2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for the booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But the assertion still fires because it requires that these functions be
        called from non-compiler threads. Calling `getConcurrently()` is not possible since the symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize the SymbolPrototype object if it is called from the main thread, which can happen with the non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at any time and this function lazily initializes the value. This is useful to make some of the prototypes lazy with the non-JIT configuration: with the non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. The non-JIT configuration does not care about compiler threads since they do not exist.
        With the JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with a different assertion location: while `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):
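        The two bytecode-cache entries above (boot UUID, r194769; build version, r194768) both add a tag that is checked before a cached entry is trusted. The following is an added example of that validation pattern, not WebKit's CachedTypes code: it assumes a constructed 24-byte header (version, 16-byte boot UUID, payload size) and constructed UUID values, and rejects an entry on any mismatch or truncation before touching the payload.

```cpp
// Added example (not WebKit code): tag a cache entry with a build version and
// the boot UUID, and refuse to decode it unless both match the running process.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed for this example. A real build would bake the version in at
// build time and read the boot UUID from the OS at startup.
constexpr uint32_t kCacheVersion = 1;
using BootUUID = std::array<uint8_t, 16>;

enum class CacheStatus { Ok, Truncated, VersionMismatch, BootUUIDMismatch, BadSize };

// Header layout (little-endian, written byte by byte so struct padding is irrelevant):
//   u32 version | 16-byte boot UUID | u32 payload size | payload bytes...
constexpr size_t kHeaderSize = 4 + 16 + 4;

std::vector<uint8_t> encodeCacheEntry(uint32_t version, const BootUUID& bootUUID,
                                      const std::vector<uint8_t>& payload)
{
    std::vector<uint8_t> out;
    auto put32 = [&](uint32_t v) {
        for (int i = 0; i < 4; ++i)
            out.push_back(static_cast<uint8_t>(v >> (8 * i)));
    };
    put32(version);
    out.insert(out.end(), bootUUID.begin(), bootUUID.end());
    put32(static_cast<uint32_t>(payload.size()));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Validate the tag first; the payload is only exposed when the entry was
// produced by this build during this boot and its length is consistent.
CacheStatus decodeCacheEntry(const std::vector<uint8_t>& bytes, const BootUUID& currentBootUUID,
                             std::vector<uint8_t>& payloadOut)
{
    if (bytes.size() < kHeaderSize)
        return CacheStatus::Truncated;
    auto get32 = [&](size_t off) {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i)
            v |= static_cast<uint32_t>(bytes[off + i]) << (8 * i);
        return v;
    };
    if (get32(0) != kCacheVersion)
        return CacheStatus::VersionMismatch;   // stale entry from another build
    if (!std::equal(currentBootUUID.begin(), currentBootUUID.end(), bytes.begin() + 4))
        return CacheStatus::BootUUIDMismatch;  // entry written before a reboot
    uint32_t payloadSize = get32(20);
    if (payloadSize != bytes.size() - kHeaderSize)
        return CacheStatus::BadSize;           // header and file length disagree
    payloadOut.assign(bytes.begin() + kHeaderSize, bytes.end());
    return CacheStatus::Ok;
}

// Runs the scenarios a cache reader must handle; returns true when every
// outcome is the expected one. Both UUIDs and the payload are constructed.
bool cacheEntryChecksPass()
{
    BootUUID thisBoot {};
    thisBoot.fill(0x11);
    BootUUID previousBoot {};
    previousBoot.fill(0x22);
    std::vector<uint8_t> payload { 1, 2, 3 };
    std::vector<uint8_t> out;

    std::vector<uint8_t> entry = encodeCacheEntry(kCacheVersion, thisBoot, payload);
    bool ok = decodeCacheEntry(entry, thisBoot, out) == CacheStatus::Ok && out == payload;
    ok = ok && decodeCacheEntry(entry, previousBoot, out) == CacheStatus::BootUUIDMismatch;

    std::vector<uint8_t> otherBuild = encodeCacheEntry(kCacheVersion + 1, thisBoot, payload);
    ok = ok && decodeCacheEntry(otherBuild, thisBoot, out) == CacheStatus::VersionMismatch;

    std::vector<uint8_t> truncated(entry.begin(), entry.begin() + 10);
    ok = ok && decodeCacheEntry(truncated, thisBoot, out) == CacheStatus::Truncated;

    entry.pop_back(); // declared size no longer matches the bytes present
    ok = ok && decodeCacheEntry(entry, thisBoot, out) == CacheStatus::BadSize;
    return ok;
}

int main()
{
    std::printf("cache entry checks: %s\n", cacheEntryChecksPass() ? "pass" : "FAIL");
    return 0;
}
```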
118
119 2019-02-17  Saam Barati  <sbarati@apple.com>
120
121         WasmB3IRGenerator models some effects incorrectly
122         https://bugs.webkit.org/show_bug.cgi?id=194038
123
124         Reviewed by Keith Miller.
125
126         * wasm/WasmB3IRGenerator.cpp:
127         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
128         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
129         These two functions were using global state instead of the
130         arguments passed into the function.
131
132         (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
133         (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
134         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
135         (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
136         Any patchpoint that allows scratch register usage must
137         also say that it clobbers the scratch registers.
138
139 2019-02-17  Saam Barati  <sbarati@apple.com>
140
141         Deadlock when adding a Structure property transition and then doing incremental marking
142         https://bugs.webkit.org/show_bug.cgi?id=194767
143
144         Reviewed by Mark Lam.
145
146         This can happen in the following scenario:
147         
148         You have a Structure S. S is on the mark stack. Then:
149         1. S grabs its lock
150         2. S adds a new property transition
151         3. We find out we need to do some incremental marking
152         4. We mark S
153         5. visitChildren on S will try to grab its lock
154         6. We are now in a deadlock
155
156         * heap/Heap.cpp:
157         (JSC::Heap::performIncrement):
158         * runtime/Structure.cpp:
159         (JSC::Structure::addNewPropertyTransition):
160
161 2019-02-17  David Kilzer  <ddkilzer@apple.com>
162
163         Unreviewed, rolling out r241620.
164
165         "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
166         (Requested by ddkilzer on #webkit.)
167
168         Reverted changeset:
169
170         "[WTF] Add environment variable helpers"
171         https://bugs.webkit.org/show_bug.cgi?id=192405
172         https://trac.webkit.org/changeset/241620
173
174 2019-02-17  Commit Queue  <commit-queue@webkit.org>
175
176         Unreviewed, rolling out r241612.
177         https://bugs.webkit.org/show_bug.cgi?id=194762
178
179         "It regressed JetStream2 parsing tests by ~40%" (Requested by
180         saamyjoon on #webkit).
181
182         Reverted changeset:
183
184         "Move bytecode cache-related filesystem code out of CodeCache"
185         https://bugs.webkit.org/show_bug.cgi?id=194675
186         https://trac.webkit.org/changeset/241612
187
188 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
189
190         [JSC] JSWrapperObject should not be destructible
191         https://bugs.webkit.org/show_bug.cgi?id=194743
192
193         Reviewed by Saam Barati.
194
195         JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
196         Currently it is destructible object because DateInstance uses it. This patch changes Base of DateInstance from
197         JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.
198
199         * runtime/BigIntObject.cpp:
200         (JSC::BigIntObject::BigIntObject):
201         * runtime/BooleanConstructor.cpp:
202         (JSC::BooleanConstructor::finishCreation):
203         * runtime/BooleanObject.cpp:
204         (JSC::BooleanObject::BooleanObject):
205         * runtime/BooleanObject.h:
206         * runtime/DateInstance.cpp:
207         (JSC::DateInstance::DateInstance):
208         (JSC::DateInstance::finishCreation):
209         * runtime/DateInstance.h:
210         * runtime/DatePrototype.cpp:
211         (JSC::dateProtoFuncGetTime):
212         (JSC::dateProtoFuncSetTime):
213         (JSC::setNewValueFromTimeArgs):
214         (JSC::setNewValueFromDateArgs):
215         (JSC::dateProtoFuncSetYear):
216         * runtime/JSCPoison.h:
217         * runtime/JSWrapperObject.h:
218         (JSC::JSWrapperObject::JSWrapperObject):
219         * runtime/NumberObject.cpp:
220         (JSC::NumberObject::NumberObject):
221         * runtime/NumberObject.h:
222         * runtime/StringConstructor.cpp:
223         (JSC::StringConstructor::finishCreation):
224         * runtime/StringObject.cpp:
225         (JSC::StringObject::StringObject):
226         * runtime/StringObject.h:
227         (JSC::StringObject::internalValue const):
228         * runtime/SymbolObject.cpp:
229         (JSC::SymbolObject::SymbolObject):
230         * runtime/SymbolObject.h:
231
232 2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>
233
234         [JSC] Shrink UnlinkedFunctionExecutable
235         https://bugs.webkit.org/show_bug.cgi?id=194733
236
237         Reviewed by Mark Lam.
238
239         UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
240         directives can be found in the comment of non typical function's source code (Program,
241         Eval code, and Global function from function constructor etc.), and tricky thing is that
242         SourceProvider's directives are updated by Parser. The reason why we have these fields in
243         UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
244         if we skip parsing by using CodeCache. These fields are effective only if (1)
245         UnlinkedFunctionExecutable is for non typical function things, and (2) it has sourceURLDirective
246         or sourceMappingURLDirective. This is rare enough to purge them to a separated
247         UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
248         sizeof(UnlinkedFunctionExecutable) is very important since it is super frequently allocated
249         cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
250         in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
251         If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
252         Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
253         one of size class.
254
255         This patch adds RareData to UnlinkedFunctionExecutable and move some rare datas into RareData.
256         And kill one MarkedBlock allocation in JSC initialization phase.
257
258         * bytecode/UnlinkedFunctionExecutable.cpp:
259         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
260         (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
261         * bytecode/UnlinkedFunctionExecutable.h:
262         * debugger/DebuggerLocation.cpp:
263         (JSC::DebuggerLocation::DebuggerLocation):
264         * inspector/ScriptDebugServer.cpp:
265         (Inspector::ScriptDebugServer::dispatchDidParseSource):
266         * parser/Lexer.h:
267         (JSC::Lexer::sourceURLDirective const):
268         (JSC::Lexer::sourceMappingURLDirective const):
269         (JSC::Lexer::sourceURL const): Deleted.
270         (JSC::Lexer::sourceMappingURL const): Deleted.
271         * parser/Parser.h:
272         (JSC::Parser<LexerType>::parse):
273         * parser/SourceProvider.h:
274         (JSC::SourceProvider::sourceURLDirective const):
275         (JSC::SourceProvider::sourceMappingURLDirective const):
276         (JSC::SourceProvider::setSourceURLDirective):
277         (JSC::SourceProvider::setSourceMappingURLDirective):
278         (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
279         since it is the correct name.
280         (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
281         sourceMappingURLDirective since it is the correct name.
282         * runtime/CachedTypes.cpp:
283         (JSC::CachedSourceProviderShape::encode):
284         (JSC::CachedFunctionExecutableRareData::encode):
285         (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
286         sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
287         (JSC::CachedFunctionExecutable::rareData const):
288         (JSC::CachedFunctionExecutable::encode):
289         (JSC::CachedFunctionExecutable::decode const):
290         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
291         * runtime/CodeCache.cpp:
292         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
293         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
294         * runtime/CodeCache.h:
295         (JSC::generateUnlinkedCodeBlockImpl):
296         * runtime/FunctionExecutable.h:
297         * runtime/SamplingProfiler.cpp:
298         (JSC::SamplingProfiler::StackFrame::url):
299
300 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
301
302         [JSC] Remove unused global private variables
303         https://bugs.webkit.org/show_bug.cgi?id=194741
304
305         Reviewed by Joseph Pecoraro.
306
307         There are some private functions and constants that are no longer referenced from builtin JS code.
308         This patch cleans up them.
309
310         * builtins/BuiltinNames.h:
311         * builtins/ObjectConstructor.js:
312         (entries):
313         * runtime/JSGlobalObject.cpp:
314         (JSC::JSGlobalObject::init):
315
316 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
317
318         [JSC] Lazily create empty RegExp
319         https://bugs.webkit.org/show_bug.cgi?id=194735
320
321         Reviewed by Keith Miller.
322
323         Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
324         Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drop
325         one MarkedBlock.
326
327         * runtime/JSGlobalObject.cpp:
328         (JSC::JSGlobalObject::init):
329         * runtime/RegExpCache.cpp:
330         (JSC::RegExpCache::ensureEmptyRegExpSlow):
331         (JSC::RegExpCache::initialize): Deleted.
332         * runtime/RegExpCache.h:
333         (JSC::RegExpCache::ensureEmptyRegExp):
334         (JSC::RegExpCache::emptyRegExp const): Deleted.
335         * runtime/RegExpCachedResult.cpp:
336         (JSC::RegExpCachedResult::lastResult):
337         * runtime/RegExpCachedResult.h:
338         * runtime/VM.cpp:
339         (JSC::VM::VM):
340
341 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
342
343         [JSC] Make builtin objects more lazily initialized under non-JIT mode
344         https://bugs.webkit.org/show_bug.cgi?id=194727
345
346         Reviewed by Saam Barati.
347
348         Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
349         because concurrent compiler can touch NumberPrototype etc. when traversing object's prototypes. This
350         means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
351         accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
352         is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
353         drop some @Number references to avoid eager initialization. This removes some object allocations and 1
354         MarkedBlock allocation just for Symbols.
355
356         * runtime/JSGlobalObject.cpp:
357         (JSC::JSGlobalObject::init):
358         (JSC::JSGlobalObject::visitChildren):
359         * runtime/JSGlobalObject.h:
360         (JSC::JSGlobalObject::numberToStringWatchpoint):
361         (JSC::JSGlobalObject::booleanPrototype const):
362         (JSC::JSGlobalObject::numberPrototype const):
363         (JSC::JSGlobalObject::symbolPrototype const):
364         (JSC::JSGlobalObject::booleanObjectStructure const):
365         (JSC::JSGlobalObject::symbolObjectStructure const):
366         (JSC::JSGlobalObject::numberObjectStructure const):
367         (JSC::JSGlobalObject::stringObjectStructure const):
368
369 2019-02-15  Michael Saboff  <msaboff@apple.com>
370
371         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
372         https://bugs.webkit.org/show_bug.cgi?id=194558
373
374         Reviewed by Saam Barati.
375
376         Added an in bounds check before the read of the next character for Unicode regular expressions
377         for pattern generation that didn't already have such checks.
378
379         * yarr/YarrJIT.cpp:
380         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
381         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
382         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
383         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
384
385 2019-02-15  Dean Jackson  <dino@apple.com>
386
387         Allow emulation of user gestures from Web Inspector console
388         https://bugs.webkit.org/show_bug.cgi?id=194725
389         <rdar://problem/48126604>
390
391         Reviewed by Joseph Pecoraro and Devin Rousso.
392
393         * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
394         to the evaluate function, and mark the function as override so that PageRuntimeAgent
395         can change the behaviour.
396         (Inspector::InspectorRuntimeAgent::evaluate):
397         * inspector/agents/InspectorRuntimeAgent.h:
398         * inspector/protocol/Runtime.json:
399
400 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
401
402         [JSC] Do not initialize Wasm related data if Wasm is not enabled
403         https://bugs.webkit.org/show_bug.cgi?id=194728
404
405         Reviewed by Mark Lam.
406
407         Under non-JIT mode, these data structures are unnecessary. Should not allocate extra memory for that.
408
409         * runtime/InitializeThreading.cpp:
410         (JSC::initializeThreading):
411         * runtime/JSLock.cpp:
412         (JSC::JSLock::didAcquireLock):
413
414 2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>
415
416         [WTF] Add environment variable helpers
417         https://bugs.webkit.org/show_bug.cgi?id=192405
418
419         Reviewed by Michael Catanzaro.
420
421         * inspector/remote/glib/RemoteInspectorGlib.cpp:
422         (Inspector::RemoteInspector::RemoteInspector):
423         (Inspector::RemoteInspector::start):
424         * jsc.cpp:
425         (startTimeoutThreadIfNeeded):
426         * runtime/Options.cpp:
427         (JSC::overrideOptionWithHeuristic):
428         (JSC::Options::overrideAliasedOptionWithHeuristic):
429         (JSC::Options::initialize):
430         * runtime/VM.cpp:
431         (JSC::enableAssembler):
432         (JSC::VM::VM):
433         * tools/CodeProfiling.cpp:
434         (JSC::CodeProfiling::notifyAllocator):
435         Utilize WTF::Environment where possible.
436
437 2019-02-15  Mark Lam  <mark.lam@apple.com>
438
439         SamplingProfiler::stackTracesAsJSON() should escape strings.
440         https://bugs.webkit.org/show_bug.cgi?id=194649
441         <rdar://problem/48072386>
442
443         Reviewed by Saam Barati.
444
445         Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().
446
447         * runtime/SamplingProfiler.cpp:
448         (JSC::SamplingProfiler::stackTracesAsJSON):
449         * runtime/TypeSet.cpp:
450         (JSC::TypeSet::toJSONString const):
451         (JSC::StructureShape::toJSONString const):
452
453 2019-02-15  Robin Morisset  <rmorisset@apple.com>
454
455         CodeBlock::jettison should clear related watchpoints
456         https://bugs.webkit.org/show_bug.cgi?id=194544
457
458         Reviewed by Mark Lam.
459
460         * bytecode/CodeBlock.cpp:
461         (JSC::CodeBlock::jettison):
462         * dfg/DFGCommonData.h:
463         (JSC::DFG::CommonData::clearWatchpoints): Added.
464         * dfg/CommonData.cpp:
465         (JSC::DFG::CommonData::clearWatchpoints): Added.
466
467 2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>
468
469         Move bytecode cache-related filesystem code out of CodeCache
470         https://bugs.webkit.org/show_bug.cgi?id=194675
471
472         Reviewed by Saam Barati.
473
474         That code is only used for the bytecode-cache tests, so it should live in
475         jsc.cpp rather than in the CodeCache.
476
477         * jsc.cpp:
478         (CliSourceProvider::create):
479         (CliSourceProvider::~CliSourceProvider):
480         (CliSourceProvider::cachePath const):
481         (CliSourceProvider::loadBytecode):
482         (CliSourceProvider::CliSourceProvider):
483         (jscSource):
484         (GlobalObject::moduleLoaderFetch):
485         (functionDollarEvalScript):
486         (runWithOptions):
487         * parser/SourceProvider.h:
488         (JSC::SourceProvider::cacheBytecode const):
489         * runtime/CodeCache.cpp:
490         (JSC::writeCodeBlock):
491         * runtime/CodeCache.h:
492         (JSC::CodeCacheMap::fetchFromDiskImpl):
493
494 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
495
496         [JSC] DFG, FTL, and Wasm worklist creation should be fenced
497         https://bugs.webkit.org/show_bug.cgi?id=194714
498
499         Reviewed by Mark Lam.
500
501         Let's consider about the following extreme case.
502
503         1. VM (A) is created.
504         2. Another VM (B) is created on a different thread.
505         3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
506         4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
507         5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
508         6. (A) sees the half-baked worklist, which may be in the middle of creation.
509
510         This patch puts store-store fence just before putting a pointer to a global variable.
511         This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.
512
513         * dfg/DFGWorklist.cpp:
514         (JSC::DFG::ensureGlobalDFGWorklist):
515         (JSC::DFG::ensureGlobalFTLWorklist):
516         * wasm/WasmWorklist.cpp:
517         (JSC::Wasm::ensureWorklist):
518
519 2019-02-15  Commit Queue  <commit-queue@webkit.org>
520
521         Unreviewed, rolling out r241559 and r241566.
522         https://bugs.webkit.org/show_bug.cgi?id=194710
523
524         Causes layout test crashes under GuardMalloc (Requested by
525         ryanhaddad on #webkit).
526
527         Reverted changesets:
528
529         "[WTF] Add environment variable helpers"
530         https://bugs.webkit.org/show_bug.cgi?id=192405
531         https://trac.webkit.org/changeset/241559
532
533         "Unreviewed build fix for WinCairo Debug after r241559."
534         https://trac.webkit.org/changeset/241566
535
536 2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
537
538         [JSC] Do not even allocate JIT worklists in non-JIT mode
539         https://bugs.webkit.org/show_bug.cgi?id=194693
540
541         Reviewed by Mark Lam.
542
543         Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
544         And we do not perform any GC operations that are only meaningful in JIT environment.
545
546         1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
547         2. We remove DFG marking constraint in non-JIT mode.
548         3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, # of scratch buffers are always zero in non-JIT mode)
549         4. We do not visit JITStubRoutineSet.
550         5. Align JITWorklist function names to the other worklists.
551
552         * dfg/DFGOSRExitPreparation.cpp:
553         (JSC::DFG::prepareCodeOriginForOSRExit):
554         * dfg/DFGPlan.h:
555         * dfg/DFGWorklist.cpp:
556         (JSC::DFG::markCodeBlocks): Deleted.
557         * dfg/DFGWorklist.h:
558         * heap/Heap.cpp:
559         (JSC::Heap::completeAllJITPlans):
560         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
561         (JSC::Heap::gatherScratchBufferRoots):
562         (JSC::Heap::removeDeadCompilerWorklistEntries):
563         (JSC::Heap::stopThePeriphery):
564         (JSC::Heap::suspendCompilerThreads):
565         (JSC::Heap::resumeCompilerThreads):
566         (JSC::Heap::addCoreConstraints):
567         * jit/JITWorklist.cpp:
568         (JSC::JITWorklist::existingGlobalWorklistOrNull):
569         (JSC::JITWorklist::ensureGlobalWorklist):
570         (JSC::JITWorklist::instance): Deleted.
571         * jit/JITWorklist.h:
572         * llint/LLIntSlowPaths.cpp:
573         (JSC::LLInt::jitCompileAndSetHeuristics):
574         * runtime/VM.cpp:
575         (JSC::VM::~VM):
576         (JSC::VM::gatherScratchBufferRoots):
577         (JSC::VM::gatherConservativeRoots): Deleted.
578         * runtime/VM.h:
579
580 2019-02-15  Saam barati  <sbarati@apple.com>
581
582         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
583         https://bugs.webkit.org/show_bug.cgi?id=194036
584
585         Reviewed by Yusuke Suzuki.
586
587         This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
588         use linear scan for register allocation. Instead of linear scan, Air-O0 does
589         mostly block-local register allocation, and it does this as it's emitting
590         code directly. The register allocator uses liveness analysis to reduce
591         the number of spills. Doing register allocation as we're emitting code
592         allows us to skip editing the IR to insert spills, which saves a non trivial
593         amount of compile time. For stack allocation, we give each Tmp its own slot.
594         This is less than ideal. We probably want to do some trivial live range analysis
595         in the future. The reason this isn't a deal breaker for Wasm is that this patch
596         makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
597         Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
598         
599         This patch is another 25% Wasm startup time speedup. It seems to be worth
600         another 1% on JetStream2.
601
602         * JavaScriptCore.xcodeproj/project.pbxproj:
603         * Sources.txt:
604         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
605         (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
606         (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
607         (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
608         (JSC::B3::Air::callFrameAddr):
609         (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
610         (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
611         (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
612         (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
613         (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
614         (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
615         (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
616         (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
617         * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
618         * b3/air/AirCode.cpp:
619         * b3/air/AirCode.h:
620         * b3/air/AirGenerate.cpp:
621         (JSC::B3::Air::prepareForGeneration):
622         (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
623         (JSC::B3::Air::generate):
624         * b3/air/AirHandleCalleeSaves.cpp:
625         (JSC::B3::Air::handleCalleeSaves):
626         * b3/air/AirHandleCalleeSaves.h:
627         * b3/air/AirTmpMap.h:
628         * runtime/Options.h:
629         * wasm/WasmAirIRGenerator.cpp:
630         (JSC::Wasm::AirIRGenerator::didKill):
631         (JSC::Wasm::AirIRGenerator::newTmp):
632         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
633         (JSC::Wasm::parseAndCompileAir):
634         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
635         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
636         * wasm/WasmAirIRGenerator.h:
637         * wasm/WasmB3IRGenerator.cpp:
638         (JSC::Wasm::B3IRGenerator::didKill):
639         * wasm/WasmBBQPlan.cpp:
640         (JSC::Wasm::BBQPlan::compileFunctions):
641         * wasm/WasmFunctionParser.h:
642         (JSC::Wasm::FunctionParser<Context>::parseBody):
643         (JSC::Wasm::FunctionParser<Context>::parseExpression):
644         * wasm/WasmValidate.cpp:
645         (JSC::Wasm::Validate::didKill):
646
647 2019-02-14  Saam barati  <sbarati@apple.com>
648
649         lowerStackArgs should lower Lea32/64 on ARM64 to Add
650         https://bugs.webkit.org/show_bug.cgi?id=194656
651
652         Reviewed by Yusuke Suzuki.
653
654         On arm64, Lea is just implemented as an add. However, Air treats it as an
655         address with a given width. Because of this width, we were incorrectly
656         computing whether or not this immediate could fit into the instruction itself
657         or it needed to be explicitly put into a register. This patch makes
658         AirLowerStackArgs lower Lea to Add on arm64.
659
660         * b3/air/AirLowerStackArgs.cpp:
661         (JSC::B3::Air::lowerStackArgs):
662         * b3/air/AirOpcode.opcodes:
663         * b3/air/testair.cpp:
664
665 2019-02-14  Saam Barati  <sbarati@apple.com>
666
667         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
668         https://bugs.webkit.org/show_bug.cgi?id=194583
669         <rdar://problem/48028140>
670
671         Reviewed by Yusuke Suzuki.
672
673         This patch makes it so that getVariablesUnderTDZ caches a result of
674         CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
675         it's called in an environment where there are a lot of variables.
676         This patch makes it so we cache its results. This is profitable when
677         getVariablesUnderTDZ is called repeatedly with the same environment
678         state. This is common since we call this every time we encounter a
679         function definition/expression node.
680
681         * builtins/BuiltinExecutables.cpp:
682         (JSC::BuiltinExecutables::createExecutable):
683         * bytecode/UnlinkedFunctionExecutable.cpp:
684         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
685         * bytecode/UnlinkedFunctionExecutable.h:
686         * bytecompiler/BytecodeGenerator.cpp:
687         (JSC::BytecodeGenerator::popLexicalScopeInternal):
688         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
689         (JSC::BytecodeGenerator::pushTDZVariables):
690         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
691         (JSC::BytecodeGenerator::restoreTDZStack):
692         * bytecompiler/BytecodeGenerator.h:
693         (JSC::BytecodeGenerator::makeFunction):
694         * parser/VariableEnvironment.cpp:
695         (JSC::CompactVariableMap::Handle::Handle):
696         (JSC::CompactVariableMap::Handle::operator=):
697         * parser/VariableEnvironment.h:
698         (JSC::CompactVariableMap::Handle::operator bool const):
699         * runtime/CodeCache.cpp:
700         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
701
702 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
703
704         [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
705         https://bugs.webkit.org/show_bug.cgi?id=194659
706
707         Reviewed by Mark Lam.
708
709         Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since this entry point code is identical.
710         We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
711         And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.
712
713         * dfg/DFGJITCode.h:
714         * dfg/DFGJITFinalizer.cpp:
715         (JSC::DFG::JITFinalizer::finalize):
716         (JSC::DFG::JITFinalizer::finalizeFunction):
717         * jit/JITCode.cpp:
718         (JSC::DirectJITCode::initializeCodeRefForDFG):
719         (JSC::DirectJITCode::initializeCodeRef): Deleted.
720         (JSC::NativeJITCode::initializeCodeRef): Deleted.
721         * jit/JITCode.h:
722         * llint/LLIntEntrypoint.cpp:
723         (JSC::LLInt::setFunctionEntrypoint):
724         (JSC::LLInt::setEvalEntrypoint):
725         (JSC::LLInt::setProgramEntrypoint):
726         (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.
727
728 2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>
729
730         [WTF] Add environment variable helpers
731         https://bugs.webkit.org/show_bug.cgi?id=192405
732
733         Reviewed by Michael Catanzaro.
734
735         * inspector/remote/glib/RemoteInspectorGlib.cpp:
736         (Inspector::RemoteInspector::RemoteInspector):
737         (Inspector::RemoteInspector::start):
738         * jsc.cpp:
739         (startTimeoutThreadIfNeeded):
740         * runtime/Options.cpp:
741         (JSC::overrideOptionWithHeuristic):
742         (JSC::Options::overrideAliasedOptionWithHeuristic):
743         (JSC::Options::initialize):
744         * runtime/VM.cpp:
745         (JSC::enableAssembler):
746         (JSC::VM::VM):
747         * tools/CodeProfiling.cpp:
748         (JSC::CodeProfiling::notifyAllocator):
749         Utilize WTF::Environment where possible.
750
751 2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>
752
753         [JSC] Should have default NativeJITCode
754         https://bugs.webkit.org/show_bug.cgi?id=194634
755
756         Reviewed by Mark Lam.
757
758         In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
759         This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as the default one.
760         Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
761         allocations, which take 14KB.
762
763         * runtime/VM.cpp:
764         (JSC::jitCodeForCallTrampoline):
765         (JSC::jitCodeForConstructTrampoline):
766         (JSC::VM::getHostFunction):
767
768 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
769
770         generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
771         https://bugs.webkit.org/show_bug.cgi?id=194576
772
773         Reviewed by Saam Barati.
774
775         Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
776         and use it in `generateUnlinkedCodeBlockForFunctions` instead.
777
778         * bytecode/UnlinkedFunctionExecutable.cpp:
779         (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
780         (JSC::UnlinkedFunctionExecutable::link):
781         * bytecode/UnlinkedFunctionExecutable.h:
782         * runtime/CodeCache.cpp:
783         (JSC::generateUnlinkedCodeBlockForFunctions):
784
785 2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>
786
787         CachedBitVector's size must be converted from bits to bytes
788         https://bugs.webkit.org/show_bug.cgi?id=194441
789
790         Reviewed by Saam Barati.
791
792         CachedBitVector used its size in bits for memcpy. That didn't cause any
793         issues when encoding, since the size in bits was also used in the allocation,
794         but would overflow the actual BitVector buffer when decoding.
795
796         * runtime/CachedTypes.cpp:
797         (JSC::CachedBitVector::encode):
798         (JSC::CachedBitVector::decode const):
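
The bits-versus-bytes mistake described in this entry, as an added example that is not JSC's code: `BitVector`, `CachedBitVector`, `bytesForBits`, `encode` and `decode` are constructed for the example and only model the real types. It shows, as arithmetic rather than by executing the overrun, why a memcpy length taken from the bit count overruns the decoded buffer, and a decoder that derives the copy length from the bit count and validates the payload size before copying.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not JSC's own code: a minimal 64-bit-word bit vector used to
// show the bits-versus-bytes distinction the entry describes.
struct BitVector {
    std::vector<uint64_t> words;
    size_t numBits = 0;

    explicit BitVector(size_t bits = 0) : words((bits + 63) / 64, 0), numBits(bits) { }
    size_t byteSize() const { return words.size() * sizeof(uint64_t); }
    bool get(size_t i) const { return (words[i / 64] >> (i % 64)) & 1; }
    void set(size_t i) { words[i / 64] |= uint64_t(1) << (i % 64); }
};

// Serialized form (hypothetical layout): the bit count plus the raw word bytes.
struct CachedBitVector {
    uint32_t numBits = 0;
    std::vector<uint8_t> payload;
};

// Bytes actually backing a vector of `bits` bits: whole 64-bit words.
static size_t bytesForBits(size_t bits) {
    return ((bits + 63) / 64) * sizeof(uint64_t);
}

// The defect in the entry, stated as arithmetic: a memcpy whose length is the
// bit count runs past the buffer whenever bits exceed the backing byte count.
static bool bitCountAsLengthOverflows(size_t bits) {
    return bits > bytesForBits(bits);
}

static CachedBitVector encode(const BitVector& bv) {
    CachedBitVector cached;
    cached.numBits = static_cast<uint32_t>(bv.numBits);
    cached.payload.resize(bytesForBits(bv.numBits));  // sized in bytes, not bits
    if (!cached.payload.empty())
        std::memcpy(cached.payload.data(), bv.words.data(), cached.payload.size());
    return cached;
}

// Decoder with the fix: the copy length comes from the bit count, and a payload
// whose length disagrees with it is rejected (cache input is untrusted data).
static bool decode(const CachedBitVector& cached, BitVector& out) {
    const size_t expectedBytes = bytesForBits(cached.numBits);
    if (cached.payload.size() != expectedBytes)
        return false;
    out = BitVector(cached.numBits);
    if (expectedBytes)
        std::memcpy(out.words.data(), cached.payload.data(), expectedBytes);
    return true;
}

// Round trip: set a few bits across word boundaries, encode, decode, compare.
static bool roundTripPreservesBits() {
    BitVector bv(100);
    bv.set(0); bv.set(63); bv.set(64); bv.set(99);
    BitVector back;
    if (!decode(encode(bv), back) || back.numBits != bv.numBits)
        return false;
    for (size_t i = 0; i < bv.numBits; ++i)
        if (back.get(i) != bv.get(i)) return false;
    return true;
}

// A payload that lies about its length is refused instead of copied.
static bool truncatedPayloadIsRejected() {
    CachedBitVector cached = encode(BitVector(100));
    cached.payload.resize(4);  // still claims 100 bits but carries only 4 bytes
    BitVector out;
    return !decode(cached, out);
}
```

The length check in `decode` is the part worth carrying over to any cache format: the bit count is read from the cached data, so both the copy length and the allocation must be derived from it in bytes, and the payload length must agree with that before a single byte is copied.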
799
800 2019-02-13  Brian Burg  <bburg@apple.com>
801
802         Web Inspector: don't include accessibility role in DOM.Node object payloads
803         https://bugs.webkit.org/show_bug.cgi?id=194623
804         <rdar://problem/36384037>
805
806         Reviewed by Devin Rousso.
807
808         Remove property of DOM.Node that is no longer being sent.
809
810         * inspector/protocol/DOM.json:
811
812 2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
813
814         We should only make rope strings when concatenating strings long enough.
815         https://bugs.webkit.org/show_bug.cgi?id=194465
816
817         Reviewed by Mark Lam.
818
819         This patch stops us from allocating a rope string if the resulting
820         rope would be smaller than the size of the JSRopeString object we
821         would need to allocate.
822
823         This patch also adds paths so that we don't unnecessarily allocate
824         JSString cells for primitives we are going to concatenate with a
825         string anyway.
826
827         The important change from the previous one is that we do not apply
828         the above rule to JSRopeStrings generated by JSStrings. If we convert
829         it to JSString, comparison of memory consumption becomes the following,
830         because JSRopeString does not have StringImpl until it is resolved.
831
832             sizeof(JSRopeString) vs. sizeof(JSString) + sizeof(StringImpl) + content
833
834         Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
835         resolving eagerly increases memory footprint. The point is that we need to
836         account for newly created JSString and JSRopeString from the operands. This is the
837         reason why this patch adds different thresholds for each jsString function.
838
839         This patch also avoids concatenation for ropes conservatively. Many ropes are
840         temporary cells. So we do not resolve eagerly if one of the operands is already a
841         rope.
842
843         In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and averaging the latter 5).
844
845             Before: 159.3778
846             After:  160.72340000000003
847
848         * dfg/DFGOperations.cpp:
849         * runtime/CommonSlowPaths.cpp:
850         (JSC::SLOW_PATH_DECL):
851         * runtime/JSString.h:
852         (JSC::JSString::isRope const):
853         * runtime/Operations.cpp:
854         (JSC::jsAddSlowCase):
855         * runtime/Operations.h:
856         (JSC::jsString):
857         (JSC::jsAddNonNumber):
858         (JSC::jsAdd):
859
860 2019-02-13  Saam Barati  <sbarati@apple.com>
861
862         AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
863         https://bugs.webkit.org/show_bug.cgi?id=194610
864
865         Reviewed by Michael Saboff.
866
867         BinarySwitch might use the scratch register. We must model the
868         effects of that properly. This is already caught by our br-table
869         tests on arm64.
870
871         * wasm/WasmAirIRGenerator.cpp:
872         (JSC::Wasm::AirIRGenerator::addSwitch):
873
874 2019-02-13  Mark Lam  <mark.lam@apple.com>
875
876         Create a randomized free list for new StructureIDs on StructureIDTable resize.
877         https://bugs.webkit.org/show_bug.cgi?id=194566
878         <rdar://problem/47975502>
879
880         Reviewed by Michael Saboff.
881
882         Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
883         implementation is a little easier to read.
884
885         This patch appears to be perf neutral on JetStream2 (as run from the command line).
886
887         * runtime/StructureIDTable.cpp:
888         (JSC::StructureIDTable::StructureIDTable):
889         (JSC::StructureIDTable::makeFreeListFromRange):
890         (JSC::StructureIDTable::resize):
891         (JSC::StructureIDTable::allocateID):
892         (JSC::StructureIDTable::deallocateID):
893         * runtime/StructureIDTable.h:
894         (JSC::StructureIDTable::get):
895         (JSC::StructureIDTable::deallocateID):
896         (JSC::StructureIDTable::allocateID):
897         (JSC::StructureIDTable::flushOldTables):
898
899 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
900
901         VariableLengthObject::allocate<T> should initialize objects
902         https://bugs.webkit.org/show_bug.cgi?id=194534
903
904         Reviewed by Michael Saboff.
905
906         `buffer()` should not be called for empty VariableLengthObjects, but
907         these cases were not being caught due to the objects not being properly
908         initialized. Fix it so that allocate calls the constructor and fix the
909         assertion failures.
910
911         * runtime/CachedTypes.cpp:
912         (JSC::CachedObject::operator new):
913         (JSC::VariableLengthObject::allocate):
914         (JSC::CachedVector::encode):
915         (JSC::CachedVector::decode const):
916         (JSC::CachedUniquedStringImpl::decode const):
917         (JSC::CachedBitVector::encode):
918         (JSC::CachedBitVector::decode const):
919         (JSC::CachedArray::encode):
920         (JSC::CachedArray::decode const):
921         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
922         (JSC::CachedBigInt::decode const):
923
924 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
925
926         CodeBlocks read from disk should not be re-written
927         https://bugs.webkit.org/show_bug.cgi?id=194535
928
929         Reviewed by Michael Saboff.
930
931         Keep track of which CodeBlocks have been read from disk or have already
932         been serialized in CodeCache.
933
934         * runtime/CodeCache.cpp:
935         (JSC::CodeCache::write):
936         * runtime/CodeCache.h:
937         (JSC::SourceCodeValue::SourceCodeValue):
938         (JSC::CodeCacheMap::fetchFromDiskImpl):
939
940 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
941
942         SourceCode should be copied when generating bytecode for functions
943         https://bugs.webkit.org/show_bug.cgi?id=194536
944
945         Reviewed by Saam Barati.
946
947         The FunctionExecutable might be collected while generating the bytecode
948         for nested functions, in which case the SourceCode reference would no
949         longer be valid.
950
951         * runtime/CodeCache.cpp:
952         (JSC::generateUnlinkedCodeBlockForFunctions):
953
954 2019-02-12  Saam barati  <sbarati@apple.com>
955
956         JSScript needs to retain its cache path NSURL*
957         https://bugs.webkit.org/show_bug.cgi?id=194577
958
959         Reviewed by Tim Horton.
960
961         * API/JSScript.mm:
962         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
963         (-[JSScript dealloc]):
964
965 2019-02-12  Robin Morisset  <rmorisset@apple.com>
966
967         Make B3Value::returnsBool() more precise
968         https://bugs.webkit.org/show_bug.cgi?id=194457
969
970         Reviewed by Saam Barati.
971
972         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
973         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
974         No new tests added as this should be indirectly tested by the already existing tests.
975
976         * b3/B3Value.cpp:
977         (JSC::B3::Value::returnsBool const):
978
979 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
980
981         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
982         https://bugs.webkit.org/show_bug.cgi?id=194399
983         <rdar://problem/47889777>
984
985         * dfg/DFGDoesGC.cpp:
986         (JSC::DFG::doesGC):
987
988 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
989
990         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
991         https://bugs.webkit.org/show_bug.cgi?id=194370
992
993         Reviewed by Darin Adler.
994
995         Change a couple of WTFLogAlways calls to use g_warning, for good measure. Of course this isn't
996         necessary, but it will make errors more visible.
997
998         * inspector/remote/glib/RemoteInspectorGlib.cpp:
999         (Inspector::RemoteInspector::start):
1000         (Inspector::dbusConnectionCallAsyncReadyCallback):
1001         * inspector/remote/glib/RemoteInspectorServer.cpp:
1002         (Inspector::RemoteInspectorServer::start):
1003
1004 2019-02-12  Andy Estes  <aestes@apple.com>
1005
1006         [iOSMac] Enable Parental Controls Content Filtering
1007         https://bugs.webkit.org/show_bug.cgi?id=194521
1008         <rdar://39732376>
1009
1010         Reviewed by Tim Horton.
1011
1012         * Configurations/FeatureDefines.xcconfig:
1013
1014 2019-02-11  Mark Lam  <mark.lam@apple.com>
1015
1016         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
1017         https://bugs.webkit.org/show_bug.cgi?id=194512
1018         <rdar://problem/47975465>
1019
1020         Reviewed by Yusuke Suzuki.
1021
1022         * runtime/StructureIDTable.cpp:
1023         (JSC::StructureIDTable::StructureIDTable):
1024         (JSC::StructureIDTable::allocateID):
1025         (JSC::StructureIDTable::deallocateID):
1026         * runtime/StructureIDTable.h:
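
A model of the randomized free list from this entry and from the 2019-02-13 entry above ("Create a randomized free list for new StructureIDs on StructureIDTable resize"), as an added example that is not JSC's own implementation. The method names `allocateID`, `deallocateID`, `resize` and `makeFreeListFromRange` follow the function list in those entries, but every body here is constructed: the free list is a plain vector (JSC threads it through the table entries), the random source is a seeded xorshift64 so the checks are deterministic (JSC uses a proper random source), and slot 0 being the reserved invalid ID is an assumption of the model. It shows both randomization points, the shuffled range created on resize and the random-position insertion of a released ID.

```cpp
#include <algorithm>
#include <cstdint>
#include <utility>
#include <vector>

// Added example, not JSC's own code: a simplified StructureID table whose free
// list is randomized on resize and on release. JSC threads the free list through
// the table entries and uses a real random source; here the list is a vector and
// the generator is a seeded xorshift64 so the checks below are deterministic.
using StructureID = uint32_t;

struct Xorshift64 {
    uint64_t state;
    uint64_t next() { state ^= state << 13; state ^= state >> 7; state ^= state << 17; return state; }
    size_t below(size_t bound) { return bound ? static_cast<size_t>(next() % bound) : 0; }
};

class StructureIDTable {
public:
    // Slot 0 is reserved as the invalid ID (an assumption of this model).
    StructureIDTable(size_t initialCapacity, uint64_t seed) : m_table(1, nullptr), m_rng{seed | 1} {
        resize(initialCapacity);
    }

    StructureID allocateID(void* structure) {
        if (m_freeList.empty())
            resize(m_table.size() * 2);
        StructureID id = m_freeList.back();
        m_freeList.pop_back();
        m_table[id] = structure;
        return id;
    }

    // A released ID goes to a random position, not the head, so the next
    // allocation does not predictably hand back the ID just freed.
    void deallocateID(StructureID id) {
        m_table[id] = nullptr;
        size_t pos = m_rng.below(m_freeList.size() + 1);
        m_freeList.insert(m_freeList.begin() + pos, id);
    }

    void* get(StructureID id) const { return id < m_table.size() ? m_table[id] : nullptr; }
    size_t capacity() const { return m_table.size(); }
    const std::vector<StructureID>& freeList() const { return m_freeList; }

private:
    // New IDs [first, last) enter the free list in Fisher-Yates shuffled order.
    void makeFreeListFromRange(StructureID first, StructureID last) {
        std::vector<StructureID> range;
        for (StructureID id = first; id < last; ++id)
            range.push_back(id);
        for (size_t i = range.size(); i > 1; --i)
            std::swap(range[i - 1], range[m_rng.below(i)]);
        m_freeList.insert(m_freeList.begin(), range.begin(), range.end());
    }

    void resize(size_t newCapacity) {
        StructureID first = static_cast<StructureID>(m_table.size());
        m_table.resize(newCapacity, nullptr);
        makeFreeListFromRange(first, static_cast<StructureID>(newCapacity));
    }

    std::vector<void*> m_table;
    std::vector<StructureID> m_freeList;
    Xorshift64 m_rng;
};

// Every ID handed out is unique and lies in [1, capacity); one more allocation
// then grows the table and serves an ID from the newly created range.
static bool allocationsArePermutationAndTableGrows(size_t capacity) {
    StructureIDTable table(capacity, 42);
    int marker = 0;
    std::vector<StructureID> seen;
    for (size_t i = 1; i < capacity; ++i)
        seen.push_back(table.allocateID(&marker));
    std::sort(seen.begin(), seen.end());
    for (size_t i = 0; i < seen.size(); ++i)
        if (seen[i] != static_cast<StructureID>(i + 1)) return false;
    if (!table.freeList().empty() || table.capacity() != capacity) return false;
    StructureID extra = table.allocateID(&marker);  // forces a resize
    return table.capacity() == 2 * capacity && extra >= capacity && table.get(extra) == &marker;
}

// A released ID is cleared in the table and is back on the free list.
static bool releasedIDReturnsToFreeList() {
    StructureIDTable table(8, 99);
    int marker = 0;
    StructureID id = table.allocateID(&marker);
    size_t before = table.freeList().size();
    table.deallocateID(id);
    const std::vector<StructureID>& list = table.freeList();
    return table.get(id) == nullptr && list.size() == before + 1
        && std::find(list.begin(), list.end(), id) != list.end();
}
```

The invariants the checks exercise are the ones that matter regardless of how the list is randomized: every ID is handed out at most once, a released ID becomes unreadable through `get` and is eventually reusable, and growth never hands out an ID outside the table.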
1027
1028 2019-02-10  Mark Lam  <mark.lam@apple.com>
1029
1030         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
1031         https://bugs.webkit.org/show_bug.cgi?id=194493
1032         <rdar://problem/36380852>
1033
1034         Reviewed by Yusuke Suzuki.
1035
1036         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
1037         however not good for performance and memory usage.  As such, a debug ASSERT will
1038         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
1039         possible to be instantiated with duplicate cases in
1040         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
1041
1042         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
1043         see duplicate cases.
1044
1045         * jit/BinarySwitch.cpp:
1046         (JSC::BinarySwitch::BinarySwitch):
1047
1048 2019-02-10  Darin Adler  <darin@apple.com>
1049
1050         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
1051         https://bugs.webkit.org/show_bug.cgi?id=194485
1052
1053         Reviewed by Daniel Bates.
1054
1055         * heap/HeapSnapshotBuilder.cpp:
1056         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
1057         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
1058
1059         * runtime/JSGlobalObjectFunctions.cpp:
1060         (JSC::encode): Removed some unneeded casts in StringBuilder code,
1061         including one in a call to appendByteAsHex.
1062         (JSC::globalFuncEscape): Ditto.
1063
1064 2019-02-10  Commit Queue  <commit-queue@webkit.org>
1065
1066         Unreviewed, rolling out r241230.
1067         https://bugs.webkit.org/show_bug.cgi?id=194488
1068
1069         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
1070         #webkit).
1071
1072         Reverted changeset:
1073
1074         "We should only make rope strings when concatenating strings
1075         long enough."
1076         https://bugs.webkit.org/show_bug.cgi?id=194465
1077         https://trac.webkit.org/changeset/241230
1078
1079 2019-02-10  Saam barati  <sbarati@apple.com>
1080
1081         BBQ-Air: Emit better code for switch
1082         https://bugs.webkit.org/show_bug.cgi?id=194053
1083
1084         Reviewed by Yusuke Suzuki.
1085
1086         Instead of emitting a linear set of jumps for Switch, this patch
1087         makes the BBQ-Air backend emit a binary switch.
1088
1089         * wasm/WasmAirIRGenerator.cpp:
1090         (JSC::Wasm::AirIRGenerator::addSwitch):
1091
1092 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1093
1094         Unreviewed, Lexer should use isLatin1 implementation in WTF
1095         https://bugs.webkit.org/show_bug.cgi?id=194466
1096
1097         Follow-up after r241233, pointed out by Darin.
1098
1099         * parser/Lexer.cpp:
1100         (JSC::isLatin1): Deleted.
1101
1102 2019-02-09  Darin Adler  <darin@apple.com>
1103
1104         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
1105         https://bugs.webkit.org/show_bug.cgi?id=194021
1106
1107         Reviewed by Geoffrey Garen.
1108
1109         * inspector/agents/InspectorConsoleAgent.cpp:
1110         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
1111         makeString do the conversion without allocating/destroying a String.
1112         * inspector/agents/InspectorDebuggerAgent.cpp:
1113         (Inspector::objectGroupForBreakpointAction): Ditto.
1114         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
1115         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
1116         * runtime/JSGenericTypedArrayViewInlines.h:
1117         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
1118         * runtime/NumberPrototype.cpp:
1119         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
1120         of calling numberToFixedWidthString to do the same thing.
1121         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
1122         numberToFixedPrecisionString to do the same thing.
1123         * runtime/SamplingProfiler.cpp:
1124         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
1125
1126 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
1127
1128         Unreviewed, rolling in r241237 again
1129         https://bugs.webkit.org/show_bug.cgi?id=194469
1130
1131         * runtime/JSString.h:
1132         (JSC::jsSubstring):
1133
1134 2019-02-09  Commit Queue  <commit-queue@webkit.org>
1135
1136         Unreviewed, rolling out r241237.
1137         https://bugs.webkit.org/show_bug.cgi?id=194474
1138
1139         Shows significant memory increase in WSL (Requested by
1140         yusukesuzuki on #webkit).
1141
1142         Reverted changeset:
1143
1144         "[WTF] Use BufferInternal StringImpl if substring StringImpl
1145         takes more memory"
1146         https://bugs.webkit.org/show_bug.cgi?id=194469
1147         https://trac.webkit.org/changeset/241237
1148
1149 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1150
1151         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
1152         https://bugs.webkit.org/show_bug.cgi?id=194469
1153
1154         Reviewed by Geoffrey Garen.
1155
1156         * runtime/JSString.h:
1157         (JSC::jsSubstring):
1158
1159 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1160
1161         [JSC] CachedTypes should use jsString instead of JSString::create
1162         https://bugs.webkit.org/show_bug.cgi?id=194471
1163
1164         Reviewed by Mark Lam.
1165
1166         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
1167
1168         * runtime/CachedTypes.cpp:
1169         (JSC::CachedJSValue::decode const):
1170
1171 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1172
1173         [JSC] Increase StructureIDTable initial capacity
1174         https://bugs.webkit.org/show_bug.cgi?id=194468
1175
1176         Reviewed by Mark Lam.
1177
1178         Currently, the number of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in the
1179         JSC shell), 281, already exceeds the current initial value, 256. We should increase the capacity since
1180         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
1181         more memory dirty. We also remove some structures that are no longer used.
1182
1183         * runtime/JSGlobalObject.h:
1184         (JSC::JSGlobalObject::callbackObjectStructure const):
1185         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
1186         * runtime/StructureIDTable.h:
1187         * runtime/VM.h:
1188
1189 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1190
1191         [JSC] String.fromCharCode's slow path always generates 16bit string
1192         https://bugs.webkit.org/show_bug.cgi?id=194466
1193
1194         Reviewed by Keith Miller.
1195
1196         String.fromCharCode(a1) has a fast path and is the most frequently used. And String.fromCharCode(a1, a2, ...)
1197         goes to the slow path. However, in the slow path, we always create a 16-bit string. A 16-bit string takes 2x memory,
1198         and even worse, taints ropes 16-bit if a 16-bit string is included in the given rope. We find that acorn-wtb
1199         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
1200         a 16-bit string. However, only a few strings are actually 16-bit strings. This patch attempts to make 8-bit strings
1201         as much as possible.
1202
1203         It improves non-JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
1204
1205         * runtime/StringConstructor.cpp:
1206         (JSC::stringFromCharCode):
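
The width decision this entry describes, as an added example that is not JSC's code: `StringModel`, `stringFromCharCodes` and `concatenationIs8Bit` are constructed for the example, and the inputs are assumed to be already converted to unsigned integers so that ToUint16 reduces to masking. It keeps the result 8-bit whenever every code unit fits in one byte, reports the content memory each representation costs, and shows how a single 16-bit operand taints a concatenation.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Added example, not JSC's own code: the character-width decision the slow path
// of String.fromCharCode(a1, a2, ...) can make. Inputs are assumed to be already
// converted to unsigned integers; the `& 0xFFFF` below is the ToUint16 step.
struct StringModel {
    bool is8Bit = true;
    std::string latin1;    // used when is8Bit
    std::u16string utf16;  // used when !is8Bit

    size_t length() const { return is8Bit ? latin1.size() : utf16.size(); }
    // Bytes for the characters alone: 1 per unit for 8-bit, 2 for 16-bit.
    size_t contentBytes() const { return length() * (is8Bit ? 1 : 2); }
    char16_t at(size_t i) const {
        return is8Bit ? static_cast<char16_t>(static_cast<unsigned char>(latin1[i])) : utf16[i];
    }
};

static StringModel stringFromCharCodes(const std::vector<uint32_t>& codes) {
    std::vector<char16_t> units;
    units.reserve(codes.size());
    bool all8Bit = true;
    for (uint32_t c : codes) {
        char16_t unit = static_cast<char16_t>(c & 0xFFFF);  // ToUint16
        all8Bit = all8Bit && unit <= 0xFF;
        units.push_back(unit);
    }
    StringModel s;
    s.is8Bit = all8Bit;
    if (all8Bit) {
        // Every unit fits in one byte: store the string as Latin-1.
        s.latin1.reserve(units.size());
        for (char16_t u : units)
            s.latin1.push_back(static_cast<char>(u));
    } else {
        // At least one unit needs two bytes: the whole string becomes 16-bit.
        s.utf16.assign(units.begin(), units.end());
    }
    return s;
}

// Concatenation is tainted 16-bit as soon as either side is 16-bit.
static bool concatenationIs8Bit(const StringModel& a, const StringModel& b) {
    return a.is8Bit && b.is8Bit;
}
```

The second pass over `units` is the price of deciding width after the scan; the alternative of starting 8-bit and upgrading on the first wide unit avoids it but needs a copy at the moment of upgrade, so either way the decision must be made from the actual code units rather than from the argument count.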
1207
1208 2019-02-08  Keith Miller  <keith_miller@apple.com>
1209
1210         We should only make rope strings when concatenating strings long enough.
1211         https://bugs.webkit.org/show_bug.cgi?id=194465
1212
1213         Reviewed by Saam Barati.
1214
1215         This patch stops us from allocating a rope string if the resulting
1216         rope would be smaller than the size of the JSRopeString object we
1217         would need to allocate.
1218
1219         This patch also adds paths so that we don't unnecessarily allocate
1220         JSString cells for primitives we are going to concatenate with a
1221         string anyway.
1222
1223         * dfg/DFGOperations.cpp:
1224         * runtime/CommonSlowPaths.cpp:
1225         (JSC::SLOW_PATH_DECL):
1226         * runtime/JSString.h:
1227         * runtime/Operations.cpp:
1228         (JSC::jsAddSlowCase):
1229         * runtime/Operations.h:
1230         (JSC::jsString):
1231         (JSC::jsAdd):
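
The eager-versus-rope cost comparison from this entry and from the 2019-02-13 relanding above ("We should only make rope strings when concatenating strings long enough"), as an added example that is not JSC's code: `Operand`, `eagerCost`, `ropeCost` and `shouldMakeRope` are constructed here, and the three size constants are stand-ins for the real sizeof() values, which vary by platform and JSC version. It accounts for the JSString cells that would have to be created for operands that are not cells yet, which is why the threshold differs between the jsString overloads, and keeps making ropes when an operand is already a rope.

```cpp
#include <cstddef>

// Added example, not JSC's own code. The sizes below are assumed stand-ins for
// sizeof(JSRopeString), sizeof(JSString) and sizeof(StringImpl); the relanding
// entry only states that the latter two together exceed the first.
constexpr size_t kSizeofJSRopeString = 48;
constexpr size_t kSizeofJSString = 32;
constexpr size_t kSizeofStringImpl = 24;

struct Operand {
    size_t length;  // number of characters
    bool is8Bit;    // 1 byte per character when true, 2 otherwise
    bool isRope;    // already an unresolved JSRopeString
    bool isCell;    // already a JSString cell; false for a primitive not yet boxed
};

static size_t contentBytes(size_t length, bool is8Bit) {
    return length * (is8Bit ? 1 : 2);
}

// Resolving eagerly: one JSString cell, one StringImpl, and the joined content.
static size_t eagerCost(const Operand& a, const Operand& b) {
    return kSizeofJSString + kSizeofStringImpl
        + contentBytes(a.length + b.length, a.is8Bit && b.is8Bit);
}

// Boxing a primitive operand so a rope can reference it costs a JSString cell
// and a StringImpl for its own content; an existing cell costs nothing extra.
static size_t boxingCost(const Operand& op) {
    return op.isCell ? 0 : kSizeofJSString + kSizeofStringImpl + contentBytes(op.length, op.is8Bit);
}

// Making a rope: the rope cell plus whatever boxing the operands need.
static size_t ropeCost(const Operand& a, const Operand& b) {
    return kSizeofJSRopeString + boxingCost(a) + boxingCost(b);
}

// Decision: operands that are already ropes stay ropes (many ropes are
// temporaries, so resolving them eagerly is wasted work); otherwise choose
// whichever representation costs less memory.
static bool shouldMakeRope(const Operand& a, const Operand& b) {
    if (a.isRope || b.isRope)
        return true;
    return ropeCost(a, b) < eagerCost(a, b);
}
```

With these constants two existing cells always favour a rope, a short primitive concatenated onto a cell favours eager resolution because the rope would first have to box the primitive, and a long primitive tips back to a rope once its content outweighs the extra cell; the threshold is a property of the operand kinds, not a single fixed length.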
1232
1233 2019-02-08  Saam barati  <sbarati@apple.com>
1234
1235         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1236         https://bugs.webkit.org/show_bug.cgi?id=194334
1237         <rdar://problem/47844327>
1238
1239         Reviewed by Mark Lam.
1240
1241         * dfg/DFGAbstractInterpreterInlines.h:
1242         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1243         * dfg/DFGArgumentsEliminationPhase.cpp:
1244         * dfg/DFGByteCodeParser.cpp:
1245         (JSC::DFG::ByteCodeParser::parseBlock):
1246         * dfg/DFGClobberize.h:
1247         (JSC::DFG::clobberize):
1248         * dfg/DFGConstantFoldingPhase.cpp:
1249         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1250         * dfg/DFGFixupPhase.cpp:
1251         (JSC::DFG::FixupPhase::fixupNode):
1252         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1253         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1254         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1255         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1256         * dfg/DFGNodeType.h:
1257         * dfg/DFGSSALoweringPhase.cpp:
1258         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1259         * dfg/DFGSpeculativeJIT.cpp:
1260         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1261         * ftl/FTLLowerDFGToB3.cpp:
1262         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1263         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1264
1265 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1266
1267         [JSC] Shrink sizeof(CodeBlock) more
1268         https://bugs.webkit.org/show_bug.cgi?id=194419
1269
1270         Reviewed by Mark Lam.
1271
1272         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1273
1274         1. CodeBlock copies so much data from ScriptExecutable even though ScriptExecutable
1275         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1276         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1277
1278         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1279         And we do not touch it in CodeBlock::~CodeBlock.
1280
1281         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1282         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns a
1283         singleton `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1284
1285         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1286
1287         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1288
1289         * bytecode/CodeBlock.cpp:
1290         (JSC::CodeBlock::hash const):
1291         (JSC::CodeBlock::sourceCodeForTools const):
1292         (JSC::CodeBlock::dumpAssumingJITType const):
1293         (JSC::CodeBlock::dumpSource):
1294         (JSC::CodeBlock::CodeBlock):
1295         (JSC::CodeBlock::finishCreation):
1296         (JSC::CodeBlock::propagateTransitions):
1297         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1298         (JSC::CodeBlock::setCalleeSaveRegisters):
1299         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1300         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1301         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1302         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1303         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1304         (JSC::CodeBlock::newReplacement):
1305         (JSC::CodeBlock::replacement):
1306         (JSC::CodeBlock::computeCapabilityLevel):
1307         (JSC::CodeBlock::jettison):
1308         (JSC::CodeBlock::calleeSaveRegisters const):
1309         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1310         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1311         (JSC::CodeBlock::getArrayProfile):
1312         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1313         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1314         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1315         (JSC::CodeBlock::validate):
1316         (JSC::CodeBlock::outOfLineJumpTarget):
1317         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1318         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1319         * bytecode/CodeBlock.h:
1320         (JSC::CodeBlock::specializationKind const):
1321         (JSC::CodeBlock::isStrictMode const):
1322         (JSC::CodeBlock::isConstructor const):
1323         (JSC::CodeBlock::codeType const):
1324         (JSC::CodeBlock::isKnownNotImmediate):
1325         (JSC::CodeBlock::instructions const):
1326         (JSC::CodeBlock::ownerExecutable const):
1327         (JSC::CodeBlock::thisRegister const):
1328         (JSC::CodeBlock::source const):
1329         (JSC::CodeBlock::sourceOffset const):
1330         (JSC::CodeBlock::firstLineColumnOffset const):
1331         (JSC::CodeBlock::createRareDataIfNecessary):
1332         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1333         (JSC::CodeBlock::setThisRegister): Deleted.
1334         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1335         * bytecode/EvalCodeBlock.h:
1336         * bytecode/FunctionCodeBlock.h:
1337         * bytecode/GlobalCodeBlock.h:
1338         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1339         * bytecode/ModuleProgramCodeBlock.h:
1340         * bytecode/ProgramCodeBlock.h:
1341         * debugger/Debugger.cpp:
1342         (JSC::Debugger::toggleBreakpoint):
1343         * debugger/DebuggerCallFrame.cpp:
1344         (JSC::DebuggerCallFrame::sourceID const):
1345         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1346         * debugger/DebuggerScope.cpp:
1347         (JSC::DebuggerScope::location const):
1348         * dfg/DFGByteCodeParser.cpp:
1349         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1350         (JSC::DFG::ByteCodeParser::inliningCost):
1351         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1352         * dfg/DFGCapabilities.cpp:
1353         (JSC::DFG::isSupportedForInlining):
1354         (JSC::DFG::mightCompileEval):
1355         (JSC::DFG::mightCompileProgram):
1356         (JSC::DFG::mightCompileFunctionForCall):
1357         (JSC::DFG::mightCompileFunctionForConstruct):
1358         (JSC::DFG::canUseOSRExitFuzzing):
1359         * dfg/DFGGraph.h:
1360         (JSC::DFG::Graph::executableFor):
1361         * dfg/DFGJITCompiler.cpp:
1362         (JSC::DFG::JITCompiler::compileFunction):
1363         * dfg/DFGOSREntry.cpp:
1364         (JSC::DFG::prepareOSREntry):
1365         * dfg/DFGOSRExit.cpp:
1366         (JSC::DFG::restoreCalleeSavesFor):
1367         (JSC::DFG::saveCalleeSavesFor):
1368         (JSC::DFG::saveOrCopyCalleeSavesFor):
1369         * dfg/DFGOSRExitCompilerCommon.cpp:
1370         (JSC::DFG::handleExitCounts):
1371         * dfg/DFGOperations.cpp:
1372         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1373         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1374         * ftl/FTLCapabilities.cpp:
1375         (JSC::FTL::canCompile):
1376         * ftl/FTLLink.cpp:
1377         (JSC::FTL::link):
1378         * ftl/FTLOSRExitCompiler.cpp:
1379         (JSC::FTL::compileStub):
1380         * interpreter/CallFrame.cpp:
1381         (JSC::CallFrame::callerSourceOrigin):
1382         * interpreter/Interpreter.cpp:
1383         (JSC::eval):
1384         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1385         * interpreter/StackVisitor.cpp:
1386         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1387         (JSC::StackVisitor::Frame::sourceURL const):
1388         (JSC::StackVisitor::Frame::sourceID):
1389         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1390         * interpreter/StackVisitor.h:
1391         * jit/AssemblyHelpers.h:
1392         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1393         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1394         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1395         * jit/CallFrameShuffleData.cpp:
1396         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1397         * jit/JIT.cpp:
1398         (JSC::JIT::compileWithoutLinking):
1399         * jit/JITToDFGDeferredCompilationCallback.cpp:
1400         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1401         * jit/JITWorklist.cpp:
1402         (JSC::JITWorklist::Plan::finalize):
1403         (JSC::JITWorklist::compileNow):
1404         * jit/RegisterAtOffsetList.cpp:
1405         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1406         * jit/RegisterAtOffsetList.h:
1407         (JSC::RegisterAtOffsetList::at const):
1408         * runtime/ErrorInstance.cpp:
1409         (JSC::appendSourceToError):
1410         * runtime/ScriptExecutable.cpp:
1411         (JSC::ScriptExecutable::newCodeBlockFor):
1412         * runtime/StackFrame.cpp:
1413         (JSC::StackFrame::sourceID const):
1414         (JSC::StackFrame::sourceURL const):
1415         (JSC::StackFrame::computeLineAndColumn const):
1416
1417 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1418
1419         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1420         https://bugs.webkit.org/show_bug.cgi?id=194460
1421
1422         Reviewed by Mark Lam.
1423
1424         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1425
1426         * b3/B3LowerMacros.cpp:
1427
1428 2019-02-08  Mark Lam  <mark.lam@apple.com>
1429
1430         Use maxSingleCharacterString in comparisons instead of literal constants.
1431         https://bugs.webkit.org/show_bug.cgi?id=194452
1432
1433         Reviewed by Yusuke Suzuki.
1434
1435         This way, if we ever change maxSingleCharacterString, it won't break all this code
1436         that relies on it being 0xff implicitly.
1437
1438         * dfg/DFGSpeculativeJIT.cpp:
1439         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1440         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1441         * ftl/FTLLowerDFGToB3.cpp:
1442         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1443         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1444         * jit/ThunkGenerators.cpp:
1445         (JSC::stringGetByValGenerator):
1446         (JSC::charToString):
1447
1448 2019-02-08  Mark Lam  <mark.lam@apple.com>
1449
1450         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1451         https://bugs.webkit.org/show_bug.cgi?id=194446
1452         <rdar://problem/47926792>
1453
1454         Reviewed by Saam Barati.
1455
1456         Fix doesGC() for the following nodes:
1457
1458             CheckTierUpAtReturn:
1459                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1460                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1461
1462             CheckTierUpInLoop:
1463                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1464                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1465
1466             CheckTierUpAndOSREnter:
1467                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1468                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1469
1470             GetByVal:
1471                 case Array::String calls operationSingleCharacterString(), which calls
1472                 jsSingleCharacterString(), which can allocate a string.
1473
1474             PutByValDirect:
1475             PutByVal:
1476             PutByValAlias:
1477                 For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
1478                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1479                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1480                 slow paths call putByValInternal(), which may create exception objects, or
1481                 call the generic JSValue::put() which may execute arbitrary code.
1482
1483             StringCharAt:
1484                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1485                 which can allocate a string.
1486
1487         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1488         to use the maxSingleCharacterString constant instead of a literal constant.
1489
1490         * dfg/DFGDoesGC.cpp:
1491         (JSC::DFG::doesGC):
1492         * dfg/DFGSpeculativeJIT.cpp:
1493         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1494         * dfg/DFGSpeculativeJIT64.cpp:
1495         (JSC::DFG::SpeculativeJIT::compile):
1496         * ftl/FTLLowerDFGToB3.cpp:
1497         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1498         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1499         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1500
1501 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1502
1503         [JSC] SourceProviderCacheItem should be small
1504         https://bugs.webkit.org/show_bug.cgi?id=194432
1505
1506         Reviewed by Saam Barati.
1507
1508         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1509         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1510         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1511
1512         * parser/Parser.cpp:
1513         (JSC::Parser<LexerType>::parseFunctionInfo):
1514         * parser/ParserModes.h:
1515         * parser/ParserTokens.h:
1516         * parser/SourceProviderCacheItem.h:
1517         (JSC::SourceProviderCacheItem::endFunctionToken const):
1518         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1519
1520 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1521
1522         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1523         https://bugs.webkit.org/show_bug.cgi?id=194420
1524
1525         Reviewed by Saam Barati.
1526
1527         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1528         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1529         This trivial patch fixes both.
1530
1531         * b3/B3ReduceStrength.cpp:
1532         * b3/testb3.cpp:
1533         (JSC::B3::testAbsNegArg):
1534
1535 2019-02-07  Keith Miller  <keith_miller@apple.com>
1536
1537         Better error messages for module loader SPI
1538         https://bugs.webkit.org/show_bug.cgi?id=194421
1539
1540         Reviewed by Saam Barati.
1541
1542         * API/JSAPIGlobalObject.mm:
1543         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1544
1545 2019-02-07  Mark Lam  <mark.lam@apple.com>
1546
1547         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1548         https://bugs.webkit.org/show_bug.cgi?id=194399
1549         <rdar://problem/47889777>
1550
1551         Reviewed by Yusuke Suzuki.
1552
1553         Fix doesGC() for the following nodes:
1554
1555             CheckTraps:
1556                 We normally will not emit this node because Options::usePollingTraps() is
1557                 false by default.  However, as it is implemented now, CheckTraps can GC
1558                 because it can allocate a TerminatedExecutionException.  If we make the
1559                 TerminatedExecutionException a singleton allocated at initialization time,
1560                 doesGC() can return false for CheckTraps.
1561                 https://bugs.webkit.org/show_bug.cgi?id=194323
1562
1563             GetMapBucket:
1564                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1565                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1566                 can resolve a rope.
1567
1568             Switch:
1569             If switchData kind is SwitchChar, can call operationResolveRope().
1570                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1571                     can call operationSwitchString() which resolves ropes.
1572
1573             DirectTailCall:
1574             ForceOSRExit:
1575             Return:
1576             TailCallForwardVarargs:
1577             TailCallVarargs:
1578             Throw:
1579                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1580                 for them, but following our conservative practice, unless we have a good
1581                 reason for doesGC() to return false, we should just return true.
1582
1583         * dfg/DFGDoesGC.cpp:
1584         (JSC::DFG::doesGC):
1585
1586 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1587
1588         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1589         https://bugs.webkit.org/show_bug.cgi?id=194250
1590
1591         Reviewed by Saam Barati.
1592
1593         Adds the following optimizations for integers:
1594         - Sub(x, x) => 0
1595             Already covered by the test testSubArg
1596         - Sub(x1, Neg(x2)) => Add (x1, x2)
1597             Added test: testSubNeg
1598         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1599             Added test: testNegSub
1600         - Add(Neg(x1), x2) => Sub(x2, x1)
1601             Added test: testAddNeg1
1602         - Add(x1, Neg(x2)) => Sub(x1, x2)
1603             Added test: testAddNeg2
1604         Adds the following optimization for floating point values:
1605         - Abs(Neg(x)) => Abs(x)
1606             Added test: testAbsNegArg
1607             Adds the following optimization:
1608
1609         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1610
1611         * b3/B3ReduceStrength.cpp:
1612         * b3/testb3.cpp:
1613         (JSC::B3::testAddNeg1):
1614         (JSC::B3::testAddNeg2):
1615         (JSC::B3::testSubNeg):
1616         (JSC::B3::testNegSub):
1617         (JSC::B3::testAbsAbsArg):
1618         (JSC::B3::testAbsNegArg):
1619         (JSC::B3::run):
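
        The rules listed in this entry, and the Abs(Neg(x)) mistake corrected in the 194420 entry above, as an added illustration on a toy expression IR. This is not B3's own Value/Procedure API or its testb3.cpp tests; Op, Type, Ref, reduce, dump, the evaluators and the preserves* checks are names assumed for this example. Like B3, it treats "x" appearing twice as the same node (pointer identity), restricts the integer rules to Int64 values, and verifies a rewrite by evaluating the tree before and after reduction on a sample input, which is exactly the check that would have caught Abs(Neg(x)) -> x.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>
#include <string>

// Toy IR for illustrating the peephole rules; this is not B3's Value/Procedure API.
// Op, Type, Ref, reduce, dump and the eval helpers are names assumed for this example.
enum class Op { Arg, Const, Add, Sub, Neg, Abs };
enum class Type { Int64, Double };

struct Value;
using Ref = std::shared_ptr<Value>;
struct Value {
    Op op;
    Type type;
    int argIndex = 0;      // Arg: which argument slot
    int64_t intConst = 0;  // Const: Int64 payload
    Ref child0, child1;    // operands (child1 unused for unary ops)
};

static Ref make(Op op, Type type, Ref c0 = nullptr, Ref c1 = nullptr) {
    auto v = std::make_shared<Value>();
    v->op = op; v->type = type; v->child0 = c0; v->child1 = c1;
    return v;
}
static Ref arg(Type t, int i) { Ref v = make(Op::Arg, t); v->argIndex = i; return v; }
static Ref constInt(int64_t c) { Ref v = make(Op::Const, Type::Int64); v->intConst = c; return v; }
static Ref add(Ref a, Ref b) { return make(Op::Add, a->type, a, b); }
static Ref sub(Ref a, Ref b) { return make(Op::Sub, a->type, a, b); }
static Ref neg(Ref a) { return make(Op::Neg, a->type, a); }
static Ref abs_(Ref a) { return make(Op::Abs, a->type, a); }

// Bottom-up strength reduction. "x" appearing twice means the same node (pointer identity).
// Integer rules are skipped for doubles: Sub(NaN, NaN) is not 0, and Neg(Sub(0, 0)) is -0
// while Sub(0, 0) is +0. `changed` is set only when a rule actually fires.
static Ref reduce(Ref v, bool& changed) {
    if (v->child0) v->child0 = reduce(v->child0, changed);
    if (v->child1) v->child1 = reduce(v->child1, changed);
    Ref a = v->child0, b = v->child1;
    bool isInt = v->type == Type::Int64;
    switch (v->op) {
    case Op::Sub:
        if (isInt && a.get() == b.get()) { changed = true; return constInt(0); }             // Sub(x, x) => 0
        if (isInt && b->op == Op::Neg) { changed = true; return add(a, b->child0); }        // Sub(x1, Neg(x2)) => Add(x1, x2)
        break;
    case Op::Neg:
        if (isInt && a->op == Op::Sub) { changed = true; return sub(a->child1, a->child0); } // Neg(Sub(x1, x2)) => Sub(x2, x1)
        break;
    case Op::Add:
        if (isInt && a->op == Op::Neg) { changed = true; return sub(b, a->child0); }        // Add(Neg(x1), x2) => Sub(x2, x1)
        if (isInt && b->op == Op::Neg) { changed = true; return sub(a, b->child0); }        // Add(x1, Neg(x2)) => Sub(x1, x2)
        break;
    case Op::Abs:
        // Abs(Neg(x)) => Abs(x). Returning a->child0 (plain x) here is the mistake bug 194420 fixed.
        if (!isInt && a->op == Op::Neg) { changed = true; return abs_(a->child0); }
        break;
    default:
        break;
    }
    return v;
}

static std::string dump(const Ref& v) {
    switch (v->op) {
    case Op::Arg:   return "Arg" + std::to_string(v->argIndex);
    case Op::Const: return "Const(" + std::to_string(v->intConst) + ")";
    case Op::Add:   return "Add(" + dump(v->child0) + ", " + dump(v->child1) + ")";
    case Op::Sub:   return "Sub(" + dump(v->child0) + ", " + dump(v->child1) + ")";
    case Op::Neg:   return "Neg(" + dump(v->child0) + ")";
    case Op::Abs:   return "Abs(" + dump(v->child0) + ")";
    }
    return "?";
}
static std::string reduced(Ref v) { bool changed = false; return dump(reduce(v, changed)); }

// Evaluators: wrapping two's-complement arithmetic for Int64, IEEE arithmetic for Double.
static int64_t evalInt(const Ref& v, const int64_t* args) {
    switch (v->op) {
    case Op::Arg:   return args[v->argIndex];
    case Op::Const: return v->intConst;
    case Op::Add:   return int64_t(uint64_t(evalInt(v->child0, args)) + uint64_t(evalInt(v->child1, args)));
    case Op::Sub:   return int64_t(uint64_t(evalInt(v->child0, args)) - uint64_t(evalInt(v->child1, args)));
    case Op::Neg:   return int64_t(0 - uint64_t(evalInt(v->child0, args)));
    default:        return 0; // Abs is a floating-point op in the rules above
    }
}
static double evalDouble(const Ref& v, const double* args) {
    switch (v->op) {
    case Op::Arg: return args[v->argIndex];
    case Op::Add: return evalDouble(v->child0, args) + evalDouble(v->child1, args);
    case Op::Sub: return evalDouble(v->child0, args) - evalDouble(v->child1, args);
    case Op::Neg: return -evalDouble(v->child0, args);
    case Op::Abs: return std::fabs(evalDouble(v->child0, args));
    default:      return 0;
    }
}

// The semantic check a testAbsNegArg-style test should make: the rewritten tree computes the
// same result as the original on a sample input. Evaluate first, since reduce rewires children.
static bool preservesInt(Ref original, int64_t a0, int64_t a1) {
    int64_t args[2] = { a0, a1 };
    int64_t before = evalInt(original, args);
    bool changed = false;
    return evalInt(reduce(original, changed), args) == before;
}
static bool preservesDouble(Ref original, double a0) {
    double args[1] = { a0 };
    double before = evalDouble(original, args);
    bool changed = false;
    return evalDouble(reduce(original, changed), args) == before;
}
```

        With the buggy form of the Abs rule, preservesDouble(abs_(neg(x)), -3.5) would compare 3.5 against -3.5 and fail; with the corrected rule it passes, and dump shows the tree really became Abs(Arg0) rather than Arg0. The Double checks also show why the integer rules must stay integer-only.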
1620
1621 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1622
1623         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1624         https://bugs.webkit.org/show_bug.cgi?id=194374
1625
1626         Reviewed by Geoffrey Garen.
1627
1628         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1629         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1630         is more memory efficient.
1631
1632         * runtime/SmallStrings.cpp:
1633         (JSC::SmallStringsStorage::SmallStringsStorage):
1634         (JSC::SmallStrings::SmallStrings):
1635         * runtime/SmallStrings.h:
1636
1637 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1638
1639         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1640         https://bugs.webkit.org/show_bug.cgi?id=194369
1641         <rdar://problem/47813087>
1642
1643         Reviewed by Saam Barati.
1644
1645         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1646         JSEmpty if it is in TDZ. This incorrectly proven type information removes a necessary CheckNotEmpty in the
1647         constant folding phase.
1648
1649         * dfg/DFGAbstractInterpreterInlines.h:
1650         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1651
1652 2019-02-06  Devin Rousso  <drousso@apple.com>
1653
1654         Web Inspector: DOM: don't send the entire function string with each event listener
1655         https://bugs.webkit.org/show_bug.cgi?id=194293
1656         <rdar://problem/47822809>
1657
1658         Reviewed by Joseph Pecoraro.
1659
1660         * inspector/protocol/DOM.json:
1661
1662         * runtime/JSFunction.h:
1663         Export `calculatedDisplayName`.
1664
1665 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1666
1667         [JSC] PrivateName to PublicName hash table is wasteful
1668         https://bugs.webkit.org/show_bug.cgi?id=194277
1669
1670         Reviewed by Michael Saboff.
1671
1672         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
1673         which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1674         each of which takes 16KB memory. While "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1675         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1676
1677         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1678
1679         1. PrivateName's content should be the same as PublicName's.
1680         2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1681            the public name should be easily crafted from the given PrivateName.
1682
1683         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1684         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1685
1686         We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1687         WebCore.
1688
1689         * builtins/BuiltinNames.cpp:
1690         (JSC::BuiltinNames::BuiltinNames):
1691         * builtins/BuiltinNames.h:
1692         (JSC::BuiltinNames::lookUpPrivateName const):
1693         (JSC::BuiltinNames::getPublicName const):
1694         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1695         (JSC::BuiltinNames::appendExternalName):
1696         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1697         * builtins/BuiltinUtils.h:
1698         * bytecode/BytecodeDumper.cpp:
1699         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1700         * bytecompiler/NodesCodegen.cpp:
1701         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1702         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1703         * parser/Lexer.cpp:
1704         (JSC::Lexer<LChar>::parseIdentifier):
1705         (JSC::Lexer<UChar>::parseIdentifier):
1706         * parser/Parser.cpp:
1707         (JSC::Parser<LexerType>::createGeneratorParameters):
1708         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1709         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1710         (JSC::Parser<LexerType>::parseClassDeclaration):
1711         (JSC::Parser<LexerType>::parseExportDeclaration):
1712         (JSC::Parser<LexerType>::parseMemberExpression):
1713         * parser/ParserArena.h:
1714         (JSC::IdentifierArena::makeIdentifier):
1715         * runtime/CachedTypes.cpp:
1716         (JSC::CachedUniquedStringImpl::encode):
1717         (JSC::CachedUniquedStringImpl::decode const):
1718         * runtime/CommonIdentifiers.cpp:
1719         (JSC::CommonIdentifiers::CommonIdentifiers):
1720         (JSC::CommonIdentifiers::lookUpPrivateName const):
1721         (JSC::CommonIdentifiers::getPublicName const):
1722         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1723         * runtime/CommonIdentifiers.h:
1724         * runtime/ExceptionHelpers.cpp:
1725         (JSC::createUndefinedVariableError):
1726         * runtime/Identifier.cpp:
1727         (JSC::Identifier::dump const):
1728         * runtime/Identifier.h:
1729         * runtime/IdentifierInlines.h:
1730         (JSC::Identifier::fromUid):
1731         * runtime/JSTypedArrayViewPrototype.cpp:
1732         (JSC::JSTypedArrayViewPrototype::finishCreation):
1733         * tools/JSDollarVM.cpp:
1734         (JSC::functionGetPrivateProperty):
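
        Rules (1) and (2) from this entry, as an added illustration that is not JSC's BuiltinNames or CommonIdentifiers code. getPublicName, sampleNames and publicNameMismatches are names assumed here, private names are passed as their content without the leading "@" that builtin JS source uses, and the name table is a constructed sample. The point it shows is the one the entry makes: once the private name's content equals the public name and "@xxxSymbol" is spelled so that "Symbol.xxx" can be crafted from it, the reverse mapping is a small string function, and the consistency check that used to need the 16KB "PrivateName to PublicName" table becomes a loop over the forward table.

```cpp
#include <string>
#include <utility>
#include <vector>

// Added illustration; not JSC's BuiltinNames. Takes the private name's content (no "@").
static std::string getPublicName(const std::string& privateName) {
    // Rule (2): "@xxxSymbol" stands for the well-known symbol Symbol.xxx, so the public
    // name is crafted from the private one instead of being looked up in a hash table.
    static const std::string suffix = "Symbol";
    if (privateName.size() > suffix.size()
        && privateName.compare(privateName.size() - suffix.size(), suffix.size(), suffix) == 0)
        return "Symbol." + privateName.substr(0, privateName.size() - suffix.size());
    // Rule (1): otherwise the private name's content is the public name itself.
    return privateName;
}

// Constructed sample of (private name content, expected public name) pairs, standing in
// for the forward "PublicName to PrivateName" table; names chosen for illustration only.
static const std::vector<std::pair<std::string, std::string>>& sampleNames() {
    static const std::vector<std::pair<std::string, std::string>> table = {
        { "iteratorSymbol", "Symbol.iterator" },
        { "hasInstanceSymbol", "Symbol.hasInstance" },
        { "toStringTagSymbol", "Symbol.toStringTag" },
        { "promise", "promise" },
        { "resolve", "resolve" },
    };
    return table;
}

// The debug-time consistency check the two rules make possible: every private name in the
// forward table must map back to its public name. Returns the number of violations.
static int publicNameMismatches() {
    int mismatches = 0;
    for (const auto& entry : sampleNames())
        if (getPublicName(entry.first) != entry.second)
            ++mismatches;
    return mismatches;
}
```

        A name that is exactly "Symbol" (or shorter than the suffix) is left alone, so the bare constructor name does not get mangled into an empty "Symbol." prefix; a real implementation would run publicNameMismatches over the whole table in a debug assertion when the names are created.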
1735
1736 2019-02-06  Keith Rollin  <krollin@apple.com>
1737
1738         Really enable the automatic checking and regenerations of .xcfilelists during builds
1739         https://bugs.webkit.org/show_bug.cgi?id=194357
1740         <rdar://problem/47861231>
1741
1742         Reviewed by Chris Dumez.
1743
1744         Bug 194124 was supposed to enable the automatic checking and
1745         regenerating of .xcfilelist files during the build. While related
1746         changes were included in that patch, the change to actually enable the
1747         operation somehow was omitted. This patch actually enables the
1748         operation. The check-xcfilelist.sh scripts now check
1749         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out of
1750         the checking.
1751
1752         * Scripts/check-xcfilelists.sh:
1753
1754 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1755
1756         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1757         https://bugs.webkit.org/show_bug.cgi?id=194339
1758
1759         Reviewed by Michael Saboff.
1760
1761         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1762         They even have the same structure. This patch unifies the subspaces for them.
1763
1764         * runtime/DirectEvalExecutable.h:
1765         * runtime/EvalExecutable.h:
1766         (JSC::EvalExecutable::subspaceFor):
1767         * runtime/IndirectEvalExecutable.h:
1768         * runtime/VM.cpp:
1769         * runtime/VM.h:
1770         (JSC::VM::forEachScriptExecutableSpace):
1771
1772 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1773
1774         [JSC] NativeExecutable should be smaller
1775         https://bugs.webkit.org/show_bug.cgi?id=194331
1776
1777         Reviewed by Michael Saboff.
1778
1779         NativeExecutable takes 88 bytes now. Since our GC rounds the size up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1780         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1781         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1782         only takes one MarkedBlock for NativeExecutable.
1783
1784         To make NativeExecutable smaller,
1785
1786         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1787            they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1788
1789         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1790            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1791            NativeJITCode, and instantiated only when DOMJIT::Signature* is given.
1792
1793         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding we can put things in, we can leverage this to hold the
1794            Intrinsic for NativeExecutable.
1795
1796         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1797
1798         * CMakeLists.txt:
1799         * JavaScriptCore.xcodeproj/project.pbxproj:
1800         * bytecode/CallVariant.h:
1801         * interpreter/Interpreter.cpp:
1802         * jit/JITCode.cpp:
1803         (JSC::DirectJITCode::DirectJITCode):
1804         (JSC::NativeJITCode::NativeJITCode):
1805         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1806         * jit/JITCode.h:
1807         (JSC::JITCode::signature const):
1808         (JSC::JITCode::intrinsic):
1809         * jit/JITOperations.cpp:
1810         * jit/JITThunks.cpp:
1811         (JSC::JITThunks::hostFunctionStub):
1812         * jit/Repatch.cpp:
1813         * llint/LLIntSlowPaths.cpp:
1814         * runtime/ExecutableBase.cpp:
1815         (JSC::ExecutableBase::dump const):
1816         (JSC::ExecutableBase::hashFor const):
1817         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1818         (JSC::ExecutableBase::clearCode): Deleted.
1819         * runtime/ExecutableBase.h:
1820         (JSC::ExecutableBase::ExecutableBase):
1821         (JSC::ExecutableBase::isModuleProgramExecutable):
1822         (JSC::ExecutableBase::isHostFunction const):
1823         (JSC::ExecutableBase::generatedJITCodeForCall const):
1824         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1825         (JSC::ExecutableBase::generatedJITCodeFor const):
1826         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1827         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1828         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1829         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1830         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1831         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1832         (JSC::ExecutableBase::intrinsic const): Deleted.
1833         * runtime/ExecutableBaseInlines.h: Added.
1834         (JSC::ExecutableBase::intrinsic const):
1835         (JSC::ExecutableBase::hasJITCodeForCall const):
1836         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1837         * runtime/JSBoundFunction.cpp:
1838         * runtime/JSType.cpp:
1839         (WTF::printInternal):
1840         * runtime/JSType.h:
1841         * runtime/NativeExecutable.cpp:
1842         (JSC::NativeExecutable::create):
1843         (JSC::NativeExecutable::createStructure):
1844         (JSC::NativeExecutable::NativeExecutable):
1845         (JSC::NativeExecutable::signatureFor const):
1846         (JSC::NativeExecutable::intrinsic const):
1847         * runtime/NativeExecutable.h:
1848         * runtime/ScriptExecutable.cpp:
1849         (JSC::ScriptExecutable::ScriptExecutable):
1850         (JSC::ScriptExecutable::clearCode):
1851         (JSC::ScriptExecutable::installCode):
1852         (JSC::ScriptExecutable::hasClearableCode const):
1853         * runtime/ScriptExecutable.h:
1854         (JSC::ScriptExecutable::intrinsic const):
1855         (JSC::ScriptExecutable::hasJITCodeForCall const):
1856         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1857         * runtime/VM.cpp:
1858         (JSC::VM::getHostFunction):
1859
1860 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1861
1862         Build failure after r240431
1863         https://bugs.webkit.org/show_bug.cgi?id=194330
1864
1865         Reviewed by Žan Doberšek.
1866
1867         * API/glib/JSCOptions.cpp:
1868
1869 2019-02-05  Mark Lam  <mark.lam@apple.com>
1870
1871         Fix DFG's doesGC() for a few more nodes.
1872         https://bugs.webkit.org/show_bug.cgi?id=194307
1873         <rdar://problem/47832956>
1874
1875         Reviewed by Yusuke Suzuki.
1876
1877         Fix doesGC() for the following nodes:
1878
1879             NumberToStringWithValidRadixConstant:
1880                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1881                 which can allocate a string.
1882                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1883                 which can allocate a string.
1884                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1885                 which can allocate a string.
1886
1887             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1888                 memory for all kinds of objects.
1889             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1890                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1891                 these allocate memory for the match result.
1892             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1893                 calls RegExpObject's collectMatches(), which allocates an array amongst
1894                 other objects.
1895
1896             StringFromCharCode:
1897                 If the uint32 code to convert is greater than maxSingleCharacterString,
1898                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1899                 which allocates a new string if the code is greater than maxSingleCharacterString.
1900
1901         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1902         to use maxSingleCharacterString instead of a literal constant.
1903
1904         * dfg/DFGDoesGC.cpp:
1905         (JSC::DFG::doesGC):
1906         * dfg/DFGSpeculativeJIT.cpp:
1907         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1908         * ftl/FTLLowerDFGToB3.cpp:
1909         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1910
1911 2019-02-05  Keith Rollin  <krollin@apple.com>
1912
1913         Enable the automatic checking and regenerations of .xcfilelists during builds
1914         https://bugs.webkit.org/show_bug.cgi?id=194124
1915         <rdar://problem/47721277>
1916
1917         Reviewed by Tim Horton.
1918
1919         Bug 193790 added a facility for checking -- during build time -- that
1920         any needed .xcfilelist files are up-to-date and for updating them if
1921         they are not. This facility was initially opt-in by setting
1922         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1923         the process seemed robust. It's now time to enable this facility and
1924         make it opt-out. If there is a need to disable this facility, set and
1925         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1926         running `make` or `build-webkit`, or before running Xcode from the
1927         command line.
1928
1929         Additionally, remove the step that generates a list of source files
1930         going into the UnifiedSources build step. It's only necessary to
1931         specify Sources.txt and SourcesCocoa.txt as inputs.
1932
1933         * JavaScriptCore.xcodeproj/project.pbxproj:
1934         * UnifiedSources-input.xcfilelist: Removed.
1935
1936 2019-02-05  Keith Rollin  <krollin@apple.com>
1937
1938         Update .xcfilelist files
1939         https://bugs.webkit.org/show_bug.cgi?id=194121
1940         <rdar://problem/47720863>
1941
1942         Reviewed by Tim Horton.
1943
1944         Preparatory to enabling the facility for automatically updating the
1945         .xcfilelist files, check in a freshly-updated set so that not everyone
1946         runs up against having to regenerate them themselves.
1947
1948         * DerivedSources-input.xcfilelist:
1949         * DerivedSources-output.xcfilelist:
1950
1951 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1952
1953         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1954         https://bugs.webkit.org/show_bug.cgi?id=185557
1955
1956         Reviewed by Mark Lam.
1957
1958         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1959         where n is the number of characters in the formatted string.
1960         It may be less memory efficient than the previous impl, since the intermediate Vector
1961         is the length of the string, instead of the count of the fields.
1962
1963         * runtime/IntlNumberFormat.cpp:
1964         (JSC::IntlNumberFormat::formatToParts):
1965         * runtime/IntlNumberFormat.h:
1966
1967 2019-02-05  Mark Lam  <mark.lam@apple.com>
1968
1969         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1970         https://bugs.webkit.org/show_bug.cgi?id=194298
1971         <rdar://problem/47827555>
1972
1973         Reviewed by Saam Barati.
1974
1975         We do this for 3 reasons:
1976         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1977         2. If things change in the future where clobberize() no longer reports these nodes
1978            as write(Heap), each node should be vetted first to make sure that it can never
1979            GC before being moved back to the doesGC() list that returns false.
1980         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1981            correct in its claims about the nodes' GCing possibility.
1982
1983         The list of nodes moved are:
1984
1985             ArrayPush
1986             ArrayPop
1987             Call
1988             CallEval
1989             CallForwardVarargs
1990             CallVarargs
1991             Construct
1992             ConstructForwardVarargs
1993             ConstructVarargs
1994             DefineDataProperty
1995             DefineAccessorProperty
1996             DeleteById
1997             DeleteByVal
1998             DirectCall
1999             DirectConstruct
2000             DirectTailCallInlinedCaller
2001             GetById
2002             GetByIdDirect
2003             GetByIdDirectFlush
2004             GetByIdFlush
2005             GetByIdWithThis
2006             GetByValWithThis
2007             GetDirectPname
2008             GetDynamicVar
2009             HasGenericProperty
2010             HasOwnProperty
2011             HasStructureProperty
2012             InById
2013             InByVal
2014             InstanceOf
2015             InstanceOfCustom
2016             LoadVarargs
2017             NumberToStringWithRadix
2018             PutById
2019             PutByIdDirect
2020             PutByIdFlush
2021             PutByIdWithThis
2022             PutByOffset
2023             PutByValWithThis
2024             PutDynamicVar
2025             PutGetterById
2026             PutGetterByVal
2027             PutGetterSetterById
2028             PutSetterById
2029             PutSetterByVal
2030             PutStack
2031             PutToArguments
2032             RegExpExec
2033             RegExpTest
2034             ResolveScope
2035             ResolveScopeForHoistingFuncDeclInEval
2036             TailCall
2037             TailCallForwardVarargsInlinedCaller
2038             TailCallInlinedCaller
2039             TailCallVarargsInlinedCaller
2040             ToNumber
2041             ToPrimitive
2042             ValueNegate
2043
2044         * dfg/DFGDoesGC.cpp:
2045         (JSC::DFG::doesGC):
2046
2047 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
2048
2049         [JSC] Shrink sizeof(UnlinkedCodeBlock)
2050         https://bugs.webkit.org/show_bug.cgi?id=194281
2051
2052         Reviewed by Michael Saboff.
2053
2054         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
2055         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
2056
2057         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Turning more Vectors into RefCountedArrays can be done with some restructuring
2058         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
2059         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications, so we leave them as future work.
2060
2061         * bytecode/CodeBlock.cpp:
2062         (JSC::CodeBlock::finishCreation):
2063         * bytecode/CodeBlock.h:
2064         (JSC::CodeBlock::bitVectors const): Deleted.
2065         * bytecode/CodeType.h:
2066         * bytecode/UnlinkedCodeBlock.cpp:
2067         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2068         (JSC::UnlinkedCodeBlock::shrinkToFit):
2069         * bytecode/UnlinkedCodeBlock.h:
2070         (JSC::UnlinkedCodeBlock::bitVector):
2071         (JSC::UnlinkedCodeBlock::addBitVector):
2072         (JSC::UnlinkedCodeBlock::addSetConstant):
2073         (JSC::UnlinkedCodeBlock::constantRegisters):
2074         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
2075         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2076         (JSC::UnlinkedCodeBlock::codeType const):
2077         (JSC::UnlinkedCodeBlock::didOptimize const):
2078         (JSC::UnlinkedCodeBlock::setDidOptimize):
2079         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
2080         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
2081         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
2082         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
2083         * bytecompiler/BytecodeGenerator.cpp:
2084         (JSC::BytecodeGenerator::emitLoad):
2085         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
2086         * bytecompiler/BytecodeGenerator.h:
2087         * runtime/CachedTypes.cpp:
2088         (JSC::CachedCodeBlockRareData::encode):
2089         (JSC::CachedCodeBlockRareData::decode const):
2090         (JSC::CachedCodeBlock::scopeRegister const):
2091         (JSC::CachedCodeBlock::codeType const):
2092         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2093         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2094         (JSC::CachedCodeBlock<CodeBlockType>::encode):
2095         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
2096
2097 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2098
2099         Unreviewed, add missing exception checks after r240637
2100         https://bugs.webkit.org/show_bug.cgi?id=193546
2101
2102         * tools/JSDollarVM.cpp:
2103         (JSC::functionShadowChickenFunctionsOnStack):
2104
2105 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2106
2107         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
2108         https://bugs.webkit.org/show_bug.cgi?id=193993
2109
2110         Reviewed by Keith Miller.
2111
2112         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
2113         And some of them are rarely used. We should allocate them lazily.
2114
2115         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
2116         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
2117         And we also add the subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
2118         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
2119         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
2120         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
2121         by using WTF::storeStoreFence when lazily allocating it.
2122
2123         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
2124         existence of the space before touching it. This is not racy because the main thread is stopped when
2125         the constraint solving is working.
2126
2127         This changes sizeof(VM) from 64736 to 56472.
2128
2129         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
2130         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
2131         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
2132         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
2133         for IsoSubspace adoption because IsoSubspace is large. Registered Subspaces are only touched in the
2134         EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
2135         can run this IsoSubspace code, the collector is never in EndPhase. So this is safe.
2136
2137         * API/JSCallbackFunction.h:
2138         * API/ObjCCallbackFunction.h:
2139         (JSC::ObjCCallbackFunction::subspaceFor):
2140         * API/glib/JSCCallbackFunction.h:
2141         * CMakeLists.txt:
2142         * JavaScriptCore.xcodeproj/project.pbxproj:
2143         * bytecode/CodeBlock.cpp:
2144         (JSC::CodeBlock::visitChildren):
2145         (JSC::CodeBlock::finalizeUnconditionally):
2146         * bytecode/CodeBlock.h:
2147         * bytecode/EvalCodeBlock.h:
2148         * bytecode/ExecutableToCodeBlockEdge.h:
2149         * bytecode/FunctionCodeBlock.h:
2150         * bytecode/ModuleProgramCodeBlock.h:
2151         * bytecode/ProgramCodeBlock.h:
2152         * bytecode/UnlinkedFunctionExecutable.cpp:
2153         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2154         * bytecode/UnlinkedFunctionExecutable.h:
2155         * dfg/DFGSpeculativeJIT.cpp:
2156         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2157         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2158         (JSC::DFG::SpeculativeJIT::compileNewObject):
2159         * ftl/FTLLowerDFGToB3.cpp:
2160         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2161         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2162         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2163         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2164         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
2165         * heap/Heap.cpp:
2166         (JSC::Heap::finalizeUnconditionalFinalizers):
2167         (JSC::Heap::deleteAllCodeBlocks):
2168         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2169         (JSC::Heap::addCoreConstraints):
2170         * heap/Subspace.cpp:
2171         (JSC::Subspace::initialize):
2172         * jit/AssemblyHelpers.h:
2173         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2174         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
2175         * jit/JITOpcodes.cpp:
2176         (JSC::JIT::emit_op_new_object):
2177         * jit/JITOpcodes32_64.cpp:
2178         (JSC::JIT::emit_op_new_object):
2179         * runtime/DirectArguments.h:
2180         * runtime/DirectEvalExecutable.h:
2181         * runtime/ErrorInstance.h:
2182         (JSC::ErrorInstance::subspaceFor):
2183         * runtime/ExecutableBase.h:
2184         * runtime/FunctionExecutable.h:
2185         * runtime/IndirectEvalExecutable.h:
2186         * runtime/InferredValue.cpp:
2187         (JSC::InferredValue::visitChildren):
2188         * runtime/InferredValue.h:
2189         * runtime/InferredValueInlines.h:
2190         (JSC::InferredValue::finalizeUnconditionally):
2191         * runtime/InternalFunction.h:
2192         * runtime/JSAsyncFunction.h:
2193         * runtime/JSAsyncGeneratorFunction.h:
2194         * runtime/JSBoundFunction.h:
2195         * runtime/JSCell.h:
2196         (JSC::subspaceFor):
2197         (JSC::subspaceForConcurrently):
2198         * runtime/JSCellInlines.h:
2199         (JSC::allocatorForNonVirtualConcurrently):
2200         * runtime/JSCustomGetterSetterFunction.h:
2201         * runtime/JSDestructibleObject.h:
2202         * runtime/JSFunction.h:
2203         * runtime/JSGeneratorFunction.h:
2204         * runtime/JSImmutableButterfly.h:
2205         * runtime/JSLexicalEnvironment.h:
2206         (JSC::JSLexicalEnvironment::subspaceFor):
2207         * runtime/JSNativeStdFunction.h:
2208         * runtime/JSSegmentedVariableObject.h:
2209         * runtime/JSString.h:
2210         * runtime/ModuleProgramExecutable.h:
2211         * runtime/NativeExecutable.h:
2212         * runtime/ProgramExecutable.h:
2213         * runtime/PropertyMapHashTable.h:
2214         * runtime/ProxyRevoke.h:
2215         * runtime/ScopedArguments.h:
2216         * runtime/ScriptExecutable.cpp:
2217         (JSC::ScriptExecutable::clearCode):
2218         (JSC::ScriptExecutable::installCode):
2219         * runtime/Structure.h:
2220         * runtime/StructureRareData.h:
2221         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
2222         * runtime/VM.cpp:
2223         (JSC::VM::VM):
2224         * runtime/VM.h:
2225         (JSC::VM::SpaceAndSet::SpaceAndSet):
2226         (JSC::VM::SpaceAndSet::setFor):
2227         (JSC::VM::forEachScriptExecutableSpace):
2228         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
2229         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
2230         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2231         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2232         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2233         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2234         * runtime/WeakMapImpl.h:
2235         (JSC::WeakMapImpl::subspaceFor):
2236         * wasm/js/JSWebAssemblyCodeBlock.h:
2237         * wasm/js/JSWebAssemblyMemory.h:
2238         * wasm/js/WebAssemblyFunction.h:
2239         * wasm/js/WebAssemblyWrapperFunction.h:
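
        The lazy-allocation scheme described in this entry, as an added example written here rather than JSC's own code. It assumes a stand-in IsoSubspaceLike, a VMLike holder and a subspaceForRareType<> template (all names invented for the example), and uses std::atomic release/acquire in place of WTF::storeStoreFence; the creation path is assumed, as in the entry, to run on the main thread only, while the concurrent accessor never allocates and returns nullptr until the space has been published.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>

// Stand-in for JSC::IsoSubspace (constructed for this example): a large
// per-type allocator that is wasteful to keep around for rarely used types.
struct IsoSubspaceLike {
    explicit IsoSubspaceLike(const char* name) : name(name) { }
    const char* name;
    unsigned char bulk[504]; // roughly the 504 B per IsoSubspace the entry cites
};

// The two access modes the entry describes: the main thread may create the
// space on demand; a concurrent JIT thread may only observe it.
enum class SubspaceAccess { OnMainThread, Concurrently };

class VMLike {
public:
    // Main-thread path (the entry's ensureXXXSpace): allocate on first use and
    // publish with a release store, the std::atomic analogue of the
    // WTF::storeStoreFence the entry mentions. Assumed (as in the entry) to be
    // called from the main thread only, so creation itself needs no lock.
    IsoSubspaceLike& ensureRareSpace()
    {
        if (IsoSubspaceLike* space = m_rareSpace.load(std::memory_order_acquire))
            return *space;
        m_rareSpaceStorage = std::make_unique<IsoSubspaceLike>("rare");
        m_rareSpace.store(m_rareSpaceStorage.get(), std::memory_order_release);
        return *m_rareSpaceStorage;
    }

    // Concurrent path (the entry's subspaceForConcurrently): never allocates;
    // nullptr means "not allocated yet" and every caller must handle it.
    IsoSubspaceLike* rareSpaceConcurrently() const
    {
        return m_rareSpace.load(std::memory_order_acquire);
    }

    // GC constraint solving: check existence before touching the space. The
    // entry notes this is race-free because the mutator is stopped then.
    size_t countRegisteredSpaces() const
    {
        size_t count = 1; // m_cellSpace is always present
        if (m_rareSpace.load(std::memory_order_acquire))
            ++count;
        return count;
    }

private:
    IsoSubspaceLike m_cellSpace { "cell" };                // eager, common type
    std::unique_ptr<IsoSubspaceLike> m_rareSpaceStorage;   // owns the lazy space
    std::atomic<IsoSubspaceLike*> m_rareSpace { nullptr }; // published view of it
};

// Mirrors the second template parameter the entry added to JSCell::subspaceFor:
// the same call site either ensures the space or merely observes it.
template<SubspaceAccess access>
IsoSubspaceLike* subspaceForRareType(VMLike& vm)
{
    if (access == SubspaceAccess::Concurrently)
        return vm.rareSpaceConcurrently();
    return &vm.ensureRareSpace();
}
```

        The property worth checking is that a reader on the concurrent path sees either nullptr or a fully constructed space, never a half-built one, and that it must treat nullptr as a legitimate answer (in JSC, by taking the slow path) rather than allocating itself.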
2240
2241 2019-02-04  Keith Miller  <keith_miller@apple.com>
2242
2243         Change llint operand macros to inline functions
2244         https://bugs.webkit.org/show_bug.cgi?id=194248
2245
2246         Reviewed by Mark Lam.
2247
2248         * llint/LLIntSlowPaths.cpp:
2249         (JSC::LLInt::getNonConstantOperand):
2250         (JSC::LLInt::getOperand):
2251         (JSC::LLInt::llint_trace_value):
2252         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2253         (JSC::LLInt::getByVal):
2254         (JSC::LLInt::genericCall):
2255         (JSC::LLInt::varargsSetup):
2256         (JSC::LLInt::commonCallEval):
2257
2258 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2259
2260         when lowering AssertNotEmpty, create the value before creating the patchpoint
2261         https://bugs.webkit.org/show_bug.cgi?id=194231
2262
2263         Reviewed by Saam Barati.
2264
2265         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2266         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2267
2268         * ftl/FTLLowerDFGToB3.cpp:
2269         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2270
2271 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2272
2273         [JSC] ExecutableToCodeBlockEdge should be smaller
2274         https://bugs.webkit.org/show_bug.cgi?id=194244
2275
2276         Reviewed by Michael Saboff.
2277
2278         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2279         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2280         Because our size classes are rounded by 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2281         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2282
2283         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2284         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2285         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2286
2287         Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
2288         for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
2289         does not touch it if it is called in non-main threads).
2290
2291         * bytecode/ExecutableToCodeBlockEdge.cpp:
2292         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2293         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2294         (JSC::ExecutableToCodeBlockEdge::activate):
2295         (JSC::ExecutableToCodeBlockEdge::deactivate):
2296         (JSC::ExecutableToCodeBlockEdge::isActive const):
2297         * bytecode/ExecutableToCodeBlockEdge.h:
2298         * runtime/JSCell.h:
2299         * runtime/JSCellInlines.h:
2300         (JSC::JSCell::perCellBit const):
2301         (JSC::JSCell::setPerCellBit):
2302         (JSC::JSCell::mayBePrototype const): Deleted.
2303         (JSC::JSCell::didBecomePrototype): Deleted.
2304         * runtime/JSObject.cpp:
2305         (JSC::JSObject::setPrototypeDirect):
2306         * runtime/JSObject.h:
2307         * runtime/JSObjectInlines.h:
2308         (JSC::JSObject::mayBePrototype const):
2309         (JSC::JSObject::didBecomePrototype):
2310         * runtime/JSTypeInfo.h:
2311         (JSC::TypeInfo::perCellBit):
2312         (JSC::TypeInfo::mergeInlineTypeFlags):
2313         (JSC::TypeInfo::mayBePrototype): Deleted.
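
        An added example (not the project's code) of the size accounting behind this change. CellHeaderLike is modeled on the 8-byte JSCell header, CodeBlockLike stands in for the edge's target, and the bit position of TypeInfoPerCellBit is chosen for illustration only; the 24/32/16-byte figures hold on a 64-bit target, which the checks assume.

```cpp
#include <cstddef>
#include <cstdint>

// Modeled on JSCell's 8-byte header (structure id, indexing type, JS type,
// inline TypeInfo flags, cell state). Field names are this example's own.
struct CellHeaderLike {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t inlineTypeFlags; // TypeInfo flags; one bit of them is per-cell
    uint8_t cellState;
};
static_assert(sizeof(CellHeaderLike) == 8, "cell header is two 32-bit words");

struct CodeBlockLike; // opaque target of the edge

// Layout before the change: the separate bool costs a byte plus padding up
// to pointer alignment (24 bytes on 64-bit), and the 16-byte size classes
// then round that up to 32.
struct EdgeBefore {
    CellHeaderLike header;
    CodeBlockLike* codeBlock;
    bool isActive;
};

// Bit position chosen for this example; the entry only says the bit is the
// renamed TypeInfoMayBePrototype bit.
constexpr uint8_t TypeInfoPerCellBit = 1u << 7;

// Layout after the change: the flag lives in the header's per-cell bit, so
// the cell is exactly header + pointer (16 bytes on 64-bit).
struct EdgeAfter {
    CellHeaderLike header;
    CodeBlockLike* codeBlock;

    bool isActive() const { return (header.inlineTypeFlags & TypeInfoPerCellBit) != 0; }
    // Plain read-modify-write, not CAS: as the entry states, only the main
    // thread may flip this bit, because the byte is shared with other flags.
    void activate() { header.inlineTypeFlags |= TypeInfoPerCellBit; }
    void deactivate() { header.inlineTypeFlags &= static_cast<uint8_t>(~TypeInfoPerCellBit); }
};

// Size classes are rounded up to 16 bytes, per the entry.
constexpr size_t roundUpToSizeClass(size_t bytes)
{
    return (bytes + 15) & ~static_cast<size_t>(15);
}

// Bytes the allocator hands out for a cell of the given raw size, and how
// many of those the object itself does not use.
struct LayoutCost {
    size_t allocated;
    size_t wasted;
};

constexpr LayoutCost layoutCost(size_t rawSize)
{
    return { roundUpToSizeClass(rawSize), roundUpToSizeClass(rawSize) - rawSize };
}
```

        The example also makes the entry's caveat concrete: activate() and deactivate() are ordinary read-modify-write operations on a byte that other TypeInfo flags share, which is exactly why they are confined to the main thread.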
2314
2315 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2316
2317         [JSC] Shrink size of FunctionExecutable
2318         https://bugs.webkit.org/show_bug.cgi?id=194191
2319
2320         Reviewed by Michael Saboff.
2321
2322         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2323         improves the allocation efficiency.
2324
2325         1. ScriptExecutable (base class of FunctionExecutable) has several members which are meaningful only in FunctionExecutable.
2326            We remove them from ScriptExecutable, and move them to FunctionExecutable.
2327
2328         2. FunctionExecutable has several pieces of data which are rarely used. One is for the FunctionOverrides functionality, which is typically
2329            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2330            the size of FunctionExecutable in the common case.
2331
2332         This patch changes the size of FunctionExecutable from 176 to 144.
2333
2334         * bytecode/CodeBlock.cpp:
2335         (JSC::CodeBlock::dumpSource):
2336         (JSC::CodeBlock::finishCreation):
2337         * dfg/DFGNode.h:
2338         (JSC::DFG::Node::OpInfoWrapper::as const):
2339         * interpreter/StackVisitor.cpp:
2340         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2341         * runtime/ExecutableBase.h:
2342         * runtime/FunctionExecutable.cpp:
2343         (JSC::FunctionExecutable::FunctionExecutable):
2344         (JSC::FunctionExecutable::ensureRareDataSlow):
2345         * runtime/FunctionExecutable.h:
2346         * runtime/Intrinsic.h:
2347         * runtime/ModuleProgramExecutable.cpp:
2348         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2349         * runtime/ProgramExecutable.cpp:
2350         (JSC::ProgramExecutable::ProgramExecutable):
2351         * runtime/ScriptExecutable.cpp:
2352         (JSC::ScriptExecutable::ScriptExecutable):
2353         (JSC::ScriptExecutable::overrideLineNumber const):
2354         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2355         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2356         * runtime/ScriptExecutable.h:
2357         (JSC::ScriptExecutable::firstLine const):
2358         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2359         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2360         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2361         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2362         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2363         * runtime/StackFrame.cpp:
2364         (JSC::StackFrame::computeLineAndColumn const):
2365         * tools/JSDollarVM.cpp:
2366         (JSC::functionReturnTypeFor):
2367
2368 2019-02-04  Mark Lam  <mark.lam@apple.com>
2369
2370         DFG's doesGC() is incorrect about the SameValue node's behavior.
2371         https://bugs.webkit.org/show_bug.cgi?id=194211
2372         <rdar://problem/47608913>
2373
2374         Reviewed by Saam Barati.
2375
2376         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2377         it calls operationSameValue() which may allocate memory for resolving ropes.
2378
2379         * dfg/DFGDoesGC.cpp:
2380         (JSC::DFG::doesGC):
2381
2382 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2383
2384         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but the order of destruction of JS heap cells is not guaranteed
2385         https://bugs.webkit.org/show_bug.cgi?id=194031
2386
2387         Reviewed by Saam Barati.
2388
2389         UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
2390         This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
2391         sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2392         destroyed if UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2393
2394         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2395         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2396
2397         * bytecode/MetadataTable.cpp:
2398         (JSC::MetadataTable::MetadataTable):
2399         (JSC::MetadataTable::~MetadataTable):
2400         * bytecode/UnlinkedCodeBlock.cpp:
2401         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2402         (JSC::UnlinkedCodeBlock::visitChildren):
2403         (JSC::UnlinkedCodeBlock::estimatedSize):
2404         (JSC::UnlinkedCodeBlock::setInstructions):
2405         * bytecode/UnlinkedCodeBlock.h:
2406         (JSC::UnlinkedCodeBlock::metadata):
2407         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2408         * bytecode/UnlinkedMetadataTable.h:
2409         (JSC::UnlinkedMetadataTable::create):
2410         * bytecode/UnlinkedMetadataTableInlines.h:
2411         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2412         * runtime/CachedTypes.cpp:
2413         (JSC::CachedMetadataTable::decode const):
2414         (JSC::CachedCodeBlock::metadata const):
2415         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2416         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2417         (JSC::CachedCodeBlock<CodeBlockType>::encode):
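
        The ownership fix described in this entry, as an added example that is not the project's code. WTF::RefCounted/Ref are modelled with std::shared_ptr, the *Like types are stand-ins constructed here, and the sweep order simulated (UnlinkedCodeBlock first, linked CodeBlocks afterwards) is the one the entry identifies as the problem; the DestructionLog records what was destroyed in which order.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Records which stand-in object was destroyed, in order (constructed here).
using DestructionLog = std::vector<std::string>;

// Stand-in for UnlinkedMetadataTable. WTF::RefCounted/Ref are modelled with
// std::shared_ptr: the object dies when the last strong reference drops.
struct UnlinkedMetadataTableLike {
    explicit UnlinkedMetadataTableLike(DestructionLog& log) : log(log) { }
    ~UnlinkedMetadataTableLike() { log.push_back("UnlinkedMetadataTable"); }
    DestructionLog& log;
};

// Stand-in for MetadataTable. After the change it owns a strong ref to the
// unlinked table, so the unlinked table cannot be gone while it exists.
struct MetadataTableLike {
    MetadataTableLike(std::shared_ptr<UnlinkedMetadataTableLike> unlinked, DestructionLog& log)
        : unlinked(std::move(unlinked)), log(log) { }
    ~MetadataTableLike()
    {
        // `unlinked` is still alive here by construction: members are destroyed
        // after this body runs, so a destructor that needs the unlinked table
        // (as the real one does) is safe regardless of GC sweep order.
        log.push_back("MetadataTable");
    }
    std::shared_ptr<UnlinkedMetadataTableLike> unlinked;
    DestructionLog& log;
};

// Stand-ins for the heap cells the GC sweeps in arbitrary order.
struct UnlinkedCodeBlockLike { std::shared_ptr<UnlinkedMetadataTableLike> metadata; };
struct CodeBlockLike { std::unique_ptr<MetadataTableLike> metadata; };

// One UnlinkedCodeBlock, `linkedCount` CodeBlocks linked against it, then a
// sweep that destroys the UnlinkedCodeBlock first, the order the entry
// identifies as problematic. Returns the destruction order observed.
DestructionLog sweepUnlinkedFirst(size_t linkedCount)
{
    DestructionLog log;
    auto unlinkedTable = std::make_shared<UnlinkedMetadataTableLike>(log);

    auto unlinkedCodeBlock = std::make_unique<UnlinkedCodeBlockLike>();
    unlinkedCodeBlock->metadata = unlinkedTable;

    std::vector<std::unique_ptr<CodeBlockLike>> codeBlocks;
    for (size_t i = 0; i < linkedCount; ++i) {
        auto codeBlock = std::make_unique<CodeBlockLike>();
        codeBlock->metadata = std::make_unique<MetadataTableLike>(unlinkedTable, log);
        codeBlocks.push_back(std::move(codeBlock));
    }
    unlinkedTable.reset(); // from here on only the cells own the table

    unlinkedCodeBlock.reset(); // GC sweeps the UnlinkedCodeBlock first ...
    log.push_back("UnlinkedCodeBlock swept");
    codeBlocks.clear();        // ... and the linked CodeBlocks afterwards
    return log;
}
```

        With linked CodeBlocks present, the unlinked table outlives the UnlinkedCodeBlock and is destroyed only after the last MetadataTable; with none, it is destroyed together with the UnlinkedCodeBlock, which is the behaviour the old single-owner design had in every case.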
2418
2419 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2420
2421         [JSC] Decouple JIT related data from CodeBlock
2422         https://bugs.webkit.org/show_bug.cgi?id=194187
2423
2424         Reviewed by Saam Barati.
2425
2426         CodeBlock holds a bunch of data which is only used after JIT starts compiling it.
2427         We have three types of data in CodeBlock.
2428
2429         1. The data which is always used. CodeBlock needs to hold it.
2430         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2431         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2432
2433         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2434         number of them get JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to
2435         memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
2436         in both non-JIT and *JIT* modes.
2437
2438         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2439         by the lock of CodeBlock.
2440
2441         The size of CodeBlock is reduced from 512 to 352.
2442
2443         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2444
2445             Footprint geomean: 36696503 (34.997 MB)
2446             Peak Footprint geomean: 38595988 (36.808 MB)
2447             Score: 37634263 (35.891 MB)
2448
2449             Footprint geomean: 37172768 (35.451 MB)
2450             Peak Footprint geomean: 38978288 (37.173 MB)
2451             Score: 38064824 (36.301 MB)
2452
2453         * bytecode/CodeBlock.cpp:
2454         (JSC::CodeBlock::~CodeBlock):
2455         (JSC::CodeBlock::propagateTransitions):
2456         (JSC::CodeBlock::ensureJITDataSlow):
2457         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2458         (JSC::CodeBlock::getICStatusMap):
2459         (JSC::CodeBlock::addStubInfo):
2460         (JSC::CodeBlock::addJITAddIC):
2461         (JSC::CodeBlock::addJITMulIC):
2462         (JSC::CodeBlock::addJITSubIC):
2463         (JSC::CodeBlock::addJITNegIC):
2464         (JSC::CodeBlock::findStubInfo):
2465         (JSC::CodeBlock::addByValInfo):
2466         (JSC::CodeBlock::addCallLinkInfo):
2467         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2468         (JSC::CodeBlock::addRareCaseProfile):
2469         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2470         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2471         (JSC::CodeBlock::resetJITData):
2472         (JSC::CodeBlock::stronglyVisitStrongReferences):
2473         (JSC::CodeBlock::shrinkToFit):
2474         (JSC::CodeBlock::linkIncomingCall):
2475         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2476         (JSC::CodeBlock::unlinkIncomingCalls):
2477         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2478         (JSC::CodeBlock::dumpValueProfiles):
2479         (JSC::CodeBlock::setPCToCodeOriginMap):
2480         (JSC::CodeBlock::findPC):
2481         (JSC::CodeBlock::dumpMathICStats):
2482         * bytecode/CodeBlock.h:
2483         (JSC::CodeBlock::ensureJITData):
2484         (JSC::CodeBlock::setJITCodeMap):
2485         (JSC::CodeBlock::jitCodeMap):
2486         (JSC::CodeBlock::likelyToTakeSlowCase):
2487         (JSC::CodeBlock::couldTakeSlowCase):
2488         (JSC::CodeBlock::lazyOperandValueProfiles):
2489         (JSC::CodeBlock::stubInfoBegin): Deleted.
2490         (JSC::CodeBlock::stubInfoEnd): Deleted.
2491         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2492         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2493         (JSC::CodeBlock::jitCodeMap const): Deleted.
2494         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2495         * bytecode/MethodOfGettingAValueProfile.cpp:
2496         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2497         (JSC::MethodOfGettingAValueProfile::reportValue):
2498         * dfg/DFGByteCodeParser.cpp:
2499         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2500         * jit/JIT.h:
2501         * jit/JITOperations.cpp:
2502         (JSC::tryGetByValOptimize):
2503         * jit/JITPropertyAccess.cpp:
2504         (JSC::JIT::privateCompileGetByVal):
2505         (JSC::JIT::privateCompilePutByVal):
2506
2507 2018-12-16  Darin Adler  <darin@apple.com>
2508
2509         Convert additional String::format clients to alternative approaches
2510         https://bugs.webkit.org/show_bug.cgi?id=192746
2511
2512         Reviewed by Alexey Proskuryakov.
2513
2514         * inspector/agents/InspectorConsoleAgent.cpp:
2515         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2516         and FormattedNumber::fixedWidth.
2517
2518 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2519
2520         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2521         https://bugs.webkit.org/show_bug.cgi?id=194177
2522
2523         Reviewed by Saam Barati.
2524
2525         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2526         We can share the IsoSubspace for JSFunction.
2527
2528         * runtime/JSAsyncFunction.h:
2529         * runtime/JSAsyncGeneratorFunction.h:
2530         * runtime/JSGeneratorFunction.h:
2531         * runtime/VM.cpp:
2532         (JSC::VM::VM):
2533         * runtime/VM.h:
2534
2535 2019-02-01  Mark Lam  <mark.lam@apple.com>
2536
2537         Remove invalid assertion in DFG's compileDoubleRep().
2538         https://bugs.webkit.org/show_bug.cgi?id=194130
2539         <rdar://problem/47699474>
2540
2541         Reviewed by Saam Barati.
2542
2543         * dfg/DFGSpeculativeJIT.cpp:
2544         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2545
2546 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2547
2548         [JSC] Unify CodeBlock IsoSubspaces
2549         https://bugs.webkit.org/show_bug.cgi?id=194167
2550
2551         Reviewed by Saam Barati.
2552
2553         When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
2554         But this is not necessary since:
2555
2556         1. They do not override the classInfo methods.
2557         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses add no additional fields.
2558
2559         Creating IsoSubspace for each subclass is costly in terms of memory. Especially, IsoSubspace for
2560         ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
2561         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2562
2563         This patch unifies these IsoSubspaces into one.
2564
2565         * bytecode/CodeBlock.cpp:
2566         (JSC::CodeBlock::destroy):
2567         * bytecode/CodeBlock.h:
2568         * bytecode/EvalCodeBlock.cpp:
2569         (JSC::EvalCodeBlock::destroy): Deleted.
2570         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2571         * bytecode/FunctionCodeBlock.cpp:
2572         (JSC::FunctionCodeBlock::destroy): Deleted.
2573         * bytecode/FunctionCodeBlock.h:
2574         * bytecode/GlobalCodeBlock.h:
2575         * bytecode/ModuleProgramCodeBlock.cpp:
2576         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2577         * bytecode/ModuleProgramCodeBlock.h:
2578         * bytecode/ProgramCodeBlock.cpp:
2579         (JSC::ProgramCodeBlock::destroy): Deleted.
2580         * bytecode/ProgramCodeBlock.h:
2581         * interpreter/Interpreter.cpp:
2582         (JSC::Interpreter::execute):
2583         * runtime/VM.cpp:
2584         (JSC::VM::VM):
2585         * runtime/VM.h:
2586         (JSC::VM::forEachCodeBlockSpace):
2587
2588 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2589
2590         Unreviewed, follow-up after r240859
2591         https://bugs.webkit.org/show_bug.cgi?id=194145
2592
2593         Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
2594         And rename cellDangerousBitsSpace back to cellSpace.
2595
2596         * runtime/JSCellInlines.h:
2597         (JSC::JSCell::subspaceFor):
2598         * runtime/VM.cpp:
2599         (JSC::VM::VM):
2600         * runtime/VM.h:
2601
2602 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2603
2604         [JSC] Remove cellJSValueOOBSpace
2605         https://bugs.webkit.org/show_bug.cgi?id=194145
2606
2607         Reviewed by Mark Lam.
2608
2609         * runtime/JSObject.h:
2610         (JSC::JSObject::subspaceFor): Deleted.
2611         * runtime/VM.cpp:
2612         (JSC::VM::VM):
2613         * runtime/VM.h:
2614
2615 2019-01-31  Mark Lam  <mark.lam@apple.com>
2616
2617         Remove poisoning from CodeBlock and LLInt code.
2618         https://bugs.webkit.org/show_bug.cgi?id=194113
2619
2620         Reviewed by Yusuke Suzuki.
2621
2622         * bytecode/CodeBlock.cpp:
2623         (JSC::CodeBlock::CodeBlock):
2624         (JSC::CodeBlock::~CodeBlock):
2625         (JSC::CodeBlock::setConstantRegisters):
2626         (JSC::CodeBlock::propagateTransitions):
2627         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2628         (JSC::CodeBlock::jettison):
2629         (JSC::CodeBlock::predictedMachineCodeSize):
2630         * bytecode/CodeBlock.h:
2631         (JSC::CodeBlock::vm const):
2632         (JSC::CodeBlock::addConstant):
2633         (JSC::CodeBlock::heap const):
2634         (JSC::CodeBlock::replaceConstant):
2635         * llint/LLIntOfflineAsmConfig.h:
2636         * llint/LLIntSlowPaths.cpp:
2637         (JSC::LLInt::handleHostCall):
2638         (JSC::LLInt::setUpCall):
2639         * llint/LowLevelInterpreter.asm:
2640         * llint/LowLevelInterpreter32_64.asm:
2641         * llint/LowLevelInterpreter64.asm:
2642
2643 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2644
2645         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2646         https://bugs.webkit.org/show_bug.cgi?id=194107
2647
2648         Reviewed by Saam Barati.
2649
2650         AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
2651         We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.
2652
2653         * CMakeLists.txt:
2654         * DerivedSources.make:
2655         * JavaScriptCore.xcodeproj/project.pbxproj:
2656         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2657         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2658         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2659         (JSC::AsyncFromSyncIteratorPrototype::create):
2660         * runtime/AsyncFromSyncIteratorPrototype.h:
2661
2662 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2663
2664         Fix `runJITThreadLimitTests` in testapi
2665         https://bugs.webkit.org/show_bug.cgi?id=194064
2666         <rdar://problem/46139147>
2667
2668         Reviewed by Mark Lam.
2669
2670         Fix typo where `targetNumberOfThreads` was not being used.
2671
2672         * API/tests/testapi.mm:
2673         (runJITThreadLimitTests):
2674
2675 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2676
2677         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2678         https://bugs.webkit.org/show_bug.cgi?id=194112
2679
2680         Reviewed by Mark Lam.
2681
2682         `testBytecodeCache` does not populate the bytecode cache for the global
2683         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2684
2685         * API/tests/testapi.mm:
2686         (testBytecodeCache):
2687
2688 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2689
2690         Unreviewed, follow-up after r240796
2691
2692         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
2693         when allocating InferredValue in FunctionExecutable::finishCreation.
2694
2695         * runtime/FunctionExecutable.cpp:
2696         (JSC::FunctionExecutable::FunctionExecutable):
2697         (JSC::FunctionExecutable::finishCreation):
2698
2699 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2700
2701         [JSC] Do not use InferredValue in non-JIT configuration
2702         https://bugs.webkit.org/show_bug.cgi?id=194084
2703
2704         Reviewed by Saam Barati.
2705
2706         InferredValue is not meaningful if our VM is non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2707         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2708         put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care about it.
2709         Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2710         target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
2711         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether JSFunction for this
2712         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2713         To summarize, since nobody uses the InferredValue feature in non-JIT configuration, we should not create it.
2714
2715         * bytecode/ObjectAllocationProfileInlines.h:
2716         (JSC::ObjectAllocationProfile::initializeProfile):
2717         * runtime/FunctionExecutable.cpp:
2718         (JSC::FunctionExecutable::finishCreation):
2719         (JSC::FunctionExecutable::visitChildren):
2720         * runtime/FunctionExecutable.h:
2721         * runtime/InferredValue.cpp:
2722         (JSC::InferredValue::create):
2723         * runtime/JSAsyncFunction.cpp:
2724         (JSC::JSAsyncFunction::create):
2725         * runtime/JSAsyncGeneratorFunction.cpp:
2726         (JSC::JSAsyncGeneratorFunction::create):
2727         * runtime/JSFunction.cpp:
2728         (JSC::JSFunction::create):
2729         * runtime/JSFunctionInlines.h:
2730         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2731         * runtime/JSGeneratorFunction.cpp:
2732         (JSC::JSGeneratorFunction::create):
2733         * runtime/JSSymbolTableObject.h:
2734         (JSC::JSSymbolTableObject::setSymbolTable):
2735         * runtime/SymbolTable.cpp:
2736         (JSC::SymbolTable::finishCreation):
2737         * runtime/VM.cpp:
2738         (JSC::VM::VM):
2739
2740 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2741
2742         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2743         https://bugs.webkit.org/show_bug.cgi?id=194085
2744
2745         Reviewed by Yusuke Suzuki.
2746
2747         r240730 changed ud_itab.py and caused incremental build failures
2748         for Ninja builds.
2749
2750         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2751
2752 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2753
2754         [JSC] Symbol should be in destructibleCellSpace
2755         https://bugs.webkit.org/show_bug.cgi?id=194082
2756
2757         Reviewed by Saam Barati.
2758
2759         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2760         to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
2761         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2762         Symbol's space destructibleCellSpace to appropriately call the destructor.
2763
2764         * runtime/Symbol.h:
2765
2766 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2767
2768         Unreviewed, rolling out r240755.
2769
2770         This was not correct
2771
2772         Reverted changeset:
2773
2774         "Unreviewed, fix GCC build after r240730"
2775         https://bugs.webkit.org/show_bug.cgi?id=194041
2776         https://trac.webkit.org/changeset/240755
2777
2778 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2779
2780         Unreviewed, fix GCC build after r240730
2781         https://bugs.webkit.org/show_bug.cgi?id=194041
2782         <rdar://problem/47680981>
2783
2784         * disassembler/udis86/ud_itab.py:
2785         (UdItabGenerator.genOpcodeTablesLookupIndex):
2786
2787 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2788
2789         testapi's `testBytecodeCache` does not need to run the code twice
2790         https://bugs.webkit.org/show_bug.cgi?id=194046
2791
2792         Reviewed by Mark Lam.
2793
2794         Since we populate the cache eagerly (unlike the stress tests) we don't
2795         need to run the code twice.
2796
2797         * API/tests/testapi.mm:
2798         (testBytecodeCache):
2799
2800 2019-01-30  Saam barati  <sbarati@apple.com>
2801
2802         [WebAssembly] Change BBQ to generate Air IR
2803         https://bugs.webkit.org/show_bug.cgi?id=191802
2804         <rdar://problem/47651718>
2805
2806         Reviewed by Keith Miller.
2807
2808         This patch adds a new Wasm compiler for the BBQ tier. Instead
2809         of compiling using B3-01, we now generate Air code directly.
2810         The goal of doing this was to speed up compile times for Wasm
2811         programs.
2812         
2813         This patch provides us with a 20-30% compile time speedup. However, I
2814         have ideas on how to improve compile times even further. For example,
2815         we should probably implement a faster running register allocator:
2816         https://bugs.webkit.org/show_bug.cgi?id=194036
2817         
2818         We can also improve on the code we generate.
2819         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2820         And we should do better instruction selection in various
2821         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2822
2823         * JavaScriptCore.xcodeproj/project.pbxproj:
2824         * Sources.txt:
2825         * b3/B3LowerToAir.cpp:
2826         * b3/B3StackmapSpecial.h:
2827         * b3/air/AirCode.cpp:
2828         (JSC::B3::Air::Code::emitDefaultPrologue):
2829         * b3/air/AirCode.h:
2830         * b3/air/AirTmp.h:
2831         (JSC::B3::Air::Tmp::Tmp):
2832         * runtime/Options.h:
2833         * wasm/WasmAirIRGenerator.cpp: Added.
2834         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2835         (JSC::Wasm::TypedTmp::TypedTmp):
2836         (JSC::Wasm::TypedTmp::operator== const):
2837         (JSC::Wasm::TypedTmp::operator!= const):
2838         (JSC::Wasm::TypedTmp::operator bool const):
2839         (JSC::Wasm::TypedTmp::operator Tmp const):
2840         (JSC::Wasm::TypedTmp::operator Arg const):
2841         (JSC::Wasm::TypedTmp::tmp const):
2842         (JSC::Wasm::TypedTmp::type const):
2843         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2844         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2845         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2846         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2847         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2848         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2849         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2850         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2851         (JSC::Wasm::AirIRGenerator::emptyExpression):
2852         (JSC::Wasm::AirIRGenerator::fail const):
2853         (JSC::Wasm::AirIRGenerator::setParser):
2854         (JSC::Wasm::AirIRGenerator::toTmpVector):
2855         (JSC::Wasm::AirIRGenerator::validateInst):
2856         (JSC::Wasm::AirIRGenerator::extractArg):
2857         (JSC::Wasm::AirIRGenerator::append):
2858         (JSC::Wasm::AirIRGenerator::appendEffectful):
2859         (JSC::Wasm::AirIRGenerator::newTmp):
2860         (JSC::Wasm::AirIRGenerator::g32):
2861         (JSC::Wasm::AirIRGenerator::g64):
2862         (JSC::Wasm::AirIRGenerator::f32):
2863         (JSC::Wasm::AirIRGenerator::f64):
2864         (JSC::Wasm::AirIRGenerator::tmpForType):
2865         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2866         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2867         (JSC::Wasm::AirIRGenerator::emitCheck):
2868         (JSC::Wasm::AirIRGenerator::emitCCall):
2869         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2870         (JSC::Wasm::AirIRGenerator::instanceValue):
2871         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2872         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2873         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2874         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2875         (JSC::Wasm::AirIRGenerator::emitThrowException):
2876         (JSC::Wasm::AirIRGenerator::addLocal):
2877         (JSC::Wasm::AirIRGenerator::addConstant):
2878         (JSC::Wasm::AirIRGenerator::addArguments):
2879         (JSC::Wasm::AirIRGenerator::getLocal):
2880         (JSC::Wasm::AirIRGenerator::addUnreachable):
2881         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2882         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2883         (JSC::Wasm::AirIRGenerator::setLocal):
2884         (JSC::Wasm::AirIRGenerator::getGlobal):
2885         (JSC::Wasm::AirIRGenerator::setGlobal):
2886         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2887         (JSC::Wasm::sizeOfLoadOp):
2888         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2889         (JSC::Wasm::AirIRGenerator::load):
2890         (JSC::Wasm::sizeOfStoreOp):
2891         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2892         (JSC::Wasm::AirIRGenerator::store):
2893         (JSC::Wasm::AirIRGenerator::addSelect):
2894         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2895         (JSC::Wasm::AirIRGenerator::addLoop):
2896         (JSC::Wasm::AirIRGenerator::addTopLevel):
2897         (JSC::Wasm::AirIRGenerator::addBlock):
2898         (JSC::Wasm::AirIRGenerator::addIf):
2899         (JSC::Wasm::AirIRGenerator::addElse):
2900         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2901         (JSC::Wasm::AirIRGenerator::addReturn):
2902         (JSC::Wasm::AirIRGenerator::addBranch):
2903         (JSC::Wasm::AirIRGenerator::addSwitch):
2904         (JSC::Wasm::AirIRGenerator::endBlock):
2905         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2906         (JSC::Wasm::AirIRGenerator::addCall):
2907         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2908         (JSC::Wasm::AirIRGenerator::unify):
2909         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2910         (JSC::Wasm::AirIRGenerator::dump):
2911         (JSC::Wasm::AirIRGenerator::origin):
2912         (JSC::Wasm::parseAndCompileAir):
2913         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2914         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2915         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2916         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2917         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2918         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2919         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2920         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2921         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2922         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2923         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2924         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2925         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2926         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2927         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2928         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2929         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2930         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2931         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2932         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2933         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2934         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2935         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2936         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2937         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2938         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2939         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2940         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2941         (JSC::Wasm::AirIRGenerator::addShift):
2942         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2943         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2944         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2945         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2946         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2947         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2948         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2949         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2950         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2951         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2952         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2953         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2954         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2955         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2956         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2957         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2958         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2959         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2960         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2961         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2962         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2963         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2964         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2965         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2966         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2967         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2968         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2969         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2970         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2971         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2972         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2973         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2974         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2975         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2976         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2977         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2978         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2979         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2980         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2981         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2982         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2983         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2984         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2985         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2986         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2987         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2988         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2989         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2990         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2991         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2992         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2993         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2994         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2995         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2996         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2997         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2998         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2999         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
3000         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
3001         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
3002         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
3003         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
3004         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
3005         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
3006         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
3007         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
3008         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
3009         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
3010         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
3011         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
3012         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
3013         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
3014         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
3015         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
3016         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
3017         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
3018         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
3019         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
3020         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
3021         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
3022         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
3023         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
3024         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
3025         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
3026         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
3027         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
3028         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
3029         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
3030         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
3031         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
3032         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
3033         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
3034         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
3035         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
3036         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
3037         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
3038         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
3039         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
3040         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
3041         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
3042         * wasm/WasmAirIRGenerator.h: Added.
3043         * wasm/WasmB3IRGenerator.cpp:
3044         (JSC::Wasm::B3IRGenerator::emptyExpression):
3045         * wasm/WasmBBQPlan.cpp:
3046         (JSC::Wasm::BBQPlan::compileFunctions):
3047         * wasm/WasmCallingConvention.cpp:
3048         (JSC::Wasm::jscCallingConventionAir):
3049         (JSC::Wasm::wasmCallingConventionAir):
3050         * wasm/WasmCallingConvention.h:
3051         (JSC::Wasm::CallingConvention::CallingConvention):
3052         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
3053         (JSC::Wasm::CallingConvention::marshallArgument const):
3054         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
3055         (JSC::Wasm::CallingConventionAir::prologueScratch const):
3056         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
3057         (JSC::Wasm::CallingConventionAir::marshallArgument const):
3058         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
3059         (JSC::Wasm::CallingConventionAir::loadArguments const):
3060         (JSC::Wasm::CallingConventionAir::setupCall const):
3061         (JSC::Wasm::nextJSCOffset):
3062         * wasm/WasmFunctionParser.h:
3063         (JSC::Wasm::FunctionParser<Context>::parseExpression):
3064         * wasm/WasmValidate.cpp:
3065         (JSC::Wasm::Validate::emptyExpression):
3066
3067 2019-01-30  Robin Morisset  <rmorisset@apple.com>
3068
3069         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
3070         https://bugs.webkit.org/show_bug.cgi?id=194050
3071         <rdar://problem/47595592>
3072
3073         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
3074         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
3075
3076         Reviewed by Yusuke Suzuki.
3077
3078         * ftl/FTLOperations.cpp:
3079         (JSC::FTL::operationMaterializeObjectInOSR):
3080
3081 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3082
3083         Remove assertion that CachedSymbolTables should have no RareData
3084         https://bugs.webkit.org/show_bug.cgi?id=194037
3085
3086         Reviewed by Mark Lam.
3087
3088         It turns out that we don't need to cache the SymbolTableRareData and
3089         we should not assert that it's empty.
3090
3091         * runtime/CachedTypes.cpp:
3092         (JSC::CachedSymbolTable::encode):
3093
3094 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
3095
3096         CachedBytecode's move constructor should not call `freeDataIfOwned`
3097         https://bugs.webkit.org/show_bug.cgi?id=194045
3098
3099         Reviewed by Mark Lam.
3100
3101         That might result in freeing a garbage value.
3102
3103         * parser/SourceProvider.h:
3104         (JSC::CachedBytecode::CachedBytecode):
3105
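The pitfall in the entry above, as an added illustration that is not JSC's CachedBytecode code: a buffer holder whose move constructor must not "free the old data" before the object has any data, because at that point the members still hold whatever garbage was on the stack or in the allocation. The class, its names and its allocation counter are all hypothetical and constructed for this example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <utility>

// Hypothetical buffer holder: owns a malloc'd block, or only references
// memory that someone else owns. Not JSC's CachedBytecode.
class OwnedBuffer {
public:
    OwnedBuffer() = default;

    // Takes ownership of a malloc'd buffer (owned == true) or merely references memory.
    OwnedBuffer(void* data, size_t size, bool owned)
        : m_data(data), m_size(size), m_owned(owned) { }

    // Correct move: the default member initializers run first (nullptr / 0 / false),
    // then we take the other object's state. Calling freeDataIfOwned() in a move
    // constructor frees whatever garbage m_data happened to contain, because
    // there is no "old data" to release when an object is being constructed.
    OwnedBuffer(OwnedBuffer&& other) noexcept
    {
        takeFrom(other);
    }

    // Move assignment is the place where releasing existing data is correct:
    // *this is fully constructed, so m_data / m_owned are meaningful.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            takeFrom(other);
        }
        return *this;
    }

    OwnedBuffer(const OwnedBuffer&) = delete;
    OwnedBuffer& operator=(const OwnedBuffer&) = delete;

    ~OwnedBuffer() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

    // Counts live owned allocations so a test can detect a leak or a double free.
    static int liveAllocations() { return s_liveAllocations; }

    // Allocates an owned buffer holding a copy of `bytes`.
    static OwnedBuffer copyOf(const void* bytes, size_t size)
    {
        void* p = std::malloc(size);
        if (!p)
            std::abort();
        std::memcpy(p, bytes, size);
        ++s_liveAllocations;
        return OwnedBuffer(p, size, true);
    }

private:
    // Steal the other object's state and leave it empty and non-owning.
    void takeFrom(OwnedBuffer& other)
    {
        m_data = std::exchange(other.m_data, nullptr);
        m_size = std::exchange(other.m_size, 0);
        m_owned = std::exchange(other.m_owned, false);
    }

    void freeDataIfOwned()
    {
        if (m_owned && m_data) {
            std::free(m_data);
            --s_liveAllocations;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
    static int s_liveAllocations;
};

int OwnedBuffer::s_liveAllocations = 0;

// Moves a buffer through construction and assignment and reports whether the
// data was released exactly once: no leak, no double free.
bool moveDoesNotDoubleFreeOrLeak()
{
    {
        const char payload[] = "constructed bytecode bytes"; // constructed sample input
        OwnedBuffer a = OwnedBuffer::copyOf(payload, sizeof payload);
        OwnedBuffer b(std::move(a));          // a now owns nothing
        if (a.data() != nullptr || a.owned())
            return false;
        if (b.size() != sizeof payload || !b.owned())
            return false;
        OwnedBuffer c;
        c = std::move(b);                      // b releases, c owns
        if (OwnedBuffer::liveAllocations() != 1)
            return false;
    }
    return OwnedBuffer::liveAllocations() == 0;
}
```

The design point is the asymmetry between the two move operations: only the assignment operator has an existing state worth releasing, so only it calls freeDataIfOwned() before taking the source's members.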
3106 2019-01-30  Keith Miller  <keith_miller@apple.com>
3107
3108         mul32 should convert powers of 2 to an lshift
3109         https://bugs.webkit.org/show_bug.cgi?id=193957
3110
3111         Reviewed by Yusuke Suzuki.
3112
3113         * assembler/MacroAssembler.h:
3114         (JSC::MacroAssembler::mul32):
3115         * assembler/testmasm.cpp:
3116         (JSC::int32Operands):
3117         (JSC::testMul32WithImmediates):
3118         (JSC::run):
3119
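The strength reduction described in the entry above, as an added example in plain C++ rather than JSC's MacroAssembler: a multiply by an immediate is replaced by a left shift when the immediate is a power of two, and the result must match the 32-bit wrapping multiply for every operand, including 0x80000000 (2^31) and operands that overflow. The function names are hypothetical.

```cpp
#include <cstdint>
#include <initializer_list>

// Returns k when imm == 2^k, treating imm as unsigned so that 0x80000000 is
// 2^31, or -1 when imm is not a power of two (0 is not one either).
int powerOfTwoShift(uint32_t imm)
{
    if (imm == 0 || (imm & (imm - 1)) != 0)
        return -1;
    int shift = 0;
    while ((1u << shift) != imm)
        ++shift;
    return shift;
}

// Reference semantics of a mul32: 32-bit wrapping multiply. Unsigned arithmetic
// wraps modulo 2^32 without undefined behaviour, and the bit pattern is the same
// as a two's complement signed multiply.
uint32_t mul32Reference(uint32_t lhs, uint32_t imm)
{
    return lhs * imm;
}

// What a strength-reducing emitter computes. usedShift reports which path was
// taken so a test can confirm the reduction actually fired.
struct Mul32Result {
    uint32_t value;
    bool usedShift;
};

Mul32Result mul32StrengthReduced(uint32_t lhs, uint32_t imm)
{
    int shift = powerOfTwoShift(imm);
    if (shift >= 0)
        return { lhs << shift, true };
    return { lhs * imm, false };
}

// Checks a set of operands against every power of two (shift path) and against
// some non-powers (multiply path), comparing with the reference multiply.
bool strengthReductionMatchesReference()
{
    const uint32_t operands[] = { 0, 1, 3, 0x7fffffffu, 0x80000000u, 0xffffffffu, 0x12345678u };
    for (uint32_t imm = 1; imm != 0; imm <<= 1) { // 1, 2, 4, ..., 0x80000000
        for (uint32_t lhs : operands) {
            Mul32Result r = mul32StrengthReduced(lhs, imm);
            if (!r.usedShift || r.value != mul32Reference(lhs, imm))
                return false;
        }
    }
    for (uint32_t imm : { 0u, 3u, 6u, 0xffffffffu }) {
        for (uint32_t lhs : operands) {
            Mul32Result r = mul32StrengthReduced(lhs, imm);
            if (r.usedShift || r.value != mul32Reference(lhs, imm))
                return false;
        }
    }
    return true;
}
```

The power-of-two test `imm & (imm - 1) == 0` is the usual one; the extra `imm == 0` guard matters because 0 passes that test but has no shift equivalent.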
3120 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3121
3122         [JSC] Make disassembler data structures constant read-only data
3123         https://bugs.webkit.org/show_bug.cgi?id=194041
3124
3125         Reviewed by Mark Lam.
3126
3127         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
3128         This patch makes them "const".
3129
3130         * disassembler/ARM64/A64DOpcode.cpp:
3131         * disassembler/udis86/ud_itab.py:
3132         (UdItabGenerator.genOpcodeTablesLookupIndex):
3133         (UdItabGenerator.genInsnTable):
3134         (UdItabGenerator.genMnemonicsList):
3135         (genItabH):
3136         * disassembler/udis86/udis86_decode.h:
3137         * disassembler/udis86/udis86_syn.c:
3138         * disassembler/udis86/udis86_syn.h:
3139         * disassembler/udis86/udis86_types.h:
3140
3141 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
3142
3143         Unreviewed, update the builtin test results
3144         https://bugs.webkit.org/show_bug.cgi?id=194015
3145
3146         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3147         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3148         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3149         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3150         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3151         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3152         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3153         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3154         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3155         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3156         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3157         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3158         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3159
3160 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3161
3162         [JSC] Make global static variables "const" as much as possible
3163         https://bugs.webkit.org/show_bug.cgi?id=194015
3164
3165         Reviewed by Mark Lam.
3166
3167         Some global static variables are not "const". For example, `static const char* name = ...`
3168         is not a constant variable. We should make it `static const char* const name = ...`.
3169
3170         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
3171         (generate_externs_for_object):
3172         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
3173         (generate_externs_for_object):
3174         * Scripts/wkbuiltins/builtins_generator.py:
3175         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
3176         * assembler/MacroAssembler.h:
3177         (JSC::MacroAssembler::additionBlindedConstant):
3178         * b3/air/AirFormTable.h:
3179         * b3/air/opcode_generator.rb:
3180         * runtime/JSObject.cpp:
3181         (JSC::JSObject::visitButterfly):
3182         * tools/CodeProfile.cpp:
3183         * tools/CodeProfile.h:
3184
3185 2019-01-29  Keith Miller  <keith_miller@apple.com>
3186
3187         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
3188         https://bugs.webkit.org/show_bug.cgi?id=194000
3189         <rdar://problem/47642894>
3190
3191         Reviewed by Mark Lam.
3192
3193         The default constructor is unused, and
3194         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
3195         data member, which causes sadness.
3196
3197         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3198
3199 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
3200
3201         Remove FIXME for Annex B.3.5's "for-of var" subcase.
3202
3203         Rubber-stamped by Yusuke Suzuki.
3204
3205         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
3206
3207         * parser/Parser.h:
3208         (JSC::Parser::declareHoistedVariable):
3209
3210 2019-01-29  Mark Lam  <mark.lam@apple.com>
3211
3212         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
3213         https://bugs.webkit.org/show_bug.cgi?id=132333
3214
3215         Reviewed by Yusuke Suzuki.
3216
3217         * bytecode/InstructionStream.h:
3218         (JSC::InstructionStreamWriter::write):
3219         - The 32-bit write() function need not invert the order of the bytes written to
3220           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
3221           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
3222
3223         * llint/LLIntOfflineAsmConfig.h:
3224         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
3225
3226 2019-01-29  Mark Lam  <mark.lam@apple.com>
3227
3228         ValueRecovery::recover() should purify NaN values it recovers.
3229         https://bugs.webkit.org/show_bug.cgi?id=193978
3230         <rdar://problem/47625488>
3231
3232         Reviewed by Saam Barati.
3233
3234         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3235         recovered DoubleDisplacedInJSStack values need to be purified.
3236         ValueRecovery::recover() should do the same.
3237
3238         * bytecode/ValueRecovery.cpp:
3239         (JSC::ValueRecovery::recover const):
3240
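Why a recovered double has to be purified, as an added example that is not JSC's JSValue encoding or its ValueRecovery code: under a NaN-boxing scheme, non-double values live inside the NaN payload space, so a NaN with an arbitrary payload (for instance one read back from a stale stack slot during OSR exit) can carry the bit pattern of a boxed pointer or integer. Mapping every NaN onto one canonical NaN before boxing removes that ambiguity. The tag values, the `purifyNaN` helper and the crafted bit pattern below are all constructed for this illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Constructed NaN-boxing layout (hypothetical, not JSC's): the top 16 bits of a
// 64-bit word select the kind, and anything else is a raw IEEE-754 double.
constexpr uint64_t kTagInt32    = 0xFFF9000000000000ull;
constexpr uint64_t kTagPointer  = 0xFFFA000000000000ull;
constexpr uint64_t kTagMask     = 0xFFFF000000000000ull;
constexpr uint64_t kPureNaNBits = 0x7FF8000000000000ull; // canonical quiet NaN

uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// purifyNaN: every NaN, whatever payload it carries, becomes the canonical NaN.
// Non-NaN values (including -0.0) pass through bit-for-bit.
double purifyNaN(double d)
{
    return std::isnan(d) ? doubleFromBits(kPureNaNBits) : d;
}

enum class Kind { Double, Int32, Pointer };

// How the engine side would decode a boxed word.
Kind kindOf(uint64_t boxed)
{
    uint64_t tag = boxed & kTagMask;
    if (tag == kTagInt32)
        return Kind::Int32;
    if (tag == kTagPointer)
        return Kind::Pointer;
    return Kind::Double;
}

// Boxing without purification: the double's bits become the value verbatim.
uint64_t boxDoubleUnpurified(double d) { return bitsOf(d); }

// Boxing with purification, the discipline the entry above asks recover() to follow.
uint64_t boxDouble(double d) { return bitsOf(purifyNaN(d)); }

// Constructed input: a NaN whose payload happens to spell out the pointer tag
// plus an arbitrary "address". Exponent bits are all ones and the quiet bit is
// set, so it is a perfectly valid quiet NaN as far as the FPU is concerned.
double craftedNaN()
{
    return doubleFromBits(kTagPointer | 0x0000123456789abcull);
}

// Without purification the decoder sees a pointer where the program had a double.
bool unpurifiedNaNIsMisreadAsPointer()
{
    double d = craftedNaN();
    return std::isnan(d) && kindOf(boxDoubleUnpurified(d)) == Kind::Pointer;
}

// With purification the same NaN boxes to the canonical NaN and stays a double.
bool purifiedNaNStaysDouble()
{
    uint64_t boxed = boxDouble(craftedNaN());
    return kindOf(boxed) == Kind::Double && boxed == kPureNaNBits;
}
```

The same check belongs on every path that turns raw bits back into a value, which is why the entry brings ValueRecovery::recover() in line with the two OSR exit paths that already purified.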
3241 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3242
3243         [JSC] FTL should handle LocalAllocator*
3244         https://bugs.webkit.org/show_bug.cgi?id=193980
3245
3246         Reviewed by Saam Barati.
3247
3248         At some point, Allocator holds LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3249         because the FTL still uses the incoming value as a 32-bit integer there.
3250
3251         * ftl/FTLLowerDFGToB3.cpp:
3252         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3253
3254 2019-01-29  Keith Rollin  <krollin@apple.com>
3255
3256         Add .xcfilelists to Run Script build phases
3257         https://bugs.webkit.org/show_bug.cgi?id=193792
3258         <rdar://problem/47201785>
3259
3260         Reviewed by Alex Christensen.
3261
3262         As part of supporting XCBuild, update the necessary Run Script build
3263         phases in their Xcode projects to refer to their associated
3264         .xcfilelist files.
3265
3266         Note that the addition of these files bumps the Xcode project version
3267         number to something that's Xcode 10 compatible. This change means that
3268         older versions of the Xcode IDE can't read these projects. Nor can it
3269         fully load workspaces that refer to these projects (the updated
3270         projects are shown as non-expandable placeholders). `xcodebuild` can
3271         still build these projects; it's just that the IDE can't open them.
3272
3273         * JavaScriptCore.xcodeproj/project.pbxproj:
3274
3275 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3276
3277         [ARM] Check for negative zero instead of just zero
3278         https://bugs.webkit.org/show_bug.cgi?id=193689
3279
3280         Reviewed by Mark Lam.
3281
3282         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3283         of just bailing out for zero.
3284
3285         * assembler/MacroAssemblerARMv7.h:
3286         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
3287
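The contract behind that check, as an added example in plain C++ rather than JSC's MacroAssembler: an int32 fast path may take a double only when the round trip is exact, and -0.0 is not exactly representable as an int32 even though it compares equal to 0 (in JavaScript `1 / -0` is `-Infinity`, so the sign is observable). Bailing out for every zero is safe but also rejects +0.0, which converts fine; checking the sign bit bails only for negative zero. Function names are hypothetical.

```cpp
#include <cmath>
#include <cstdint>

// Returns true and stores the int32 when `d` is exactly representable as an
// int32 (integral, in range, and not negative zero); returns false when the
// caller must fall back to the slow path.
bool tryConvertDoubleToInt32(double d, int32_t& out)
{
    if (std::isnan(d))
        return false;                                   // NaN has no integer value
    if (d < -2147483648.0 || d > 2147483647.0)
        return false;                                   // out of range; also rejects +/-inf
    int32_t truncated = static_cast<int32_t>(d);        // in range, so the cast is well defined
    if (static_cast<double>(truncated) != d)
        return false;                                   // a fractional part would be lost
    if (truncated == 0 && std::signbit(d))
        return false;                                   // -0.0: only the sign bit distinguishes it
    out = truncated;
    return true;
}

// Small helpers so the outcome can be checked as a single return value.
bool convertsTo(double d, int32_t expected)
{
    int32_t v = 0;
    return tryConvertDoubleToInt32(d, v) && v == expected;
}

bool rejects(double d)
{
    int32_t v = 0;
    return !tryConvertDoubleToInt32(d, v);
}
```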
3288 2019-01-28  Devin Rousso  <drousso@apple.com>
3289
3290         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3291         https://bugs.webkit.org/show_bug.cgi?id=193863
3292         <rdar://problem/47572764>
3293
3294         Reviewed by Joseph Pecoraro.
3295
3296         * inspector/protocol/Page.json:
3297         Add more values to the `Setting` enum type:
3298          - `ICECandidateFilteringEnabled`
3299          - `MediaCaptureRequiresSecureConnection`
3300          - `MockCaptureDevicesEnabled`
3301
3302 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3303
3304         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3305         https://bugs.webkit.org/show_bug.cgi?id=193941
3306
3307         Reviewed by Alex Christensen.
3308
3309         * API/JSWeakObjectMapRefPrivate.cpp:
3310         * bytecompiler/NodesCodegen.cpp:
3311         * heap/MachineStackMarker.cpp:
3312         * jit/ExecutableAllocator.cpp:
3313         * jsc.cpp:
3314         * parser/Nodes.cpp:
3315         * runtime/DateConstructor.cpp:
3316         * runtime/DateConversion.cpp:
3317         * runtime/DateInstance.cpp:
3318         * runtime/DatePrototype.cpp:
3319         * runtime/InitializeThreading.cpp:
3320         * runtime/IteratorOperations.cpp:
3321         * runtime/JSDateMath.cpp:
3322         * runtime/JSGlobalObjectFunctions.cpp:
3323         * runtime/StringPrototype.cpp:
3324         * runtime/VM.cpp:
3325         * testRegExp.cpp:
3326         * tools/JSDollarVM.cpp:
3327         * yarr/YarrInterpreter.cpp:
3328         * yarr/YarrJIT.cpp:
3329         * yarr/YarrPattern.cpp:
3330         * yarr/YarrUnicodeProperties.cpp:
3331
3332 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3333
3334         [JSC] Reduce size of memory used for ShadowChicken
3335         https://bugs.webkit.org/show_bug.cgi?id=193546
3336
3337         Reviewed by Mark Lam.
3338
3339         This patch lazily instantiates ShadowChicken. We do not need this until we start logging ShadowChicken packets.
3340         The removal of ShadowChicken saves 55KB memory.
3341
3342         * debugger/DebuggerCallFrame.cpp:
3343         (JSC::DebuggerCallFrame::create):
3344         * ftl/FTLLowerDFGToB3.cpp:
3345         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3346         * heap/Heap.cpp:
3347         (JSC::Heap::stopThePeriphery):
3348         (JSC::Heap::addCoreConstraints):
3349         * jit/CCallHelpers.cpp:
3350         (JSC::CCallHelpers::ensureShadowChickenPacket):
3351         * jit/JITExceptions.cpp:
3352         (JSC::genericUnwind):
3353         * jit/JITOpcodes.cpp:
3354         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3355         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3356         * jit/JITOpcodes32_64.cpp:
3357         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3358         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3359         * jit/JITOperations.cpp:
3360         * llint/LLIntSlowPaths.cpp:
3361         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3362         * runtime/JSGlobalObject.cpp:
3363         (JSC::JSGlobalObject::setDebugger):
3364         * runtime/JSGlobalObject.h:
3365         (JSC::JSGlobalObject::setDebugger): Deleted.
3366         * runtime/VM.cpp:
3367         (JSC::VM::VM):
3368         (JSC::VM::ensureShadowChicken):
3369         * runtime/VM.h:
3370         (JSC::VM::shadowChicken):
3371         * tools/JSDollarVM.cpp:
3372         (JSC::functionShadowChickenFunctionsOnStack):
3373         (JSC::changeDebuggerModeWhenIdle):
3374
3375 2019-01-28  Andy Estes  <aestes@apple.com>
3376
3377         [watchOS] Enable Parental Controls content filtering
3378         https://bugs.webkit.org/show_bug.cgi?id=193939
3379         <rdar://problem/46641912>
3380
3381         Reviewed by Ryosuke Niwa.
3382
3383         * Configurations/FeatureDefines.xcconfig:
3384
3385 2019-01-28  Mark Lam  <mark.lam@apple.com>
3386
3387         ToString node actually does GC.
3388         https://bugs.webkit.org/show_bug.cgi?id=193920
3389         <rdar://problem/46695900>
3390
3391         Reviewed by Yusuke Suzuki.
3392
3393         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3394         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3395
3396         * dfg/DFGDoesGC.cpp:
3397         (JSC::DFG::doesGC):
3398
3399 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3400
3401         [JSC] RegExpConstructor should not have own IsoSubspace
3402         https://bugs.webkit.org/show_bug.cgi?id=193801
3403
3404         Reviewed by Mark Lam.
3405
3406         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3407         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3408         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3409         it from RegExpConstructor members.
3410
3411         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3412         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3413         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3414
3415         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3416
3417         * CMakeLists.txt:
3418         * JavaScriptCore.xcodeproj/project.pbxproj:
3419         * Sources.txt:
3420         * dfg/DFGOperations.cpp:
3421         * dfg/DFGSpeculativeJIT.cpp:
3422         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3423         * dfg/DFGStrengthReductionPhase.cpp:
3424         (JSC::DFG::StrengthReductionPhase::handleNode):
3425         * ftl/FTLAbstractHeapRepository.cpp:
3426         * ftl/FTLAbstractHeapRepository.h:
3427         * ftl/FTLLowerDFGToB3.cpp:
3428         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3429         * runtime/JSGlobalObject.cpp:
3430         (JSC::JSGlobalObject::init):
3431         (JSC::JSGlobalObject::visitChildren):
3432         * runtime/JSGlobalObject.h:
3433         (JSC::JSGlobalObject::regExpGlobalData):
3434         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3435         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3436         * runtime/RegExpCache.cpp:
3437         (JSC::RegExpCache::initialize):
3438         * runtime/RegExpCache.h:
3439         (JSC::RegExpCache::emptyRegExp const):
3440         * runtime/RegExpCachedResult.cpp:
3441         (JSC::RegExpCachedResult::visitAggregate):
3442         (JSC::RegExpCachedResult::visitChildren): Deleted.
3443         * runtime/RegExpCachedResult.h:
3444         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3445         * runtime/RegExpConstructor.cpp:
3446         (JSC::RegExpConstructor::RegExpConstructor):
3447         (JSC::regExpConstructorDollar):
3448         (JSC::regExpConstructorInput):
3449         (JSC::regExpConstructorMultiline):
3450         (JSC::regExpConstructorLastMatch):
3451         (JSC::regExpConstructorLastParen):
3452         (JSC::regExpConstructorLeftContext):
3453         (JSC::regExpConstructorRightContext):
3454         (JSC::setRegExpConstructorInput):
3455         (JSC::setRegExpConstructorMultiline):
3456         (JSC::RegExpConstructor::destroy): Deleted.
3457         (JSC::RegExpConstructor::visitChildren): Deleted.
3458         (JSC::RegExpConstructor::getBackref): Deleted.
3459         (JSC::RegExpConstructor::getLastParen): Deleted.
3460         (JSC::RegExpConstructor::getLeftContext): Deleted.
3461         (JSC::RegExpConstructor::getRightContext): Deleted.
3462         * runtime/RegExpConstructor.h:
3463         (JSC::RegExpConstructor::performMatch): Deleted.
3464         (JSC::RegExpConstructor::recordMatch): Deleted.
3465         * runtime/RegExpGlobalData.cpp: Added.
3466         (JSC::RegExpGlobalData::visitAggregate):
3467         (JSC::RegExpGlobalData::getBackref):
3468         (JSC::RegExpGlobalData::getLastParen):
3469         (JSC::RegExpGlobalData::getLeftContext):
3470         (JSC::RegExpGlobalData::getRightContext):
3471         * runtime/RegExpGlobalData.h: Added.
3472         (JSC::RegExpGlobalData::cachedResult):
3473         (JSC::RegExpGlobalData::setMultiline):
3474         (JSC::RegExpGlobalData::multiline const):
3475         (JSC::RegExpGlobalData::input):
3476         (JSC::RegExpGlobalData::offsetOfCachedResult):
3477         * runtime/RegExpGlobalDataInlines.h: Added.
3478         (JSC::RegExpGlobalData::setInput):
3479         (JSC::RegExpGlobalData::performMatch):
3480         (JSC::RegExpGlobalData::recordMatch):
3481         * runtime/RegExpObject.cpp:
3482         (JSC::RegExpObject::matchGlobal):
3483         * runtime/RegExpObjectInlines.h:
3484         (JSC::RegExpObject::execInline):
3485         (JSC::RegExpObject::matchInline):
3486         (JSC::collectMatches):
3487         * runtime/RegExpPrototype.cpp:
3488         (JSC::RegExpPrototype::finishCreation):
3489         (JSC::regExpProtoFuncSearchFast):
3490         (JSC::RegExpPrototype::visitChildren): Deleted.
3491         * runtime/RegExpPrototype.h:
3492         * runtime/StringPrototype.cpp:
3493         (JSC::removeUsingRegExpSearch):
3494         (JSC::replaceUsingRegExpSearch):
3495         * runtime/VM.cpp:
3496         (JSC::VM::VM):
3497         * runtime/VM.h:
3498
3499 2018-12-15  Darin Adler  <darin@apple.com>
3500
3501         Replace many uses of String::format with more type-safe alternatives
3502         https://bugs.webkit.org/show_bug.cgi?id=192742
3503
3504         Reviewed by Mark Lam.
3505
3506         * inspector/InjectedScriptBase.cpp:
3507         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3508         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3509         * inspector/InspectorBackendDispatcher.cpp:
3510         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3511         * inspector/agents/InspectorConsoleAgent.cpp:
3512         (Inspector::InspectorConsoleAgent::enable): Ditto.
3513         * jsc.cpp:
3514         (FunctionJSCStackFunctor::operator() const): Ditto.
3515
3516         * runtime/CodeCache.cpp:
3517         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3518         using String::number.
3519
3520         * runtime/IntlDateTimeFormat.cpp:
3521         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3522         * runtime/IntlObject.cpp:
3523         (JSC::canonicalizeLocaleList): Ditto.
3524
3525 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3526
3527         AX: Introduce a static accessibility tree
3528         https://bugs.webkit.org/show_bug.cgi?id=193348
3529         <rdar://problem/47203295>
3530
3531         Reviewed by Ryosuke Niwa.
3532
3533         * Configurations/FeatureDefines.xcconfig:
3534
3535 2019-01-26  Devin Rousso  <drousso@apple.com>
3536
3537         Web Inspector: provide a way to edit the user agent of a remote target
3538         https://bugs.webkit.org/show_bug.cgi?id=193862
3539         <rdar://problem/47359292>
3540
3541         Reviewed by Joseph Pecoraro.
3542
3543         * inspector/protocol/Page.json:
3544         Add `overrideUserAgent` command.
3545
3546 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3547
3548         [JSC] NativeErrorConstructor should not have own IsoSubspace
3549         https://bugs.webkit.org/show_bug.cgi?id=193713
3550
3551         Reviewed by Saam Barati.
3552
3553         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3554         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3555         threads, this is OK. While TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3556         offer some function instead of exposing TypeError constructor in the future, and remove this @TypeError reference. This change removes
3557         IsoSubspace for NativeErrorConstructor in VM. We also remove @Error and @RangeError references for builtins since they are no longer
3558         referenced.
3559
3560         * CMakeLists.txt:
3561         * JavaScriptCore.xcodeproj/project.pbxproj:
3562         * Sources.txt:
3563         * builtins/BuiltinNames.h:
3564         * interpreter/Interpreter.h:
3565         * runtime/Error.cpp:
3566         (JSC::createEvalError):
3567         (JSC::createRangeError):
3568         (JSC::createReferenceError):
3569         (JSC::createSyntaxError):
3570         (JSC::createTypeError):
3571         (JSC::createURIError):
3572         (WTF::printInternal): Deleted.
3573         * runtime/Error.h:
3574         * runtime/ErrorPrototype.cpp:
3575         (JSC::ErrorPrototype::create):
3576         (JSC::ErrorPrototype::finishCreation):
3577         * runtime/ErrorPrototype.h:
3578         (JSC::ErrorPrototype::create): Deleted.
3579         * runtime/ErrorType.cpp: Added.
3580         (JSC::errorTypeName):
3581         (WTF::printInternal):
3582         * runtime/ErrorType.h: Added.
3583         * runtime/JSGlobalObject.cpp:
3584         (JSC::JSGlobalObject::initializeErrorConstructor):
3585         (JSC::JSGlobalObject::init):
3586         (JSC::JSGlobalObject::visitChildren):
3587         * runtime/JSGlobalObject.h:
3588         (JSC::JSGlobalObject::internalPromiseConstructor const):
3589         (JSC::JSGlobalObject::errorStructure const):
3590         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3591         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3592         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3593         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3594         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.
3595         (JSC::JSGlobalObject::URIErrorConstructor const): Deleted.
3596         * runtime/NativeErrorConstructor.cpp:
3597         (JSC::NativeErrorConstructor<errorType>::NativeErrorConstructor):
3598         (JSC::NativeErrorConstructorBase::finishCreation):
3599         (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
3600         (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
3601         (JSC::NativeErrorConstructor::NativeErrorConstructor): Deleted.
3602         (JSC::NativeErrorConstructor::finishCreation): Deleted.
3603         (JSC::NativeErrorConstructor::visitChildren): Deleted.
3604         (JSC::Interpreter::constructWithNativeErrorConstructor): Deleted.
3605         (JSC::Interpreter::callNativeErrorConstructor): Deleted.
3606         * runtime/NativeErrorConstructor.h:
3607         (JSC::NativeErrorConstructorBase::createStructure):
3608         (JSC::NativeErrorConstructorBase::NativeErrorConstructorBase):
3609         * runtime/NativeErrorPrototype.cpp:
3610         (JSC::NativeErrorPrototype::finishCreation): Deleted.
3611         * runtime/NativeErrorPrototype.h:
3612         * runtime/VM.cpp:
3613         (JSC::VM::VM):
3614         * runtime/VM.h:
3615         * wasm/js/WasmToJS.cpp:
3616         (JSC::Wasm::handleBadI64Use):
3617
3618 2019-01-25  Devin Rousso  <drousso@apple.com>
3619
3620         Web Inspector: provide a way to edit page settings on a remote target
3621         https://bugs.webkit.org/show_bug.cgi?id=193813
3622         <rdar://problem/47359510>
3623
3624         Reviewed by Joseph Pecoraro.
3625
3626         * inspector/protocol/Page.json:
3627         Add `overrideSetting` command with supporting `Setting` enum type.
3628
3629 2019-01-25  Keith Rollin  <krollin@apple.com>
3630
3631         Update Xcode projects with "Check .xcfilelists" build phase
3632         https://bugs.webkit.org/show_bug.cgi?id=193790
3633         <rdar://problem/47201374>
3634
3635         Reviewed by Alex Christensen.
3636
3637         Support for XCBuild includes specifying inputs and outputs to various
3638         Run Script build phases. These inputs and outputs are specified as
3639         .xcfilelist files. Once created, these .xcfilelist files need to be
3640         kept up-to-date. In order to check whether they are up-to-date,
3641         add an Xcode build step that invokes an external script that performs
3642         the checking. If the .xcfilelists are found to be out-of-date, update
3643         them, halt the build, and instruct the developer to restart the build
3644         with up-to-date files.
3645
3646         At this time, the checking and regenerating is performed only if the
3647         WK_ENABLE_CHECK_XCFILELISTS environment variable is set to 1. People
3648         who want to use this facility can set this variable and test out the
3649         checking/regenerating. Once it seems like there are no egregious
3650         issues that upset a developer's workflow, we'll unconditionally enable
3651         this facility.
3652
3653         * JavaScriptCore.xcodeproj/project.pbxproj:
3654         * Scripts/check-xcfilelists.sh: Added.
3655
3656 2019-01-25  Joseph Pecoraro  <pecoraro@apple.com>
3657
3658         Web Inspector: Exclude Debugger Threads from CPU Usage values in Web Inspector
3659         https://bugs.webkit.org/show_bug.cgi?id=193796
3660         <rdar://problem/47532910>
3661
3662         Reviewed by Devin Rousso.
3663
3664         * runtime/SamplingProfiler.cpp:
3665         (JSC::SamplingProfiler::machThread):
3666         * runtime/SamplingProfiler.h:
3667         Expose the mach_port_t of the SamplingProfiler thread
3668         so it can be tested against later.
3669
3670 2019-01-25  Alex Christensen  <achristensen@webkit.org>
3671
3672         Fix Windows build after r240511
3673
3674         * bytecode/UnlinkedFunctionExecutable.cpp:
3675         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3676
3677 2019-01-25  Keith Rollin  <krollin@apple.com>
3678
3679         Update Xcode projects with "Apply Configuration to XCFileLists" build target
3680         https://bugs.webkit.org/show_bug.cgi?id=193781
3681         <rdar://problem/47201153>
3682
3683         Reviewed by Alex Christensen.
3684
3685         Part of generating the .xcfilelists used as part of adopting XCBuild
3686         includes running `make DerivedSources.make` from a standalone script.
3687         It’s important for this invocation to have the same environment as
3688         when the actual build invokes `make DerivedSources.make`. If the
3689         environments are different, then the two invocations will provide
3690         different results. In order to get the same environment in the
3691         standalone script, have the script launch xcodebuild targeting the
3692         "Apply Configuration to XCFileLists" build target, which will then
3693         re-invoke our standalone script. The script is now running again, this
3694         time in an environment with all workspace, project, target, xcconfig
3695         and other environment variables established.
3696
3697         The "Apply Configuration to XCFileLists" build target accomplishes
3698         this task via a small embedded shell script that consists only of:
3699
3700             eval "${WK_SUBLAUNCH_SCRIPT_PARAMETERS[@]}"
3701
3702         The process that invokes "Apply Configuration to XCFileLists" first
3703         sets WK_SUBLAUNCH_SCRIPT_PARAMETERS to an array of commands to be
3704         evaluated and exports it into the shell environment. When xcodebuild
3705         is invoked, it inherits the value of this variable and can `eval` the
3706         contents of that variable. Our external standalone script can then set
3707         WK_SUBLAUNCH_SCRIPT_PARAMETERS to the path to itself, along with a set
3708         of command-line parameters needed to restart itself in the appropriate
3709         state.
3710
3711         * JavaScriptCore.xcodeproj/project.pbxproj:
3712
3713 2019-01-25  Tadeu Zagallo  <tzagallo@apple.com>
3714
3715         Add API to generate and consume cached bytecode
3716         https://bugs.webkit.org/show_bug.cgi?id=193401
3717         <rdar://problem/47514099>
3718
3719         Reviewed by Keith Miller.
3720
3721         Add the `generateBytecode` and `generateModuleBytecode` functions to
3722         generate serialized bytecode for a given `SourceCode`. These functions
3723         will eagerly generate code for all the nested functions.
3724
3725         Additionally, update the API methods in JSScript to generate and use the
3726         bytecode when the bytecodeCache path is provided.
3727
3728         * API/JSAPIGlobalObject.mm:
3729         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3730         * API/JSContext.mm:
3731         (-[JSContext wrapperMap]):
3732         * API/JSContextInternal.h:
3733         * API/JSScript.mm:
3734         (+[JSScript scriptWithSource:inVirtualMachine:]):
3735         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
3736         (-[JSScript dealloc]):
3737         (-[JSScript readCache]):
3738         (-[JSScript writeCache]):
3739         (-[JSScript hash]):
3740         (-[JSScript source]):
3741         (-[JSScript cachedBytecode]):
3742         (-[JSScript jsSourceCode:]):
3743         * API/JSScriptInternal.h:
3744         * API/JSScriptSourceProvider.h: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3745         (JSScriptSourceProvider::create):
3746         (JSScriptSourceProvider::JSScriptSourceProvider):
3747         * API/JSScriptSourceProvider.mm: Copied from Source/JavaScriptCore/API/JSScriptInternal.h.
3748         (JSScriptSourceProvider::hash const):
3749         (JSScriptSourceProvider::source const):
3750         (JSScriptSourceProvider::cachedBytecode const):
3751         * API/JSVirtualMachine.mm:
3752         (-[JSVirtualMachine vm]):
3753         * API/JSVirtualMachineInternal.h:
3754         * API/tests/testapi.mm:
3755         (testBytecodeCache):
3756         (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
3757         (testObjectiveCAPI):
3758         * JavaScriptCore.xcodeproj/project.pbxproj:
3759         * SourcesCocoa.txt:
3760         * bytecode/UnlinkedFunctionExecutable.cpp:
3761         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3762         * bytecode/UnlinkedFunctionExecutable.h:
3763         * parser/SourceCodeKey.h:
3764         (JSC::SourceCodeKey::source const):
3765         * parser/SourceProvider.h:
3766         (JSC::CachedBytecode::CachedBytecode):
3767         (JSC::CachedBytecode::operator=):
3768         (JSC::CachedBytecode::data const):
3769         (JSC::CachedBytecode::size const):
3770         (JSC::CachedBytecode::owned const):
3771         (JSC::CachedBytecode::~CachedBytecode):
3772         (JSC::CachedBytecode::freeDataIfOwned):
3773         (JSC::SourceProvider::cachedBytecode const):
3774         * parser/UnlinkedSourceCode.h:
3775         (JSC::UnlinkedSourceCode::provider const):
3776         * runtime/CodeCache.cpp:
3777         (JSC::generateUnlinkedCodeBlockForFunctions):
3778         (JSC::writeCodeBlock):
3779         (JSC::serializeBytecode):
3780         * runtime/CodeCache.h:
3781         (JSC::CodeCacheMap::fetchFromDiskImpl):
3782         (JSC::CodeCacheMap::findCacheAndUpdateAge):
3783         (JSC::generateUnlinkedCodeBlockImpl):
3784         (JSC::generateUnlinkedCodeBlock):
3785         * runtime/Completion.cpp:
3786         (JSC::generateBytecode):
3787         (JSC::generateModuleBytecode):
3788         * runtime/Completion.h:
3789         * runtime/Options.cpp:
3790         (JSC::recomputeDependentOptions):
3791
3792 2019-01-25  Keith Rollin  <krollin@apple.com>
3793
3794         Update WebKitAdditions.xcconfig with correct order of variable definitions
3795         https://bugs.webkit.org/show_bug.cgi?id=193793
3796         <rdar://problem/47532439>
3797
3798         Reviewed by Alex Christensen.
3799
3800         XCBuild changes the way xcconfig variables are evaluated. In short,
3801         all config file assignments are now considered in part of the
3802         evaluation. When using the new build system and an .xcconfig file
3803         contains multiple assignments of the same build setting:
3804
3805         - Later assignments using $(inherited) will inherit from earlier
3806           assignments in the xcconfig file.
3807         - Later assignments not using $(inherited) will take precedence over
3808           earlier assignments. An assignment to a more general setting will
3809           mask an earlier assignment to a less general setting. For example,
3810           an assignment without a condition ('FOO = bar') will completely mask
3811           an earlier assignment with a condition ('FOO[sdk=macos*] = quux').
3812
3813         This affects some of our .xcconfig files, in that sometimes platform-
3814         or sdk-specific definitions appear before the general definitions.
3815         Under the new evaluation rules, the general definitions always take
3816         effect because they always overwrite the more-specific definitions. The
3817         solution is to swap the order, so that the general definitions are
3818         established first, and then conditionally overwritten by the
3819         more-specific definitions.
3820
3821         * Configurations/Version.xcconfig:
3822
3823 2019-01-25  Keith Rollin  <krollin@apple.com>
3824
3825         Update existing .xcfilelists
3826         https://bugs.webkit.org/show_bug.cgi?id=193791
3827         <rdar://problem/47201706>
3828
3829         Reviewed by Alex Christensen.
3830
3831         Many .xcfilelist files were added in r238824 in order to support
3832         XCBuild. Update these with recent changes to the set of build files
3833         and with the current generate-xcfilelist script.
3834
3835         * DerivedSources-input.xcfilelist:
3836         * DerivedSources-output.xcfilelist:
3837         * UnifiedSources-input.xcfilelist:
3838         * UnifiedSources-output.xcfilelist:
3839
3840 2019-01-25  Jon Davis  <jond@apple.com>
3841
3842         Update JavaScriptCore feature status entries.
3843         https://bugs.webkit.org/show_bug.cgi?id=193797
3844
3845         Reviewed by Mark Lam.
3846
3847         Updated feature status for Async Iteration, and Object rest/spread.
3848
3849         * features.json:
3850
3851 2019-01-24  Keith Miller  <keith_miller@apple.com>
3852
3853         Remove usage of internal macro from private header
3854         https://bugs.webkit.org/show_bug.cgi?id=193809
3855
3856         Reviewed by Saam Barati.
3857
3858         Also, add a new file to include all of our API headers to make sure
3859         they don't accidentally include C++ or internal values.
3860
3861         * API/JSScript.h:
3862         * API/tests/testIncludes.m: Added.
3863         * JavaScriptCore.xcodeproj/project.pbxproj:
3864
3865 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
3866
3867         [JSC] ErrorConstructor should not have own IsoSubspace
3868         https://bugs.webkit.org/show_bug.cgi?id=193800
3869
3870         Reviewed by Saam Barati.
3871
3872         Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
3873         IsoSubspace errorConstructorSpace in VM. But it is allocated only once per JSGlobalObject, and it is
3874         too costly to have an IsoSubspace which allocates 16KB. Since stackTraceLimit is per-JSGlobalObject
3875         information, we should have m_stackTraceLimit in JSGlobalObject instead and put
3876         ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
3877         into IsoSubspaces) described,
3878
3879             "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
3880             appear to just override methods, which are called dynamically via the structure or class of the object.
3881             So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
3882
3883         Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
3884         This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
3885         This reduces the memory usage.
3886
3887         * interpreter/Interpreter.h:
3888         * runtime/Error.cpp:
3889         (JSC::getStackTrace):
3890         * runtime/ErrorConstructor.cpp:
3891         (JSC::ErrorConstructor::ErrorConstructor):
3892         (JSC::ErrorConstructor::finishCreation):
3893         (JSC::constructErrorConstructor):
3894         (JSC::callErrorConstructor):
3895         (JSC::ErrorConstructor::put):
3896         (JSC::ErrorConstructor::deleteProperty):
3897         (JSC::Interpreter::constructWithErrorConstructor): Deleted.
3898         (JSC::Interpreter::callErrorConstructor): Deleted.
3899         * runtime/ErrorConstructor.h: