         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2800         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2801         (JSC::Wasm::AirIRGenerator::emptyExpression):
2802         (JSC::Wasm::AirIRGenerator::fail const):
2803         (JSC::Wasm::AirIRGenerator::setParser):
2804         (JSC::Wasm::AirIRGenerator::toTmpVector):
2805         (JSC::Wasm::AirIRGenerator::validateInst):
2806         (JSC::Wasm::AirIRGenerator::extractArg):
2807         (JSC::Wasm::AirIRGenerator::append):
2808         (JSC::Wasm::AirIRGenerator::appendEffectful):
2809         (JSC::Wasm::AirIRGenerator::newTmp):
2810         (JSC::Wasm::AirIRGenerator::g32):
2811         (JSC::Wasm::AirIRGenerator::g64):
2812         (JSC::Wasm::AirIRGenerator::f32):
2813         (JSC::Wasm::AirIRGenerator::f64):
2814         (JSC::Wasm::AirIRGenerator::tmpForType):
2815         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2816         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2817         (JSC::Wasm::AirIRGenerator::emitCheck):
2818         (JSC::Wasm::AirIRGenerator::emitCCall):
2819         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2820         (JSC::Wasm::AirIRGenerator::instanceValue):
2821         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2822         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2823         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2824         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2825         (JSC::Wasm::AirIRGenerator::emitThrowException):
2826         (JSC::Wasm::AirIRGenerator::addLocal):
2827         (JSC::Wasm::AirIRGenerator::addConstant):
2828         (JSC::Wasm::AirIRGenerator::addArguments):
2829         (JSC::Wasm::AirIRGenerator::getLocal):
2830         (JSC::Wasm::AirIRGenerator::addUnreachable):
2831         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2832         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2833         (JSC::Wasm::AirIRGenerator::setLocal):
2834         (JSC::Wasm::AirIRGenerator::getGlobal):
2835         (JSC::Wasm::AirIRGenerator::setGlobal):
2836         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2837         (JSC::Wasm::sizeOfLoadOp):
2838         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2839         (JSC::Wasm::AirIRGenerator::load):
2840         (JSC::Wasm::sizeOfStoreOp):
2841         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2842         (JSC::Wasm::AirIRGenerator::store):
2843         (JSC::Wasm::AirIRGenerator::addSelect):
2844         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2845         (JSC::Wasm::AirIRGenerator::addLoop):
2846         (JSC::Wasm::AirIRGenerator::addTopLevel):
2847         (JSC::Wasm::AirIRGenerator::addBlock):
2848         (JSC::Wasm::AirIRGenerator::addIf):
2849         (JSC::Wasm::AirIRGenerator::addElse):
2850         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2851         (JSC::Wasm::AirIRGenerator::addReturn):
2852         (JSC::Wasm::AirIRGenerator::addBranch):
2853         (JSC::Wasm::AirIRGenerator::addSwitch):
2854         (JSC::Wasm::AirIRGenerator::endBlock):
2855         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2856         (JSC::Wasm::AirIRGenerator::addCall):
2857         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2858         (JSC::Wasm::AirIRGenerator::unify):
2859         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2860         (JSC::Wasm::AirIRGenerator::dump):
2861         (JSC::Wasm::AirIRGenerator::origin):
2862         (JSC::Wasm::parseAndCompileAir):
2863         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2864         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2865         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2866         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2867         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2868         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2869         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2870         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2871         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2872         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2873         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2874         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2875         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2876         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2877         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2878         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2879         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2880         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2881         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2882         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2883         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2884         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2885         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2886         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2887         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2888         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2889         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2890         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2891         (JSC::Wasm::AirIRGenerator::addShift):
2892         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2893         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2894         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2895         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2896         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2897         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2898         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2899         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2900         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2901         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2902         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2903         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2904         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2905         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2906         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2907         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2908         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2909         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2910         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2911         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2912         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2913         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2914         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2915         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2916         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2917         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2918         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2919         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2920         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2921         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2922         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2923         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2924         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2925         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2926         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2927         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2928         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2929         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2930         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2931         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2932         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2933         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2934         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2935         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2936         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2937         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2941         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2942         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2943         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2944         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2948         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2949         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2950         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2951         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2952         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2953         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2954         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2955         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2962         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2963         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2964         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2965         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2966         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2967         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2968         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2969         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2970         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2971         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2972         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2973         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2974         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2975         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2976         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2977         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2978         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2979         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2980         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2981         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2982         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2983         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2984         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2985         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2992         * wasm/WasmAirIRGenerator.h: Added.
2993         * wasm/WasmB3IRGenerator.cpp:
2994         (JSC::Wasm::B3IRGenerator::emptyExpression):
2995         * wasm/WasmBBQPlan.cpp:
2996         (JSC::Wasm::BBQPlan::compileFunctions):
2997         * wasm/WasmCallingConvention.cpp:
2998         (JSC::Wasm::jscCallingConventionAir):
2999         (JSC::Wasm::wasmCallingConventionAir):
3000         * wasm/WasmCallingConvention.h:
3001         (JSC::Wasm::CallingConvention::CallingConvention):
3002         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3003         (JSC::Wasm::CallingConvention::marshallArgument const):
3004         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3005         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3006         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3007         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3008         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3009         (JSC::Wasm::CallingConventionAir::loadArguments const):
3010         (JSC::Wasm::CallingConventionAir::setupCall const):
3011         (JSC::Wasm::nextJSCOffset):
3012         * wasm/WasmFunctionParser.h:
3013         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3014         * wasm/WasmValidate.cpp:
3015         (JSC::Wasm::Validate::emptyExpression):
3016
3017 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3018
3019         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3020         https://bugs.webkit.org/show_bug.cgi?id=194050
3021         <rdar://problem/47595592>
3022
3023         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3024         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3025
3026         Reviewed by Yusuke Suzuki.
3027
3028         * ftl/FTLOperations.cpp:
3029         (JSC::FTL::operationMaterializeObjectInOSR):
3030
3031 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3032
3033         Remove assertion that CachedSymbolTables should have no RareData
3034         https://bugs.webkit.org/show_bug.cgi?id=194037
3035
3036         Reviewed by Mark Lam.
3037
3038         It turns out that we don't need to cache the SymbolTableRareData and
3039         we should not assert that it's empty.
3040
3041         * runtime/CachedTypes.cpp:
3042         (JSC::CachedSymbolTable::encode):
3043
3044 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3045
3046         CachedBytecode's move constructor should not call `freeDataIfOwned`
3047         https://bugs.webkit.org/show_bug.cgi?id=194045
3048
3049         Reviewed by Mark Lam.
3050
3051         That might result in freeing a garbage value.
3052
3053         * parser/SourceProvider.h:
3054         (JSC::CachedBytecode::CachedBytecode):
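
        The entry above describes a move constructor that called `freeDataIfOwned` before the new object's own members were initialized. The following is an added illustration, not JSC's CachedBytecode code: a hypothetical `OwnedBuffer` class shows the safe shape of a move constructor (steal the source's pointer, disarm the source, free nothing) next to a move assignment, where freeing the current data first is legitimate because `*this` is already fully constructed. The sample buffer contents are constructed for the example.

```cpp
#include <cstdlib>
#include <cstring>
#include <utility>

// Hypothetical owning buffer (not JSC's CachedBytecode) used to illustrate the
// move-constructor pitfall: a "free if owned" helper must never run on an object
// whose members have not been initialized yet.
class OwnedBuffer {
public:
    OwnedBuffer() = default;

    // Takes (or merely borrows) a malloc'd block.
    OwnedBuffer(void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    ~OwnedBuffer() { freeDataIfOwned(); }

    // Safe move constructor: copy the source's fields in the initializer list,
    // then disarm the source. Nothing is freed, because nothing is owned yet.
    //
    // The pattern warned about in the entry would instead look like
    //   OwnedBuffer(OwnedBuffer&& other) { freeDataIfOwned(); m_data = other.m_data; ... }
    // Without default member initializers, m_owned/m_data hold whatever bytes were
    // at that address, and freeDataIfOwned() may call free() on a garbage pointer.
    OwnedBuffer(OwnedBuffer&& other) noexcept
        : m_data(other.m_data), m_size(other.m_size), m_owned(other.m_owned)
    {
        other.m_data = nullptr;
        other.m_size = 0;
        other.m_owned = false;
    }

    // Move assignment: here *this is fully constructed, so releasing the current
    // data before taking the new one is the correct thing to do.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = other.m_data;
            m_size = other.m_size;
            m_owned = other.m_owned;
            other.m_data = nullptr;
            other.m_size = 0;
            other.m_owned = false;
        }
        return *this;
    }

    OwnedBuffer(const OwnedBuffer&) = delete;
    OwnedBuffer& operator=(const OwnedBuffer&) = delete;

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    void freeDataIfOwned()
    {
        if (m_owned && m_data)
            free(m_data);
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    // Default member initializers are a second line of defense: even a helper
    // called too early sees a null, unowned buffer rather than garbage.
    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Constructed sample: a 16-byte owned block ("cached bytecode" plus NUL).
OwnedBuffer makeSample()
{
    const char text[] = "cached bytecode";
    void* block = malloc(sizeof(text));
    memcpy(block, text, sizeof(text));
    return OwnedBuffer(block, sizeof(text), true);
}

// True when a move-constructed buffer owns exactly the source's block, the bytes
// are intact, and the source is left empty (so its destructor frees nothing).
bool moveConstructTransfersOwnership()
{
    OwnedBuffer source = makeSample();
    const void* original = source.data();
    OwnedBuffer dest(std::move(source));
    return dest.data() == original && dest.owned() && dest.size() == 16
        && source.data() == nullptr && !source.owned() && source.size() == 0
        && strcmp(static_cast<const char*>(dest.data()), "cached bytecode") == 0;
}

// True when move assignment releases the old block and adopts the new one.
bool moveAssignReplacesData()
{
    OwnedBuffer a = makeSample();
    OwnedBuffer b = makeSample();
    const void* bData = b.data();
    a = std::move(b);
    return a.data() == bData && a.owned() && a.size() == 16 && b.data() == nullptr;
}
```

        The distinction is the state of `*this`: in a constructor the members are not meaningful until the initializer list has run, whereas in an assignment operator they are, so "release what I hold" belongs only in the latter.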
3055
3056 2019-01-30  Keith Miller  <keith_miller@apple.com>
3057
3058         mul32 should convert powers of 2 to an lshift
3059         https://bugs.webkit.org/show_bug.cgi?id=193957
3060
3061         Reviewed by Yusuke Suzuki.
3062
3063         * assembler/MacroAssembler.h:
3064         (JSC::MacroAssembler::mul32):
3065         * assembler/testmasm.cpp:
3066         (JSC::int32Operands):
3067         (JSC::testMul32WithImmediates):
3068         (JSC::run):
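
        The mul32 entry above turns a multiply by a power-of-two immediate into a left shift. As an added example that is not JSC's MacroAssembler code, the hypothetical helpers below show the power-of-two test and the reduction, and check that the shift form agrees with the plain multiply under 32-bit wraparound across constructed edge-case operands (0, 1, INT32_MIN as 0x80000000, 0xffffffff), including 0x80000000 itself, which is a power of two whose shift count is 31.

```cpp
#include <cstdint>

// Hypothetical strength-reduction helpers (not JSC's mul32). The identity
// value * 2^k == value << k holds modulo 2^32, so everything is done in uint32_t
// to keep the arithmetic well defined for what are, in the JIT, signed operands.

// Returns k when imm == 2^k, otherwise -1. Zero is not a power of two.
int log2IfPowerOfTwo(uint32_t imm)
{
    if (imm == 0 || (imm & (imm - 1)) != 0)
        return -1;
    int shift = 0;
    while ((1u << shift) != imm)
        ++shift;
    return shift;
}

// The "before" form: a plain 32-bit multiply.
uint32_t mul32Generic(uint32_t value, uint32_t imm)
{
    return value * imm;
}

// The reduced form: a shift when the immediate is a power of two, else a multiply.
uint32_t mul32Reduced(uint32_t value, uint32_t imm)
{
    int shift = log2IfPowerOfTwo(imm);
    if (shift >= 0)
        return value << shift;
    return value * imm;
}

// Cross-checks the two forms over constructed operands that cover the edge cases
// a reviewer would ask about: 0, 1, INT32_MAX, INT32_MIN (0x80000000), -1
// (0xffffffff), and immediates of 0, 1, 2^30, 2^31 and several non-powers of two.
bool reductionMatchesMultiply()
{
    const uint32_t operands[] = { 0u, 1u, 2u, 3u, 0x7fffffffu, 0x80000000u, 0xffffffffu, 0x12345678u };
    const uint32_t immediates[] = { 0u, 1u, 2u, 4u, 8u, 0x40000000u, 0x80000000u, 3u, 6u, 1000u };
    for (uint32_t value : operands) {
        for (uint32_t imm : immediates) {
            if (mul32Generic(value, imm) != mul32Reduced(value, imm))
                return false;
        }
    }
    return true;
}
```

        The `imm & (imm - 1)` test is the usual single-bit check; the guard against `imm == 0` matters because `0 & 0xffffffff` is also zero, and a shift by "log2(0)" would otherwise be emitted for a multiply that must yield zero.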
3069
3070 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3071
3072         [JSC] Make disassembler data structures constant read-only data
3073         https://bugs.webkit.org/show_bug.cgi?id=194041
3074
3075         Reviewed by Mark Lam.
3076
3077         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3078         This patch makes them "const".
3079
3080         * disassembler/ARM64/A64DOpcode.cpp:
3081         * disassembler/udis86/ud_itab.py:
3082         (UdItabGenerator.genOpcodeTablesLookupIndex):
3083         (UdItabGenerator.genInsnTable):
3084         (UdItabGenerator.genMnemonicsList):
3085         (genItabH):
3086         * disassembler/udis86/udis86_decode.h:
3087         * disassembler/udis86/udis86_syn.c:
3088         * disassembler/udis86/udis86_syn.h:
3089         * disassembler/udis86/udis86_types.h:
3090
3091 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3092
3093         Unreviewed, update the builtin test results
3094         https://bugs.webkit.org/show_bug.cgi?id=194015
3095
3096         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3097         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3098         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3099         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3100         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3101         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3102         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3103         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3104         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3105         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3106         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3107         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3108         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3109
3110 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3111
3112         [JSC] Make global static variables "const" as much as possible
3113         https://bugs.webkit.org/show_bug.cgi?id=194015
3114
3115         Reviewed by Mark Lam.
3116
3117         Some global static variables are not "const". For example, `static const char* name = ...`
3118         is not a constant variable. We should make it `static const char* const name = ...`.
3119
3120         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3121         (generate_externs_for_object):
3122         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3123         (generate_externs_for_object):
3124         * Scripts/wkbuiltins/builtins_generator.py:
3125         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3126         * assembler/MacroAssembler.h:
3127         (JSC::MacroAssembler::additionBlindedConstant):
3128         * b3/air/AirFormTable.h:
3129         * b3/air/opcode_generator.rb:
3130         * runtime/JSObject.cpp:
3131         (JSC::JSObject::visitButterfly):
3132         * tools/CodeProfile.cpp:
3133         * tools/CodeProfile.h:
3134
3135 2019-01-29  Keith Miller  <keith_miller@apple.com>
3136
3137         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3138         https://bugs.webkit.org/show_bug.cgi?id=194000
3139         <rdar://problem/47642894>
3140
3141         Reviewed by Mark Lam.
3142
3143         The default constructor is unused, and
3144         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3145         data member, which causes sadness.
3146
3147         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3148
3149 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3150
3151         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3152
3153         Rubber-stamped by Yusuke Suzuki.
3154
3155         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3156
3157         * parser/Parser.h:
3158         (JSC::Parser::declareHoistedVariable):
3159
3160 2019-01-29  Mark Lam  <mark.lam@apple.com>
3161
3162         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3163         https://bugs.webkit.org/show_bug.cgi?id=132333
3164
3165         Reviewed by Yusuke Suzuki.
3166
3167         * bytecode/InstructionStream.h:
3168         (JSC::InstructionStreamWriter::write):
3169         - The 32-bit write() function need not invert the order of the bytes written to
3170           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3171           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3172
3173         * llint/LLIntOfflineAsmConfig.h:
3174         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3175
3176 2019-01-29  Mark Lam  <mark.lam@apple.com>
3177
3178         ValueRecovery::recover() should purify NaN values it recovers.
3179         https://bugs.webkit.org/show_bug.cgi?id=193978
3180         <rdar://problem/47625488>
3181
3182         Reviewed by Saam Barati.
3183
3184         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3185         recovered DoubleDisplacedInJSStack values need to be purified.
3186         ValueRecovery::recover() should do the same.
3187
3188         * bytecode/ValueRecovery.cpp:
3189         (JSC::ValueRecovery::recover const):
3190
3191 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3192
3193         [JSC] FTL should handle LocalAllocator*
3194         https://bugs.webkit.org/show_bug.cgi?id=193980
3195
3196         Reviewed by Saam Barati.
3197
3198         At some point, Allocator started holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3199         because the FTL still uses the incoming value as a 32-bit integer there.
3200
3201         * ftl/FTLLowerDFGToB3.cpp:
3202         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3203
3204 2019-01-29  Keith Rollin  <krollin@apple.com>
3205
3206         Add .xcfilelists to Run Script build phases
3207         https://bugs.webkit.org/show_bug.cgi?id=193792
3208         <rdar://problem/47201785>
3209
3210         Reviewed by Alex Christensen.
3211
3212         As part of supporting XCBuild, update the necessary Run Script build
3213         phases in their Xcode projects to refer to their associated
3214         .xcfilelist files.
3215
3216         Note that the addition of these files bumps the Xcode project version
3217         number to something that's Xcode 10 compatible. This change means that
3218         older versions of the Xcode IDE can't read these projects. Nor can they
3219         fully load workspaces that refer to these projects (the updated
3220         projects are shown as non-expandable placeholders). `xcodebuild` can
3221         still build these projects; it's just that the IDE can't open them.
3222
3223         * JavaScriptCore.xcodeproj/project.pbxproj:
3224
3225 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3226
3227         [ARM] Check for negative zero instead of just zero
3228         https://bugs.webkit.org/show_bug.cgi?id=193689
3229
3230         Reviewed by Mark Lam.
3231
3232         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3233         of just bailing out for zero.
3234
3235         * assembler/MacroAssemblerARMv7.h:
3236         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3237
3238 2019-01-28  Devin Rousso  <drousso@apple.com>
3239
3240         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3241         https://bugs.webkit.org/show_bug.cgi?id=193863
3242         <rdar://problem/47572764>
3243
3244         Reviewed by Joseph Pecoraro.
3245
3246         * inspector/protocol/Page.json:
3247         Add more values to the `Setting` enum type:
3248          - `ICECandidateFilteringEnabled`
3249          - `MediaCaptureRequiresSecureConnection`
3250          - `MockCaptureDevicesEnabled`
3251
3252 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3253
3254         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3255         https://bugs.webkit.org/show_bug.cgi?id=193941
3256
3257         Reviewed by Alex Christensen.
3258
3259         * API/JSWeakObjectMapRefPrivate.cpp:
3260         * bytecompiler/NodesCodegen.cpp:
3261         * heap/MachineStackMarker.cpp:
3262         * jit/ExecutableAllocator.cpp:
3263         * jsc.cpp:
3264         * parser/Nodes.cpp:
3265         * runtime/DateConstructor.cpp:
3266         * runtime/DateConversion.cpp:
3267         * runtime/DateInstance.cpp:
3268         * runtime/DatePrototype.cpp:
3269         * runtime/InitializeThreading.cpp:
3270         * runtime/IteratorOperations.cpp:
3271         * runtime/JSDateMath.cpp:
3272         * runtime/JSGlobalObjectFunctions.cpp:
3273         * runtime/StringPrototype.cpp:
3274         * runtime/VM.cpp:
3275         * testRegExp.cpp:
3276         * tools/JSDollarVM.cpp:
3277         * yarr/YarrInterpreter.cpp:
3278         * yarr/YarrJIT.cpp:
3279         * yarr/YarrPattern.cpp:
3280         * yarr/YarrUnicodeProperties.cpp:
3281
3282 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3283
3284         [JSC] Reduce size of memory used for ShadowChicken
3285         https://bugs.webkit.org/show_bug.cgi?id=193546
3286
3287         Reviewed by Mark Lam.
3288
3289         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3290         The removal of ShadowChicken saves 55KB of memory.
3291
3292         * debugger/DebuggerCallFrame.cpp:
3293         (JSC::DebuggerCallFrame::create):
3294         * ftl/FTLLowerDFGToB3.cpp:
3295         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3296         * heap/Heap.cpp:
3297         (JSC::Heap::stopThePeriphery):
3298         (JSC::Heap::addCoreConstraints):
3299         * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setDebugger):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setDebugger): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureShadowChicken):
        * runtime/VM.h:
        (JSC::VM::shadowChicken):
        * tools/JSDollarVM.cpp:
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::changeDebuggerModeWhenIdle):

2019-01-28  Andy Estes  <aestes@apple.com>

        [watchOS] Enable Parental Controls content filtering
        https://bugs.webkit.org/show_bug.cgi?id=193939
        <rdar://problem/46641912>

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-01-28  Mark Lam  <mark.lam@apple.com>

        ToString node actually does GC.
        https://bugs.webkit.org/show_bug.cgi?id=193920
        <rdar://problem/46695900>

        Reviewed by Yusuke Suzuki.

        Other than for StringObjectUse and StringOrStringObjectUse, ToString and
        CallStringConstructor can allocate new JSStrings, and hence, can GC.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] RegExpConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193801

        Reviewed by Mark Lam.

        This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes IsoSubspace for RegExpConstructor.
        sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
        regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
        it from RegExpConstructor members.

        We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
        JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
        node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.

        We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpGlobalData):
        (JSC::JSGlobalObject::regExpGlobalDataOffset):
        (JSC::JSGlobalObject::regExpConstructor const): Deleted.
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::initialize):
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::emptyRegExp const):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::visitAggregate):
        (JSC::RegExpCachedResult::visitChildren): Deleted.
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::RegExpConstructor::destroy): Deleted.
        (JSC::RegExpConstructor::visitChildren): Deleted.
        (JSC::RegExpConstructor::getBackref): Deleted.
        (JSC::RegExpConstructor::getLastParen): Deleted.
        (JSC::RegExpConstructor::getLeftContext): Deleted.
        (JSC::RegExpConstructor::getRightContext): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::performMatch): Deleted.
        (JSC::RegExpConstructor::recordMatch): Deleted.
        * runtime/RegExpGlobalData.cpp: Added.
        (JSC::RegExpGlobalData::visitAggregate):
        (JSC::RegExpGlobalData::getBackref):
        (JSC::RegExpGlobalData::getLastParen):
        (JSC::RegExpGlobalData::getLeftContext):
        (JSC::RegExpGlobalData::getRightContext):
        * runtime/RegExpGlobalData.h: Added.
        (JSC::RegExpGlobalData::cachedResult):
        (JSC::RegExpGlobalData::setMultiline):
        (JSC::RegExpGlobalData::multiline const):
        (JSC::RegExpGlobalData::input):
        (JSC::RegExpGlobalData::offsetOfCachedResult):
        * runtime/RegExpGlobalDataInlines.h: Added.
        (JSC::RegExpGlobalData::setInput):
        (JSC::RegExpGlobalData::performMatch):
        (JSC::RegExpGlobalData::recordMatch):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::matchGlobal):
        * runtime/RegExpObjectInlines.h:
        (JSC::RegExpObject::execInline):
        (JSC::RegExpObject::matchInline):
        (JSC::collectMatches):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::RegExpPrototype::visitChildren): Deleted.
        * runtime/RegExpPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2018-12-15  Darin Adler  <darin@apple.com>

        Replace many uses of String::format with more type-safe alternatives
        https://bugs.webkit.org/show_bug.cgi?id=192742

        Reviewed by Mark Lam.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall): Use makeString.
        (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getPropertyValue): Ditto.
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable): Ditto.
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const): Ditto.

        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
        using String::number.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList): Ditto.

2019-01-27  Chris Fleizach  <cfleizach@apple.com>

        AX: Introduce a static accessibility tree
        https://bugs.webkit.org/show_bug.cgi?id=193348
        <rdar://problem/47203295>

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-01-26  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit the user agent of a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193862
        <rdar://problem/47359292>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideUserAgent` command.

2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193713

        Reviewed by Saam Barati.

        This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
        We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
        threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
        offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
        IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
        referenced.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/BuiltinNames.h:
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (WTF::printInternal): Deleted.
        * runtime/Error.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::create):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create): Deleted.
        * runtime/ErrorType.cpp: Added.
        (JSC::errorTypeName):
        (WTF::printInternal):
        * runtime/ErrorType.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::initializeErrorConstructor):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::internalPromiseConstructor const):
        (JSC::JSGlobalObject::errorStructure const):
        (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
        (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
        (JSC::NativeErrorConstructorBase::finishCreation):
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
        (JSC::NativeErrorConstructor::finishCreation): Deleted.
        (JSC::NativeErrorConstructor::visitChildren): Deleted.
        (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
        (JSC::Interpreter::callNativeErrorConstructor): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructorBase::createStructure):
        (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation): Deleted.
        * runtime/NativeErrorPrototype.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):

2019-01-25  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide a way to edit page settings on a remote target
        https://bugs.webkit.org/show_bug.cgi?id=193813
        <rdar://problem/47359510>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:
        Add `overrideSetting` command with supporting `Setting` enum type.

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Check .xcfilelists" build phase
        https://bugs.webkit.org/show_bug.cgi?id=193790
        <rdar://problem/47201374>

        Reviewed by Alex Christensen.

        Support for XCBuild includes specifying inputs and outputs to various
        Run Script build phases. These inputs and outputs are specified as
        .xcfilelist files. Once created, these .xcfilelist files need to be
        kept up-to-date. In order to check that they are up-to-date or not,
        add an Xcode build step that invokes an external script that performs
        the checking. If the .xcfilelists are found to be out-of-date, update
        them, halt the build, and instruct the developer to restart the build
        with up-to-date files.

        At this time, the checking and regenerating is performed only if the
        WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
        who want to use this facility can set this variable and test out the
        checking/regenerating. Once it seems like there are no egregious
        issues that upset a developer's workflow, we'll unconditionally enable
        this facility.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/check-xcfilelists.sh: Added.

2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=193796
        <rdar://problem/47532910>

        Reviewed by Devin Rousso.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::machThread):
        * runtime/SamplingProfiler.h:
        Expose the mach_port_t of the SamplingProfiler thread
        so it can be tested against later.

2019-01-25  Alex Christensen  <achristensen@webkit.org>

        Fix Windows build after r240511

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update Xcode projects with "Apply Configuration to XCFileLists" build target
        https://bugs.webkit.org/show_bug.cgi?id=193781
        <rdar://problem/47201153>

        Reviewed by Alex Christensen.

        Part of generating the .xcfilelists used as part of adopting XCBuild
        includes running `make DerivedSources.make` from a standalone script.
        It's important for this invocation to have the same environment as
        when the actual build invokes `make DerivedSources.make`. If the
        environments are different, then the two invocations will provide
        different results. In order to get the same environment in the
        standalone script, have the script launch xcodebuild targeting the
        "Apply Configuration to XCFileLists" build target, which will then
        re-invoke our standalone script. The script is now running again, this
        time in an environment with all workspace, project, target, xcconfig
        and other environment variables established.

        The "Apply Configuration to XCFileLists" build target accomplishes
        this task via a small embedded shell script that consists only of:

            eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"

        The process that invokes "Apply Configuration to XCFileLists" first
        sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
        evaluated and exports it into the shell environment. When xcodebuild
        is invoked, it inherits the value of this variable and can `eval` the
        contents of that variable. Our external standalone script can then set
        WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
        of command-line parameters needed to restart itself in the appropriate
        state.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>

        Add API to generate and consume cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=193401
        <rdar://problem/47514099>

        Reviewed by Keith Miller.

        Add the `generateBytecode` and `generateModuleBytecode` functions to
        generate serialized bytecode for a given `SourceCode`. These functions
        will eagerly generate code for all the nested functions.

        Additionally, update the API methods in JSScript to generate and use the
        bytecode when the bytecodeCache path is provided.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSScript.mm:
        (+[JSScript scriptWithSource:inVirtualMachine:]):
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):
        (-[JSScript readCache]):
        (-[JSScript writeCache]):
        (-[JSScript hash]):
        (-[JSScript source]):
        (-[JSScript cachedBytecode]):
        (-[JSScript jsSourceCode:]):
        * API/JSScriptInternal.h:
        * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::create):
        (JSScriptSourceProvider::JSScriptSourceProvider):
        * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
        (JSScriptSourceProvider::hash const):
        (JSScriptSourceProvider::source const):
        (JSScriptSourceProvider::cachedBytecode const):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine vm]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        (testBytecodeCache):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * SourcesCocoa.txt:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::source const):
        * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):
        (JSC::CachedBytecode::operator=):
        (JSC::CachedBytecode::data const):
        (JSC::CachedBytecode::size const):
        (JSC::CachedBytecode::owned const):
        (JSC::CachedBytecode::~CachedBytecode):
        (JSC::CachedBytecode::freeDataIfOwned):
        (JSC::SourceProvider::cachedBytecode const):
        * parser/UnlinkedSourceCode.h:
        (JSC::UnlinkedSourceCode::provider const):
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):
        (JSC::writeCodeBlock):
        (JSC::serializeBytecode):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
        (JSC::CodeCacheMap::findCacheAndUpdateAge):
        (JSC::generateUnlinkedCodeBlockImpl):
        (JSC::generateUnlinkedCodeBlock):
        * runtime/Completion.cpp:
        (JSC::generateBytecode):
        (JSC::generateModuleBytecode):
        * runtime/Completion.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update WebKitAdditions.xcconfig with correct order of variable definitions
        https://bugs.webkit.org/show_bug.cgi?id=193793
        <rdar://problem/47532439>

        Reviewed by Alex Christensen.

        XCBuild changes the way xcconfig variables are evaluated. In short,
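        The sublaunch described above, modelled as an added example that is not WebKit's own script: a stand-in standalone script packs a re-invocation of itself into WK_SUBLAUNCH_SCRIPT_PARAMETERS, exports it, and a child shell standing in for the xcodebuild build phase evals it. Environment variables are plain strings (bash cannot export arrays), so the value is exported as one pre-quoted command line, which is also what bash's "${VAR[@]}" yields for a scalar variable; the quoting helper, the temp-file script, the explicit `sh` prefix and the argument values are this example's own choices.

```shell
#!/bin/sh
# Added example, not WebKit's own script: models the two-step sublaunch
# in which a standalone script exports WK_SUBLAUNCH_SCRIPT_PARAMETERS and
# a build phase running in a child shell evals it to restart the script.

# shquote WORD: single-quote WORD, escaping embedded single quotes, so that
# eval reproduces it as exactly one argument (spaces and quotes preserved).
shquote() {
    _s=$1
    _out=
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}          # first character of what is left
        _s=${_s#?}
        if [ "$_c" = "'" ]; then
            _out="$_out'\\''"       # close quote, escaped quote, reopen
        else
            _out="$_out$_c"
        fi
    done
    printf "'%s'" "$_out"
}

# build_sublaunch_parameters CMD ARG...: the single string the parent
# exports; each word is quoted so the child's eval splits it correctly.
build_sublaunch_parameters() {
    _cmd=
    for _a in "$@"; do
        _cmd="$_cmd $(shquote "$_a")"
    done
    printf '%s' "${_cmd# }"
}

# build_phase: stand-in for the embedded "Apply Configuration to
# XCFileLists" phase script. It runs in a child shell, so it sees only
# what was exported, exactly like xcodebuild would.
build_phase() {
    sh -c 'eval "$WK_SUBLAUNCH_SCRIPT_PARAMETERS"'
}

# relaunch_demo: the standalone script's side. It writes a small stand-in
# script (constructed here) to a path containing a space, packs a
# re-invocation of it with awkward arguments, exports the variable and
# hands off to the build phase. Its output is the child's output.
relaunch_demo() {
    _dir=$(mktemp -d)
    _script="$_dir/relaunch me.sh"
    cat > "$_script" <<'EOF'
#!/bin/sh
# Print each argument on its own line, bracketed, so splitting is visible.
for arg in "$@"; do printf '[%s]\n' "$arg"; done
EOF
    WK_SUBLAUNCH_SCRIPT_PARAMETERS=$(build_sublaunch_parameters \
        sh "$_script" --phase apply "it's" "two words")
    export WK_SUBLAUNCH_SCRIPT_PARAMETERS
    build_phase
    rm -rf "$_dir"
}
```

Because the build phase evaluates whatever the environment carries, the variable must be set only by the invoking script itself, with every argument quoted as shown, so that paths with spaces or quotes are reproduced as single arguments.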
        all config file assignments are now considered as part of the
        evaluation. When using the new build system and an .xcconfig file
        contains multiple assignments of the same build setting:

        - Later assignments using $(inherited) will inherit from earlier
          assignments in the xcconfig file.
        - Later assignments not using $(inherited) will take precedence over
          earlier assignments. An assignment to a more general setting will
          mask an earlier assignment to a less general setting. For example,
          an assignment without a condition ('FOO = bar') will completely mask
          an earlier assignment with a condition ('FOO[sdk=macos*] = quux').

        This affects some of our .xcconfig files, in that sometimes platform-
        or sdk-specific definitions appear before the general definitions.
        Under the new evaluation rules, the general definitions always take
        effect because they always overwrite the more-specific definitions. The
        solution is to swap the order, so that the general definitions are
        established first, and then conditionally overwritten by the
        more-specific definitions.

        * Configurations/Version.xcconfig:

2019-01-25  Keith Rollin  <krollin@apple.com>

        Update existing .xcfilelists
        https://bugs.webkit.org/show_bug.cgi?id=193791
        <rdar://problem/47201706>

        Reviewed by Alex Christensen.

        Many .xcfilelist files were added in r238824 in order to support
        XCBuild. Update these with recent changes to the set of build files
        and with the current generate-xcfilelist script.

        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * UnifiedSources-input.xcfilelist:
        * UnifiedSources-output.xcfilelist:

2019-01-25  Jon Davis  <jond@apple.com>

        Update JavaScriptCore feature status entries.
        https://bugs.webkit.org/show_bug.cgi?id=193797

        Reviewed by Mark Lam.

        Updated feature status for Async Iteration, and Object rest/spread.

        * features.json:

2019-01-24  Keith Miller  <keith_miller@apple.com>

        Remove usage of internal macro from private header
        https://bugs.webkit.org/show_bug.cgi?id=193809

        Reviewed by Saam Barati.

        Also, add a new file to include all of our API headers to make sure
        they don't accidentally include C++ or internal values.

        * API/JSScript.h:
        * API/tests/testIncludes.m: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ErrorConstructor should not have own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193800

        Reviewed by Saam Barati.

        Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
        IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
        too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit is per-JSGlobalObject
        information, we should have m_stackTraceLimit in JSGlobalObject instead and put
        ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
        into IsoSubspaces) described,

            "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
            appear to just override methods, which are called dynamically via the structure or class of the object.
            So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."

        Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
        This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
        This reduces the memory usage.

        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        (JSC::constructErrorConstructor):
        (JSC::callErrorConstructor):
        (JSC::ErrorConstructor::put):
        (JSC::ErrorConstructor::deleteProperty):
        (JSC::Interpreter::constructWithErrorConstructor): Deleted.
        (JSC::Interpreter::callErrorConstructor): Deleted.
        * runtime/ErrorConstructor.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackTraceLimit const):
        (JSC::JSGlobalObject::setStackTraceLimit):
        (JSC::JSGlobalObject::errorConstructor const): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CPU Usage Timeline
        https://bugs.webkit.org/show_bug.cgi?id=193730
        <rdar://problem/46797201>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources.make:
        New files.

        * inspector/protocol/CPUProfiler.json: Added.
        New domain that follows the pattern of Memory/ScriptProfiler.

        * inspector/protocol/Timeline.json:
        New enum to auto-start a CPU instrument in the backend.

2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=193774

        Reviewed by Mark Lam.

        We put all the instances of InternalFunction and its subclasses in IsoSubspace to make them safer from UAF.
        But since IsoSubspace requires that the memory layout of instances be the same, we created a different IsoSubspace
        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate a 16KB page just
        for these two constructor instances. They are only two instances per JSGlobalObject.

        This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
        of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
        its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
        and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
        we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
        for ArrayBufferConstructors, and reduces the memory usage.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):