Changeset 245040 in webkit

Timestamp:

May 7, 2019 3:15:59 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

TemplateObject passed to template literal tags are not always identical for the same source location.
​https://bugs.webkit.org/show_bug.cgi?id=190756

Reviewed by Saam Barati.

JSTests:

• complex.yaml:
• complex/tagged-template-regeneration-after.js: Added.

(shouldBe):

• complex/tagged-template-regeneration.js: Added.

(call):
(test):

• modules/tagged-template-inside-module.js: Added.

(from.string_appeared_here.call):

• modules/tagged-template-inside-module/other-tagged-templates.js: Added.

(call):
(export.otherTaggedTemplates):

• stress/call-and-construct-should-return-same-tagged-templates.js: Added.

(shouldBe):
(call):
(poly):

• stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.

(shouldBe):
(call):

• stress/tagged-templates-in-function-in-direct-eval.js: Added.

(shouldBe):
(call):
(test):

• stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.

(shouldBe):
(call):

• stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.

(shouldBe):
(call):

• stress/tagged-templates-in-multiple-functions.js: Added.

(shouldBe):
(call):
(a):
(b):
(c):

• stress/tagged-templates-with-same-start-offset.js: Added.

(shouldBe):

Source/JavaScriptCore:

Tagged template literal requires that the site object is allocated per source location. Previously, we create the site object
when linking CodeBlock and cache it in CodeBlock. But this is wrong because,

1. CodeBlock can be jettisoned and regenerated. So every time CodeBlock is regenerated, we get the different site object.
2. Call and Construct can have different CodeBlock. Even if the function is called in call-form or construct-form, we should return the same site object.

In this patch, we start caching these site objects in the top-level ScriptExecutable, this matches the spec's per source location since the only one top-level
ScriptExecutable is created for the given script code. Each ScriptExecutable of JSFunction can be created multiple times because CodeBlock creates it.
But the top-level one is not created by CodeBlock. This top-level ScriptExecutable is well-aligned to the Script itself. The top-level ScriptExecutable now has HashMap,
which maps source locations to cached site objects.

1. This patch threads the top-level ScriptExecutable to each FunctionExecutable creation. Each FunctionExecutable has a reference to the top-level ScriptExecutable.
2. We put TemplateObjectMap in ScriptExecutable, which manages cached template objects.
3. We move FunctionExecutable::m_cachedPolyProtoStructure to the FunctionExecutable::RareDate to keep FunctionExecutable 128 bytes.
4. TemplateObjectMap is indexed with endOffset of TaggedTemplate.

• Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
• Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
• Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
• Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
• Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
• Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
• Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
• Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
• Scripts/wkbuiltins/builtins_templates.py:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):

• bytecode/CodeBlock.h:
• bytecode/UnlinkedFunctionExecutable.cpp:

(JSC::UnlinkedFunctionExecutable::link):

• bytecode/UnlinkedFunctionExecutable.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):

• bytecompiler/BytecodeGenerator.h:
• parser/ASTBuilder.h:

(JSC::ASTBuilder::createTaggedTemplate):

• runtime/CachedTypes.cpp:

(JSC::CachedTemplateObjectDescriptor::encode):
(JSC::CachedTemplateObjectDescriptor::decode const):
(JSC::CachedJSValue::encode):
(JSC::CachedJSValue::decode const):

• runtime/EvalExecutable.cpp:

(JSC::EvalExecutable::ensureTemplateObjectMap):
(JSC::EvalExecutable::visitChildren):

• runtime/EvalExecutable.h:
• runtime/FunctionExecutable.cpp:

(JSC::FunctionExecutable::finishCreation):
(JSC::FunctionExecutable::visitChildren):
(JSC::FunctionExecutable::fromGlobalCode):
(JSC::FunctionExecutable::ensureRareDataSlow):
(JSC::FunctionExecutable::ensureTemplateObjectMap):

• runtime/FunctionExecutable.h:
• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::instantiateDeclarations):

• runtime/JSTemplateObjectDescriptor.cpp:

(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):

• runtime/JSTemplateObjectDescriptor.h:
• runtime/ModuleProgramExecutable.cpp:

(JSC::ModuleProgramExecutable::ensureTemplateObjectMap):
(JSC::ModuleProgramExecutable::visitChildren):

• runtime/ModuleProgramExecutable.h:
• runtime/ProgramExecutable.cpp:

(JSC::ProgramExecutable::ensureTemplateObjectMap):
(JSC::ProgramExecutable::visitChildren):

• runtime/ProgramExecutable.h:
• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::topLevelExecutable):
(JSC::ScriptExecutable::createTemplateObject):
(JSC::ScriptExecutable::ensureTemplateObjectMapImpl):
(JSC::ScriptExecutable::ensureTemplateObjectMap):

• runtime/ScriptExecutable.h:
• tools/JSDollarVM.cpp:

(JSC::functionCreateBuiltin):
(JSC::functionDeleteAllCodeWhenIdle):
(JSC::JSDollarVM::finishCreation):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/complex.yaml (modified) (1 diff)
• JSTests/complex/tagged-template-regeneration-after.js (added)
• JSTests/complex/tagged-template-regeneration.js (added)
• JSTests/modules/tagged-template-inside-module (added)
• JSTests/modules/tagged-template-inside-module.js (added)
• JSTests/modules/tagged-template-inside-module/other-tagged-templates.js (added)
• JSTests/stress/call-and-construct-should-return-same-tagged-templates.js (added)
• JSTests/stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js (added)
• JSTests/stress/tagged-templates-in-function-in-direct-eval.js (added)
• JSTests/stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js (added)
• JSTests/stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js (added)
• JSTests/stress/tagged-templates-in-multiple-functions.js (added)
• JSTests/stress/tagged-templates-with-same-start-offset.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result (modified) (1 diff)
• Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (5 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (3 diffs)
• Source/JavaScriptCore/parser/ASTBuilder.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/CachedTypes.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/EvalExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/EvalExecutable.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/FunctionExecutable.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/FunctionExecutable.h (modified) (7 diffs)
• Source/JavaScriptCore/runtime/JSModuleRecord.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ModuleProgramExecutable.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ProgramExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ProgramExecutable.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ScriptExecutable.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ScriptExecutable.h (modified) (5 diffs)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        TemplateObject passed to template literal tags are not always identical for the same source location.
+        https://bugs.webkit.org/show_bug.cgi?id=190756
+
+        Reviewed by Saam Barati.
+
+        * complex.yaml:
+        * complex/tagged-template-regeneration-after.js: Added.
+        (shouldBe):
+        * complex/tagged-template-regeneration.js: Added.
+        (call):
+        (test):
+        * modules/tagged-template-inside-module.js: Added.
+        (from.string_appeared_here.call):
+        * modules/tagged-template-inside-module/other-tagged-templates.js: Added.
+        (call):
+        (export.otherTaggedTemplates):
+        * stress/call-and-construct-should-return-same-tagged-templates.js: Added.
+        (shouldBe):
+        (call):
+        (poly):
+        * stress/tagged-templates-in-direct-eval-should-not-produce-same-site-object.js: Added.
+        (shouldBe):
+        (call):
+        * stress/tagged-templates-in-function-in-direct-eval.js: Added.
+        (shouldBe):
+        (call):
+        (test):
+        * stress/tagged-templates-in-global-function-should-not-produce-same-site-object.js: Added.
+        (shouldBe):
+        (call):
+        * stress/tagged-templates-in-indirect-eval-should-not-produce-same-site-object.js: Added.
+        (shouldBe):
+        (call):
+        * stress/tagged-templates-in-multiple-functions.js: Added.
+        (shouldBe):
+        (call):
+        (a):
+        (b):
+        (c):
+        * stress/tagged-templates-with-same-start-offset.js: Added.
+        (shouldBe):
+
 2019-05-07  Robin Morisset  <rmorisset@apple.com>
 

trunk/JSTests/complex.yaml

@@ -26 +26 @@
 - path: complex/generator-regeneration.js
   cmd: runComplexTest [], ["generator-regeneration-after.js"], "--useDollarVM=1"
+
+- path: complex/tagged-template-regeneration.js
+  cmd: runComplexTest [], ["tagged-template-regeneration-after.js"], "--useDollarVM=1"

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        TemplateObject passed to template literal tags are not always identical for the same source location.
+        https://bugs.webkit.org/show_bug.cgi?id=190756
+
+        Reviewed by Saam Barati.
+
+        Tagged template literal requires that the site object is allocated per source location. Previously, we create the site object
+        when linking CodeBlock and cache it in CodeBlock. But this is wrong because,
+
+        1. CodeBlock can be jettisoned and regenerated. So every time CodeBlock is regenerated, we get the different site object.
+        2. Call and Construct can have different CodeBlock. Even if the function is called in call-form or construct-form, we should return the same site object.
+
+        In this patch, we start caching these site objects in the top-level ScriptExecutable, this matches the spec's per source location since the only one top-level
+        ScriptExecutable is created for the given script code. Each ScriptExecutable of JSFunction can be created multiple times because CodeBlock creates it.
+        But the top-level one is not created by CodeBlock. This top-level ScriptExecutable is well-aligned to the Script itself. The top-level ScriptExecutable now has HashMap,
+        which maps source locations to cached site objects.
+
+        1. This patch threads the top-level ScriptExecutable to each FunctionExecutable creation. Each FunctionExecutable has a reference to the top-level ScriptExecutable.
+        2. We put TemplateObjectMap in ScriptExecutable, which manages cached template objects.
+        3. We move FunctionExecutable::m_cachedPolyProtoStructure to the FunctionExecutable::RareDate to keep FunctionExecutable 128 bytes.
+        4. TemplateObjectMap is indexed with endOffset of TaggedTemplate.
+
+        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
+        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
+        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
+        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
+        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
+        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
+        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
+        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
+        * Scripts/wkbuiltins/builtins_templates.py:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        (JSC::CodeBlock::setConstantRegisters):
+        * bytecode/CodeBlock.h:
+        * bytecode/UnlinkedFunctionExecutable.cpp:
+        (JSC::UnlinkedFunctionExecutable::link):
+        * bytecode/UnlinkedFunctionExecutable.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::addTemplateObjectConstant):
+        (JSC::BytecodeGenerator::emitGetTemplateObject):
+        * bytecompiler/BytecodeGenerator.h:
+        * parser/ASTBuilder.h:
+        (JSC::ASTBuilder::createTaggedTemplate):
+        * runtime/CachedTypes.cpp:
+        (JSC::CachedTemplateObjectDescriptor::encode):
+        (JSC::CachedTemplateObjectDescriptor::decode const):
+        (JSC::CachedJSValue::encode):
+        (JSC::CachedJSValue::decode const):
+        * runtime/EvalExecutable.cpp:
+        (JSC::EvalExecutable::ensureTemplateObjectMap):
+        (JSC::EvalExecutable::visitChildren):
+        * runtime/EvalExecutable.h:
+        * runtime/FunctionExecutable.cpp:
+        (JSC::FunctionExecutable::finishCreation):
+        (JSC::FunctionExecutable::visitChildren):
+        (JSC::FunctionExecutable::fromGlobalCode):
+        (JSC::FunctionExecutable::ensureRareDataSlow):
+        (JSC::FunctionExecutable::ensureTemplateObjectMap):
+        * runtime/FunctionExecutable.h:
+        * runtime/JSModuleRecord.cpp:
+        (JSC::JSModuleRecord::instantiateDeclarations):
+        * runtime/JSTemplateObjectDescriptor.cpp:
+        (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+        (JSC::JSTemplateObjectDescriptor::create):
+        * runtime/JSTemplateObjectDescriptor.h:
+        * runtime/ModuleProgramExecutable.cpp:
+        (JSC::ModuleProgramExecutable::ensureTemplateObjectMap):
+        (JSC::ModuleProgramExecutable::visitChildren):
+        * runtime/ModuleProgramExecutable.h:
+        * runtime/ProgramExecutable.cpp:
+        (JSC::ProgramExecutable::ensureTemplateObjectMap):
+        (JSC::ProgramExecutable::visitChildren):
+        * runtime/ProgramExecutable.h:
+        * runtime/ScriptExecutable.cpp:
+        (JSC::ScriptExecutable::topLevelExecutable):
+        (JSC::ScriptExecutable::createTemplateObject):
+        (JSC::ScriptExecutable::ensureTemplateObjectMapImpl):
+        (JSC::ScriptExecutable::ensureTemplateObjectMap):
+        * runtime/ScriptExecutable.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::functionCreateBuiltin):
+        (JSC::functionDeleteAllCodeWhenIdle):
+        (JSC::JSDollarVM::finishCreation):
+
 2019-05-07  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result

@@ -142 +142 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result

@@ -159 +159 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN.PROMISE_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result

@@ -168 +168 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result

@@ -283 +283 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN.PROTOTYPE_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result

@@ -140 +140 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result

@@ -213 +213 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTINCONSTRUCTOR_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result

@@ -141 +141 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \
 {\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); }
 JSC_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
 #undef DEFINE_BUILTIN_GENERATOR

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result

@@ -221 +221 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().anotherGuardedInternalBuiltinBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().anotherGuardedInternalBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().anotherGuardedInternalBuiltinBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().anotherGuardedInternalBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_ANOTHERGUARDEDINTERNALBUILTIN_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result

@@ -191 +191 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().arbitraryConditionalGuardBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().arbitraryConditionalGuardBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().arbitraryConditionalGuardBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().arbitraryConditionalGuardBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_ARBITRARYCONDITIONALGUARD_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result

@@ -191 +191 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().guardedBuiltinBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().guardedBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().guardedBuiltinBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().guardedBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_GUARDEDBUILTIN_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result

@@ -223 +223 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().guardedInternalBuiltinBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().guardedInternalBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().guardedInternalBuiltinBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().guardedInternalBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_GUARDEDINTERNALBUILTIN_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result

@@ -185 +185 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().unguardedBuiltinBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().unguardedBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().unguardedBuiltinBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().unguardedBuiltinBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_UNGUARDEDBUILTIN_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result

@@ -276 +276 @@
 {\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \
-    return clientData->builtinFunctions().xmlCasingTestBuiltins().codeName##Executable()->link(vm, clientData->builtinFunctions().xmlCasingTestBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return clientData->builtinFunctions().xmlCasingTestBuiltins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().xmlCasingTestBuiltins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 WEBCORE_FOREACH_XMLCASINGTEST_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py

@@ -86 +86 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \\
 {\\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 ${macroPrefix}_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
@@ -97 +97 @@
 JSC::FunctionExecutable* codeName##Generator(JSC::VM& vm) \\
 {\\
-    return vm.builtinExecutables()->codeName##Executable()->link(vm, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
+    return vm.builtinExecutables()->codeName##Executable()->link(vm, nullptr, vm.builtinExecutables()->codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \
 }
 ${macroPrefix}_FOREACH_${objectMacro}_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
@@ -109 +109 @@
 {\\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \\
-    return clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Executable()->link(vm, clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \\
+    return clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \\
 }
 ${macroPrefix}_FOREACH_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)
@@ -121 +121 @@
 {\\
     JSVMClientData* clientData = static_cast<JSVMClientData*>(vm.clientData); \\
-    return clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Executable()->link(vm, clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \\
+    return clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Executable()->link(vm, nullptr, clientData->builtinFunctions().${objectNameLC}Builtins().codeName##Source(), WTF::nullopt, s_##codeName##Intrinsic); \\
 }
 ${macroPrefix}_FOREACH_${objectMacro}_BUILTIN_CODE(DEFINE_BUILTIN_GENERATOR)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -396 +396 @@
         vm.functionHasExecutedCache()->removeUnexecutedRange(ownerExecutable->sourceID(), ownerExecutable->typeProfilingStartOffset(vm), ownerExecutable->typeProfilingEndOffset(vm));
 
-    setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation());
+    ScriptExecutable* topLevelExecutable = ownerExecutable->topLevelExecutable();
+    setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation(), topLevelExecutable);
     RETURN_IF_EXCEPTION(throwScope, false);
 
@@ -422 +423 @@
         if (shouldUpdateFunctionHasExecutedCache)
             vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionDecls[i].set(vm, this, unlinkedExecutable->link(vm, ownerExecutable->source()));
+        m_functionDecls[i].set(vm, this, unlinkedExecutable->link(vm, topLevelExecutable, ownerExecutable->source()));
     }
 
@@ -430 +431 @@
         if (shouldUpdateFunctionHasExecutedCache)
             vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionExprs[i].set(vm, this, unlinkedExecutable->link(vm, ownerExecutable->source()));
+        m_functionExprs[i].set(vm, this, unlinkedExecutable->link(vm, topLevelExecutable, ownerExecutable->source()));
     }
 
@@ -871 +872 @@
 }
 
-void CodeBlock::setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation)
+void CodeBlock::setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation, ScriptExecutable* topLevelExecutable)
 {
     VM& vm = *m_vm;
@@ -899 +900 @@
                     constant = clone;
                 } else if (auto* descriptor = jsDynamicCast<JSTemplateObjectDescriptor*>(vm, cell)) {
-                    auto* templateObject = descriptor->createTemplateObject(exec);
+                    auto* templateObject = topLevelExecutable->createTemplateObject(exec, descriptor);
                     RETURN_IF_EXCEPTION(scope, void());
                     constant = templateObject;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -912 +912 @@
     void setConstantIdentifierSetRegisters(VM&, const Vector<ConstantIdentifierSetEntry>& constants);
 
-    void setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation);
+    void setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation, ScriptExecutable* topLevelExecutable);
 
     void replaceConstant(int index, JSValue value)

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp

@@ -159 +159 @@
 }
 
-FunctionExecutable* UnlinkedFunctionExecutable::link(VM& vm, const SourceCode& passedParentSource, Optional<int> overrideLineNumber, Intrinsic intrinsic)
+FunctionExecutable* UnlinkedFunctionExecutable::link(VM& vm, ScriptExecutable* topLevelExecutable, const SourceCode& passedParentSource, Optional<int> overrideLineNumber, Intrinsic intrinsic)
 {
     SourceCode source = linkedSourceCode(passedParentSource);
@@ -167 +167 @@
         hasFunctionOverride = FunctionOverrides::initializeOverrideFor(source, overrideInfo);
 
-    FunctionExecutable* result = FunctionExecutable::create(vm, source, this, intrinsic);
+    FunctionExecutable* result = FunctionExecutable::create(vm, topLevelExecutable, source, this, intrinsic);
     if (overrideLineNumber)
         result->setOverrideLineNumber(*overrideLineNumber);

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h

@@ -127 +127 @@
 
     SourceCode linkedSourceCode(const SourceCode&) const;
-    JS_EXPORT_PRIVATE FunctionExecutable* link(VM&, const SourceCode& parentSource, Optional<int> overrideLineNumber = WTF::nullopt, Intrinsic = NoIntrinsic);
+    JS_EXPORT_PRIVATE FunctionExecutable* link(VM&, ScriptExecutable* topLevelExecutable, const SourceCode& parentSource, Optional<int> overrideLineNumber = WTF::nullopt, Intrinsic = NoIntrinsic);
 
     void clearCode(VM& vm)

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2949 +2949 @@
 }
 
-RegisterID* BytecodeGenerator::addTemplateObjectConstant(Ref<TemplateObjectDescriptor>&& descriptor)
-{
-    JSTemplateObjectDescriptor* descriptorValue = m_templateObjectDescriptorMap.ensure(descriptor.copyRef(), [&] {
-        return JSTemplateObjectDescriptor::create(*vm(), WTFMove(descriptor));
+RegisterID* BytecodeGenerator::addTemplateObjectConstant(Ref<TemplateObjectDescriptor>&& descriptor, int endOffset)
+{
+    auto result = m_templateObjectDescriptorSet.add(WTFMove(descriptor));
+    JSTemplateObjectDescriptor* descriptorValue = m_templateDescriptorMap.ensure(endOffset, [&] {
+        return JSTemplateObjectDescriptor::create(*vm(), result.iterator->copyRef(), endOffset);
     }).iterator->value;
-
     int index = addConstantIndex();
     m_codeBlock->addConstant(descriptorValue);
@@ -4142 +4142 @@
             cookedStrings.append(string->cooked()->impl());
     }
-    RefPtr<RegisterID> constant = addTemplateObjectConstant(TemplateObjectDescriptor::create(WTFMove(rawStrings), WTFMove(cookedStrings)));
+    RefPtr<RegisterID> constant = addTemplateObjectConstant(TemplateObjectDescriptor::create(WTFMove(rawStrings), WTFMove(cookedStrings)), taggedTemplate->endOffset());
     if (!dst)
         return constant.get();

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -1061 +1061 @@
         using IdentifierStringMap = HashMap<UniquedStringImpl*, JSString*, IdentifierRepHash>;
         using IdentifierBigIntMap = HashMap<BigIntMapEntry, JSBigInt*>;
-        using TemplateObjectDescriptorMap = HashMap<Ref<TemplateObjectDescriptor>, JSTemplateObjectDescriptor*>;
+        using TemplateObjectDescriptorSet = HashSet<Ref<TemplateObjectDescriptor>>;
+        using TemplateDescriptorMap = HashMap<uint64_t, JSTemplateObjectDescriptor*, WTF::IntHash<uint64_t>, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>>;
 
         // Helper for emitCall() and emitConstruct(). This works because the set of
@@ -1153 +1154 @@
         JSString* addStringConstant(const Identifier&);
         JSValue addBigIntConstant(const Identifier&, uint8_t radix, bool sign);
-        RegisterID* addTemplateObjectConstant(Ref<TemplateObjectDescriptor>&&);
+        RegisterID* addTemplateObjectConstant(Ref<TemplateObjectDescriptor>&&, int);
 
         const InstructionStream& instructions() const { return m_writer; }
@@ -1271 +1272 @@
         IdentifierStringMap m_stringMap;
         IdentifierBigIntMap m_bigIntMap;
-        TemplateObjectDescriptorMap m_templateObjectDescriptorMap;
+        TemplateObjectDescriptorSet m_templateObjectDescriptorSet;
+        TemplateDescriptorMap m_templateDescriptorMap;
 
         StaticPropertyAnalyzer m_staticPropertyAnalyzer;

trunk/Source/JavaScriptCore/parser/ASTBuilder.h

@@ -332 +332 @@
         auto node = new (m_parserArena) TaggedTemplateNode(location, base, templateLiteral);
         setExceptionLocation(node, start, divot, end);
+        setEndOffset(node, end.offset);
         return node;
     }

trunk/Source/JavaScriptCore/runtime/CachedTypes.cpp

@@ -1153 +1153 @@
 class CachedTemplateObjectDescriptor : public CachedObject<TemplateObjectDescriptor> {
 public:
-    void encode(Encoder& encoder, const TemplateObjectDescriptor& templateObjectDescriptor)
-    {
-        m_rawStrings.encode(encoder, templateObjectDescriptor.rawStrings());
-        m_cookedStrings.encode(encoder, templateObjectDescriptor.cookedStrings());
-    }
-
-    Ref<TemplateObjectDescriptor> decode(Decoder& decoder) const
+    void encode(Encoder& encoder, const JSTemplateObjectDescriptor& descriptor)
+    {
+        m_rawStrings.encode(encoder, descriptor.descriptor().rawStrings());
+        m_cookedStrings.encode(encoder, descriptor.descriptor().cookedStrings());
+        m_endOffset = descriptor.endOffset();
+    }
+
+    JSTemplateObjectDescriptor* decode(Decoder& decoder) const
     {
         TemplateObjectDescriptor::StringVector decodedRawStrings;
@@ -1165 +1166 @@
         m_rawStrings.decode(decoder, decodedRawStrings);
         m_cookedStrings.decode(decoder, decodedCookedStrings);
-        return TemplateObjectDescriptor::create(WTFMove(decodedRawStrings), WTFMove(decodedCookedStrings));
+        return JSTemplateObjectDescriptor::create(decoder.vm(), TemplateObjectDescriptor::create(WTFMove(decodedRawStrings), WTFMove(decodedCookedStrings)), m_endOffset);
     }
 
@@ -1171 +1172 @@
     CachedVector<CachedString, 4> m_rawStrings;
     CachedVector<CachedOptional<CachedString>, 4> m_cookedStrings;
+    int m_endOffset;
 };
 
@@ -1244 +1246 @@
         if (auto* templateObjectDescriptor = jsDynamicCast<JSTemplateObjectDescriptor*>(vm, cell)) {
             m_type = EncodedType::TemplateObjectDescriptor;
-            this->allocate<CachedTemplateObjectDescriptor>(encoder)->encode(encoder, templateObjectDescriptor->descriptor());
+            this->allocate<CachedTemplateObjectDescriptor>(encoder)->encode(encoder, *templateObjectDescriptor);
             return;
         }
@@ -1279 +1281 @@
             break;
         case EncodedType::TemplateObjectDescriptor:
-            v = JSTemplateObjectDescriptor::create(decoder.vm(), this->buffer<CachedTemplateObjectDescriptor>()->decode(decoder));
+            v = this->buffer<CachedTemplateObjectDescriptor>()->decode(decoder);
             break;
         case EncodedType::BigInt:

trunk/Source/JavaScriptCore/runtime/EvalExecutable.cpp

@@ -45 +45 @@
 }
 
+auto EvalExecutable::ensureTemplateObjectMap(VM&) -> TemplateObjectMap&
+{
+    return ensureTemplateObjectMapImpl(m_templateObjectMap);
+}
+
 void EvalExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
@@ -52 +57 @@
     visitor.append(thisObject->m_unlinkedEvalCodeBlock);
     visitor.append(thisObject->m_evalCodeBlock);
+    if (TemplateObjectMap* map = thisObject->m_templateObjectMap.get()) {
+        auto locker = holdLock(thisObject->cellLock());
+        for (auto& entry : *map)
+            visitor.append(entry.value);
+    }
 }
 

trunk/Source/JavaScriptCore/runtime/EvalExecutable.h

@@ -70 +70 @@
     bool allowDirectEvalCache() const { return m_unlinkedEvalCodeBlock->allowDirectEvalCache(); }
 
+    TemplateObjectMap& ensureTemplateObjectMap(VM&);
+
 protected:
     friend class ExecutableBase;
@@ -81 +83 @@
     WriteBarrier<ExecutableToCodeBlockEdge> m_evalCodeBlock;
     WriteBarrier<UnlinkedEvalCodeBlock> m_unlinkedEvalCodeBlock;
+    std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
 };
 

trunk/Source/JavaScriptCore/runtime/FunctionExecutable.cpp

@@ -55 +55 @@
 }
 
-void FunctionExecutable::finishCreation(VM& vm)
+void FunctionExecutable::finishCreation(VM& vm, ScriptExecutable* topLevelExecutable)
 {
     Base::finishCreation(vm);
+    m_topLevelExecutable.set(vm, this, topLevelExecutable ? topLevelExecutable : this);
     if (VM::canUseJIT())
         m_singletonFunction.set(vm, this, InferredValue::create(vm));
@@ -86 +87 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
+    visitor.append(thisObject->m_topLevelExecutable);
     visitor.append(thisObject->m_codeBlockForCall);
     visitor.append(thisObject->m_codeBlockForConstruct);
@@ -91 +93 @@
     if (VM::canUseJIT())
         visitor.append(thisObject->m_singletonFunction);
-    visitor.append(thisObject->m_cachedPolyProtoStructure);
+    if (RareData* rareData = thisObject->m_rareData.get()) {
+        visitor.append(rareData->m_cachedPolyProtoStructure);
+        if (TemplateObjectMap* map = rareData->m_templateObjectMap.get()) {
+            auto locker = holdLock(thisObject->cellLock());
+            for (auto& entry : *map)
+                visitor.append(entry.value);
+        }
+    }
 }
 
@@ -104 +113 @@
         return nullptr;
 
-    return unlinkedExecutable->link(exec.vm(), source, overrideLineNumber);
+    return unlinkedExecutable->link(exec.vm(), nullptr, source, overrideLineNumber);
 }
 
@@ -116 +125 @@
     rareData->m_typeProfilingStartOffset = typeProfilingStartOffset();
     rareData->m_typeProfilingEndOffset = typeProfilingEndOffset();
+    WTF::storeStoreFence();
     m_rareData = WTFMove(rareData);
     return *m_rareData;
@@ -131 +141 @@
 }
 
+auto FunctionExecutable::ensureTemplateObjectMap(VM&) -> TemplateObjectMap&
+{
+    RareData& rareData = ensureRareData();
+    return ensureTemplateObjectMapImpl(rareData.m_templateObjectMap);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h

@@ -49 +49 @@
     }
 
-    static FunctionExecutable* create(VM& vm, const SourceCode& source, UnlinkedFunctionExecutable* unlinkedExecutable, Intrinsic intrinsic)
+    static FunctionExecutable* create(VM& vm, ScriptExecutable* topLevelExecutable, const SourceCode& source, UnlinkedFunctionExecutable* unlinkedExecutable, Intrinsic intrinsic)
     {
         FunctionExecutable* executable = new (NotNull, allocateCell<FunctionExecutable>(vm.heap)) FunctionExecutable(vm, source, unlinkedExecutable, intrinsic);
-        executable->finishCreation(vm);
+        executable->finishCreation(vm, topLevelExecutable);
         return executable;
     }
@@ -283 +283 @@
 
     // Cached poly proto structure for the result of constructing this executable.
-    Structure* cachedPolyProtoStructure() { return m_cachedPolyProtoStructure.get(); }
-    void setCachedPolyProtoStructure(VM& vm, Structure* structure) { m_cachedPolyProtoStructure.set(vm, this, structure); }
+    Structure* cachedPolyProtoStructure()
+    {
+        if (UNLIKELY(m_rareData))
+            return m_rareData->m_cachedPolyProtoStructure.get();
+        return nullptr;
+    }
+    void setCachedPolyProtoStructure(VM& vm, Structure* structure)
+    {
+        ensureRareData().m_cachedPolyProtoStructure.set(vm, this, structure);
+    }
 
     InlineWatchpointSet& ensurePolyProtoWatchpoint()
@@ -294 +302 @@
 
     Box<InlineWatchpointSet> sharedPolyProtoWatchpoint() const { return m_polyProtoWatchpoint; }
+
+    ScriptExecutable* topLevelExecutable() const { return m_topLevelExecutable.get(); }
+
+    TemplateObjectMap& ensureTemplateObjectMap(VM&);
 
 private:
@@ -299 +311 @@
     FunctionExecutable(VM&, const SourceCode&, UnlinkedFunctionExecutable*, Intrinsic);
     
-    void finishCreation(VM&);
+    void finishCreation(VM&, ScriptExecutable* topLevelExecutable);
 
     friend class ScriptExecutable;
@@ -312 +324 @@
         unsigned m_typeProfilingStartOffset { UINT_MAX };
         unsigned m_typeProfilingEndOffset { UINT_MAX };
+        std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
+        WriteBarrier<Structure> m_cachedPolyProtoStructure;
     };
 
@@ -322 +336 @@
     RareData& ensureRareDataSlow();
 
+    // FIXME: We can merge rareData pointer and top-level executable pointer. First time, setting parent.
+    // If RareData is required, materialize RareData, swap it, and store top-level executable pointer inside RareData.
+    // https://bugs.webkit.org/show_bug.cgi?id=197625
     std::unique_ptr<RareData> m_rareData;
+    WriteBarrier<ScriptExecutable> m_topLevelExecutable;
     WriteBarrier<UnlinkedFunctionExecutable> m_unlinkedExecutable;
     WriteBarrier<ExecutableToCodeBlockEdge> m_codeBlockForCall;
@@ -330 +348 @@
         WatchpointState m_singletonFunctionState;
     };
-    WriteBarrier<Structure> m_cachedPolyProtoStructure;
     Box<InlineWatchpointSet> m_polyProtoWatchpoint;
 };

trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp

@@ -201 +201 @@
                     unlinkedFunctionExecutable->typeProfilingEndOffset());
             }
-            JSFunction* function = JSFunction::create(vm, unlinkedFunctionExecutable->link(vm, moduleProgramExecutable->source()), moduleEnvironment);
+            JSFunction* function = JSFunction::create(vm, unlinkedFunctionExecutable->link(vm, moduleProgramExecutable, moduleProgramExecutable->source()), moduleEnvironment);
             bool putResult = false;
             symbolTablePutTouchWatchpointSet(moduleEnvironment, exec, unlinkedFunctionExecutable->name(), function, /* shouldThrowReadOnlyError */ false, /* ignoreReadOnlyErrors */ true, putResult);

trunk/Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.cpp

@@ -37 +37 @@
 
 
-JSTemplateObjectDescriptor::JSTemplateObjectDescriptor(VM& vm, Ref<TemplateObjectDescriptor>&& descriptor)
+JSTemplateObjectDescriptor::JSTemplateObjectDescriptor(VM& vm, Ref<TemplateObjectDescriptor>&& descriptor, int endOffset)
     : Base(vm, vm.templateObjectDescriptorStructure.get())
     , m_descriptor(WTFMove(descriptor))
+    , m_endOffset(endOffset)
 {
 }
 
-JSTemplateObjectDescriptor* JSTemplateObjectDescriptor::create(VM& vm, Ref<TemplateObjectDescriptor>&& descriptor)
+JSTemplateObjectDescriptor* JSTemplateObjectDescriptor::create(VM& vm, Ref<TemplateObjectDescriptor>&& descriptor, int endOffset)
 {
-    JSTemplateObjectDescriptor* result = new (NotNull, allocateCell<JSTemplateObjectDescriptor>(vm.heap)) JSTemplateObjectDescriptor(vm, WTFMove(descriptor));
+    JSTemplateObjectDescriptor* result = new (NotNull, allocateCell<JSTemplateObjectDescriptor>(vm.heap)) JSTemplateObjectDescriptor(vm, WTFMove(descriptor), endOffset);
     result->finishCreation(vm);
     return result;

trunk/Source/JavaScriptCore/runtime/JSTemplateObjectDescriptor.h

@@ -39 +39 @@
     DECLARE_INFO;
 
-    static JSTemplateObjectDescriptor* create(VM&, Ref<TemplateObjectDescriptor>&&);
+    static JSTemplateObjectDescriptor* create(VM&, Ref<TemplateObjectDescriptor>&&, int);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
@@ -50 +50 @@
     JSArray* createTemplateObject(ExecState*);
 
+    int endOffset() const { return m_endOffset; }
+
 protected:
     static void destroy(JSCell*);
 
 private:
-    JSTemplateObjectDescriptor(VM&, Ref<TemplateObjectDescriptor>&&);
+    JSTemplateObjectDescriptor(VM&, Ref<TemplateObjectDescriptor>&&, int);
 
     Ref<TemplateObjectDescriptor> m_descriptor;
+    int m_endOffset { 0 };
 };
 

trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp

@@ -86 +86 @@
 }
 
+auto ModuleProgramExecutable::ensureTemplateObjectMap(VM&) -> TemplateObjectMap&
+{
+    return ensureTemplateObjectMapImpl(m_templateObjectMap);
+}
+
 void ModuleProgramExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
@@ -94 +99 @@
     visitor.append(thisObject->m_moduleEnvironmentSymbolTable);
     visitor.append(thisObject->m_moduleProgramCodeBlock);
+    if (TemplateObjectMap* map = thisObject->m_templateObjectMap.get()) {
+        auto locker = holdLock(thisObject->cellLock());
+        for (auto& entry : *map)
+            visitor.append(entry.value);
+    }
 }
 

trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h

@@ -70 +70 @@
     SymbolTable* moduleEnvironmentSymbolTable() { return m_moduleEnvironmentSymbolTable.get(); }
 
+    TemplateObjectMap& ensureTemplateObjectMap(VM&);
+
 private:
     friend class ExecutableBase;
@@ -81 +83 @@
     WriteBarrier<SymbolTable> m_moduleEnvironmentSymbolTable;
     WriteBarrier<ExecutableToCodeBlockEdge> m_moduleProgramCodeBlock;
+    std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
 };
 

trunk/Source/JavaScriptCore/runtime/ProgramExecutable.cpp

@@ -217 +217 @@
 }
 
+auto ProgramExecutable::ensureTemplateObjectMap(VM&) -> TemplateObjectMap&
+{
+    return ensureTemplateObjectMapImpl(m_templateObjectMap);
+}
+
 void ProgramExecutable::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
@@ -224 +229 @@
     visitor.append(thisObject->m_unlinkedProgramCodeBlock);
     visitor.append(thisObject->m_programCodeBlock);
+    if (TemplateObjectMap* map = thisObject->m_templateObjectMap.get()) {
+        auto locker = holdLock(thisObject->cellLock());
+        for (auto& entry : *map)
+            visitor.append(entry.value);
+    }
 }
 

trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h

@@ -74 +74 @@
     ExecutableInfo executableInfo() const { return ExecutableInfo(usesEval(), isStrictMode(), false, false, ConstructorKind::None, JSParserScriptMode::Classic, SuperBinding::NotNeeded, SourceParseMode::ProgramMode, derivedContextType(), isArrowFunctionContext(), false, EvalContextType::None); }
 
+    TemplateObjectMap& ensureTemplateObjectMap(VM&);
+
 private:
     friend class ExecutableBase;
@@ -84 +86 @@
     WriteBarrier<UnlinkedProgramCodeBlock> m_unlinkedProgramCodeBlock;
     WriteBarrier<ExecutableToCodeBlockEdge> m_programCodeBlock;
+    std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
 };
 

trunk/Source/JavaScriptCore/runtime/ScriptExecutable.cpp

@@ -35 +35 @@
 #include "JIT.h"
 #include "JSCInlines.h"
+#include "JSTemplateObjectDescriptor.h"
 #include "LLIntEntrypoint.h"
 #include "ModuleProgramCodeBlock.h"
@@ -436 +437 @@
 }
 
+ScriptExecutable* ScriptExecutable::topLevelExecutable()
+{
+    switch (type()) {
+    case FunctionExecutableType:
+        return jsCast<FunctionExecutable*>(this)->topLevelExecutable();
+    default:
+        return this;
+    }
+}
+
+JSArray* ScriptExecutable::createTemplateObject(ExecState* exec, JSTemplateObjectDescriptor* descriptor)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    TemplateObjectMap& templateObjectMap = ensureTemplateObjectMap(vm);
+    TemplateObjectMap::AddResult result;
+    {
+        auto locker = holdLock(cellLock());
+        result = templateObjectMap.add(descriptor->endOffset(), WriteBarrier<JSArray>());
+    }
+    if (JSArray* array = result.iterator->value.get())
+        return array;
+    JSArray* templateObject = descriptor->createTemplateObject(exec);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    result.iterator->value.set(vm, this, templateObject);
+    return templateObject;
+}
+
+auto ScriptExecutable::ensureTemplateObjectMapImpl(std::unique_ptr<TemplateObjectMap>& dest) -> TemplateObjectMap&
+{
+    if (dest)
+        return *dest;
+    auto result = std::make_unique<TemplateObjectMap>();
+    WTF::storeStoreFence();
+    dest = WTFMove(result);
+    return *dest;
+}
+
+auto ScriptExecutable::ensureTemplateObjectMap(VM& vm) -> TemplateObjectMap&
+{
+    switch (type()) {
+    case FunctionExecutableType:
+        return static_cast<FunctionExecutable*>(this)->ensureTemplateObjectMap(vm);
+    case EvalExecutableType:
+        return static_cast<EvalExecutable*>(this)->ensureTemplateObjectMap(vm);
+    case ProgramExecutableType:
+        return static_cast<ProgramExecutable*>(this)->ensureTemplateObjectMap(vm);
+    case ModuleProgramExecutableType:
+    default:
+        ASSERT(type() == ModuleProgramExecutableType);
+        return static_cast<ModuleProgramExecutable*>(this)->ensureTemplateObjectMap(vm);
+    }
+}
+
 CodeBlockHash ScriptExecutable::hashFor(CodeSpecializationKind kind) const
 {

trunk/Source/JavaScriptCore/runtime/ScriptExecutable.h

@@ -30 +30 @@
 namespace JSC {
 
+class JSArray;
+class JSTemplateObjectDescriptor;
 class IsoCellSet;
 
@@ -38 +40 @@
 
     static void destroy(JSCell*);
+
+    using TemplateObjectMap = HashMap<uint64_t, WriteBarrier<JSArray>, WTF::IntHash<uint64_t>, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>>;
         
     CodeBlockHash hashFor(CodeSpecializationKind) const;
@@ -113 +117 @@
     Exception* prepareForExecution(VM&, JSFunction*, JSScope*, CodeSpecializationKind, CodeBlock*& resultCodeBlock);
 
+    ScriptExecutable* topLevelExecutable();
+    JSArray* createTemplateObject(ExecState*, JSTemplateObjectDescriptor*);
+
 private:
     friend class ExecutableBase;
@@ -118 +125 @@
 
     bool hasClearableCode(VM&) const;
+
+    TemplateObjectMap& ensureTemplateObjectMap(VM&);
 
 protected:
@@ -138 +147 @@
     }
 
+    static TemplateObjectMap& ensureTemplateObjectMapImpl(std::unique_ptr<TemplateObjectMap>& dest);
+
     SourceCode m_source;
     Intrinsic m_intrinsic { NoIntrinsic };

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -1847 +1847 @@
 
     const SourceCode& source = makeSource(functionText, { });
-    JSFunction* func = JSFunction::create(vm, createBuiltinExecutable(vm, source, Identifier::fromString(&vm, "foo"), ConstructorKind::None, ConstructAbility::CannotConstruct)->link(vm, source), exec->lexicalGlobalObject());
+    JSFunction* func = JSFunction::create(vm, createBuiltinExecutable(vm, source, Identifier::fromString(&vm, "foo"), ConstructorKind::None, ConstructAbility::CannotConstruct)->link(vm, nullptr, source), exec->lexicalGlobalObject());
 
     return JSValue::encode(func);
@@ -2086 +2086 @@
 {
     return changeDebuggerModeWhenIdle(exec, { });
+}
+
+static EncodedJSValue JSC_HOST_CALL functionDeleteAllCodeWhenIdle(ExecState* exec)
+{
+    VM* vm = &exec->vm();
+    vm->whenIdle([=] () {
+        vm->deleteAllCode(PreventCollectionAndDeleteAllCode);
+    });
+    return JSValue::encode(jsUndefined());
 }
 
@@ -2277 +2286 @@
     addFunction(vm, "disableDebuggerModeWhenIdle", functionDisableDebuggerModeWhenIdle, 0);
 
+    addFunction(vm, "deleteAllCodeWhenIdle", functionDeleteAllCodeWhenIdle, 0);
+
     addFunction(vm, "globalObjectCount", functionGlobalObjectCount, 0);
     addFunction(vm, "globalObjectForObject", functionGlobalObjectForObject, 1);