Fix DFG doesGC() for TryGetById and ProfileType nodes.
2019-02-19  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for TryGetById and ProfileType nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194821
        <rdar://problem/48206690>

        Reviewed by Saam Barati.

        Fix doesGC() for the following nodes:

            ProfileType:
                calls operationProcessTypeProfilerLogDFG(), which can call calculatedClassName(),
                which can call JSString::tryGetValue(), which can resolve a rope.

            TryGetById:
                calls operationTryGetByIdOptimize(), which can call startWatchingPropertyForReplacements()
                on a structure, which can allocate StructureRareData.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce JSNonDestructibleProxy for JavaScriptCore.framework's GlobalThis
        https://bugs.webkit.org/show_bug.cgi?id=194799

        Reviewed by Saam Barati.

        JSProxy is a destructible one because we have JSWindowProxy, which has a ref-counted object.
        However, JavaScriptCore.framework's JSProxy for GlobalThis does not need to be destructible.
        This is important since we need to separate Heap subspaces between destructible and non-destructible objects.
        If we can put more and more objects in non-destructible status, we can get rid of low-usage MarkedBlock.
        This patch adds JSNonDestructibleProxy, which is a non-destructible JSProxy. While it inherits from JSDestructibleObject,
        we can make the subclass still non-destructible thanks to the Subspace mechanism. This drops one more low-usage MarkedBlock.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNonDestructibleProxy.cpp: Added.
        * runtime/JSNonDestructibleProxy.h: Added.
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
        * runtime/JSProxy.h:
        (JSC::JSProxy::JSProxy):

2019-02-19  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength::simplifyCFG() could do a lot more on each iteration
        https://bugs.webkit.org/show_bug.cgi?id=194475

        Reviewed by Saam Barati.

        B3ReduceStrength::simplifyCFG() does three optimizations (which I will call A, B and C):
        - A makes any terminal that points to a block that is empty except for a jump point to that jump's target instead.
        - B transforms any branch or switch that points to a single block into a jump.
        - C finds blocks ending with jumps, whose successor has a single predecessor, and inlines that successor block in place of the jump.

        It is currently limited in the following way:
        - A and C can only fire once per block per iteration
        - B can create jumps that would trigger A, but they may not be seen until the next iteration

        Both problems are mitigated by going through the blocks in post-order, so that when a block is optimized most of its successors have already been optimized.
        In a sense it is the symmetric counterpart of the peephole optimizer that goes in pre-order so that when an instruction is optimized most of its children have already been optimized.

        On JetStream2 it reduces the average number of iterations from 3.35 to 3.24.

        * b3/B3ReduceStrength.cpp:

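The three rewrites A, B and C and the post-order walk, as an added example; this is a constructed toy CFG and not B3's IR or B3ReduceStrength's code. The block, edge and instruction representation, the function names (`simplifyCFGOnePass`, `passesToFixpoint`, `buildSampleCFG`) and the sample graph are all assumptions made for the illustration. On the sample, B collapses a branch into a jump and C then absorbs the target in the same pass, which is exactly the interaction the entry says was previously deferred to the next iteration.

```cpp
#include <functional>
#include <vector>

// Constructed toy CFG (not B3's IR): opaque instruction ids plus a terminal per block.
struct Block {
    enum Kind { Jump, Branch, Return };
    std::vector<int> body;       // non-terminal instructions
    Kind kind = Return;
    std::vector<int> successors; // Jump: {target}; Branch: {taken, notTaken}; Return: {}
};

struct CFG {
    std::vector<Block> blocks;   // block 0 is the entry
};

// Post-order lists every reachable block after its successors, so when a block is
// rewritten its successors have already been simplified in this same pass.
std::vector<int> postOrder(const CFG& cfg)
{
    std::vector<int> order;
    std::vector<bool> seen(cfg.blocks.size(), false);
    std::function<void(int)> visit = [&](int b) {
        if (seen[b])
            return;
        seen[b] = true;
        for (int s : cfg.blocks[b].successors)
            visit(s);
        order.push_back(b);
    };
    visit(0);
    return order;
}

// Predecessor counts over reachable blocks only.
static std::vector<int> predecessorCounts(const CFG& cfg)
{
    std::vector<int> counts(cfg.blocks.size(), 0);
    for (int b : postOrder(cfg))
        for (int s : cfg.blocks[b].successors)
            ++counts[s];
    return counts;
}

// A block that lost its last predecessor no longer contributes edges.
static void dropEdgesFrom(const CFG& cfg, std::vector<int>& preds, int dead)
{
    for (int s : cfg.blocks[dead].successors)
        if (--preds[s] == 0 && s != dead)
            dropEdgesFrom(cfg, preds, s);
}

// One iteration of A, B and C in post-order. Returns the number of rewrites (0 = fixpoint).
int simplifyCFGOnePass(CFG& cfg)
{
    int changes = 0;
    std::vector<int> preds = predecessorCounts(cfg);
    for (int b : postOrder(cfg)) {
        Block& block = cfg.blocks[b];
        // A: an edge into an empty jump-only block is redirected to that block's target.
        for (int& s : block.successors) {
            const Block& mid = cfg.blocks[s];
            if (s == b || !mid.body.empty() || mid.kind != Block::Jump || mid.successors[0] == s)
                continue;
            int target = mid.successors[0];
            if (--preds[s] == 0)
                dropEdgesFrom(cfg, preds, s);
            ++preds[target];
            s = target;
            ++changes;
        }
        // B: a branch whose arms coincide becomes a jump.
        if (block.kind == Block::Branch && block.successors[0] == block.successors[1]) {
            block.kind = Block::Jump;
            block.successors.resize(1);
            --preds[block.successors[0]];
            ++changes;
        }
        // C: a jump to a block with exactly one predecessor absorbs that block.
        if (block.kind == Block::Jump) {
            int s = block.successors[0];
            if (s != b && preds[s] == 1) {
                Block& succ = cfg.blocks[s];
                block.body.insert(block.body.end(), succ.body.begin(), succ.body.end());
                block.kind = succ.kind;
                block.successors = succ.successors; // succ's edges now leave from block
                preds[s] = 0;                       // succ is unreachable from now on
                ++changes;
            }
        }
    }
    return changes;
}

// Passes run until one performs no rewrite; that final confirming pass is counted.
int passesToFixpoint(CFG& cfg)
{
    int passes = 0;
    do {
        ++passes;
    } while (simplifyCFGOnePass(cfg));
    return passes;
}

// Constructed sample: 0 branches to two empty jump blocks (1 and 2) that both lead
// to 3; 3 jumps to 4, which returns.
CFG buildSampleCFG()
{
    CFG cfg;
    cfg.blocks = {
        { { 10 }, Block::Branch, { 1, 2 } },
        { {}, Block::Jump, { 3 } },
        { {}, Block::Jump, { 3 } },
        { { 20 }, Block::Jump, { 4 } },
        { { 30 }, Block::Return, {} },
    };
    return cfg;
}
```

On the sample, the single post-order pass performs five rewrites (C on block 3, A twice on block 0, then B and C on block 0), leaving one block that holds instructions 10, 20, 30 and returns; the second pass finds nothing to do.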
2019-02-19  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        The code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache. The logic now lives in ShellSourceProvider,
        which overrides a virtual method in SourceProvider, `cacheBytecode`,
        in order to write the cache to disk.

        * jsc.cpp:
        (ShellSourceProvider::create):
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode):
        (ShellSourceProvider::ShellSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, and the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then moving it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still hits because it requires that these functions be
        called from non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: With the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: While `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

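The difference between `get` and `getInitializedOnMainThread` described in the entry above, as an added model that is not JSC's LazyProperty or LazyClassStructure code. The calling thread is passed as a parameter (`Caller`) rather than detected, and a failed assertion is modelled as an empty `std::optional` instead of a crash; the class and scenario names are assumptions for this illustration. The two scenario functions walk through the non-JIT configuration (lazy, main thread only) and the JIT configuration (eager main-thread initialization, then reads from compiler threads).

```cpp
#include <functional>
#include <optional>
#include <utility>

// Who is calling. Constructed for this example; JSC asserts on the current thread instead.
enum class Caller { MainThread, CompilerThread };

// Constructed model of a lazily initialized slot with the two accessors from the ChangeLog.
// An assertion that would fire in JSC is modelled as returning std::nullopt.
template<typename T>
class LazyProperty {
public:
    explicit LazyProperty(std::function<T()> initializer)
        : m_initializer(std::move(initializer)) { }

    // `get`: the caller must be the main thread, initialized or not.
    std::optional<T> get(Caller caller)
    {
        if (caller != Caller::MainThread)
            return std::nullopt; // the assertion `get` would hit
        return ensureInitialized();
    }

    // `getInitializedOnMainThread`: any thread may read an initialized value, but
    // only the main thread may be the one that performs the initialization.
    std::optional<T> getInitializedOnMainThread(Caller caller)
    {
        if (m_value)
            return m_value;
        if (caller != Caller::MainThread)
            return std::nullopt; // initialization attempted on a compiler thread
        return ensureInitialized();
    }

    bool isInitialized() const { return m_value.has_value(); }

private:
    T ensureInitialized()
    {
        if (!m_value)
            m_value = m_initializer();
        return *m_value;
    }

    std::function<T()> m_initializer;
    std::optional<T> m_value;
};

// Non-JIT configuration: no compiler threads exist, so the main thread is the only
// caller and the value is created on first use, exactly once.
bool nonJitConfigurationInitializesLazily()
{
    int constructions = 0;
    LazyProperty<int> symbolPrototype([&] { return ++constructions * 100; });
    if (symbolPrototype.isInitialized())
        return false;
    auto first = symbolPrototype.getInitializedOnMainThread(Caller::MainThread);
    auto second = symbolPrototype.getInitializedOnMainThread(Caller::MainThread);
    return first && second && *first == 100 && *second == 100 && constructions == 1;
}

// JIT configuration: the main thread initializes eagerly (as JSGlobalObject::init would),
// after which compiler threads may use getInitializedOnMainThread but still not get.
bool jitConfigurationAllowsCompilerThreadReads()
{
    LazyProperty<int> numberPrototype([] { return 7; });
    // A compiler thread arriving before the eager initialization must be rejected.
    if (numberPrototype.getInitializedOnMainThread(Caller::CompilerThread))
        return false;
    numberPrototype.get(Caller::MainThread); // eager initialization on the main thread
    auto fromCompiler = numberPrototype.getInitializedOnMainThread(Caller::CompilerThread);
    bool getStillRejects = !numberPrototype.get(Caller::CompilerThread);
    return fromCompiler && *fromCompiler == 7 && getStillRejects;
}
```

Keeping `get` strict even after initialization is what lets it catch accidental initialization from a compiler thread, which is the reason the entry gives for not merging the two accessors.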
2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:

        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is a destructible object because DateInstance uses it. This patch changes the Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comments of non-typical functions' source code (Program,
        Eval code, Global function from the function constructor, etc.), and the tricky thing is that
        the SourceProvider's directives are updated by the Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to move them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a very frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it into
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable, moves some rare data into RareData,
        and kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before storing a pointer into a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

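The fenced publication pattern from the entry above, as an added example that is not JSC's DFGWorklist or WasmWorklist code. A constructed `Worklist` stand-in is created on first use and its pointer is stored into a global with a release store, which is the store-store fence the entry describes; the peeking accessor (the shape of `DFG::existingWorklistForIndexOrNull`) uses an acquire load, so a non-null pointer always refers to a fully constructed object. The creation guard is a minimal spin lock assumed for this example in place of `call_once`, and all names are assumptions.

```cpp
#include <atomic>

// Constructed stand-in for a compiler worklist; not JSC's DFG::Worklist.
struct Worklist {
    explicit Worklist(int numberOfThreads)
        : numberOfThreads(numberOfThreads)
    {
        // These field writes are what a "half-baked worklist" reader could observe
        // if the pointer were published before they became visible.
        initialized = true;
    }
    int numberOfThreads;
    bool initialized = false;
};

namespace {
// The global slot that both the creating VM and a peeking VM read.
std::atomic<Worklist*> globalWorklist { nullptr };
// Minimal spin lock standing in for call_once (assumed for this example so the
// block needs no threading library).
std::atomic<bool> creationLock { false };
}

// Creates the worklist on first use and publishes it with a release store: a
// store-store fence between the constructor's field writes and the pointer write,
// so any acquire load that observes the pointer also observes the fields.
Worklist& ensureGlobalWorklist()
{
    if (Worklist* existing = globalWorklist.load(std::memory_order_acquire))
        return *existing;
    while (creationLock.exchange(true, std::memory_order_acquire)) { }
    Worklist* worklist = globalWorklist.load(std::memory_order_acquire);
    if (!worklist) {
        worklist = new Worklist(2);
        globalWorklist.store(worklist, std::memory_order_release); // fenced publication
    }
    creationLock.store(false, std::memory_order_release);
    return *worklist;
}

// The existingWorklistOrNull shape from the entry: never creates, only observes.
// The acquire load pairs with the release store above.
Worklist* existingGlobalWorklistOrNull()
{
    return globalWorklist.load(std::memory_order_acquire);
}

// What the pairing guarantees a peeking reader: either nothing yet, or a complete object.
bool observedWorklistIsFullyConstructed()
{
    Worklist* worklist = existingGlobalWorklistOrNull();
    return !worklist || (worklist->initialized && worklist->numberOfThreads == 2);
}
```

A plain (relaxed) store of the pointer would let the compiler or CPU reorder the constructor's writes after the publication; the release/acquire pair is the portable expression of the fence the patch adds.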
662 2019-02-15  Commit Queue  <commit-queue@webkit.org>
663
664         Unreviewed, rolling out r241559 and r241566.
665         https://bugs.webkit.org/show_bug.cgi?id=194710
666
667         Causes layout test crashes under GuardMalloc (Requested by
668         ryanhaddad on #webkit).
669
670         Reverted changesets:
671
672         "[WTF] Add environment variable helpers"
673         https://bugs.webkit.org/show_bug.cgi?id=192405
674         https://trac.webkit.org/changeset/241559
675
676         "Unreviewed build fix for WinCairo Debug after r241559."
677         https://trac.webkit.org/changeset/241566
678
679 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
680
681         [JSC] Do not even allocate JIT worklists in non-JIT mode
682         https://bugs.webkit.org/show_bug.cgi?id=194693
683
684         Reviewed by Mark Lam.
685
686         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
687         And we do not perform any GC operations that are only meaningful in a JIT environment.
688
689         1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
690         2. We remove DFG marking constraint in non-JIT mode.
691         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, the number of scratch buffers is always zero in non-JIT mode)
692         4. We do not visit JITStubRoutineSet.
693         5. Align JITWorklist function names to the other worklists.
694
695         * dfg/DFGOSRExitPreparation.cpp:
696         (JSC::DFG::prepareCodeOriginForOSRExit):
697         * dfg/DFGPlan.h:
698         * dfg/DFGWorklist.cpp:
699         (JSC::DFG::markCodeBlocks): Deleted.
700         * dfg/DFGWorklist.h:
701         * heap/Heap.cpp:
702         (JSC::Heap::completeAllJITPlans):
703         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
704         (JSC::Heap::gatherScratchBufferRoots):
705         (JSC::Heap::removeDeadCompilerWorklistEntries):
706         (JSC::Heap::stopThePeriphery):
707         (JSC::Heap::suspendCompilerThreads):
708         (JSC::Heap::resumeCompilerThreads):
709         (JSC::Heap::addCoreConstraints):
710         * jit/JITWorklist.cpp:
711         (JSC::JITWorklist::existingGlobalWorklistOrNull):
712         (JSC::JITWorklist::ensureGlobalWorklist):
713         (JSC::JITWorklist::instance): Deleted.
714         * jit/JITWorklist.h:
715         * llint/LLIntSlowPaths.cpp:
716         (JSC::LLInt::jitCompileAndSetHeuristics):
717         * runtime/VM.cpp:
718         (JSC::VM::~VM):
719         (JSC::VM::gatherScratchBufferRoots):
720         (JSC::VM::gatherConservativeRoots): Deleted.
721         * runtime/VM.h:
722
723 2019-02-15  Saam barati  <sbarati@apple.com>
724
725         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
726         https://bugs.webkit.org/show_bug.cgi?id=194036
727
728         Reviewed by Yusuke Suzuki.
729
730         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
731         use linear scan for register allocation. Instead of linear scan, Air-O0 does
732         mostly block-local register allocation, and it does this as it's emitting
733         code directly. The register allocator uses liveness analysis to reduce
734         the number of spills. Doing register allocation as we're emitting code
735         allows us to skip editing the IR to insert spills, which saves a non-trivial
736         amount of compile time. For stack allocation, we give each Tmp its own slot.
737         This is less than ideal. We probably want to do some trivial live range analysis
738         in the future. The reason this isn't a deal breaker for Wasm is that this patch
739         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
740         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
741         
742         This patch is another 25% Wasm startup time speedup. It seems to be worth
743         another 1% on JetStream2.
744
745         * JavaScriptCore.xcodeproj/project.pbxproj:
746         * Sources.txt:
747         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
748         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
749         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
750         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
751         (JSC::B3::Air::callFrameAddr):
752         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
753         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
754         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
755         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
756         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
757         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
758         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
759         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
760         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
761         * b3/air/AirCode.cpp:
762         * b3/air/AirCode.h:
763         * b3/air/AirGenerate.cpp:
764         (JSC::B3::Air::prepareForGeneration):
765         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
766         (JSC::B3::Air::generate):
767         * b3/air/AirHandleCalleeSaves.cpp:
768         (JSC::B3::Air::handleCalleeSaves):
769         * b3/air/AirHandleCalleeSaves.h:
770         * b3/air/AirTmpMap.h:
771         * runtime/Options.h:
772         * wasm/WasmAirIRGenerator.cpp:
773         (JSC::Wasm::AirIRGenerator::didKill):
774         (JSC::Wasm::AirIRGenerator::newTmp):
775         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
776         (JSC::Wasm::parseAndCompileAir):
777         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
778         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
779         * wasm/WasmAirIRGenerator.h:
780         * wasm/WasmB3IRGenerator.cpp:
781         (JSC::Wasm::B3IRGenerator::didKill):
782         * wasm/WasmBBQPlan.cpp:
783         (JSC::Wasm::BBQPlan::compileFunctions):
784         * wasm/WasmFunctionParser.h:
785         (JSC::Wasm::FunctionParser<Context>::parseBody):
786         (JSC::Wasm::FunctionParser<Context>::parseExpression):
787         * wasm/WasmValidate.cpp:
788         (JSC::Wasm::Validate::didKill):
789
790 2019-02-14  Saam barati  <sbarati@apple.com>
791
792         lowerStackArgs should lower Lea32/64 on ARM64 to Add
793         https://bugs.webkit.org/show_bug.cgi?id=194656
794
795         Reviewed by Yusuke Suzuki.
796
797         On arm64, Lea is just implemented as an add. However, Air treats it as an
798         address with a given width. Because of this width, we were incorrectly
799         computing whether or not this immediate could fit into the instruction itself
800         or it needed to be explicitly put into a register. This patch makes
801         AirLowerStackArgs lower Lea to Add on arm64.
802
803         * b3/air/AirLowerStackArgs.cpp:
804         (JSC::B3::Air::lowerStackArgs):
805         * b3/air/AirOpcode.opcodes:
806         * b3/air/testair.cpp:
807
808 2019-02-14  Saam Barati  <sbarati@apple.com>
809
810         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
811         https://bugs.webkit.org/show_bug.cgi?id=194583
812         <rdar://problem/48028140>
813
814         Reviewed by Yusuke Suzuki.
815
816         This patch makes it so that getVariablesUnderTDZ caches a result of
817         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
818         it's called in an environment where there are a lot of variables.
819         This patch makes it so we cache its results. This is profitable when
820         getVariablesUnderTDZ is called repeatedly with the same environment
821         state. This is common since we call this every time we encounter a
822         function definition/expression node.
823
824         * builtins/BuiltinExecutables.cpp:
825         (JSC::BuiltinExecutables::createExecutable):
826         * bytecode/UnlinkedFunctionExecutable.cpp:
827         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
828         * bytecode/UnlinkedFunctionExecutable.h:
829         * bytecompiler/BytecodeGenerator.cpp:
830         (JSC::BytecodeGenerator::popLexicalScopeInternal):
831         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
832         (JSC::BytecodeGenerator::pushTDZVariables):
833         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
834         (JSC::BytecodeGenerator::restoreTDZStack):
835         * bytecompiler/BytecodeGenerator.h:
836         (JSC::BytecodeGenerator::makeFunction):
837         * parser/VariableEnvironment.cpp:
838         (JSC::CompactVariableMap::Handle::Handle):
839         (JSC::CompactVariableMap::Handle::operator=):
840         * parser/VariableEnvironment.h:
841         (JSC::CompactVariableMap::Handle::operator bool const):
842         * runtime/CodeCache.cpp:
843         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
844
845 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
846
847         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
848         https://bugs.webkit.org/show_bug.cgi?id=194659
849
850         Reviewed by Mark Lam.
851
852         Non-JIT entrypoints create NativeJITCode every time they are called. But this is meaningless since these entry point codes are identical.
853         We should create one per entrypoint type (for functions, we should have CodeForCall and CodeForConstruct) and continue to use them.
854         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
855
856         * dfg/DFGJITCode.h:
857         * dfg/DFGJITFinalizer.cpp:
858         (JSC::DFG::JITFinalizer::finalize):
859         (JSC::DFG::JITFinalizer::finalizeFunction):
860         * jit/JITCode.cpp:
861         (JSC::DirectJITCode::initializeCodeRefForDFG):
862         (JSC::DirectJITCode::initializeCodeRef): Deleted.
863         (JSC::NativeJITCode::initializeCodeRef): Deleted.
864         * jit/JITCode.h:
865         * llint/LLIntEntrypoint.cpp:
866         (JSC::LLInt::setFunctionEntrypoint):
867         (JSC::LLInt::setEvalEntrypoint):
868         (JSC::LLInt::setProgramEntrypoint):
869         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
870
871 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
872
873         [WTF] Add environment variable helpers
874         https://bugs.webkit.org/show_bug.cgi?id=192405
875
876         Reviewed by Michael Catanzaro.
877
878         * inspector/remote/glib/RemoteInspectorGlib.cpp:
879         (Inspector::RemoteInspector::RemoteInspector):
880         (Inspector::RemoteInspector::start):
881         * jsc.cpp:
882         (startTimeoutThreadIfNeeded):
883         * runtime/Options.cpp:
884         (JSC::overrideOptionWithHeuristic):
885         (JSC::Options::overrideAliasedOptionWithHeuristic):
886         (JSC::Options::initialize):
887         * runtime/VM.cpp:
888         (JSC::enableAssembler):
889         (JSC::VM::VM):
890         * tools/CodeProfiling.cpp:
891         (JSC::CodeProfiling::notifyAllocator):
892         Utilize WTF::Environment where possible.
893
894 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
895
896         [JSC] Should have default NativeJITCode
897         https://bugs.webkit.org/show_bug.cgi?id=194634
898
899         Reviewed by Mark Lam.
900
901         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create a NativeExecutable.
902         This is meaningless since we do not modify NativeJITCode after creation. This patch adds a singleton used as the default one.
903         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
904         allocations, which take 14KB.
905
906         * runtime/VM.cpp:
907         (JSC::jitCodeForCallTrampoline):
908         (JSC::jitCodeForConstructTrampoline):
909         (JSC::VM::getHostFunction):
910
911 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
912
913         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
914         https://bugs.webkit.org/show_bug.cgi?id=194576
915
916         Reviewed by Saam Barati.
917
918         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
919         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
920
921         * bytecode/UnlinkedFunctionExecutable.cpp:
922         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
923         (JSC::UnlinkedFunctionExecutable::link):
924         * bytecode/UnlinkedFunctionExecutable.h:
925         * runtime/CodeCache.cpp:
926         (JSC::generateUnlinkedCodeBlockForFunctions):
927
928 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
929
930         CachedBitVector's size must be converted from bits to bytes
931         https://bugs.webkit.org/show_bug.cgi?id=194441
932
933         Reviewed by Saam Barati.
934
935         CachedBitVector used its size in bits for memcpy. That didn't cause any
936         issues when encoding, since the size in bits was also used in the allocation,
937         but would overflow the actual BitVector buffer when decoding.
938
939         * runtime/CachedTypes.cpp:
940         (JSC::CachedBitVector::encode):
941         (JSC::CachedBitVector::decode const):
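
        As an added example (not the CachedTypes.cpp code), the bits-to-bytes conversion the fix describes, next to the bit-count-as-byte-count defect, with a bounds check on the serialized input; the blob layout (a uint64 bit count followed by the packed bytes) and the LSB-first `BitVector` are assumptions:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

namespace example {

// Bytes needed to hold numBits bits, rounded up to whole bytes.
constexpr size_t bytesForBits(size_t numBits) { return (numBits + 7) / 8; }

// The defect described in the entry: the bit count was used as a byte count.
constexpr size_t bitsMisusedAsBytes(size_t numBits) { return numBits; }

// True when a decoder copying bitsMisusedAsBytes(numBits) bytes into a buffer
// of bytesForBits(numBits) bytes would write past the end of that buffer.
constexpr bool wouldOverflowOnDecode(size_t numBits)
{
    return bitsMisusedAsBytes(numBits) > bytesForBits(numBits);
}

// Minimal LSB-first bit vector (stand-in for WTF::BitVector; an assumption).
struct BitVector {
    size_t numBits = 0;
    std::vector<uint8_t> bytes; // exactly bytesForBits(numBits) entries

    explicit BitVector(size_t n = 0) : numBits(n), bytes(bytesForBits(n), 0) {}
    bool get(size_t i) const { return (bytes[i / 8] >> (i % 8)) & 1; }
    void set(size_t i) { bytes[i / 8] |= static_cast<uint8_t>(1u << (i % 8)); }
};

// Cached layout (constructed for this example): uint64 bit count, then bytes.
// Encoding with the bit count as the byte count would only over-allocate,
// which is why the entry says the encode side did not misbehave.
std::vector<uint8_t> encode(const BitVector& bv)
{
    const size_t payload = bytesForBits(bv.numBits);
    std::vector<uint8_t> out(sizeof(uint64_t) + payload);
    const uint64_t n = bv.numBits;
    std::memcpy(out.data(), &n, sizeof n);
    if (payload)
        std::memcpy(out.data() + sizeof n, bv.bytes.data(), payload);
    return out;
}

// Decodes a cache blob, treating it as untrusted input: the payload length is
// derived from the bit count in bytes, and the blob must really be that long.
BitVector decode(const std::vector<uint8_t>& in)
{
    if (in.size() < sizeof(uint64_t))
        throw std::length_error("CachedBitVector: truncated header");
    uint64_t n = 0;
    std::memcpy(&n, in.data(), sizeof n);
    // Rejecting absurd counts early also keeps (n + 7) from wrapping around.
    if (n > static_cast<uint64_t>(in.size()) * 8)
        throw std::length_error("CachedBitVector: bit count exceeds input");
    const size_t payload = bytesForBits(static_cast<size_t>(n));
    if (in.size() - sizeof(uint64_t) < payload)
        throw std::length_error("CachedBitVector: truncated payload");
    BitVector bv(static_cast<size_t>(n));
    if (payload)
        std::memcpy(bv.bytes.data(), in.data() + sizeof n, payload);
    return bv;
}

// Convenience for callers that only need to know whether a blob is rejected.
bool decodeRejects(const std::vector<uint8_t>& in)
{
    try {
        (void)decode(in);
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}

} // namespace example
```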
942
943 2019-02-13  Brian Burg  <bburg@apple.com>
944
945         Web Inspector: don't include accessibility role in DOM.Node object payloads
946         https://bugs.webkit.org/show_bug.cgi?id=194623
947         <rdar://problem/36384037>
948
949         Reviewed by Devin Rousso.
950
951         Remove property of DOM.Node that is no longer being sent.
952
953         * inspector/protocol/DOM.json:
954
955 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
956
957         We should only make rope strings when concatenating strings long enough.
958         https://bugs.webkit.org/show_bug.cgi?id=194465
959
960         Reviewed by Mark Lam.
961
962         This patch stops us from allocating a rope string if the resulting
963         rope would be smaller than the size of the JSRopeString object we
964         would need to allocate.
965
966         This patch also adds paths so that we don't unnecessarily allocate
967         JSString cells for primitives we are going to concatenate with a
968         string anyway.
969
970         The important change from the previous one is that we do not apply
971         the above rule to JSRopeStrings generated by JSStrings. If we convert
972         it to a JSString, the comparison of memory consumption becomes the following,
973         because a JSRopeString does not have a StringImpl until it is resolved.
974
975             sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content
976
977         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
978         resolving eagerly increases the memory footprint. The point is that we need to
979         account for the newly created JSString and JSRopeString from the operands. This is the
980         reason why this patch adds different thresholds for each jsString function.
981
982         This patch also avoids concatenation for ropes conservatively. Many ropes are
983         temporary cells. So we do not resolve eagerly if one of the operands is already a
984         rope.
985
986         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up, averaged over the latter 5).
987
988             Before: 159.3778
989             After:  160.72340000000003
990
991         * dfg/DFGOperations.cpp:
992         * runtime/CommonSlowPaths.cpp:
993         (JSC::SLOW_PATH_DECL):
994         * runtime/JSString.h:
995         (JSC::JSString::isRope const):
996         * runtime/Operations.cpp:
997         (JSC::jsAddSlowCase):
998         * runtime/Operations.h:
999         (JSC::jsString):
1000         (JSC::jsAddNonNumber):
1001         (JSC::jsAdd):
1002
1003 2019-02-13  Saam Barati  <sbarati@apple.com>
1004
1005         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
1006         https://bugs.webkit.org/show_bug.cgi?id=194610
1007
1008         Reviewed by Michael Saboff.
1009
1010         BinarySwitch might use the scratch register. We must model the
1011         effects of that properly. This is already caught by our br-table
1012         tests on arm64.
1013
1014         * wasm/WasmAirIRGenerator.cpp:
1015         (JSC::Wasm::AirIRGenerator::addSwitch):
1016
1017 2019-02-13  Mark Lam  <mark.lam@apple.com>
1018
1019         Create a randomized free list for new StructureIDs on StructureIDTable resize.
1020         https://bugs.webkit.org/show_bug.cgi?id=194566
1021         <rdar://problem/47975502>
1022
1023         Reviewed by Michael Saboff.
1024
1025         Also isolate the 32-bit implementation of StructureIDTable out more so the 64-bit
1026         implementation is a little easier to read.
1027
1028         This patch appears to be perf neutral on JetStream2 (as run from the command line).
1029
1030         * runtime/StructureIDTable.cpp:
1031         (JSC::StructureIDTable::StructureIDTable):
1032         (JSC::StructureIDTable::makeFreeListFromRange):
1033         (JSC::StructureIDTable::resize):
1034         (JSC::StructureIDTable::allocateID):
1035         (JSC::StructureIDTable::deallocateID):
1036         * runtime/StructureIDTable.h:
1037         (JSC::StructureIDTable::get):
1038         (JSC::StructureIDTable::deallocateID):
1039         (JSC::StructureIDTable::allocateID):
1040         (JSC::StructureIDTable::flushOldTables):
1041
1042 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1043
1044         VariableLengthObject::allocate<T> should initialize objects
1045         https://bugs.webkit.org/show_bug.cgi?id=194534
1046
1047         Reviewed by Michael Saboff.
1048
1049         `buffer()` should not be called for empty VariableLengthObjects, but
1050         these cases were not being caught due to the objects not being properly
1051         initialized. Fix it so that allocate calls the constructor and fix the
1052         assertion failures.
1053
1054         * runtime/CachedTypes.cpp:
1055         (JSC::CachedObject::operator new):
1056         (JSC::VariableLengthObject::allocate):
1057         (JSC::CachedVector::encode):
1058         (JSC::CachedVector::decode const):
1059         (JSC::CachedUniquedStringImpl::decode const):
1060         (JSC::CachedBitVector::encode):
1061         (JSC::CachedBitVector::decode const):
1062         (JSC::CachedArray::encode):
1063         (JSC::CachedArray::decode const):
1064         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
1065         (JSC::CachedBigInt::decode const):
1066
1067 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1068
1069         CodeBlocks read from disk should not be re-written
1070         https://bugs.webkit.org/show_bug.cgi?id=194535
1071
1072         Reviewed by Michael Saboff.
1073
1074         Keep track of which CodeBlocks have been read from disk or have already
1075         been serialized in CodeCache.
1076
1077         * runtime/CodeCache.cpp:
1078         (JSC::CodeCache::write):
1079         * runtime/CodeCache.h:
1080         (JSC::SourceCodeValue::SourceCodeValue):
1081         (JSC::CodeCacheMap::fetchFromDiskImpl):
1082
1083 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
1084
1085         SourceCode should be copied when generating bytecode for functions
1086         https://bugs.webkit.org/show_bug.cgi?id=194536
1087
1088         Reviewed by Saam Barati.
1089
1090         The FunctionExecutable might be collected while generating the bytecode
1091         for nested functions, in which case the SourceCode reference would no
1092         longer be valid.
1093
1094         * runtime/CodeCache.cpp:
1095         (JSC::generateUnlinkedCodeBlockForFunctions):
1096
1097 2019-02-12  Saam barati  <sbarati@apple.com>
1098
1099         JSScript needs to retain its cache path NSURL*
1100         https://bugs.webkit.org/show_bug.cgi?id=194577
1101
1102         Reviewed by Tim Horton.
1103
1104         * API/JSScript.mm:
1105         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
1106         (-[JSScript dealloc]):
1107
1108 2019-02-12  Robin Morisset  <rmorisset@apple.com>
1109
1110         Make B3Value::returnsBool() more precise
1111         https://bugs.webkit.org/show_bug.cgi?id=194457
1112
1113         Reviewed by Saam Barati.
1114
1115         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
1116         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
1117         No new tests added as this should be indirectly tested by the already existing tests.
1118
1119         * b3/B3Value.cpp:
1120         (JSC::B3::Value::returnsBool const):
1121
1122 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1123
1124         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
1125         https://bugs.webkit.org/show_bug.cgi?id=194399
1126         <rdar://problem/47889777>
1127
1128         * dfg/DFGDoesGC.cpp:
1129         (JSC::DFG::doesGC):
1130
1131 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
1132
1133         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
1134         https://bugs.webkit.org/show_bug.cgi?id=194370
1135
1136         Reviewed by Darin Adler.
1137
1138         Change a couple of WTFLogAlways calls to use g_warning, for good measure. Of course this isn't
1139         necessary, but it will make errors more visible.
1140
1141         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1142         (Inspector::RemoteInspector::start):
1143         (Inspector::dbusConnectionCallAsyncReadyCallback):
1144         * inspector/remote/glib/RemoteInspectorServer.cpp:
1145         (Inspector::RemoteInspectorServer::start):
1146
1147 2019-02-12  Andy Estes  <aestes@apple.com>
1148
1149         [iOSMac] Enable Parental Controls Content Filtering
1150         https://bugs.webkit.org/show_bug.cgi?id=194521
1151         <rdar://39732376>
1152
1153         Reviewed by Tim Horton.
1154
1155         * Configurations/FeatureDefines.xcconfig:
1156
1157 2019-02-11  Mark Lam  <mark.lam@apple.com>
1158
1159         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1160         https://bugs.webkit.org/show_bug.cgi?id=194512
1161         <rdar://problem/47975465>
1162
1163         Reviewed by Yusuke Suzuki.
1164
1165         * runtime/StructureIDTable.cpp:
1166         (JSC::StructureIDTable::StructureIDTable):
1167         (JSC::StructureIDTable::allocateID):
1168         (JSC::StructureIDTable::deallocateID):
1169         * runtime/StructureIDTable.h:
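
        Added example illustrating the randomized free list described in this entry and in the StructureIDTable resize entry dated 2019-02-13 above (not WebKit's StructureIDTable.cpp): the table layout, the seeded std::mt19937, and the head-or-second insertion policy on deallocation are assumptions; the function names mirror the ones listed in both entries.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <numeric>
#include <random>
#include <vector>

namespace example {

using StructureID = uint32_t;

// Toy table: IDs index m_next; free IDs form a singly linked list threaded
// through m_next, with ID 0 reserved as the end-of-list sentinel.
class StructureIDTable {
public:
    // Fixed seed keeps this reproducible; a real table would seed from an
    // unpredictable source (assumption, not WebKit's code).
    explicit StructureIDTable(uint32_t initialCapacity, uint32_t seed = 0x5EED)
        : m_rng(seed), m_next(initialCapacity, 0), m_isFree(initialCapacity, false)
    {
        makeFreeListFromRange(1, initialCapacity);
    }

    StructureID allocateID()
    {
        if (!m_freeListHead)
            resize(capacity() * 2); // grows and randomizes the new range
        StructureID id = m_freeListHead;
        m_freeListHead = m_next[id];
        m_isFree[id] = false;
        return id;
    }

    // Re-inserts the freed ID at the head or right behind it, chosen at random,
    // so the most recently freed ID is not reliably the next one handed out.
    // (Illustrative policy; not the one in StructureIDTable.cpp.)
    void deallocateID(StructureID id)
    {
        m_isFree[id] = true;
        if (!m_freeListHead || (m_rng() & 1)) {
            m_next[id] = m_freeListHead;
            m_freeListHead = id;
        } else {
            m_next[id] = m_next[m_freeListHead];
            m_next[m_freeListHead] = id;
        }
    }

    uint32_t capacity() const { return static_cast<uint32_t>(m_next.size()); }
    bool isFree(StructureID id) const { return id < capacity() && m_isFree[id]; }

private:
    void resize(uint32_t newCapacity)
    {
        uint32_t oldCapacity = capacity();
        m_next.resize(newCapacity, 0);
        m_isFree.resize(newCapacity, false);
        makeFreeListFromRange(oldCapacity, newCapacity);
    }

    // Pushes the IDs in [first, last) onto the free list in shuffled order, so a
    // freshly grown range is not handed out in ascending order.
    void makeFreeListFromRange(StructureID first, StructureID last)
    {
        std::vector<StructureID> ids(last - first);
        std::iota(ids.begin(), ids.end(), first);
        std::shuffle(ids.begin(), ids.end(), m_rng);
        for (StructureID id : ids) {
            m_isFree[id] = true;
            m_next[id] = m_freeListHead;
            m_freeListHead = id;
        }
    }

    std::mt19937 m_rng;
    std::vector<StructureID> m_next;
    std::vector<bool> m_isFree;
    StructureID m_freeListHead = 0;
};

// Allocates `count` IDs and returns them in allocation order.
std::vector<StructureID> allocateMany(StructureIDTable& table, uint32_t count)
{
    std::vector<StructureID> ids;
    for (uint32_t i = 0; i < count; ++i)
        ids.push_back(table.allocateID());
    return ids;
}

// True when `ids` is exactly the set {first, ..., first + ids.size() - 1}.
bool isPermutationOfRange(std::vector<StructureID> ids, StructureID first)
{
    std::sort(ids.begin(), ids.end());
    for (std::size_t i = 0; i < ids.size(); ++i)
        if (ids[i] != first + i)
            return false;
    return true;
}

} // namespace example
```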
1170
1171 2019-02-10  Mark Lam  <mark.lam@apple.com>
1172
1173         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1174         https://bugs.webkit.org/show_bug.cgi?id=194493
1175         <rdar://problem/36380852>
1176
1177         Reviewed by Yusuke Suzuki.
1178
1179         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1180         however not good for performance and memory usage.  As such, a debug ASSERT will
1181         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1182         possible to be instantiated with duplicate cases in
1183         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1184
1185         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1186         see duplicate cases.
1187
1188         * jit/BinarySwitch.cpp:
1189         (JSC::BinarySwitch::BinarySwitch):
1190
1191 2019-02-10  Darin Adler  <darin@apple.com>
1192
1193         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1194         https://bugs.webkit.org/show_bug.cgi?id=194485
1195
1196         Reviewed by Daniel Bates.
1197
1198         * heap/HeapSnapshotBuilder.cpp:
1199         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1200         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1201
1202         * runtime/JSGlobalObjectFunctions.cpp:
1203         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1204         including one in a call to appendByteAsHex.
1205         (JSC::globalFuncEscape): Ditto.
1206
1207 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1208
1209         Unreviewed, rolling out r241230.
1210         https://bugs.webkit.org/show_bug.cgi?id=194488
1211
1212         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1213         #webkit).
1214
1215         Reverted changeset:
1216
1217         "We should only make rope strings when concatenating strings
1218         long enough."
1219         https://bugs.webkit.org/show_bug.cgi?id=194465
1220         https://trac.webkit.org/changeset/241230
1221
1222 2019-02-10  Saam barati  <sbarati@apple.com>
1223
1224         BBQ-Air: Emit better code for switch
1225         https://bugs.webkit.org/show_bug.cgi?id=194053
1226
1227         Reviewed by Yusuke Suzuki.
1228
1229         Instead of emitting a linear set of jumps for Switch, this patch
1230         makes the BBQ-Air backend emit a binary switch.
1231
1232         * wasm/WasmAirIRGenerator.cpp:
1233         (JSC::Wasm::AirIRGenerator::addSwitch):
1234
1235 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1236
1237         Unreviewed, Lexer should use isLatin1 implementation in WTF
1238         https://bugs.webkit.org/show_bug.cgi?id=194466
1239
1240         Follow-up after r241233 pointed out by Darin.
1241
1242         * parser/Lexer.cpp:
1243         (JSC::isLatin1): Deleted.
1244
1245 2019-02-09  Darin Adler  <darin@apple.com>
1246
1247         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1248         https://bugs.webkit.org/show_bug.cgi?id=194021
1249
1250         Reviewed by Geoffrey Garen.
1251
1252         * inspector/agents/InspectorConsoleAgent.cpp:
1253         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1254         makeString do the conversion without allocating/destroying a String.
1255         * inspector/agents/InspectorDebuggerAgent.cpp:
1256         (Inspector::objectGroupForBreakpointAction): Ditto.
1257         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1258         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1259         * runtime/JSGenericTypedArrayViewInlines.h:
1260         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1261         * runtime/NumberPrototype.cpp:
1262         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1263         of calling numberToFixedWidthString to do the same thing.
1264         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1265         numberToFixedPrecisionString to do the same thing.
1266         * runtime/SamplingProfiler.cpp:
1267         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1268
1269 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1270
1271         Unreviewed, rolling in r241237 again
1272         https://bugs.webkit.org/show_bug.cgi?id=194469
1273
1274         * runtime/JSString.h:
1275         (JSC::jsSubstring):
1276
1277 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1278
1279         Unreviewed, rolling out r241237.
1280         https://bugs.webkit.org/show_bug.cgi?id=194474
1281
1282         Shows significant memory increase in WSL (Requested by
1283         yusukesuzuki on #webkit).
1284
1285         Reverted changeset:
1286
1287         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1288         takes more memory"
1289         https://bugs.webkit.org/show_bug.cgi?id=194469
1290         https://trac.webkit.org/changeset/241237
1291
1292 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1293
1294         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1295         https://bugs.webkit.org/show_bug.cgi?id=194469
1296
1297         Reviewed by Geoffrey Garen.
1298
1299         * runtime/JSString.h:
1300         (JSC::jsSubstring):
1301
1302 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1303
1304         [JSC] CachedTypes should use jsString instead of JSString::create
1305         https://bugs.webkit.org/show_bug.cgi?id=194471
1306
1307         Reviewed by Mark Lam.
1308
1309         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1310
1311         * runtime/CachedTypes.cpp:
1312         (JSC::CachedJSValue::decode const):
1313
1314 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1315
1316         [JSC] Increase StructureIDTable initial capacity
1317         https://bugs.webkit.org/show_bug.cgi?id=194468
1318
1319         Reviewed by Mark Lam.
1320
1321         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in the
1322         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
1323         unnecessary resizing requires more operations, keeps the old StructureID array until GC happens, and makes
1324         more memory dirty. We also remove some structures that are no longer used.
1325
1326         * runtime/JSGlobalObject.h:
1327         (JSC::JSGlobalObject::callbackObjectStructure const):
1328         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1329         * runtime/StructureIDTable.h:
1330         * runtime/VM.h:
1331
1332 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1333
1334         [JSC] String.fromCharCode's slow path always generates 16bit string
1335         https://bugs.webkit.org/show_bug.cgi?id=194466
1336
1337         Reviewed by Keith Miller.
1338
1339         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1340         goes to the slow path. However, in the slow path, we always create a 16-bit string. A 16-bit string takes 2x memory,
1341         and even worse, taints ropes as 16-bit if a 16-bit string is included in the given rope. We find that acorn-wtb
1342         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1343         16-bit strings. However, only a few strings are actually 16-bit strings. This patch attempts to make 8-bit strings
1344         as much as possible.
1345
1346         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1347
1348         * runtime/StringConstructor.cpp:
1349         (JSC::stringFromCharCode):
1350
1351 2019-02-08  Keith Miller  <keith_miller@apple.com>
1352
1353         We should only make rope strings when concatenating strings long enough.
1354         https://bugs.webkit.org/show_bug.cgi?id=194465
1355
1356         Reviewed by Saam Barati.
1357
1358         This patch stops us from allocating a rope string if the resulting
1359         rope would be smaller than the size of the JSRopeString object we
1360         would need to allocate.
1361
1362         This patch also adds paths so that we don't unnecessarily allocate
1363         JSString cells for primitives we are going to concatenate with a
1364         string anyway.
1365
1366         * dfg/DFGOperations.cpp:
1367         * runtime/CommonSlowPaths.cpp:
1368         (JSC::SLOW_PATH_DECL):
1369         * runtime/JSString.h:
1370         * runtime/Operations.cpp:
1371         (JSC::jsAddSlowCase):
1372         * runtime/Operations.h:
1373         (JSC::jsString):
1374         (JSC::jsAdd):
1375
1376 2019-02-08  Saam barati  <sbarati@apple.com>
1377
1378         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1379         https://bugs.webkit.org/show_bug.cgi?id=194334
1380         <rdar://problem/47844327>
1381
1382         Reviewed by Mark Lam.
1383
1384         * dfg/DFGAbstractInterpreterInlines.h:
1385         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1386         * dfg/DFGArgumentsEliminationPhase.cpp:
1387         * dfg/DFGByteCodeParser.cpp:
1388         (JSC::DFG::ByteCodeParser::parseBlock):
1389         * dfg/DFGClobberize.h:
1390         (JSC::DFG::clobberize):
1391         * dfg/DFGConstantFoldingPhase.cpp:
1392         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1393         * dfg/DFGFixupPhase.cpp:
1394         (JSC::DFG::FixupPhase::fixupNode):
1395         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1396         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1397         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1398         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1399         * dfg/DFGNodeType.h:
1400         * dfg/DFGSSALoweringPhase.cpp:
1401         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1402         * dfg/DFGSpeculativeJIT.cpp:
1403         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1404         * ftl/FTLLowerDFGToB3.cpp:
1405         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1406         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1407
1408 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1409
1410         [JSC] Shrink sizeof(CodeBlock) more
1411         https://bugs.webkit.org/show_bug.cgi?id=194419
1412
1413         Reviewed by Mark Lam.
1414
1415         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1416
1417         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1418         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1419         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1420
1421         2. We remove the m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1422         And we do not touch it in CodeBlock::~CodeBlock.
1423
1424         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1425         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1426         a singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1427
1428         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1429
1430         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1431
1432         * bytecode/CodeBlock.cpp:
1433         (JSC::CodeBlock::hash const):
1434         (JSC::CodeBlock::sourceCodeForTools const):
1435         (JSC::CodeBlock::dumpAssumingJITType const):
1436         (JSC::CodeBlock::dumpSource):
1437         (JSC::CodeBlock::CodeBlock):
1438         (JSC::CodeBlock::finishCreation):
1439         (JSC::CodeBlock::propagateTransitions):
1440         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1441         (JSC::CodeBlock::setCalleeSaveRegisters):
1442         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1443         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1444         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1445         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1446         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1447         (JSC::CodeBlock::newReplacement):
1448         (JSC::CodeBlock::replacement):
1449         (JSC::CodeBlock::computeCapabilityLevel):
1450         (JSC::CodeBlock::jettison):
1451         (JSC::CodeBlock::calleeSaveRegisters const):
1452         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1453         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1454         (JSC::CodeBlock::getArrayProfile):
1455         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1456         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1457         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1458         (JSC::CodeBlock::validate):
1459         (JSC::CodeBlock::outOfLineJumpTarget):
1460         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1461         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1462         * bytecode/CodeBlock.h:
1463         (JSC::CodeBlock::specializationKind const):
1464         (JSC::CodeBlock::isStrictMode const):
1465         (JSC::CodeBlock::isConstructor const):
1466         (JSC::CodeBlock::codeType const):
1467         (JSC::CodeBlock::isKnownNotImmediate):
1468         (JSC::CodeBlock::instructions const):
1469         (JSC::CodeBlock::ownerExecutable const):
1470         (JSC::CodeBlock::thisRegister const):
1471         (JSC::CodeBlock::source const):
1472         (JSC::CodeBlock::sourceOffset const):
1473         (JSC::CodeBlock::firstLineColumnOffset const):
1474         (JSC::CodeBlock::createRareDataIfNecessary):
1475         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1476         (JSC::CodeBlock::setThisRegister): Deleted.
1477         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1478         * bytecode/EvalCodeBlock.h:
1479         * bytecode/FunctionCodeBlock.h:
1480         * bytecode/GlobalCodeBlock.h:
1481         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1482         * bytecode/ModuleProgramCodeBlock.h:
1483         * bytecode/ProgramCodeBlock.h:
1484         * debugger/Debugger.cpp:
1485         (JSC::Debugger::toggleBreakpoint):
1486         * debugger/DebuggerCallFrame.cpp:
1487         (JSC::DebuggerCallFrame::sourceID const):
1488         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1489         * debugger/DebuggerScope.cpp:
1490         (JSC::DebuggerScope::location const):
1491         * dfg/DFGByteCodeParser.cpp:
1492         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1493         (JSC::DFG::ByteCodeParser::inliningCost):
1494         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1495         * dfg/DFGCapabilities.cpp:
1496         (JSC::DFG::isSupportedForInlining):
1497         (JSC::DFG::mightCompileEval):
1498         (JSC::DFG::mightCompileProgram):
1499         (JSC::DFG::mightCompileFunctionForCall):
1500         (JSC::DFG::mightCompileFunctionForConstruct):
1501         (JSC::DFG::canUseOSRExitFuzzing):
1502         * dfg/DFGGraph.h:
1503         (JSC::DFG::Graph::executableFor):
1504         * dfg/DFGJITCompiler.cpp:
1505         (JSC::DFG::JITCompiler::compileFunction):
1506         * dfg/DFGOSREntry.cpp:
1507         (JSC::DFG::prepareOSREntry):
1508         * dfg/DFGOSRExit.cpp:
1509         (JSC::DFG::restoreCalleeSavesFor):
1510         (JSC::DFG::saveCalleeSavesFor):
1511         (JSC::DFG::saveOrCopyCalleeSavesFor):
1512         * dfg/DFGOSRExitCompilerCommon.cpp:
1513         (JSC::DFG::handleExitCounts):
1514         * dfg/DFGOperations.cpp:
1515         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1516         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1517         * ftl/FTLCapabilities.cpp:
1518         (JSC::FTL::canCompile):
1519         * ftl/FTLLink.cpp:
1520         (JSC::FTL::link):
1521         * ftl/FTLOSRExitCompiler.cpp:
1522         (JSC::FTL::compileStub):
1523         * interpreter/CallFrame.cpp:
1524         (JSC::CallFrame::callerSourceOrigin):
1525         * interpreter/Interpreter.cpp:
1526         (JSC::eval):
1527         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1528         * interpreter/StackVisitor.cpp:
1529         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1530         (JSC::StackVisitor::Frame::sourceURL const):
1531         (JSC::StackVisitor::Frame::sourceID):
1532         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1533         * interpreter/StackVisitor.h:
1534         * jit/AssemblyHelpers.h:
1535         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1536         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1537         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1538         * jit/CallFrameShuffleData.cpp:
1539         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1540         * jit/JIT.cpp:
1541         (JSC::JIT::compileWithoutLinking):
1542         * jit/JITToDFGDeferredCompilationCallback.cpp:
1543         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1544         * jit/JITWorklist.cpp:
1545         (JSC::JITWorklist::Plan::finalize):
1546         (JSC::JITWorklist::compileNow):
1547         * jit/RegisterAtOffsetList.cpp:
1548         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1549         * jit/RegisterAtOffsetList.h:
1550         (JSC::RegisterAtOffsetList::at const):
1551         * runtime/ErrorInstance.cpp:
1552         (JSC::appendSourceToError):
1553         * runtime/ScriptExecutable.cpp:
1554         (JSC::ScriptExecutable::newCodeBlockFor):
1555         * runtime/StackFrame.cpp:
1556         (JSC::StackFrame::sourceID const):
1557         (JSC::StackFrame::sourceURL const):
1558         (JSC::StackFrame::computeLineAndColumn const):
1559
1560 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1561
1562         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1563         https://bugs.webkit.org/show_bug.cgi?id=194460
1564
1565         Reviewed by Mark Lam.
1566
1567         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1568
1569         * b3/B3LowerMacros.cpp:
1570
1571 2019-02-08  Mark Lam  <mark.lam@apple.com>
1572
1573         Use maxSingleCharacterString in comparisons instead of literal constants.
1574         https://bugs.webkit.org/show_bug.cgi?id=194452
1575
1576         Reviewed by Yusuke Suzuki.
1577
1578         This way, if we ever change maxSingleCharacterString, it won't break all this code
1579         that relies on it being 0xff implicitly.
1580
1581         * dfg/DFGSpeculativeJIT.cpp:
1582         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1583         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1584         * ftl/FTLLowerDFGToB3.cpp:
1585         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1586         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1587         * jit/ThunkGenerators.cpp:
1588         (JSC::stringGetByValGenerator):
1589         (JSC::charToString):
1590
1591 2019-02-08  Mark Lam  <mark.lam@apple.com>
1592
1593         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1594         https://bugs.webkit.org/show_bug.cgi?id=194446
1595         <rdar://problem/47926792>
1596
1597         Reviewed by Saam Barati.
1598
1599         Fix doesGC() for the following nodes:
1600
1601             CheckTierUpAtReturn:
1602                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1603                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1604
1605             CheckTierUpInLoop:
1606                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1607                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1608
1609             CheckTierUpAndOSREnter:
1610                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1611                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1612
1613             GetByVal:
1614                 case Array::String calls operationSingleCharacterString(), which calls
1615                 jsSingleCharacterString(), which can allocate a string.
1616
1617             PutByValDirect:
1618             PutByVal:
1619             PutByValAlias:
1620                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1621                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1622                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1623                 slow paths call putByValInternal(), which may create exception objects, or
1624                 call the generic JSValue::put() which may execute arbitrary code.
1625
1626             StringCharAt:
1627                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1628                 which can allocate a string.
1629
1630         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1631         to use the maxSingleCharacterString constant instead of a literal constant.
1632
1633         * dfg/DFGDoesGC.cpp:
1634         (JSC::DFG::doesGC):
1635         * dfg/DFGSpeculativeJIT.cpp:
1636         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1637         * dfg/DFGSpeculativeJIT64.cpp:
1638         (JSC::DFG::SpeculativeJIT::compile):
1639         * ftl/FTLLowerDFGToB3.cpp:
1640         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1641         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1642         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1643
1644 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1645
1646         [JSC] SourceProviderCacheItem should be small
1647         https://bugs.webkit.org/show_bug.cgi?id=194432
1648
1649         Reviewed by Saam Barati.
1650
1651         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1652         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1653         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1654
1655         * parser/Parser.cpp:
1656         (JSC::Parser<LexerType>::parseFunctionInfo):
1657         * parser/ParserModes.h:
1658         * parser/ParserTokens.h:
1659         * parser/SourceProviderCacheItem.h:
1660         (JSC::SourceProviderCacheItem::endFunctionToken const):
1661         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1662
1663 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1664
1665         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1666         https://bugs.webkit.org/show_bug.cgi?id=194420
1667
1668         Reviewed by Saam Barati.
1669
1670         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1671         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1672         This trivial patch fixes both.
1673
1674         * b3/B3ReduceStrength.cpp:
1675         * b3/testb3.cpp:
1676         (JSC::B3::testAbsNegArg):
1677
1678 2019-02-07  Keith Miller  <keith_miller@apple.com>
1679
1680         Better error messages for module loader SPI
1681         https://bugs.webkit.org/show_bug.cgi?id=194421
1682
1683         Reviewed by Saam Barati.
1684
1685         * API/JSAPIGlobalObject.mm:
1686         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1687
1688 2019-02-07  Mark Lam  <mark.lam@apple.com>
1689
1690         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1691         https://bugs.webkit.org/show_bug.cgi?id=194399
1692         <rdar://problem/47889777>
1693
1694         Reviewed by Yusuke Suzuki.
1695
1696         Fix doesGC() for the following nodes:
1697
1698             CheckTraps:
1699                 We normally will not emit this node because Options::usePollingTraps() is
1700                 false by default.  However, as it is implemented now, CheckTraps can GC
1701                 because it can allocate a TerminatedExecutionException.  If we make the
1702                 TerminatedExecutionException a singleton allocated at initialization time,
1703                 doesGC() can return false for CheckTraps.
1704                 https://bugs.webkit.org/show_bug.cgi?id=194323
1705
1706             GetMapBucket:
1707                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1708                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1709                 can resolve a rope.
1710
1711             Switch:
1712                 If switchData kind is SwitchChar, can call operationResolveRope().
1713                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1714                     can call operationSwitchString() which resolves ropes.
1715
1716             DirectTailCall:
1717             ForceOSRExit:
1718             Return:
1719             TailCallForwardVarargs:
1720             TailCallVarargs:
1721             Throw:
1722                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1723                 for them, but following our conservative practice, unless we have a good
1724                 reason for doesGC() to return false, we should just return true.
1725
1726         * dfg/DFGDoesGC.cpp:
1727         (JSC::DFG::doesGC):
1728
1729 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1730
1731         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1732         https://bugs.webkit.org/show_bug.cgi?id=194250
1733
1734         Reviewed by Saam Barati.
1735
1736         Adds the following optimizations for integers:
1737         - Sub(x, x) => 0
1738             Already covered by the test testSubArg
1739         - Sub(x1, Neg(x2)) => Add(x1, x2)
1740             Added test: testSubNeg
1741         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1742             Added test: testNegSub
1743         - Add(Neg(x1), x2) => Sub(x2, x1)
1744             Added test: testAddNeg1
1745         - Add(x1, Neg(x2)) => Sub(x1, x2)
1746             Added test: testAddNeg2
1747         Adds the following optimization for floating point values:
1748         - Abs(Neg(x)) => Abs(x)
1749             Added test: testAbsNegArg
1750             Adds the following optimization:
1751
1752         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1753
1754         * b3/B3ReduceStrength.cpp:
1755         * b3/testb3.cpp:
1756         (JSC::B3::testAddNeg1):
1757         (JSC::B3::testAddNeg2):
1758         (JSC::B3::testSubNeg):
1759         (JSC::B3::testNegSub):
1760         (JSC::B3::testAbsAbsArg):
1761         (JSC::B3::testAbsNegArg):
1762         (JSC::B3::run):
1763
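As an added illustration (not WebKit's code), the five integer rewrites listed in this entry and the floating-point Abs(Neg(x)) => Abs(x) rule, together with the miscompile the 2019-02-07 "Fix Abs(Neg(x)) -> Abs(x)" entry above describes, on a constructed toy IR. The names `Proc`, `Value`, `reduce`, `eval`, `check` and the `buggyAbsNeg` flag are assumptions made here; `check` builds a shape twice, reduces one copy and compares both on sample inputs, which is what the testb3.cpp tests named above exist to do.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed toy IR (not B3 itself): only the opcodes the identities above need.
enum class Op { Arg, Const, Add, Sub, Neg, Abs };

struct Value {
    Op op;
    bool isFloat;            // B3 separates integer types from Float/Double
    double constant = 0;     // Op::Const
    int argIndex = 0;        // Op::Arg
    Value* child0 = nullptr;
    Value* child1 = nullptr;
};

// Owns every Value, as a B3::Procedure owns its values.
struct Proc {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Op op, bool isFloat, Value* a = nullptr, Value* b = nullptr) {
        values.push_back(std::make_unique<Value>(Value{op, isFloat, 0, 0, a, b}));
        return values.back().get();
    }
    Value* arg(int i, bool isFloat) { Value* v = add(Op::Arg, isFloat); v->argIndex = i; return v; }
    Value* zero() { return add(Op::Const, false); }
};

// The peephole pass, applied bottom-up. The Sub/Neg/Add rules are integer-only: on
// doubles Sub(x, x) is NaN for NaN input, and Neg(Sub(x1, x2)) differs from Sub(x2, x1)
// on signed zero. `buggyAbsNeg` reproduces the mistake from the fix entry above:
// Abs(Neg(x)) rewritten to x instead of Abs(x).
Value* reduce(Proc& proc, Value* v, bool buggyAbsNeg = false)
{
    if (v->child0) v->child0 = reduce(proc, v->child0, buggyAbsNeg);
    if (v->child1) v->child1 = reduce(proc, v->child1, buggyAbsNeg);
    Value* a = v->child0;
    Value* b = v->child1;
    bool isInt = !v->isFloat;
    switch (v->op) {
    case Op::Sub:
        if (isInt && a == b) return proc.zero();                                        // Sub(x, x) => 0
        if (isInt && b->op == Op::Neg) return proc.add(Op::Add, false, a, b->child0);   // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInt && a->op == Op::Sub) return proc.add(Op::Sub, false, a->child1, a->child0); // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInt && a->op == Op::Neg) return proc.add(Op::Sub, false, b, a->child0);   // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && b->op == Op::Neg) return proc.add(Op::Sub, false, a, b->child0);   // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        if (v->isFloat && a->op == Op::Neg)                                             // Abs(Neg(x)) => Abs(x)
            return buggyAbsNeg ? a->child0 : proc.add(Op::Abs, true, a->child0);
        break;
    default:
        break;
    }
    return v;
}

// Interpreter used as the oracle: integer ops compute in int64_t, float ops in double.
double eval(const Value* v, const std::vector<double>& args)
{
    auto x = [&] { return eval(v->child0, args); };
    auto y = [&] { return eval(v->child1, args); };
    switch (v->op) {
    case Op::Arg:   return args.at(v->argIndex);
    case Op::Const: return v->constant;
    case Op::Add:   return v->isFloat ? x() + y() : double(int64_t(x()) + int64_t(y()));
    case Op::Sub:   return v->isFloat ? x() - y() : double(int64_t(x()) - int64_t(y()));
    case Op::Neg:   return v->isFloat ? -x() : double(-int64_t(x()));
    case Op::Abs:   return std::fabs(x());
    }
    return 0;
}

// One builder per shape named in the entry (arg 0 and arg 1 play x1 and x2).
using Builder = Value* (*)(Proc&);
Value* subSelf(Proc& p) { Value* x = p.arg(0, false); return p.add(Op::Sub, false, x, x); }
Value* subNeg(Proc& p)  { return p.add(Op::Sub, false, p.arg(0, false), p.add(Op::Neg, false, p.arg(1, false))); }
Value* negSub(Proc& p)  { return p.add(Op::Neg, false, p.add(Op::Sub, false, p.arg(0, false), p.arg(1, false))); }
Value* addNeg1(Proc& p) { return p.add(Op::Add, false, p.add(Op::Neg, false, p.arg(0, false)), p.arg(1, false)); }
Value* addNeg2(Proc& p) { return p.add(Op::Add, false, p.arg(0, false), p.add(Op::Neg, false, p.arg(1, false))); }
Value* absNeg(Proc& p)  { return p.add(Op::Abs, true, p.add(Op::Neg, true, p.arg(0, true))); }

struct Outcome { Op rootOp; bool agrees; };

// Builds the shape twice, reduces one copy, and reports the reduced root opcode plus
// whether reduced and unreduced forms agree on the sample arguments.
Outcome check(Builder build, std::vector<double> args, bool buggyAbsNeg = false)
{
    Proc proc;
    const Value* unreduced = build(proc);
    Value* reduced = reduce(proc, build(proc), buggyAbsNeg);
    return {reduced->op, eval(unreduced, args) == eval(reduced, args)};
}
```

With `buggyAbsNeg` set, Abs(Neg(x)) reduces to x, which still agrees with the unreduced form for non-negative x, so a test that only samples positive inputs would not catch the bug.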
1764 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1765
1766         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1767         https://bugs.webkit.org/show_bug.cgi?id=194374
1768
1769         Reviewed by Geoffrey Garen.
1770
1771         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1772         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1773         is more memory efficient.
1774
1775         * runtime/SmallStrings.cpp:
1776         (JSC::SmallStringsStorage::SmallStringsStorage):
1777         (JSC::SmallStrings::SmallStrings):
1778         * runtime/SmallStrings.h:
1779
1780 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1781
1782         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1783         https://bugs.webkit.org/show_bug.cgi?id=194369
1784         <rdar://problem/47813087>
1785
1786         Reviewed by Saam Barati.
1787
1788         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
1789         JSEmpty if it is TDZ. This incorrectly proved type information removes necessary CheckNotEmpty in the
1790         constant folding phase.
1791
1792         * dfg/DFGAbstractInterpreterInlines.h:
1793         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1794
1795 2019-02-06  Devin Rousso  <drousso@apple.com>
1796
1797         Web Inspector: DOM: don't send the entire function string with each event listener
1798         https://bugs.webkit.org/show_bug.cgi?id=194293
1799         <rdar://problem/47822809>
1800
1801         Reviewed by Joseph Pecoraro.
1802
1803         * inspector/protocol/DOM.json:
1804
1805         * runtime/JSFunction.h:
1806         Export `calculatedDisplayName`.
1807
1808 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1809
1810         [JSC] PrivateName to PublicName hash table is wasteful
1811         https://bugs.webkit.org/show_bug.cgi?id=194277
1812
1813         Reviewed by Michael Saboff.
1814
1815         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
1816         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1817         each of which takes 16KB memory. While "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1818         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1819
1820         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1821
1822         1. PrivateName's content should be the same as PublicName.
1823         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1824            the public name should be easily crafted from the given PrivateName.
1825
1826         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1827         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1828
1829         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1830         WebCore.
1831
1832         * builtins/BuiltinNames.cpp:
1833         (JSC::BuiltinNames::BuiltinNames):
1834         * builtins/BuiltinNames.h:
1835         (JSC::BuiltinNames::lookUpPrivateName const):
1836         (JSC::BuiltinNames::getPublicName const):
1837         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1838         (JSC::BuiltinNames::appendExternalName):
1839         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1840         * builtins/BuiltinUtils.h:
1841         * bytecode/BytecodeDumper.cpp:
1842         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1843         * bytecompiler/NodesCodegen.cpp:
1844         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1845         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1846         * parser/Lexer.cpp:
1847         (JSC::Lexer<LChar>::parseIdentifier):
1848         (JSC::Lexer<UChar>::parseIdentifier):
1849         * parser/Parser.cpp:
1850         (JSC::Parser<LexerType>::createGeneratorParameters):
1851         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1852         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1853         (JSC::Parser<LexerType>::parseClassDeclaration):
1854         (JSC::Parser<LexerType>::parseExportDeclaration):
1855         (JSC::Parser<LexerType>::parseMemberExpression):
1856         * parser/ParserArena.h:
1857         (JSC::IdentifierArena::makeIdentifier):
1858         * runtime/CachedTypes.cpp:
1859         (JSC::CachedUniquedStringImpl::encode):
1860         (JSC::CachedUniquedStringImpl::decode const):
1861         * runtime/CommonIdentifiers.cpp:
1862         (JSC::CommonIdentifiers::CommonIdentifiers):
1863         (JSC::CommonIdentifiers::lookUpPrivateName const):
1864         (JSC::CommonIdentifiers::getPublicName const):
1865         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1866         * runtime/CommonIdentifiers.h:
1867         * runtime/ExceptionHelpers.cpp:
1868         (JSC::createUndefinedVariableError):
1869         * runtime/Identifier.cpp:
1870         (JSC::Identifier::dump const):
1871         * runtime/Identifier.h:
1872         * runtime/IdentifierInlines.h:
1873         (JSC::Identifier::fromUid):
1874         * runtime/JSTypedArrayViewPrototype.cpp:
1875         (JSC::JSTypedArrayViewPrototype::finishCreation):
1876         * tools/JSDollarVM.cpp:
1877         (JSC::functionGetPrivateProperty):
1878
1879 2019-02-06  Keith Rollin  <krollin@apple.com>
1880
1881         Really enable the automatic checking and regenerations of .xcfilelists during builds
1882         https://bugs.webkit.org/show_bug.cgi?id=194357
1883         <rdar://problem/47861231>
1884
1885         Reviewed by Chris Dumez.
1886
1887         Bug 194124 was supposed to enable the automatic checking and
1888         regenerating of .xcfilelist files during the build. While related
1889         changes were included in that patch, the change to actually enable the
1890         operation somehow was omitted. This patch actually enables the
1891         operation. The check-xcfilelist.sh scripts now check
1892         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1893         of the checking.
1894
1895         * Scripts/check-xcfilelists.sh:
1896
1897 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1898
1899         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1900         https://bugs.webkit.org/show_bug.cgi?id=194339
1901
1902         Reviewed by Michael Saboff.
1903
1904         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1905         They have even the same structure. This patch unifies the subspaces for them.
1906
1907         * runtime/DirectEvalExecutable.h:
1908         * runtime/EvalExecutable.h:
1909         (JSC::EvalExecutable::subspaceFor):
1910         * runtime/IndirectEvalExecutable.h:
1911         * runtime/VM.cpp:
1912         * runtime/VM.h:
1913         (JSC::VM::forEachScriptExecutableSpace):
1914
1915 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1916
1917         [JSC] NativeExecutable should be smaller
1918         https://bugs.webkit.org/show_bug.cgi?id=194331
1919
1920         Reviewed by Michael Saboff.
1921
1922         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1923         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1924         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1925         only takes one MarkedBlock for NativeExecutable.
1926
1927         To make NativeExecutable smaller,
1928
1929         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1930            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1931
1932         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1933            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1934            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1935
1936         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things, we can leverage this to put
1937            Intrinsic for NativeExecutable.
1938
1939         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1940
1941         * CMakeLists.txt:
1942         * JavaScriptCore.xcodeproj/project.pbxproj:
1943         * bytecode/CallVariant.h:
1944         * interpreter/Interpreter.cpp:
1945         * jit/JITCode.cpp:
1946         (JSC::DirectJITCode::DirectJITCode):
1947         (JSC::NativeJITCode::NativeJITCode):
1948         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1949         * jit/JITCode.h:
1950         (JSC::JITCode::signature const):
1951         (JSC::JITCode::intrinsic):
1952         * jit/JITOperations.cpp:
1953         * jit/JITThunks.cpp:
1954         (JSC::JITThunks::hostFunctionStub):
1955         * jit/Repatch.cpp:
1956         * llint/LLIntSlowPaths.cpp:
1957         * runtime/ExecutableBase.cpp:
1958         (JSC::ExecutableBase::dump const):
1959         (JSC::ExecutableBase::hashFor const):
1960         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1961         (JSC::ExecutableBase::clearCode): Deleted.
1962         * runtime/ExecutableBase.h:
1963         (JSC::ExecutableBase::ExecutableBase):
1964         (JSC::ExecutableBase::isModuleProgramExecutable):
1965         (JSC::ExecutableBase::isHostFunction const):
1966         (JSC::ExecutableBase::generatedJITCodeForCall const):
1967         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1968         (JSC::ExecutableBase::generatedJITCodeFor const):
1969         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1970         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1971         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1972         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1973         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1974         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1975         (JSC::ExecutableBase::intrinsic const): Deleted.
1976         * runtime/ExecutableBaseInlines.h: Added.
1977         (JSC::ExecutableBase::intrinsic const):
1978         (JSC::ExecutableBase::hasJITCodeForCall const):
1979         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1980         * runtime/JSBoundFunction.cpp:
1981         * runtime/JSType.cpp:
1982         (WTF::printInternal):
1983         * runtime/JSType.h:
1984         * runtime/NativeExecutable.cpp:
1985         (JSC::NativeExecutable::create):
1986         (JSC::NativeExecutable::createStructure):
1987         (JSC::NativeExecutable::NativeExecutable):
1988         (JSC::NativeExecutable::signatureFor const):
1989         (JSC::NativeExecutable::intrinsic const):
1990         * runtime/NativeExecutable.h:
1991         * runtime/ScriptExecutable.cpp:
1992         (JSC::ScriptExecutable::ScriptExecutable):
1993         (JSC::ScriptExecutable::clearCode):
1994         (JSC::ScriptExecutable::installCode):
1995         (JSC::ScriptExecutable::hasClearableCode const):
1996         * runtime/ScriptExecutable.h:
1997         (JSC::ScriptExecutable::intrinsic const):
1998         (JSC::ScriptExecutable::hasJITCodeForCall const):
1999         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
2000         * runtime/VM.cpp:
2001         (JSC::VM::getHostFunction):
2002
2003 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
2004
2005         Build failure after r240431
2006         https://bugs.webkit.org/show_bug.cgi?id=194330
2007
2008         Reviewed by Žan Doberšek.
2009
2010         * API/glib/JSCOptions.cpp:
2011
2012 2019-02-05  Mark Lam  <mark.lam@apple.com>
2013
2014         Fix DFG's doesGC() for a few more nodes.
2015         https://bugs.webkit.org/show_bug.cgi?id=194307
2016         <rdar://problem/47832956>
2017
2018         Reviewed by Yusuke Suzuki.
2019
2020         Fix doesGC() for the following nodes:
2021
2022             NumberToStringWithValidRadixConstant:
2023                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
2024                 which can allocate a string.
2025                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
2026                 which can allocate a string.
2027                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
2028                 which can allocate a string.
2029
2030             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
2031                 memory for all kinds of objects.
2032             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
2033                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
2034                 these allocate memory for the match result.
2035             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
2036                 calls RegExpObject's collectMatches(), which allocates an array amongst
2037                 other objects.
2038
2039             StringFromCharCode:
2040                 If the uint32 code to convert is greater than maxSingleCharacterString,
2041                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
2042                 which allocates a new string if the code is greater than maxSingleCharacterString.
2043
2044         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
2045         to use maxSingleCharacterString instead of a literal constant.
2046
2047         * dfg/DFGDoesGC.cpp:
2048         (JSC::DFG::doesGC):
2049         * dfg/DFGSpeculativeJIT.cpp:
2050         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2051         * ftl/FTLLowerDFGToB3.cpp:
2052         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
2053
2054 2019-02-05  Keith Rollin  <krollin@apple.com>
2055
2056         Enable the automatic checking and regenerations of .xcfilelists during builds
2057         https://bugs.webkit.org/show_bug.cgi?id=194124
2058         <rdar://problem/47721277>
2059
2060         Reviewed by Tim Horton.
2061
2062         Bug 193790 added a facility for checking -- during build time -- that
2063         any needed .xcfilelist files are up-to-date and for updating them if
2064         they are not. This facility was initially opt-in by setting
2065         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
2066         the process seemed robust. It's now time to enable this facility and
2067         make it opt-out. If there is a need to disable this facility, set and
2068         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
2069         running `make` or `build-webkit`, or before running Xcode from the
2070         command line.
2071
2072         Additionally, remove the step that generates a list of source files
2073         going into the UnifiedSources build step. It's only necessary to
2074         specify Sources.txt and SourcesCocoa.txt as inputs.
2075
2076         * JavaScriptCore.xcodeproj/project.pbxproj:
2077         * UnifiedSources-input.xcfilelist: Removed.
2078
2079 2019-02-05  Keith Rollin  <krollin@apple.com>
2080
2081         Update .xcfilelist files
2082         https://bugs.webkit.org/show_bug.cgi?id=194121
2083         <rdar://problem/47720863>
2084
2085         Reviewed by Tim Horton.
2086
2087         Preparatory to enabling the facility for automatically updating the
2088         .xcfilelist files, check in a freshly-updated set so that not everyone
2089         runs up against having to regenerate them themselves.
2090
2091         * DerivedSources-input.xcfilelist:
2092         * DerivedSources-output.xcfilelist:
2093
2094 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
2095
2096         [INTL] improve efficiency of Intl.NumberFormat formatToParts
2097         https://bugs.webkit.org/show_bug.cgi?id=185557
2098
2099         Reviewed by Mark Lam.
2100
2101         Since field nesting depth is minimal, this algorithm should be effectively O(n),
2102         where n is the number of characters in the formatted string.
2103         It may be less memory efficient than the previous impl, since the intermediate Vector
2104         is the length of the string, instead of the count of the fields.
2105
2106         * runtime/IntlNumberFormat.cpp:
2107         (JSC::IntlNumberFormat::formatToParts):
2108         * runtime/IntlNumberFormat.h:
2109
2110 2019-02-05  Mark Lam  <mark.lam@apple.com>
2111
2112         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
2113         https://bugs.webkit.org/show_bug.cgi?id=194298
2114         <rdar://problem/47827555>
2115
2116         Reviewed by Saam Barati.
2117
2118         We do this for 3 reasons:
2119         1. It's clearer when reading doesGC()'s code that these nodes will return true.
2120         2. If things change in the future where clobberize() no longer reports these nodes
2121            as write(Heap), each node should be vetted first to make sure that it can never
2122            GC before being moved back to the doesGC() list that returns false.
2123         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
2124            correct in its claims about the nodes' GCing possibility.
2125
2126         The list of nodes moved are:
2127
2128             ArrayPush
2129             ArrayPop
2130             Call
2131             CallEval
2132             CallForwardVarargs
2133             CallVarargs
2134             Construct
2135             ConstructForwardVarargs
2136             ConstructVarargs
2137             DefineDataProperty
2138             DefineAccessorProperty
2139             DeleteById
2140             DeleteByVal
2141             DirectCall
2142             DirectConstruct
2143             DirectTailCallInlinedCaller
2144             GetById
2145             GetByIdDirect
2146             GetByIdDirectFlush
2147             GetByIdFlush
2148             GetByIdWithThis
2149             GetByValWithThis
2150             GetDirectPname
2151             GetDynamicVar
2152             HasGenericProperty
2153             HasOwnProperty
2154             HasStructureProperty
2155             InById
2156             InByVal
2157             InstanceOf
2158             InstanceOfCustom
2159             LoadVarargs
2160             NumberToStringWithRadix
2161             PutById
2162             PutByIdDirect
2163             PutByIdFlush
2164             PutByIdWithThis
2165             PutByOffset
2166             PutByValWithThis
2167             PutDynamicVar
2168             PutGetterById
2169             PutGetterByVal
2170             PutGetterSetterById
2171             PutSetterById
2172             PutSetterByVal
2173             PutStack
2174             PutToArguments
2175             RegExpExec
2176             RegExpTest
2177             ResolveScope
2178             ResolveScopeForHoistingFuncDeclInEval
2179             TailCall
2180             TailCallForwardVarargsInlinedCaller
2181             TailCallInlinedCaller
2182             TailCallVarargsInlinedCaller
2183             ToNumber
2184             ToPrimitive
2185             ValueNegate
2186
2187         * dfg/DFGDoesGC.cpp:
2188         (JSC::DFG::doesGC):
2189
2190 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2191
2192         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2193         https://bugs.webkit.org/show_bug.cgi?id=194281
2194
2195         Reviewed by Michael Saboff.
2196
2197         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2198         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2199
2200         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors into RefCountedArrays can be done with some restructuring
2201         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2202         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, and we leave them as future work.
2203
2204         * bytecode/CodeBlock.cpp:
2205         (JSC::CodeBlock::finishCreation):
2206         * bytecode/CodeBlock.h:
2207         (JSC::CodeBlock::bitVectors const): Deleted.
2208         * bytecode/CodeType.h:
2209         * bytecode/UnlinkedCodeBlock.cpp:
2210         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2211         (JSC::UnlinkedCodeBlock::shrinkToFit):
2212         * bytecode/UnlinkedCodeBlock.h:
2213         (JSC::UnlinkedCodeBlock::bitVector):
2214         (JSC::UnlinkedCodeBlock::addBitVector):
2215         (JSC::UnlinkedCodeBlock::addSetConstant):
2216         (JSC::UnlinkedCodeBlock::constantRegisters):
2217         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2218         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2219         (JSC::UnlinkedCodeBlock::codeType const):
2220         (JSC::UnlinkedCodeBlock::didOptimize const):
2221         (JSC::UnlinkedCodeBlock::setDidOptimize):
2222         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2223         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2224         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2225         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2226         * bytecompiler/BytecodeGenerator.cpp:
2227         (JSC::BytecodeGenerator::emitLoad):
2228         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2229         * bytecompiler/BytecodeGenerator.h:
2230         * runtime/CachedTypes.cpp:
2231         (JSC::CachedCodeBlockRareData::encode):
2232         (JSC::CachedCodeBlockRareData::decode const):
2233         (JSC::CachedCodeBlock::scopeRegister const):
2234         (JSC::CachedCodeBlock::codeType const):
2235         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2236         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2237         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2238         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2239
2240 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2241
2242         Unreviewed, add missing exception checks after r240637
2243         https://bugs.webkit.org/show_bug.cgi?id=193546
2244
2245         * tools/JSDollarVM.cpp:
2246         (JSC::functionShadowChickenFunctionsOnStack):
2247
2248 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2249
2250         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2251         https://bugs.webkit.org/show_bug.cgi?id=193993
2252
2253         Reviewed by Keith Miller.
2254
2255         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
2256         And some of them are rarely used. We should allocate them lazily.
2257
2258         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2259         functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
2260         And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2261         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2262         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2263         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2264         by using WTF::storeStoreFence when lazily allocating it.
2265
2266         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2267         existence of the space before touching it. This is not racy because the main thread is stopped when
2268         the constraint solving is working.
2269
2270         This changes sizeof(VM) from 64736 to 56472.
2271
2272         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2273         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
2274         collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
2275         dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
2276         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
2277         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2278         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2279
2280         * API/JSCallbackFunction.h:
2281         * API/ObjCCallbackFunction.h:
2282         (JSC::ObjCCallbackFunction::subspaceFor):
2283         * API/glib/JSCCallbackFunction.h:
2284         * CMakeLists.txt:
2285         * JavaScriptCore.xcodeproj/project.pbxproj:
2286         * bytecode/CodeBlock.cpp:
2287         (JSC::CodeBlock::visitChildren):
2288         (JSC::CodeBlock::finalizeUnconditionally):
2289         * bytecode/CodeBlock.h:
2290         * bytecode/EvalCodeBlock.h:
2291         * bytecode/ExecutableToCodeBlockEdge.h:
2292         * bytecode/FunctionCodeBlock.h:
2293         * bytecode/ModuleProgramCodeBlock.h:
2294         * bytecode/ProgramCodeBlock.h:
2295         * bytecode/UnlinkedFunctionExecutable.cpp:
2296         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2297         * bytecode/UnlinkedFunctionExecutable.h:
2298         * dfg/DFGSpeculativeJIT.cpp:
2299         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2300         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2301         (JSC::DFG::SpeculativeJIT::compileNewObject):
2302         * ftl/FTLLowerDFGToB3.cpp:
2303         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2304         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2305         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2306         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2307         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2308         * heap/Heap.cpp:
2309         (JSC::Heap::finalizeUnconditionalFinalizers):
2310         (JSC::Heap::deleteAllCodeBlocks):
2311         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2312         (JSC::Heap::addCoreConstraints):
2313         * heap/Subspace.cpp:
2314         (JSC::Subspace::initialize):
2315         * jit/AssemblyHelpers.h:
2316         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2317         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2318         * jit/JITOpcodes.cpp:
2319         (JSC::JIT::emit_op_new_object):
2320         * jit/JITOpcodes32_64.cpp:
2321         (JSC::JIT::emit_op_new_object):
2322         * runtime/DirectArguments.h:
2323         * runtime/DirectEvalExecutable.h:
2324         * runtime/ErrorInstance.h:
2325         (JSC::ErrorInstance::subspaceFor):
2326         * runtime/ExecutableBase.h:
2327         * runtime/FunctionExecutable.h:
2328         * runtime/IndirectEvalExecutable.h:
2329         * runtime/InferredValue.cpp:
2330         (JSC::InferredValue::visitChildren):
2331         * runtime/InferredValue.h:
2332         * runtime/InferredValueInlines.h:
2333         (JSC::InferredValue::finalizeUnconditionally):
2334         * runtime/InternalFunction.h:
2335         * runtime/JSAsyncFunction.h:
2336         * runtime/JSAsyncGeneratorFunction.h:
2337         * runtime/JSBoundFunction.h:
2338         * runtime/JSCell.h:
2339         (JSC::subspaceFor):
2340         (JSC::subspaceForConcurrently):
2341         * runtime/JSCellInlines.h:
2342         (JSC::allocatorForNonVirtualConcurrently):
2343         * runtime/JSCustomGetterSetterFunction.h:
2344         * runtime/JSDestructibleObject.h:
2345         * runtime/JSFunction.h:
2346         * runtime/JSGeneratorFunction.h:
2347         * runtime/JSImmutableButterfly.h:
2348         * runtime/JSLexicalEnvironment.h:
2349         (JSC::JSLexicalEnvironment::subspaceFor):
2350         * runtime/JSNativeStdFunction.h:
2351         * runtime/JSSegmentedVariableObject.h:
2352         * runtime/JSString.h:
2353         * runtime/ModuleProgramExecutable.h:
2354         * runtime/NativeExecutable.h:
2355         * runtime/ProgramExecutable.h:
2356         * runtime/PropertyMapHashTable.h:
2357         * runtime/ProxyRevoke.h:
2358         * runtime/ScopedArguments.h:
2359         * runtime/ScriptExecutable.cpp:
2360         (JSC::ScriptExecutable::clearCode):
2361         (JSC::ScriptExecutable::installCode):
2362         * runtime/Structure.h:
2363         * runtime/StructureRareData.h:
2364         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2365         * runtime/VM.cpp:
2366         (JSC::VM::VM):
2367         * runtime/VM.h:
2368         (JSC::VM::SpaceAndSet::SpaceAndSet):
2369         (JSC::VM::SpaceAndSet::setFor):
2370         (JSC::VM::forEachScriptExecutableSpace):
2371         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2372         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2373         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2374         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2375         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2376         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2377         * runtime/WeakMapImpl.h:
2378         (JSC::WeakMapImpl::subspaceFor):
2379         * wasm/js/JSWebAssemblyCodeBlock.h:
2380         * wasm/js/JSWebAssemblyMemory.h:
2381         * wasm/js/WebAssemblyFunction.h:
2382         * wasm/js/WebAssemblyWrapperFunction.h:
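
        The lazy-creation protocol described in the entry above (main thread creates the space on first use; concurrent JIT tiers read it and must tolerate nullptr), as an added example that is not JSC's code. `Subspace`, `VM`, `ensureFooSpace` and `fooSpaceConcurrently` are hypothetical stand-ins for IsoSubspace, JSC::VM, ensureXXXSpace() and subspaceForConcurrently<>(); the assumption, taken from the entry, is that only the main thread ever creates the space, so a single release store plays the role of WTF::storeStoreFence.

```cpp
#include <atomic>
#include <cstddef>

// Stand-in for JSC's IsoSubspace (an assumption for this example; the real
// class is a large per-type allocator, ~504 bytes each per the ChangeLog).
struct Subspace {
    const char* name;
    std::size_t cellSize;
};

// Hypothetical VM with one lazily created space. Assumption modelled on the
// ChangeLog: only the main thread creates the space; JIT threads only read.
class VM {
public:
    // Main-thread path (cf. ensureXXXSpace()): allocate on first use and
    // publish with a release store, so a reader that observes the pointer
    // also observes the fully constructed Subspace. This is the role the
    // ChangeLog gives WTF::storeStoreFence.
    Subspace* ensureFooSpace()
    {
        if (Subspace* space = m_fooSpace.load(std::memory_order_acquire))
            return space;
        Subspace* space = new Subspace { "Foo", 64 };
        m_fooSpace.store(space, std::memory_order_release);
        return space;
    }

    // Concurrent-tier path (cf. subspaceForConcurrently<>()): never
    // allocates. nullptr means "not created yet"; the JIT must fall back
    // to a slow path instead of treating it as an error.
    Subspace* fooSpaceConcurrently() const
    {
        return m_fooSpace.load(std::memory_order_acquire);
    }

    ~VM() { delete m_fooSpace.load(std::memory_order_relaxed); }

private:
    std::atomic<Subspace*> m_fooSpace { nullptr };
};

// What a concurrent JIT tier does with the answer: inline-allocate only if
// the space already exists, otherwise emit a slow-path call.
enum class AllocPlan { Inline, SlowPath };

AllocPlan planConcurrentAllocation(const VM& vm)
{
    return vm.fooSpaceConcurrently() ? AllocPlan::Inline : AllocPlan::SlowPath;
}

// Walks the scenario the ChangeLog describes and returns true if every
// observation matches the intended semantics.
bool lazySpaceScenarioHolds()
{
    VM vm;
    if (planConcurrentAllocation(vm) != AllocPlan::SlowPath) // not created yet
        return false;
    Subspace* first = vm.ensureFooSpace();                  // main thread creates it
    if (!first || vm.ensureFooSpace() != first)             // idempotent
        return false;
    if (vm.fooSpaceConcurrently() != first)                 // now visible to JIT tiers
        return false;
    return planConcurrentAllocation(vm) == AllocPlan::Inline;
}

int main()
{
    return lazySpaceScenarioHolds() ? 0 : 1;
}
```

        The release/acquire pair is what makes the nullptr-or-valid contract safe: a JIT thread can never observe a pointer to a half-constructed space. The remaining hazard is the one the entry calls out for GC constraint solving, which this model sidesteps by only reading the space while the writer is known to be stopped.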
2383
2384 2019-02-04  Keith Miller  <keith_miller@apple.com>
2385
2386         Change llint operand macros to inline functions
2387         https://bugs.webkit.org/show_bug.cgi?id=194248
2388
2389         Reviewed by Mark Lam.
2390
2391         * llint/LLIntSlowPaths.cpp:
2392         (JSC::LLInt::getNonConstantOperand):
2393         (JSC::LLInt::getOperand):
2394         (JSC::LLInt::llint_trace_value):
2395         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2396         (JSC::LLInt::getByVal):
2397         (JSC::LLInt::genericCall):
2398         (JSC::LLInt::varargsSetup):
2399         (JSC::LLInt::commonCallEval):
2400
2401 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2402
2403         when lowering AssertNotEmpty, create the value before creating the patchpoint
2404         https://bugs.webkit.org/show_bug.cgi?id=194231
2405
2406         Reviewed by Saam Barati.
2407
2408         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2409         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2410
2411         * ftl/FTLLowerDFGToB3.cpp:
2412         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2413
2414 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2415
2416         [JSC] ExecutableToCodeBlockEdge should be smaller
2417         https://bugs.webkit.org/show_bug.cgi?id=194244
2418
2419         Reviewed by Michael Saboff.
2420
2421         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2422         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2423         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2424         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2425
2426         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2427         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2428         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2429
2430         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2431         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2432         does not touch it if it is called in non-main threads).
2433
2434         * bytecode/ExecutableToCodeBlockEdge.cpp:
2435         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2436         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2437         (JSC::ExecutableToCodeBlockEdge::activate):
2438         (JSC::ExecutableToCodeBlockEdge::deactivate):
2439         (JSC::ExecutableToCodeBlockEdge::isActive const):
2440         * bytecode/ExecutableToCodeBlockEdge.h:
2441         * runtime/JSCell.h:
2442         * runtime/JSCellInlines.h:
2443         (JSC::JSCell::perCellBit const):
2444         (JSC::JSCell::setPerCellBit):
2445         (JSC::JSCell::mayBePrototype const): Deleted.
2446         (JSC::JSCell::didBecomePrototype): Deleted.
2447         * runtime/JSObject.cpp:
2448         (JSC::JSObject::setPrototypeDirect):
2449         * runtime/JSObject.h:
2450         * runtime/JSObjectInlines.h:
2451         (JSC::JSObject::mayBePrototype const):
2452         (JSC::JSObject::didBecomePrototype):
2453         * runtime/JSTypeInfo.h:
2454         (JSC::TypeInfo::perCellBit):
2455         (JSC::TypeInfo::mergeInlineTypeFlags):
2456         (JSC::TypeInfo::mayBePrototype): Deleted.
2457
2458 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2459
2460         [JSC] Shrink size of FunctionExecutable
2461         https://bugs.webkit.org/show_bug.cgi?id=194191
2462
2463         Reviewed by Michael Saboff.
2464
2465         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2466         improves the allocation efficiency.
2467
2468         1. ScriptExecutable (base class of FunctionExecutable) has several members, but they are meaningful only in FunctionExecutable.
2469            We remove them from ScriptExecutable and move them to FunctionExecutable.
2470
2471         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2472            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2473            the size of FunctionExecutable in the common case.
2474
2475         This patch changes the size of FunctionExecutable from 176 to 144.
2476
2477         * bytecode/CodeBlock.cpp:
2478         (JSC::CodeBlock::dumpSource):
2479         (JSC::CodeBlock::finishCreation):
2480         * dfg/DFGNode.h:
2481         (JSC::DFG::Node::OpInfoWrapper::as const):
2482         * interpreter/StackVisitor.cpp:
2483         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2484         * runtime/ExecutableBase.h:
2485         * runtime/FunctionExecutable.cpp:
2486         (JSC::FunctionExecutable::FunctionExecutable):
2487         (JSC::FunctionExecutable::ensureRareDataSlow):
2488         * runtime/FunctionExecutable.h:
2489         * runtime/Intrinsic.h:
2490         * runtime/ModuleProgramExecutable.cpp:
2491         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2492         * runtime/ProgramExecutable.cpp:
2493         (JSC::ProgramExecutable::ProgramExecutable):
2494         * runtime/ScriptExecutable.cpp:
2495         (JSC::ScriptExecutable::ScriptExecutable):
2496         (JSC::ScriptExecutable::overrideLineNumber const):
2497         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2498         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2499         * runtime/ScriptExecutable.h:
2500         (JSC::ScriptExecutable::firstLine const):
2501         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2502         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2503         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2504         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2505         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2506         * runtime/StackFrame.cpp:
2507         (JSC::StackFrame::computeLineAndColumn const):
2508         * tools/JSDollarVM.cpp:
2509         (JSC::functionReturnTypeFor):
2510
2511 2019-02-04  Mark Lam  <mark.lam@apple.com>
2512
2513         DFG's doesGC() is incorrect about the SameValue node's behavior.
2514         https://bugs.webkit.org/show_bug.cgi?id=194211
2515         <rdar://problem/47608913>
2516
2517         Reviewed by Saam Barati.
2518
2519         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2520         it calls operationSameValue() which may allocate memory for resolving ropes.
2521
2522         * dfg/DFGDoesGC.cpp:
2523         (JSC::DFG::doesGC):
2524
2525 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2526
2527         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2528         https://bugs.webkit.org/show_bug.cgi?id=194031
2529
2530         Reviewed by Saam Barati.
2531
2532         UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2533         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2534         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
2535         destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.
2536
2537         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2538         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2539
2540         * bytecode/MetadataTable.cpp:
2541         (JSC::MetadataTable::MetadataTable):
2542         (JSC::MetadataTable::~MetadataTable):
2543         * bytecode/UnlinkedCodeBlock.cpp:
2544         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2545         (JSC::UnlinkedCodeBlock::visitChildren):
2546         (JSC::UnlinkedCodeBlock::estimatedSize):
2547         (JSC::UnlinkedCodeBlock::setInstructions):
2548         * bytecode/UnlinkedCodeBlock.h:
2549         (JSC::UnlinkedCodeBlock::metadata):
2550         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2551         * bytecode/UnlinkedMetadataTable.h:
2552         (JSC::UnlinkedMetadataTable::create):
2553         * bytecode/UnlinkedMetadataTableInlines.h:
2554         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2555         * runtime/CachedTypes.cpp:
2556         (JSC::CachedMetadataTable::decode const):
2557         (JSC::CachedCodeBlock::metadata const):
2558         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2559         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2560         (JSC::CachedCodeBlock<CodeBlockType>::encode):
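
        The ownership fix described in the entry above (a linked table keeping its unlinked table alive regardless of sweep order), as an added example that is not JSC's code. The two classes are hypothetical models whose layout is an assumption for illustration; std::shared_ptr stands in for WTF's RefCounted/RefPtr, and `offsetAfterUnlinkedOwnerDies` and `refCountScenarioHolds` are helper names introduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Model of the unlinked table (assumption for illustration, not JSC's class).
// It owns the per-opcode layout that every linked table indexes into, so it
// must outlive each linked table that references it.
class UnlinkedMetadataTable {
public:
    explicit UnlinkedMetadataTable(std::vector<std::uint32_t> offsets)
        : m_offsets(std::move(offsets)) { }
    std::uint32_t offsetFor(std::size_t opcode) const { return m_offsets.at(opcode); }
    std::size_t opcodeCount() const { return m_offsets.size(); }

private:
    std::vector<std::uint32_t> m_offsets;
};

// The fix: a linked table holds a strong reference (shared_ptr here, a
// RefPtr in JSC) to its unlinked table. Before the fix it held a plain
// pointer and relied on a destruction order the GC sweeper never promised,
// so the pointer could dangle if the UnlinkedCodeBlock was swept first.
class MetadataTable {
public:
    explicit MetadataTable(std::shared_ptr<UnlinkedMetadataTable> unlinked)
        : m_unlinked(std::move(unlinked))
        , m_data(m_unlinked->opcodeCount(), 0) { }

    void record(std::size_t opcode, std::uint32_t value) { m_data.at(opcode) = value; }
    std::uint32_t read(std::size_t opcode) const { return m_data.at(opcode); }
    std::uint32_t unlinkedOffset(std::size_t opcode) const { return m_unlinked->offsetFor(opcode); }
    long unlinkedRefCount() const { return m_unlinked.use_count(); }

private:
    std::shared_ptr<UnlinkedMetadataTable> m_unlinked; // keeps the unlinked table alive
    std::vector<std::uint32_t> m_data;                 // per-opcode linked metadata
};

// Replays the bad sweep order: the UnlinkedCodeBlock side drops its table
// first while a linked table is still alive. Returns the unlinked offset
// the linked table can still read afterwards (24 for opcode 2 below).
std::uint32_t offsetAfterUnlinkedOwnerDies()
{
    auto unlinked = std::make_shared<UnlinkedMetadataTable>(std::vector<std::uint32_t> { 0, 8, 24 });
    MetadataTable linked(unlinked);
    linked.record(2, 42);
    unlinked.reset();                // "UnlinkedCodeBlock" swept first
    return linked.unlinkedOffset(2); // still backed: the linked table owns the last ref
}

// Checks the reference count at each step: two owners while both are live,
// one after the unlinked owner goes away, and the linked data still intact.
bool refCountScenarioHolds()
{
    auto unlinked = std::make_shared<UnlinkedMetadataTable>(std::vector<std::uint32_t> { 0, 8, 24 });
    MetadataTable linked(unlinked);
    linked.record(1, 7);
    if (linked.unlinkedRefCount() != 2)
        return false;
    unlinked.reset();
    return linked.unlinkedRefCount() == 1 && linked.read(1) == 7 && linked.unlinkedOffset(1) == 8;
}
```

        The point of the strong reference is that the unlinked table's lifetime is now derived from its users rather than from the sweeper's visiting order, which is exactly the property the entry says the finalizer cannot guarantee on its own.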
2561
2562 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2563
2564         [JSC] Decouple JIT related data from CodeBlock
2565         https://bugs.webkit.org/show_bug.cgi?id=194187
2566
2567         Reviewed by Saam Barati.
2568
2569         CodeBlock holds a bunch of data which is only used after JIT starts compiling it.
2570         We have three types of data in CodeBlock.
2571
2572         1. The data which is always used. CodeBlock needs to hold it.
2573         2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
2574         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2575
2576         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2577         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2578         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2579         in both non-JIT and *JIT* modes.
2580
2581         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2582         by the lock of CodeBlock.
2583
2584         The size of CodeBlock is reduced from 512 to 352.
2585
2586         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2587
2588             Footprint geomean: 36696503 (34.997 MB)
2589             Peak Footprint geomean: 38595988 (36.808 MB)
2590             Score: 37634263 (35.891 MB)
2591
2592             Footprint geomean: 37172768 (35.451 MB)
2593             Peak Footprint geomean: 38978288 (37.173 MB)
2594             Score: 38064824 (36.301 MB)
2595
2596         * bytecode/CodeBlock.cpp:
2597         (JSC::CodeBlock::~CodeBlock):
2598         (JSC::CodeBlock::propagateTransitions):
2599         (JSC::CodeBlock::ensureJITDataSlow):
2600         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2601         (JSC::CodeBlock::getICStatusMap):
2602         (JSC::CodeBlock::addStubInfo):
2603         (JSC::CodeBlock::addJITAddIC):
2604         (JSC::CodeBlock::addJITMulIC):
2605         (JSC::CodeBlock::addJITSubIC):
2606         (JSC::CodeBlock::addJITNegIC):
2607         (JSC::CodeBlock::findStubInfo):
2608         (JSC::CodeBlock::addByValInfo):
2609         (JSC::CodeBlock::addCallLinkInfo):
2610         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2611         (JSC::CodeBlock::addRareCaseProfile):
2612         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2613         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2614         (JSC::CodeBlock::resetJITData):
2615         (JSC::CodeBlock::stronglyVisitStrongReferences):
2616         (JSC::CodeBlock::shrinkToFit):
2617         (JSC::CodeBlock::linkIncomingCall):
2618         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2619         (JSC::CodeBlock::unlinkIncomingCalls):
2620         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2621         (JSC::CodeBlock::dumpValueProfiles):
2622         (JSC::CodeBlock::setPCToCodeOriginMap):
2623         (JSC::CodeBlock::findPC):
2624         (JSC::CodeBlock::dumpMathICStats):
2625         * bytecode/CodeBlock.h:
2626         (JSC::CodeBlock::ensureJITData):
2627         (JSC::CodeBlock::setJITCodeMap):
2628         (JSC::CodeBlock::jitCodeMap):
2629         (JSC::CodeBlock::likelyToTakeSlowCase):
2630         (JSC::CodeBlock::couldTakeSlowCase):
2631         (JSC::CodeBlock::lazyOperandValueProfiles):
2632         (JSC::CodeBlock::stubInfoBegin): Deleted.
2633         (JSC::CodeBlock::stubInfoEnd): Deleted.
2634         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2635         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2636         (JSC::CodeBlock::jitCodeMap const): Deleted.
2637         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2638         * bytecode/MethodOfGettingAValueProfile.cpp:
2639         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2640         (JSC::MethodOfGettingAValueProfile::reportValue):
2641         * dfg/DFGByteCodeParser.cpp:
2642         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2643         * jit/JIT.h:
2644         * jit/JITOperations.cpp:
2645         (JSC::tryGetByValOptimize):
2646         * jit/JITPropertyAccess.cpp:
2647         (JSC::JIT::privateCompileGetByVal):
2648         (JSC::JIT::privateCompilePutByVal):
2649
2650 2018-12-16  Darin Adler  <darin@apple.com>
2651
2652         Convert additional String::format clients to alternative approaches
2653         https://bugs.webkit.org/show_bug.cgi?id=192746
2654
2655         Reviewed by Alexey Proskuryakov.
2656
2657         * inspector/agents/InspectorConsoleAgent.cpp:
2658         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2659         and FormattedNumber::fixedWidth.
2660
2661 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2662
2663         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2664         https://bugs.webkit.org/show_bug.cgi?id=194177
2665
2666         Reviewed by Saam Barati.
2667
2668         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2669         We can share the IsoSubspace for JSFunction.
2670
2671         * runtime/JSAsyncFunction.h:
2672         * runtime/JSAsyncGeneratorFunction.h:
2673         * runtime/JSGeneratorFunction.h:
2674         * runtime/VM.cpp:
2675         (JSC::VM::VM):
2676         * runtime/VM.h:
2677
2678 2019-02-01  Mark Lam  <mark.lam@apple.com>
2679
2680         Remove invalid assertion in DFG's compileDoubleRep().
2681         https://bugs.webkit.org/show_bug.cgi?id=194130
2682         <rdar://problem/47699474>
2683
2684         Reviewed by Saam Barati.
2685
2686         * dfg/DFGSpeculativeJIT.cpp:
2687         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2688
2689 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2690
2691         [JSC] Unify CodeBlock IsoSubspaces
2692         https://bugs.webkit.org/show_bug.cgi?id=194167
2693
2694         Reviewed by Saam Barati.
2695
2696         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2697         But this is not necessary since:
2698
2699         1. They do not override the classInfo methods.
2700         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since the subclasses add no additional fields.
2701
2702         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2703         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2704         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2705
2706         This patch unifies these IsoSubspaces into one.
2707
2708         * bytecode/CodeBlock.cpp:
2709         (JSC::CodeBlock::destroy):
2710         * bytecode/CodeBlock.h:
2711         * bytecode/EvalCodeBlock.cpp:
2712         (JSC::EvalCodeBlock::destroy): Deleted.
2713         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2714         * bytecode/FunctionCodeBlock.cpp:
2715         (JSC::FunctionCodeBlock::destroy): Deleted.
2716         * bytecode/FunctionCodeBlock.h:
2717         * bytecode/GlobalCodeBlock.h:
2718         * bytecode/ModuleProgramCodeBlock.cpp:
2719         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2720         * bytecode/ModuleProgramCodeBlock.h:
2721         * bytecode/ProgramCodeBlock.cpp:
2722         (JSC::ProgramCodeBlock::destroy): Deleted.
2723         * bytecode/ProgramCodeBlock.h:
2724         * interpreter/Interpreter.cpp:
2725         (JSC::Interpreter::execute):
2726         * runtime/VM.cpp:
2727         (JSC::VM::VM):
2728         * runtime/VM.h:
2729         (JSC::VM::forEachCodeBlockSpace):
2730
2731 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2732
2733         Unreviewed, follow-up after r240859
2734         https://bugs.webkit.org/show_bug.cgi?id=194145
2735
2736         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2737         And rename cellDangerousBitsSpace back to cellSpace.
2738
2739         * runtime/JSCellInlines.h:
2740         (JSC::JSCell::subspaceFor):
2741         * runtime/VM.cpp:
2742         (JSC::VM::VM):
2743         * runtime/VM.h:
2744
2745 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2746
2747         [JSC] Remove cellJSValueOOBSpace
2748         https://bugs.webkit.org/show_bug.cgi?id=194145
2749
2750         Reviewed by Mark Lam.
2751
2752         * runtime/JSObject.h:
2753         (JSC::JSObject::subspaceFor): Deleted.
2754         * runtime/VM.cpp:
2755         (JSC::VM::VM):
2756         * runtime/VM.h:
2757
2758 2019-01-31  Mark Lam  <mark.lam@apple.com>
2759
2760         Remove poisoning from CodeBlock and LLInt code.
2761         https://bugs.webkit.org/show_bug.cgi?id=194113
2762
2763         Reviewed by Yusuke Suzuki.
2764
2765         * bytecode/CodeBlock.cpp:
2766         (JSC::CodeBlock::CodeBlock):
2767         (JSC::CodeBlock::~CodeBlock):
2768         (JSC::CodeBlock::setConstantRegisters):
2769         (JSC::CodeBlock::propagateTransitions):
2770         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2771         (JSC::CodeBlock::jettison):
2772         (JSC::CodeBlock::predictedMachineCodeSize):
2773         * bytecode/CodeBlock.h:
2774         (JSC::CodeBlock::vm const):
2775         (JSC::CodeBlock::addConstant):
2776         (JSC::CodeBlock::heap const):
2777         (JSC::CodeBlock::replaceConstant):
2778         * llint/LLIntOfflineAsmConfig.h:
2779         * llint/LLIntSlowPaths.cpp:
2780         (JSC::LLInt::handleHostCall):
2781         (JSC::LLInt::setUpCall):
2782         * llint/LowLevelInterpreter.asm:
2783         * llint/LowLevelInterpreter32_64.asm:
2784         * llint/LowLevelInterpreter64.asm:
2785
2786 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2787
2788         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2789         https://bugs.webkit.org/show_bug.cgi?id=194107
2790
2791         Reviewed by Saam Barati.
2792
2793         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2794         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2795
2796         * CMakeLists.txt:
2797         * DerivedSources.make:
2798         * JavaScriptCore.xcodeproj/project.pbxproj:
2799         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2800         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2801         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2802         (JSC::AsyncFromSyncIteratorPrototype::create):
2803         * runtime/AsyncFromSyncIteratorPrototype.h:
2804
2805 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2806
2807         Fix `runJITThreadLimitTests` in testapi
2808         https://bugs.webkit.org/show_bug.cgi?id=194064
2809         <rdar://problem/46139147>
2810
2811         Reviewed by Mark Lam.
2812
2813         Fix typo where `targetNumberOfThreads` was not being used.
2814
2815         * API/tests/testapi.mm:
2816         (runJITThreadLimitTests):
2817
2818 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2819
2820         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2821         https://bugs.webkit.org/show_bug.cgi?id=194112
2822
2823         Reviewed by Mark Lam.
2824
2825         `testBytecodeCache` does not populate the bytecode cache for the global
2826         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2827
2828         * API/tests/testapi.mm:
2829         (testBytecodeCache):
2830
2831 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2832
2833         Unreviewed, follow-up after r240796
2834
2835         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2836         when allocating InferredValue in FunctionExecutable::finishCreation.
2837
2838         * runtime/FunctionExecutable.cpp:
2839         (JSC::FunctionExecutable::FunctionExecutable):
2840         (JSC::FunctionExecutable::finishCreation):
2841
2842 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2843
2844         [JSC] Do not use InferredValue in non-JIT configuration
2845         https://bugs.webkit.org/show_bug.cgi?id=194084
2846
2847         Reviewed by Saam Barati.
2848
2849         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2850         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2851         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2852         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2853         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2854         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2855         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2856         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2857
2858         * bytecode/ObjectAllocationProfileInlines.h:
2859         (JSC::ObjectAllocationProfile::initializeProfile):
2860         * runtime/FunctionExecutable.cpp:
2861         (JSC::FunctionExecutable::finishCreation):
2862         (JSC::FunctionExecutable::visitChildren):
2863         * runtime/FunctionExecutable.h:
2864         * runtime/InferredValue.cpp:
2865         (JSC::InferredValue::create):
2866         * runtime/JSAsyncFunction.cpp:
2867         (JSC::JSAsyncFunction::create):
2868         * runtime/JSAsyncGeneratorFunction.cpp:
2869         (JSC::JSAsyncGeneratorFunction::create):
2870         * runtime/JSFunction.cpp:
2871         (JSC::JSFunction::create):
2872         * runtime/JSFunctionInlines.h:
2873         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2874         * runtime/JSGeneratorFunction.cpp:
2875         (JSC::JSGeneratorFunction::create):
2876         * runtime/JSSymbolTableObject.h:
2877         (JSC::JSSymbolTableObject::setSymbolTable):
2878         * runtime/SymbolTable.cpp:
2879         (JSC::SymbolTable::finishCreation):
2880         * runtime/VM.cpp:
2881         (JSC::VM::VM):
2882
2883 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2884
2885         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2886         https://bugs.webkit.org/show_bug.cgi?id=194085
2887
2888         Reviewed by Yusuke Suzuki.
2889
2890         r240730 changed ud_itab.py and caused incremental build failures
2891         for Ninja builds.
2892
2893         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2894
2895 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2896
2897         [JSC] Symbol should be in destructibleCellSpace
2898         https://bugs.webkit.org/show_bug.cgi?id=194082
2899
2900         Reviewed by Saam Barati.
2901
2902         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2903         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2904         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2905         Symbol's space destructibleCellSpace to appropriately call the destructor.
2906
2907         * runtime/Symbol.h:
2908
2909 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2910
2911         Unreviewed, rolling out r240755.
2912
2913         This was not correct
2914
2915         Reverted changeset:
2916
2917         "Unreviewed, fix GCC build after r240730"
2918         https://bugs.webkit.org/show_bug.cgi?id=194041
2919         https://trac.webkit.org/changeset/240755
2920
2921 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2922
2923         Unreviewed, fix GCC build after r240730
2924         https://bugs.webkit.org/show_bug.cgi?id=194041
2925         <rdar://problem/47680981>
2926
2927         * disassembler/udis86/ud_itab.py:
2928         (UdItabGenerator.genOpcodeTablesLookupIndex):
2929
2930 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2931
2932         testapi's `testBytecodeCache` does not need to run the code twice
2933         https://bugs.webkit.org/show_bug.cgi?id=194046
2934
2935         Reviewed by Mark Lam.
2936
2937         Since we populate the cache eagerly (unlike the stress tests) we don't
2938         need to run the code twice.
2939
2940         * API/tests/testapi.mm:
2941         (testBytecodeCache):
2942
2943 2019-01-30  Saam barati  <sbarati@apple.com>
2944
2945         [WebAssembly] Change BBQ to generate Air IR
2946         https://bugs.webkit.org/show_bug.cgi?id=191802
2947         <rdar://problem/47651718>
2948
2949         Reviewed by Keith Miller.
2950
2951         This patch adds a new Wasm compiler for the BBQ tier. Instead
2952         of compiling using B3-O1, we now generate Air code directly.
2953         The goal of doing this was to speed up compile times for Wasm
2954         programs.
2955         
2956         This patch provides us with a 20-30% compile time speedup. However, I
2957         have ideas on how to improve compile times even further. For example,
2958         we should probably implement a faster-running register allocator:
2959         https://bugs.webkit.org/show_bug.cgi?id=194036
2960         
2961         We can also improve on the code we generate.
2962         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2963         And we should do better instruction selection in various
2964         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2965
2966         * JavaScriptCore.xcodeproj/project.pbxproj:
2967         * Sources.txt:
2968         * b3/B3LowerToAir.cpp:
2969         * b3/B3StackmapSpecial.h:
2970         * b3/air/AirCode.cpp:
2971         (JSC::B3::Air::Code::emitDefaultPrologue):
2972         * b3/air/AirCode.h:
2973         * b3/air/AirTmp.h:
2974         (JSC::B3::Air::Tmp::Tmp):
2975         * runtime/Options.h:
2976         * wasm/WasmAirIRGenerator.cpp: Added.
2977         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2978         (JSC::Wasm::TypedTmp::TypedTmp):
2979         (JSC::Wasm::TypedTmp::operator== const):
2980         (JSC::Wasm::TypedTmp::operator!= const):
2981         (JSC::Wasm::TypedTmp::operator bool const):
2982         (JSC::Wasm::TypedTmp::operator Tmp const):
2983         (JSC::Wasm::TypedTmp::operator Arg const):
2984         (JSC::Wasm::TypedTmp::tmp const):
2985         (JSC::Wasm::TypedTmp::type const):
2986         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2987         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2988         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2989         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2990         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2991         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2992         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2993         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2994         (JSC::Wasm::AirIRGenerator::emptyExpression):
2995         (JSC::Wasm::AirIRGenerator::fail const):
2996         (JSC::Wasm::AirIRGenerator::setParser):
2997         (JSC::Wasm::AirIRGenerator::toTmpVector):
2998         (JSC::Wasm::AirIRGenerator::validateInst):
2999         (JSC::Wasm::AirIRGenerator::extractArg):
3000         (JSC::Wasm::AirIRGenerator::append):
3001         (JSC::Wasm::AirIRGenerator::appendEffectful):
3002         (JSC::Wasm::AirIRGenerator::newTmp):
3003         (JSC::Wasm::AirIRGenerator::g32):
3004         (JSC::Wasm::AirIRGenerator::g64):
3005         (JSC::Wasm::AirIRGenerator::f32):
3006         (JSC::Wasm::AirIRGenerator::f64):
3007         (JSC::Wasm::AirIRGenerator::tmpForType):
3008         (JSC::Wasm::AirIRGenerator::addPatchpoint):
3009         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
3010         (JSC::Wasm::AirIRGenerator::emitCheck):
3011         (JSC::Wasm::AirIRGenerator::emitCCall):
3012         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
3013         (JSC::Wasm::AirIRGenerator::instanceValue):
3014         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
3015         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
3016         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
3017         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
3018         (JSC::Wasm::AirIRGenerator::emitThrowException):
3019         (JSC::Wasm::AirIRGenerator::addLocal):
3020         (JSC::Wasm::AirIRGenerator::addConstant):
3021         (JSC::Wasm::AirIRGenerator::addArguments):
3022         (JSC::Wasm::AirIRGenerator::getLocal):
3023         (JSC::Wasm::AirIRGenerator::addUnreachable):
3024         (JSC::Wasm::AirIRGenerator::addGrowMemory):
3025         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
3026         (JSC::Wasm::AirIRGenerator::setLocal):
3027         (JSC::Wasm::AirIRGenerator::getGlobal):
3028         (JSC::Wasm::AirIRGenerator::setGlobal):
3029         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
3030         (JSC::Wasm::sizeOfLoadOp):
3031         (JSC::Wasm::AirIRGenerator::emitLoadOp):
3032         (JSC::Wasm::AirIRGenerator::load):
3033         (JSC::Wasm::sizeOfStoreOp):
3034         (JSC::Wasm::AirIRGenerator::emitStoreOp):
3035         (JSC::Wasm::AirIRGenerator::store):
3036         (JSC::Wasm::AirIRGenerator::addSelect):
3037         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
3038         (JSC::Wasm::AirIRGenerator::addLoop):
3039         (JSC::Wasm::AirIRGenerator::addTopLevel):
3040         (JSC::Wasm::AirIRGenerator::addBlock):
3041         (JSC::Wasm::AirIRGenerator::addIf):
3042         (JSC::Wasm::AirIRGenerator::addElse):
3043         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
3044         (JSC::Wasm::AirIRGenerator::addReturn):
3045         (JSC::Wasm::AirIRGenerator::addBranch):
3046         (JSC::Wasm::AirIRGenerator::addSwitch):
3047         (JSC::Wasm::AirIRGenerator::endBlock):
3048         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
3049         (JSC::Wasm::AirIRGenerator::addCall):
3050         (JSC::Wasm::AirIRGenerator::addCallIndirect):
3051         (JSC::Wasm::AirIRGenerator::unify):
3052         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
3053         (JSC::Wasm::AirIRGenerator::dump):
3054         (JSC::Wasm::AirIRGenerator::origin):
3055         (JSC::Wasm::parseAndCompileAir):
3056         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
3057         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
3058         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
3059         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
3060         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
3061         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
3062         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
3063         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
3064         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
3065         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
3066         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
3067         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
3068         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
3069         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
3070         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
3071         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
3072         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
3073         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
3074         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
3075         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
3076         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
3077         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
3078         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
3079         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
3080         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
3081         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
3082         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
3083         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
3084         (JSC::Wasm::AirIRGenerator::addShift):
3085         (JSC::Wasm::AirIRGenerator::addIntegerSub):
3086         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
3087         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
3088         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
3089         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
3090         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
3091         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
3092         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
3093         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
3094         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
3095         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
3096         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
3097         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
3098         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
3099         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
3100         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
3101         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
3102         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
3103         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
3104         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
3105         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
3106         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
3107         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
3108         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
3109         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
3110         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
3111         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
3112         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
3113         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
3114         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
3115         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
3116         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
3117         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
3118         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
3119         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
3120         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
3121         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
3122         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
3123         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
3124         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
3125         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
3126         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
3127         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
3128         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
3129         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
3130         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
3131         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
3132         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
3133         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
3134         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
3135         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
3136         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
3137         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
3138         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
3139         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
3140         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
3141         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
3142         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3143         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3144         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3145         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3146         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3147         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3148         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3149         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3150         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3151         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3152         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3153         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3154         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3155         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3156         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3157         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3158         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3159         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3160         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3161         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3162         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3163         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3164         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3165         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3166         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3167         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3168         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3169         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3170         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3171         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3172         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3173         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3174         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3175         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3176         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3177         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3178         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3179         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3180         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3181         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3182         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3183         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3184         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3185         * wasm/WasmAirIRGenerator.h: Added.
3186         * wasm/WasmB3IRGenerator.cpp:
3187         (JSC::Wasm::B3IRGenerator::emptyExpression):
3188         * wasm/WasmBBQPlan.cpp:
3189         (JSC::Wasm::BBQPlan::compileFunctions):
3190         * wasm/WasmCallingConvention.cpp:
3191         (JSC::Wasm::jscCallingConventionAir):
3192         (JSC::Wasm::wasmCallingConventionAir):
3193         * wasm/WasmCallingConvention.h:
3194         (JSC::Wasm::CallingConvention::CallingConvention):
3195         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3196         (JSC::Wasm::CallingConvention::marshallArgument const):
3197         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3198         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3199         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3200         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3201         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3202         (JSC::Wasm::CallingConventionAir::loadArguments const):
3203         (JSC::Wasm::CallingConventionAir::setupCall const):
3204         (JSC::Wasm::nextJSCOffset):
3205         * wasm/WasmFunctionParser.h:
3206         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3207         * wasm/WasmValidate.cpp:
3208         (JSC::Wasm::Validate::emptyExpression):
3209
3210 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3211
3212         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3213         https://bugs.webkit.org/show_bug.cgi?id=194050
3214         <rdar://problem/47595592>
3215
3216         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3217         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3218
3219         Reviewed by Yusuke Suzuki.
3220
3221         * ftl/FTLOperations.cpp:
3222         (JSC::FTL::operationMaterializeObjectInOSR):
3223
3224 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3225
3226         Remove assertion that CachedSymbolTables should have no RareData
3227         https://bugs.webkit.org/show_bug.cgi?id=194037
3228
3229         Reviewed by Mark Lam.
3230
3231         It turns out that we don't need to cache the SymbolTableRareData and
3232         we should not assert that it's empty.
3233
3234         * runtime/CachedTypes.cpp:
3235         (JSC::CachedSymbolTable::encode):
3236
3237 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3238
3239         CachedBytecode's move constructor should not call `freeDataIfOwned`
3240         https://bugs.webkit.org/show_bug.cgi?id=194045
3241
3242         Reviewed by Mark Lam.
3243
3244         That might result in freeing a garbage value.
3245
3246         * parser/SourceProvider.h:
3247         (JSC::CachedBytecode::CachedBytecode):
3248
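        The move-constructor hazard named in the entry above, as an added illustration that is not WebKit's code: a hypothetical OwnedBytes class (constructed for this example, not the real CachedBytecode) that may or may not own its buffer, showing a move constructor that only steals members, and move assignment as the one place where releasing an owned buffer first is legitimate.

```cpp
// Added illustration, not WebKit code: a hypothetical OwnedBytes class modelled on the
// situation in the entry above, a holder that may or may not own its buffer. It shows why
// a move constructor must not call a "free if owned" helper: while the constructor body
// runs, the members of the object under construction are indeterminate, so the helper
// would read garbage and could pass a garbage pointer to free().
#include <cstddef>
#include <cstdlib>
#include <utility>

// Counts releases so a test can check that an owned buffer is freed exactly once
// and a borrowed buffer is never freed.
static int g_freeCount = 0;

class OwnedBytes {
public:
    // Takes ownership of a malloc'd buffer.
    static OwnedBytes adopt(void* data, size_t size) { return OwnedBytes(data, size, true); }
    // Wraps memory it does not own (a memory-mapped file, in the real design).
    static OwnedBytes borrow(const void* data, size_t size) { return OwnedBytes(const_cast<void*>(data), size, false); }

    OwnedBytes() = default;

    // Correct move constructor: steal the members in the initializer list and leave the
    // source in a state whose destructor does nothing. Nothing is released here because
    // *this held nothing before this call; a "free if owned" call here would be the bug.
    OwnedBytes(OwnedBytes&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false))
    { }

    // Move assignment is the legitimate place to release first: *this is fully constructed.
    OwnedBytes& operator=(OwnedBytes&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = std::exchange(other.m_data, nullptr);
            m_size = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    OwnedBytes(const OwnedBytes&) = delete;
    OwnedBytes& operator=(const OwnedBytes&) = delete;

    ~OwnedBytes() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    OwnedBytes(void* data, size_t size, bool owned) : m_data(data), m_size(size), m_owned(owned) { }

    // Releases the buffer only when this object owns it, then resets to the empty state.
    void freeDataIfOwned()
    {
        if (m_owned && m_data) {
            std::free(m_data);
            ++g_freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Exercises both paths: an owned buffer moved twice then destroyed must be freed exactly
// once; a borrowed buffer moved then destroyed must never be freed.
struct MoveCheck { int ownedFrees; int borrowedFrees; size_t movedSize; bool sourceEmptied; };

MoveCheck runMoveCheck()
{
    MoveCheck result {};
    g_freeCount = 0;
    {
        OwnedBytes a = OwnedBytes::adopt(std::malloc(16), 16);
        OwnedBytes b(std::move(a)); // move construction: no release
        result.sourceEmptied = !a.data() && !a.size() && !a.owned();
        OwnedBytes c;
        c = std::move(b); // move assignment: releases c's (empty) buffer first
        result.movedSize = c.size();
    } // c releases the single owned buffer here
    result.ownedFrees = g_freeCount;

    g_freeCount = 0;
    {
        static const unsigned char kMapped[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; // stands in for mmap'd data
        OwnedBytes moved(OwnedBytes::borrow(kMapped, sizeof kMapped));
        (void)moved;
    } // borrowed memory is never passed to free()
    result.borrowedFrees = g_freeCount;
    return result;
}
```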
3249 2019-01-30  Keith Miller  <keith_miller@apple.com>
3250
3251         mul32 should convert powers of 2 to an lshift
3252         https://bugs.webkit.org/show_bug.cgi?id=193957
3253
3254         Reviewed by Yusuke Suzuki.
3255
3256         * assembler/MacroAssembler.h:
3257         (JSC::MacroAssembler::mul32):
3258         * assembler/testmasm.cpp:
3259         (JSC::int32Operands):
3260         (JSC::testMul32WithImmediates):
3261         (JSC::run):
3262
3263 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3264
3265         [JSC] Make disassembler data structures constant read-only data
3266         https://bugs.webkit.org/show_bug.cgi?id=194041
3267
3268         Reviewed by Mark Lam.
3269
3270         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3271         This patch makes them "const".
3272
3273         * disassembler/ARM64/A64DOpcode.cpp:
3274         * disassembler/udis86/ud_itab.py:
3275         (UdItabGenerator.genOpcodeTablesLookupIndex):
3276         (UdItabGenerator.genInsnTable):
3277         (UdItabGenerator.genMnemonicsList):
3278         (genItabH):
3279         * disassembler/udis86/udis86_decode.h:
3280         * disassembler/udis86/udis86_syn.c:
3281         * disassembler/udis86/udis86_syn.h:
3282         * disassembler/udis86/udis86_types.h:
3283
3284 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3285
3286         Unreviewed, update the builtin test results
3287         https://bugs.webkit.org/show_bug.cgi?id=194015
3288
3289         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3290         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3291         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3292         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3293         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3294         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3295         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3296         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3297         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3298         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3299         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3300         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3301         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3302
3303 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3304
3305         [JSC] Make global static variables "const" as much as possible
3306         https://bugs.webkit.org/show_bug.cgi?id=194015
3307
3308         Reviewed by Mark Lam.
3309
3310         Some global static variables are not "const". For example, `static const char* name = ...`
3311         is not a constant variable. We should make it `static const char* const name = ...`.
3312
3313         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3314         (generate_externs_for_object):
3315         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3316         (generate_externs_for_object):
3317         * Scripts/wkbuiltins/builtins_generator.py:
3318         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3319         * assembler/MacroAssembler.h:
3320         (JSC::MacroAssembler::additionBlindedConstant):
3321         * b3/air/AirFormTable.h:
3322         * b3/air/opcode_generator.rb:
3323         * runtime/JSObject.cpp:
3324         (JSC::JSObject::visitButterfly):
3325         * tools/CodeProfile.cpp:
3326         * tools/CodeProfile.h:
3327
3328 2019-01-29  Keith Miller  <keith_miller@apple.com>
3329
3330         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3331         https://bugs.webkit.org/show_bug.cgi?id=194000
3332         <rdar://problem/47642894>
3333
3334         Reviewed by Mark Lam.
3335
3336         The default constructor is unused, and
3337         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3338         data member, which causes sadness.
3339
3340         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3341
3342 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3343
3344         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3345
3346         Rubber-stamped by Yusuke Suzuki.
3347
3348         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3349
3350         * parser/Parser.h:
3351         (JSC::Parser::declareHoistedVariable):
3352
3353 2019-01-29  Mark Lam  <mark.lam@apple.com>
3354
3355         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3356         https://bugs.webkit.org/show_bug.cgi?id=132333
3357
3358         Reviewed by Yusuke Suzuki.
3359
3360         * bytecode/InstructionStream.h:
3361         (JSC::InstructionStreamWriter::write):
3362         - The 32-bit write() function need not invert the order of the bytes written to
3363           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3364           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3365
3366         * llint/LLIntOfflineAsmConfig.h:
3367         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3368
3369 2019-01-29  Mark Lam  <mark.lam@apple.com>
3370
3371         ValueRecovery::recover() should purify NaN values it recovers.
3372         https://bugs.webkit.org/show_bug.cgi?id=193978
3373         <rdar://problem/47625488>
3374
3375         Reviewed by Saam Barati.
3376
3377         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3378         recovered DoubleDisplacedInJSStack values need to be purified.
3379         ValueRecovery::recover() should do the same.
3380
3381         * bytecode/ValueRecovery.cpp:
3382         (JSC::ValueRecovery::recover const):
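
        Added example, not code from the WebKit project or from this patch: a standalone C
        helper showing what "purifying" a recovered NaN means for a NaN-boxed value
        representation. The assumption made here, rather than taken from the ChangeLog, is that
        the engine keeps doubles in a tagged 64-bit word and permits only the canonical quiet
        NaN bit pattern 0x7ff8000000000000 to reach the heap, so a NaN with an arbitrary payload
        or sign bit coming back from the stack must be collapsed before it is treated as a value.
        purifyNaN, doubleToBits, bitsToDouble and isImpureNaN are names chosen for this
        illustration, and the NaN bit patterns in the comments are constructed inputs.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Canonical quiet NaN (assumed value for this illustration): the only NaN bit
 * pattern the value representation is allowed to carry. */
#define PURE_NAN_BITS UINT64_C(0x7ff8000000000000)

/* Bit-exact reinterpretation in both directions; memcpy avoids the aliasing
 * problems of a pointer cast and keeps NaN payloads untouched. */
static uint64_t doubleToBits(double value)
{
    uint64_t bits;
    memcpy(&bits, &value, sizeof bits);
    return bits;
}

static double bitsToDouble(uint64_t bits)
{
    double value;
    memcpy(&value, &bits, sizeof value);
    return value;
}

/* True for any NaN whose bits differ from the canonical pattern: exponent all
 * ones, non-zero mantissa, and not exactly PURE_NAN_BITS. Such a value is
 * precisely what a stack slot can hand back after arbitrary double arithmetic
 * (e.g. 0xFFFFDEADBEEF0000, a negative quiet NaN with a payload). */
bool isImpureNaN(uint64_t bits)
{
    bool exponentAllOnes = ((bits >> 52) & 0x7FF) == 0x7FF;
    bool mantissaNonZero = (bits & ((UINT64_C(1) << 52) - 1)) != 0;
    return exponentAllOnes && mantissaNonZero && bits != PURE_NAN_BITS;
}

/* Collapse every NaN, whatever its payload or sign, to the canonical one.
 * Everything else, including -0.0 and signed infinities, passes through
 * unchanged; purification must never alter a non-NaN double. */
double purifyNaN(double value)
{
    if (isnan(value))
        return bitsToDouble(PURE_NAN_BITS);
    return value;
}
```

        A recovery path that forgets this step hands the rest of the engine a double whose
        high bits were chosen by whatever computation produced the NaN, which is exactly the
        class of bit pattern a tagging scheme is built to reserve for itself.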
3383
3384 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3385
3386         [JSC] FTL should handle LocalAllocator*
3387         https://bugs.webkit.org/show_bug.cgi?id=193980
3388
3389         Reviewed by Saam Barati.
3390
3391         At some point, Allocator began holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3392         because the FTL still uses the incoming value as a 32-bit integer there.
3393
3394         * ftl/FTLLowerDFGToB3.cpp:
3395         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3396
3397 2019-01-29  Keith Rollin  <krollin@apple.com>
3398
3399         Add .xcfilelists to Run Script build phases
3400         https://bugs.webkit.org/show_bug.cgi?id=193792
3401         <rdar://problem/47201785>
3402
3403         Reviewed by Alex Christensen.
3404
3405         As part of supporting XCBuild, update the necessary Run Script build
3406         phases in their Xcode projects to refer to their associated
3407         .xcfilelist files.
3408
3409         Note that the addition of these files bumps the Xcode project version
3410         number to something that's Xcode 10 compatible. This change means that
3411         older versions of the Xcode IDE can't read these projects. Nor can they
3412         fully load workspaces that refer to these projects (the updated
3413         projects are shown as non-expandable placeholders). `xcodebuild` can
3414         still build these projects; it's just that the IDE can't open them.
3415
3416         * JavaScriptCore.xcodeproj/project.pbxproj:
3417
3418 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3419
3420         [ARM] Check for negative zero instead of just zero
3421         https://bugs.webkit.org/show_bug.cgi?id=193689
3422
3423         Reviewed by Mark Lam.
3424
3425         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3426         of just bailing out for zero.
3427
3428         * assembler/MacroAssemblerARMv7.h:
3429         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
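
        Added example, not the project's own code: a standalone C version of the check that
        a branchConvertDoubleToInt32 style conversion has to perform, so the reason for
        treating negative zero separately is visible outside the assembler.
        tryConvertDoubleToInt32 is a name chosen for this illustration; it returns false
        wherever the JIT would have to take the failure branch (NaN, a value outside the int32
        range, a fractional part, or negative zero), and the sample values in the comments are
        constructed inputs.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Succeed only when `value` is exactly representable as an int32 and is not
 * negative zero; on failure the caller (a JIT fast path, in the scenario this
 * illustrates) would fall back to its slow path. */
bool tryConvertDoubleToInt32(double value, int32_t* result)
{
    /* NaN never converts, and an out-of-range cast is undefined behaviour in
     * C, so reject both before touching the cast. Both bounds are exactly
     * representable as doubles. */
    if (isnan(value) || value < -2147483648.0 || value > 2147483647.0)
        return false;

    int32_t truncated = (int32_t)value;

    /* A fractional part means truncation lost information (3.5 -> 3). */
    if ((double)truncated != value)
        return false;

    /* Zero needs one more check. -0.0 == 0.0 compares equal and both truncate
     * to integer 0, but the language keeps them distinct (1 / -0 is -Infinity),
     * so an int32 result would silently lose the sign. Only the sign bit
     * reveals the difference; an equality test against zero cannot. */
    if (truncated == 0 && signbit(value))
        return false;

    *result = truncated;
    return true;
}
```

        Checking "is the result zero" alone, as the entry describes the earlier ARM code doing,
        bails out on +0.0 as well as -0.0; checking the sign bit only when the truncated result
        is zero keeps the fast path for ordinary zeros and bails out only for the case that
        actually needs the slow path.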
3430
3431 2019-01-28  Devin Rousso  <drousso@apple.com>
3432
3433         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3434         https://bugs.webkit.org/show_bug.cgi?id=193863
3435         <rdar://problem/47572764>
3436
3437         Reviewed by Joseph Pecoraro.
3438
3439         * inspector/protocol/Page.json:
3440         Add more values to the `Setting` enum type:
3441          - `ICECandidateFilteringEnabled`
3442          - `MediaCaptureRequiresSecureConnection`
3443          - `MockCaptureDevicesEnabled`
3444
3445 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3446
3447         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3448         https://bugs.webkit.org/show_bug.cgi?id=193941
3449
3450         Reviewed by Alex Christensen.
3451
3452         * API/JSWeakObjectMapRefPrivate.cpp:
3453         * bytecompiler/NodesCodegen.cpp:
3454         * heap/MachineStackMarker.cpp:
3455         * jit/ExecutableAllocator.cpp:
3456         * jsc.cpp:
3457         * parser/Nodes.cpp:
3458         * runtime/DateConstructor.cpp:
3459         * runtime/DateConversion.cpp:
3460         * runtime/DateInstance.cpp:
3461         * runtime/DatePrototype.cpp:
3462         * runtime/InitializeThreading.cpp:
3463         * runtime/IteratorOperations.cpp:
3464         * runtime/JSDateMath.cpp:
3465         * runtime/JSGlobalObjectFunctions.cpp:
3466         * runtime/StringPrototype.cpp:
3467         * runtime/VM.cpp:
3468         * testRegExp.cpp:
3469         * tools/JSDollarVM.cpp:
3470         * yarr/YarrInterpreter.cpp:
3471         * yarr/YarrJIT.cpp:
3472         * yarr/YarrPattern.cpp:
3473         * yarr/YarrUnicodeProperties.cpp:
3474
3475 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3476
3477         [JSC] Reduce size of memory used for ShadowChicken
3478         https://bugs.webkit.org/show_bug.cgi?id=193546
3479
3480         Reviewed by Mark Lam.
3481
3482         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3483         The removal of ShadowChicken saves 55KB of memory.
3484
3485         * debugger/DebuggerCallFrame.cpp:
3486         (JSC::DebuggerCallFrame::create):
3487         * ftl/FTLLowerDFGToB3.cpp:
3488         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3489         * heap/Heap.cpp:
3490         (JSC::Heap::stopThePeriphery):
3491         (JSC::Heap::addCoreConstraints):
3492         * jit/CCallHelpers.cpp:
3493         (JSC::CCallHelpers::ensureShadowChickenPacket):
3494         * jit/JITExceptions.cpp:
3495         (JSC::genericUnwind):
3496         * jit/JITOpcodes.cpp:
3497         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3498         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3499         * jit/JITOpcodes32_64.cpp:
3500         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3501         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3502         * jit/JITOperations.cpp:
3503         * llint/LLIntSlowPaths.cpp:
3504         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3505         * runtime/JSGlobalObject.cpp:
3506         (JSC::JSGlobalObject::setDebugger):
3507         * runtime/JSGlobalObject.h:
3508         (JSC::JSGlobalObject::setDebugger): Deleted.
3509         * runtime/VM.cpp:
3510         (JSC::VM::VM):
3511         (JSC::VM::ensureShadowChicken):
3512         * runtime/VM.h:
3513         (JSC::VM::shadowChicken):
3514         * tools/JSDollarVM.cpp:
3515         (JSC::functionShadowChickenFunctionsOnStack):
3516         (JSC::changeDebuggerModeWhenIdle):
3517
3518 2019-01-28  Andy Estes  <aestes@apple.com>
3519
3520         [watchOS] Enable Parental Controls content filtering
3521         https://bugs.webkit.org/show_bug.cgi?id=193939
3522         <rdar://problem/46641912>
3523
3524         Reviewed by Ryosuke Niwa.
3525
3526         * Configurations/FeatureDefines.xcconfig:
3527
3528 2019-01-28  Mark Lam  <mark.lam@apple.com>
3529
3530         ToString node actually does GC.
3531         https://bugs.webkit.org/show_bug.cgi?id=193920
3532         <rdar://problem/46695900>
3533
3534         Reviewed by Yusuke Suzuki.
3535
3536         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3537         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3538
3539         * dfg/DFGDoesGC.cpp:
3540         (JSC::DFG::doesGC):
3541
3542 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3543
3544         [JSC] RegExpConstructor should not have own IsoSubspace
3545         https://bugs.webkit.org/show_bug.cgi?id=193801
3546
3547         Reviewed by Mark Lam.
3548
3549         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3550         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But cached
3551         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, and we can move this data to JSGlobalObject and remove
3552         it from RegExpConstructor members.
3553
3554         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3555         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3556         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3557
3558         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3559
3560         * CMakeLists.txt:
3561         * JavaScriptCore.xcodeproj/project.pbxproj:
3562         * Sources.txt:
3563         * dfg/DFGOperations.cpp:
3564         * dfg/DFGSpeculativeJIT.cpp:
3565         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3566         * dfg/DFGStrengthReductionPhase.cpp:
3567         (JSC::DFG::StrengthReductionPhase::handleNode):
3568         * ftl/FTLAbstractHeapRepository.cpp:
3569         * ftl/FTLAbstractHeapRepository.h:
3570         * ftl/FTLLowerDFGToB3.cpp:
3571         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3572         * runtime/JSGlobalObject.cpp:
3573         (JSC::JSGlobalObject::init):
3574         (JSC::JSGlobalObject::visitChildren):
3575         * runtime/JSGlobalObject.h:
3576         (JSC::JSGlobalObject::regExpGlobalData):
3577         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3578         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3579         * runtime/RegExpCache.cpp:
3580         (JSC::RegExpCache::initialize):
3581         * runtime/RegExpCache.h:
3582         (JSC::RegExpCache::emptyRegExp const):
3583         * runtime/RegExpCachedResult.cpp:
3584         (JSC::RegExpCachedResult::visitAggregate):
3585         (JSC::RegExpCachedResult::visitChildren): Deleted.
3586         * runtime/RegExpCachedResult.h:
3587         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3588         * runtime/RegExpConstructor.cpp:
3589         (JSC::RegExpConstructor::RegExpConstructor):
3590         (JSC::regExpConstructorDollar):
3591         (JSC::regExpConstructorInput):
3592         (JSC::regExpConstructorMultiline):
3593         (JSC::regExpConstructorLastMatch):
3594         (JSC::regExpConstructorLastParen):
3595         (JSC::regExpConstructorLeftContext):
3596         (JSC::regExpConstructorRightContext):
3597         (JSC::setRegExpConstructorInput):
3598         (JSC::setRegExpConstructorMultiline):
3599         (JSC::RegExpConstructor::destroy): Deleted.
3600         (JSC::RegExpConstructor::visitChildren): Deleted.
3601         (JSC::RegExpConstructor::getBackref): Deleted.
3602         (JSC::RegExpConstructor::getLastParen): Deleted.
3603         (JSC::RegExpConstructor::getLeftContext): Deleted.
3604         (JSC::RegExpConstructor::getRightContext): Deleted.
3605         * runtime/RegExpConstructor.h:
3606         (JSC::RegExpConstructor::performMatch): Deleted.
3607         (JSC::RegExpConstructor::recordMatch): Deleted.
3608         * runtime/RegExpGlobalData.cpp: Added.
3609         (JSC::RegExpGlobalData::visitAggregate):
3610         (JSC::RegExpGlobalData::getBackref):
3611         (JSC::RegExpGlobalData::getLastParen):
3612         (JSC::RegExpGlobalData::getLeftContext):
3613         (JSC::RegExpGlobalData::getRightContext):
3614         * runtime/RegExpGlobalData.h: Added.
3615         (JSC::RegExpGlobalData::cachedResult):
3616         (JSC::RegExpGlobalData::setMultiline):
3617         (JSC::RegExpGlobalData::multiline const):
3618         (JSC::RegExpGlobalData::input):
3619         (JSC::RegExpGlobalData::offsetOfCachedResult):
3620         * runtime/RegExpGlobalDataInlines.h: Added.
3621         (JSC::RegExpGlobalData::setInput):
3622         (JSC::RegExpGlobalData::performMatch):
3623         (JSC::RegExpGlobalData::recordMatch):
3624         * runtime/RegExpObject.cpp:
3625         (JSC::RegExpObject::matchGlobal):
3626         * runtime/RegExpObjectInlines.h:
3627         (JSC::RegExpObject::execInline):
3628         (JSC::RegExpObject::matchInline):
3629         (JSC::collectMatches):
3630         * runtime/RegExpPrototype.cpp:
3631         (JSC::RegExpPrototype::finishCreation):
3632         (JSC::regExpProtoFuncSearchFast):
3633         (JSC::RegExpPrototype::visitChildren): Deleted.
3634         * runtime/RegExpPrototype.h:
3635         * runtime/StringPrototype.cpp:
3636         (JSC::removeUsingRegExpSearch):
3637         (JSC::replaceUsingRegExpSearch):
3638         * runtime/VM.cpp:
3639         (JSC::VM::VM):
3640         * runtime/VM.h:
3641
3642 2018-12-15  Darin Adler  <darin@apple.com>
3643
3644         Replace many uses of String::format with more type-safe alternatives
3645         https://bugs.webkit.org/show_bug.cgi?id=192742
3646
3647         Reviewed by Mark Lam.
3648
3649         * inspector/InjectedScriptBase.cpp:
3650         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3651         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3652         * inspector/InspectorBackendDispatcher.cpp:
3653         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3654         * inspector/agents/InspectorConsoleAgent.cpp:
3655         (Inspector::InspectorConsoleAgent::enable): Ditto.
3656         * jsc.cpp:
3657         (FunctionJSCStackFunctor::operator() const): Ditto.
3658
3659         * runtime/CodeCache.cpp:
3660         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3661         using String::number.
3662
3663         * runtime/IntlDateTimeFormat.cpp:
3664         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3665         * runtime/IntlObject.cpp:
3666         (JSC::canonicalizeLocaleList): Ditto.
3667
3668 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3669
3670         AX: Introduce a static accessibility tree
3671         https://bugs.webkit.org/show_bug.cgi?id=193348
3672         <rdar://problem/47203295>
3673
3674         Reviewed by Ryosuke Niwa.
3675
3676         * Configurations/FeatureDefines.xcconfig:
3677
3678 2019-01-26  Devin Rousso  <drousso@apple.com>
3679
3680         Web Inspector: provide a way to edit the user agent of a remote target
3681         https://bugs.webkit.org/show_bug.cgi?id=193862
3682         <rdar://problem/47359292>
3683
3684         Reviewed by Joseph Pecoraro.
3685
3686         * inspector/protocol/Page.json:
3687         Add `overrideUserAgent` command.
3688
3689 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3690
3691         [JSC] NativeErrorConstructor should not have own IsoSubspace
3692         https://bugs.webkit.org/show_bug.cgi?id=193713
3693
3694         Reviewed by Saam Barati.
3695
3696         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3697         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3698         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3699         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3700         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3701         referenced.
3702
3703         * CMakeLists.txt:
3704         * JavaScriptCore.xcodeproj/project.pbxproj:
3705         * Sources.txt:
3706         * builtins/BuiltinNames.h:
3707         * interpreter/Interpreter.h:
3708         * runtime/Error.cpp:
3709         (JSC::createEvalError):
3710         (JSC::createRangeError):
3711         (JSC::createReferenceError):
3712         (JSC::createSyntaxError):
3713         (JSC::createTypeError):
3714         (JSC::createURIError):
3715         (WTF::printInternal): Deleted.
3716         * runtime/Error.h:
3717         * runtime/ErrorPrototype.cpp:
3718         (JSC::ErrorPrototype::create):
3719         (JSC::ErrorPrototype::finishCreation):
3720         * runtime/ErrorPrototype.h:
3721         (JSC::ErrorPrototype::create): Deleted.
3722         * runtime/ErrorType.cpp: Added.
3723         (JSC::errorTypeName):
3724         (WTF::printInternal):
3725         * runtime/ErrorType.h: Added.
3726         * runtime/JSGlobalObject.cpp:
3727         (JSC::JSGlobalObject::initializeErrorConstructor):
3728         (JSC::JSGlobalObject::init):
3729         (JSC::JSGlobalObject::visitChildren):
3730         * runtime/JSGlobalObject.h:
3731         (JSC::JSGlobalObject::internalPromiseConstructor const):
3732         (JSC::JSGlobalObject::errorStructure const):
3733         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3734         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3735         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3736         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3737         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3738         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3739         * runtime/NativeErrorConstructor.cpp:
3740         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3741         (JSC::NativeErrorConstructorBase::finishCreation):
3742         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3743         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3744         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3745         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3746         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3747         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3748         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3749         * runtime/NativeErrorConstructor.h:
3750         (JSC::NativeErrorConstructorBase::createStructure):
3751         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3752         * runtime/NativeErrorPrototype.cpp:
3753         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3754         * runtime/NativeErrorPrototype.h:
3755         * runtime/VM.cpp:
3756         (JSC::VM::VM):
3757         * runtime/VM.h:
3758         * wasm/js/WasmToJS.cpp:
3759         (JSC::Wasm::handleBadI64Use):
3760
3761 2019-01-25  Devin Rousso  <drousso@apple.com>
3762
3763         Web Inspector: provide a way to edit page settings on a remote target
3764         https://bugs.webkit.org/show_bug.cgi?id=193813
3765         <rdar://problem/47359510>
3766
3767         Reviewed by Joseph Pecoraro.
3768
3769         * inspector/protocol/Page.json:
3770         Add `overrideSetting` command with supporting `Setting` enum type.
3771
3772 2019-01-25  Keith Rollin  <krollin@apple.com>
3773
3774         Update Xcode projects with "Check .xcfilelists" build phase
3775         https://bugs.webkit.org/show_bug.cgi?id=193790
3776         <rdar://problem/47201374>
3777
3778         Reviewed by Alex Christensen.
3779
3780         Support for XCBuild includes specifying inputs and outputs to various
3781         Run Script build phases. These inputs and outputs are specified as
3782         .xcfilelist files. Once created, these .xcfilelist files need to be
3783         kept up-to-date. In order to check that they are up-to-date or not,
3784         add an Xcode build step that invokes an external script that performs
3785         the checking. If the .xcfilelists are found to be out-of-date, update
3786         them, halt the build, and instruct the developer to restart the build
3787         with up-to-date files.
3788
3789         At this time, the checking and regenerating is performed only if the
3790         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3791         who want to use this facility can set this variable and test out the
3792         checking/regenerating. Once it seems like there are no egregious
3793         issues that upset a developer's workflow, we'll unconditionally enable
3794         this facility.
3795
3796         * JavaScriptCore.xcodeproj/project.pbxproj:
3797         * Scripts/check-xcfilelists.sh: Added.
3798
3799 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3800
3801         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3802         https://bugs.webkit.org/show_bug.cgi?id=193796
3803         <rdar://problem/47532910>
3804
3805         Reviewed by Devin Rousso.
3806
3807         * runtime/SamplingProfiler.cpp:
3808         (JSC::SamplingProfiler::machThread):
3809         * runtime/SamplingProfiler.h:
3810         Expose the mach_port_t of the SamplingProfiler thread
3811         so it can be tested against later.
3812
3813 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3814
3815         Fix Windows build after r240511
3816
3817         * bytecode/UnlinkedFunctionExecutable.cpp:
3818         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3819
3820 2019-01-25  Keith Rollin  <krollin@apple.com>
3821
3822         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3823         https://bugs.webkit.org/show_bug.cgi?id=193781
3824         <rdar://problem/47201153>
3825
3826         Reviewed by Alex Christensen.
3827
3828         Part of generating the .xcfilelists used as part of adopting XCBuild
3829         includes running `make DerivedSources.make` from a standalone script.
3830         It’s important for this invocation to have the same environment as
3831         when the actual build invokes `make DerivedSources.make`. If the
3832         environments are different, then the two invocations will provide
3833         different results. In order to get the same environment in the
3834         standalone script, have the script launch xcodebuild targeting the
3835         "Apply Configuration to XCFileLists" build target, which will then
3836         re-invoke our standalone script. The script is now running again, this
3837         time in an environment with all workspace, project, target, xcconfig
3838         and other environment variables established.
3839
3840         The "Apply Configuration to XCFileLists" build target accomplishes
3841         this task via a small embedded shell script that consists only of:
3842
3843             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3844
3845         The process that invokes "Apply Configuration to XCFileLists" first
3846         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3847         evaluated and exports it into the shell environment. When xcodebuild
3848         is invoked, it inherits the value of this variable and can `eval` the
3849         contents of that variable. Our external standalone script can then set
3850         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3851         of command-line parameters needed to restart itself in the appropriate
3852         state.
3853
3854         * JavaScriptCore.xcodeproj/project.pbxproj:
3855
3856 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3857
3858         Add API to generate and consume cached bytecode
3859         https://bugs.webkit.org/show_bug.cgi?id=193401
3860         <rdar://problem/47514099>
3861
3862         Reviewed by Keith Miller.
3863
3864         Add the `generateBytecode` and `generateModuleBytecode` functions to
3865         generate serialized bytecode for a given `SourceCode`. These functions
3866         will eagerly generate code for all the nested functions.
3867
3868         Additionally, update the API methods in JSScript to generate and use the
3869         bytecode when the bytecodeCache path is provided.
3870
3871         * API/JSAPIGlobalObject.mm:
3872         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3873         * API/JSContext.mm:
3874         (-[JSContext wrapperMap]):
3875         * API/JSContextInternal.h:
3876         * API/JSScript.mm:
3877         (+[JSScript scriptWithSource:inVirtualMachine:]):
3878         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3879         (-[JSScript dealloc]):
3880         (-[JSScript readCache]):
3881         (-[JSScript writeCache]):
3882         (-[JSScript hash]):
3883         (-[JSScript source]):
3884         (-[JSScript cachedBytecode]):
3885         (-[JSScript jsSourceCode:]):
3886         * API/JSScriptInternal.h:
3887         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3888         (JSScriptSourceProvider::create):
3889         (JSScriptSourceProvider::JSScriptSourceProvider):
3890         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3891         (JSScriptSourceProvider::hash const):
3892         (JSScriptSourceProvider::source const):
3893         (JSScriptSourceProvider::cachedBytecode const):
3894         * API/JSVirtualMachine.mm:
3895         (-[JSVirtualMachine vm]):
3896         * API/JSVirtualMachineInternal.h:
3897         * API/tests/testapi.mm:
3898         (testBytecodeCache):