02f68e993d88ba34903290eafa5d7d3272a05693
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>

        Silence GCC warning spam introduced in r205462

        Rubber-stamped by Filip Pizlo.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Heap::isMarked() should use concurrent lazy flipping
        https://bugs.webkit.org/show_bug.cgi?id=161613

        Reviewed by Michael Catanzaro.

        I found out about this race condition via
        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
        phase. So, they need to lazy-flip in a non-racy way.

        * heap/HeapInlines.h:
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, reset generator test results after the butterflies.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * bytecode/SuperSampler.cpp:

2016-08-31  Filip Pizlo  <fpizlo@apple.com>

        Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
        https://bugs.webkit.org/show_bug.cgi?id=160125

        Reviewed by Geoffrey Garen and Keith Miller.

        In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
        copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
        from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
        fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
        to get rid of copied space. This change moves copied space's biggest client over to marked
        space.

        Moving butterflies to marked space means having them use the new Auxiliary HeapCell
        allocation path. This is a fairly mechanical change, but it caused performance regressions
        everywhere, so this change also fixes MarkedSpace's performance issues.

        At a high level the mechanical changes are:

        - We use AuxiliaryBarrier instead of CopyBarrier.

        - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
          CheckedBoolean stuff, since it's so much more trouble than it's worth.

        - The JITs have to emit inlined marked space allocations instead of inline copy space
          allocations.

        - Everyone has to get used to zeroing their butterflies after allocation instead of relying
          on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
          space doesn't.

        That's about 1/3 of this change. But this led to performance problems, which I fixed with
        optimizations that amounted to a major MarkedSpace rewrite:

        - MarkedSpace always causes internal fragmentation for array allocations because the vector
          length we choose when we resize usually leads to a cell size that doesn't correspond to any
          size class. I got around this by making array allocations usually round up vectorLength to
          the maximum allowed by the size class that we would have allocated in. Also,
          ensureLengthSlow() and friends first make sure that the requested length can't just be
          fulfilled with the current allocation size. This safeguard means that not every array
          allocation has to do size class queries. For example, the fast path of new Array(length)
          never does any size class queries, under the assumption that (1) the speed gained from
          avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
          size class query, is too small to offset the speed lost by doing the query on every
          allocation and (2) new Array(length) is a pretty good hint that resizing is not very
          likely.

        - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
          changes MarkedSpace size classes to use a linear progression for very small sizes followed
          by a geometric progression that naturally transitions to a hyperbolic progression. We want
          hyperbolic sizes when we get close to blockSize: for example the largest size we want is
          payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
          next size down should be payloadSize / 3 rounded down, and so on. After the last precise
          size (80 bytes), we proceed using a geometric progression, but round up each size to
          minimize slop at the end of the block. This naturally causes the geometric progression to
          turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
          it can be controlled with runtime options. I found that a base of 1.4 works pretty well.

        - Large allocations caused massive internal fragmentation, since the smallest large
          allocation had to use exactly blockSize, and the largest small allocation used
          blockSize / 2. The next size up - the first large allocation size to require two blocks -
          also had 50% internal fragmentation. This is because we required large allocations to be
          blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
          that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
          owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
          a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
          Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
          out great since (1) typed arrays won't use large allocations anyway since they have their
          own malloc fallback and (2) large array butterflies already have an 8 byte header, which
          means that the 8 byte base misalignment aligns the large array payload on a 16 byte
          boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
          rare as possible; for example, ExecState::vm() skips the check because we know that callees
          must be small allocations. It's also possible to use template tricks to do one check for
          cell container kind, and then invoke a function specialized for MarkedBlock or a function
          specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
          that get used from functions that are template-specialized like this. That's mostly to
          speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
          directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
          allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
          HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
          cutoff for large allocations is runtime-configurable, so long as you don't choose something
          so small that callees end up large. I found that 400 bytes is roughly optimal. This means
          that the MarkedBlock size classes end up being:

          16, 32, 48, 64, 80, 112, 160, 224, 320

          The next size class would have been 432, but that's above the 400 byte cutoff. All of this
          is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
          size classes you end up with by doing --dumpSizeClasses=true.

        - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
          of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
          lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
          MarkedBlocks because the list that contains the interesting meta-data is allocated on the
          side, for better locality during a sequential walk. It's no longer necessary to scan
          MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
          maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
          bits because we now use versioned mark bits: to clear them, just increment the 64-bit
          heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
          because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
          the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
          together, these optimizations allowed me to reduce block size to 16KB without losing much
          performance. There is some small perf loss on JetStream/splay, but not enough to hurt
          JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
          progression on membuster. That's not possible yet, since there is still enough per-block
          overhead that such a reduction hurts JetStream too much. I filed a bug about improving
          this further: https://bugs.webkit.org/show_bug.cgi?id=161581.

        - Even after all of that, copying butterflies was still faster because it allowed us to skip
          sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
          so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
          larger than O(live), especially in an eden collection. Copying satisfies this premise while
          mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
          MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
          that we walk the block to build a free list. This means walking dead space. The new
          allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
          The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
          pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
          we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
          quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
          is completely empty, which is the common case because of the generational hypothesis: the
          number of objects that survive an eden collection is a tiny fraction of the number of
          objects that had been allocated, and this fraction is so small that there are typically
          fewer than one survivor per MarkedBlock. This change was enough to make this change a net
          win over tip-of-tree.

        - FTL now shares the same allocation fast paths as everything else, which is great, because
          bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
          control flow, since it won't be able to improve the machine code we write ourselves. GC
          fast paths are best written in assembly. So, I've empowered B3 to have even better support
          for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
          So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
          AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
          size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
          ability to constant-fold some allocator logic (in case we first assume that we're doing a
          variable-length allocation but then realize that the length is known). I think it makes
          sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
          since this makes lowering easier (you can constant fold during lowering more easily) and it
          reduces the amount of malloc traffic. In the future, we could teach B3 how to better
          constant-fold this code. That would require allowing loads to be constant-folded, which is
          doable but hella tricky.

        - It used to be that if a logical object allocation required two physical allocations (first
          the butterfly and then the cell), then the JIT would emit the code in such a way that a
          failure in the second fast path would cause us to forget the successful first physical
          allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
          register to storing either the butterfly or null, because the butterfly register is anyway
          going to be free inside the first allocation. The only overhead here is zeroing the
          butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
          path, which can then either allocate a butterfly or not. So now we never waste a successful
          allocation. This patch implements such a solution both in DFG (where it's easy to do this
          since we control registers already) and in FTL (where it's annoying, because mutable
          "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
          that duplicated the JSArray allocation utility, so I deduplicated it). This came up because
          in one version of this patch, this wastage would resonate with some Kraken benchmark: the
          benchmark would always allocate N small things followed by one bigger thing. The problem
          was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
          the JSObject size class, which both the small and big thing shared for their cell, could
          hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
          it allocated the big thing. So, it would end up having to allocate the big thing's large
          butterfly twice, every single time! Ouch!

        - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
          amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
          of the allocator to initialize the object to whatever state they need. It used to be that
          we would just use a dumb loop. I initially changed this so that we would end up in memset
          for large allocations, but this didn't actually help performance that much. I got a much
          better result by playing with different memsets written in assembly. First I wrote one
          using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
          "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
          allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
          memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
          double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
          of stores (if the size is known), but those paths in the JIT won't trigger for
          NewArrayWithSize() if the size is large, since that takes us to the
          operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
          optimizations here are all in JSArray::create() - that's the hot place for large arrays
          that need to be filled with holes.

        All of this put together gives us neutral perf on JetStream, membuster, and PLT3, a ~1%
        regression on Speedometer, and up to a 4% regression on Kraken. The Kraken regression is
        because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
        best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
        difference, but take the hit for now because it's a crazy corner case. By comparison, the
        alternative approach of using a copy barrier would have cost us 1-2%. That's the real
        apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
        finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
        marking barrier and we simply won't need a copying barrier. This change gets us there for
        the purposes of our benchmarks, since the remaining clients of copied space are not very
        important. On the other hand, if we keep copying, then getting barrier-ready would mean
        adding back the copy barrier, which costs more perf.

        We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
        typed arrays and a few other weird things over to Aux MarkedSpace.

        This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
        and CellContainer meant that I had to include those files from everywhere. Fortunately,
        just including JSCInlines.h (instead of manually including the files that it includes) is
        usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
        that we were already basically doing. In places where JSCInlines.h would be too much, I just
        included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
        JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
        meant having to manually include HeapInlines.h from the places that previously got it
        implicitly via JSObject.h. But that led to more problems for some reason: I started getting
        build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
        since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
        made it impossible to include it from outside JSC. This was a lot of work, but it was
        necessary to get the patch to build on all ports. It's also a net win. There were many places
        in WebCore that were transitively including a *ton* of JSC headers just because of the
        JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
        (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        * API/JSTypedArray.cpp:
        * API/ObjCCallbackFunction.mm:
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        (testWeakValue): Deleted.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::link):
        (JSC::AbstractMacroAssembler::JumpList::linkTo):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        * assembler/MacroAssemblerCodeRef.cpp: Added.
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodePtr::dumpWithName):
        (JSC::MacroAssemblerCodePtr::dump):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        (JSC::MacroAssemblerCodeRef::dump):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
        (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
        (JSC::MacroAssemblerCodePtr::dump): Deleted.
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
        (JSC::MacroAssemblerCodeRef::dump): Deleted.
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::appendBoolConstant):
        * b3/B3BasicBlock.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3StackmapGenerationParams.h:
        * b3/testb3.cpp:
        (JSC::B3::testPatchpointTerminalReturnValue):
        (JSC::B3::run):
        * bindings/ScriptValue.cpp:
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor): Deleted.
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::clearLLIntGetByIdCache):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitCodeMap): Deleted.
        (JSC::clearLLIntGetByIdCache): Deleted.
        * bytecode/ExecutionCounter.h:
        * bytecode/Instruction.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::isNull):
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/StructureStubInfo.cpp:
        * bytecode/StructureStubInfo.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::vm): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCompile.cpp:
        * ftl/FTLJITFinalizer.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::add):
        (JSC::FTL::Output::shl):
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::select):
        (JSC::FTL::Output::appendSuccessor):
        (JSC::FTL::Output::addIncomingToPhi):
        * ftl/FTLOutput.h:
        * ftl/FTLValueFromBlock.h:
        (JSC::FTL::ValueFromBlock::operator bool):
        (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
        * ftl/FTLWeightedTarget.h:
        (JSC::FTL::WeightedTarget::frequentedBlock):
        * heap/CellContainer.h: Added.
        (JSC::CellContainer::CellContainer):
        (JSC::CellContainer::operator bool):
        (JSC::CellContainer::isMarkedBlock):
        (JSC::CellContainer::isLargeAllocation):
        (JSC::CellContainer::markedBlock):
        (JSC::CellContainer::largeAllocation):
        * heap/CellContainerInlines.h: Added.
        (JSC::CellContainer::isMarked):
        (JSC::CellContainer::isMarkedOrNewlyAllocated):
        (JSC::CellContainer::noteMarked):
        (JSC::CellContainer::cellSize):
        (JSC::CellContainer::weakSet):
        (JSC::CellContainer::flipIfNecessary):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::roots):
        * heap/CopyToken.h:
        * heap/FreeList.cpp: Added.
        (JSC::FreeList::dump):
        * heap/FreeList.h: Added.
        (JSC::FreeList::FreeList):
        (JSC::FreeList::list):
        (JSC::FreeList::bump):
        (JSC::FreeList::operator==):
        (JSC::FreeList::operator!=):
        (JSC::FreeList::operator bool):
        (JSC::FreeList::allocationWillFail):
        (JSC::FreeList::allocationWillSucceed):
        * heap/GCTypeMap.h: Added.
        (JSC::GCTypeMap::operator[]):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectWithoutAnySweep):
        (JSC::Heap::collectImpl):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::prepareForMarking):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Zombify::visit):
        (JSC::Heap::forEachCodeBlockImpl):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::allocatorForAuxiliaryData):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::codeBlockSet):
        (JSC::Heap::storageAllocator): Deleted.
        * heap/HeapCell.h:
        (JSC::HeapCell::isZapped): Deleted.
        * heap/HeapCellInlines.h: Added.
        (JSC::HeapCell::isLargeAllocation):
        (JSC::HeapCell::cellContainer):
        (JSC::HeapCell::markedBlock):
        (JSC::HeapCell::largeAllocation):
        (JSC::HeapCell::heap):
        (JSC::HeapCell::vm):
        (JSC::HeapCell::cellSize):
        (JSC::HeapCell::allocatorAttributes):
        (JSC::HeapCell::destructionMode):
        (JSC::HeapCell::cellKind):
        * heap/HeapInlines.h:
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::cellSize):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::allocateAuxiliary):
        (JSC::Heap::tryAllocateAuxiliary):
        (JSC::Heap::tryReallocateAuxiliary):
        (JSC::Heap::isPointerGCObject): Deleted.
        (JSC::Heap::isValueGCObject): Deleted.
530         * heap/HeapOperation.cpp: Added.
531         (WTF::printInternal):
532         * heap/HeapOperation.h:
533         * heap/HeapUtil.h: Added.
534         (JSC::HeapUtil::findGCObjectPointersForMarking):
535         (JSC::HeapUtil::isPointerGCObjectJSCell):
536         (JSC::HeapUtil::isValueGCObject):
537         * heap/IncrementalSweeper.cpp:
538         (JSC::IncrementalSweeper::sweepNextBlock):
539         * heap/IncrementalSweeper.h:
540         * heap/LargeAllocation.cpp: Added.
541         (JSC::LargeAllocation::tryCreate):
542         (JSC::LargeAllocation::LargeAllocation):
543         (JSC::LargeAllocation::lastChanceToFinalize):
544         (JSC::LargeAllocation::shrink):
545         (JSC::LargeAllocation::visitWeakSet):
546         (JSC::LargeAllocation::reapWeakSet):
547         (JSC::LargeAllocation::flip):
548         (JSC::LargeAllocation::isEmpty):
549         (JSC::LargeAllocation::sweep):
550         (JSC::LargeAllocation::destroy):
551         (JSC::LargeAllocation::dump):
552         * heap/LargeAllocation.h: Added.
553         (JSC::LargeAllocation::fromCell):
554         (JSC::LargeAllocation::cell):
555         (JSC::LargeAllocation::isLargeAllocation):
556         (JSC::LargeAllocation::heap):
557         (JSC::LargeAllocation::vm):
558         (JSC::LargeAllocation::weakSet):
559         (JSC::LargeAllocation::clearNewlyAllocated):
560         (JSC::LargeAllocation::isNewlyAllocated):
561         (JSC::LargeAllocation::isMarked):
562         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
563         (JSC::LargeAllocation::isLive):
564         (JSC::LargeAllocation::hasValidCell):
565         (JSC::LargeAllocation::cellSize):
566         (JSC::LargeAllocation::aboveLowerBound):
567         (JSC::LargeAllocation::belowUpperBound):
568         (JSC::LargeAllocation::contains):
569         (JSC::LargeAllocation::attributes):
570         (JSC::LargeAllocation::flipIfNecessary):
571         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
572         (JSC::LargeAllocation::testAndSetMarked):
573         (JSC::LargeAllocation::setMarked):
574         (JSC::LargeAllocation::clearMarked):
575         (JSC::LargeAllocation::noteMarked):
576         (JSC::LargeAllocation::headerSize):
577         * heap/MarkedAllocator.cpp:
578         (JSC::MarkedAllocator::MarkedAllocator):
579         (JSC::MarkedAllocator::isPagedOut):
580         (JSC::MarkedAllocator::retire):
581         (JSC::MarkedAllocator::filterNextBlock):
582         (JSC::MarkedAllocator::setNextBlockToSweep):
583         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
584         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
585         (JSC::MarkedAllocator::allocateSlowCase):
586         (JSC::MarkedAllocator::tryAllocateSlowCase):
587         (JSC::MarkedAllocator::allocateSlowCaseImpl):
588         (JSC::blockHeaderSize):
589         (JSC::MarkedAllocator::blockSizeForBytes):
590         (JSC::MarkedAllocator::tryAllocateBlock):
591         (JSC::MarkedAllocator::addBlock):
592         (JSC::MarkedAllocator::removeBlock):
593         (JSC::MarkedAllocator::stopAllocating):
594         (JSC::MarkedAllocator::reset):
595         (JSC::MarkedAllocator::lastChanceToFinalize):
596         (JSC::MarkedAllocator::setFreeList):
597         (JSC::isListPagedOut): Deleted.
598         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
599         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
600         (JSC::MarkedAllocator::tryAllocate): Deleted.
601         (JSC::MarkedAllocator::allocateBlock): Deleted.
602         * heap/MarkedAllocator.h:
603         (JSC::MarkedAllocator::takeLastActiveBlock):
604         (JSC::MarkedAllocator::offsetOfFreeList):
605         (JSC::MarkedAllocator::offsetOfCellSize):
606         (JSC::MarkedAllocator::tryAllocate):
607         (JSC::MarkedAllocator::allocate):
608         (JSC::MarkedAllocator::forEachBlock):
609         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
610         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
611         (JSC::MarkedAllocator::init): Deleted.
612         (JSC::MarkedAllocator::stopAllocating): Deleted.
613         * heap/MarkedBlock.cpp:
614         (JSC::MarkedBlock::tryCreate):
615         (JSC::MarkedBlock::Handle::Handle):
616         (JSC::MarkedBlock::Handle::~Handle):
617         (JSC::MarkedBlock::MarkedBlock):
618         (JSC::MarkedBlock::Handle::specializedSweep):
619         (JSC::MarkedBlock::Handle::sweep):
620         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
621         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
622         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
623         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
624         (JSC::SetNewlyAllocatedFunctor::operator()):
625         (JSC::MarkedBlock::Handle::stopAllocating):
626         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
627         (JSC::MarkedBlock::Handle::resumeAllocating):
628         (JSC::MarkedBlock::Handle::zap):
629         (JSC::MarkedBlock::Handle::forEachFreeCell):
630         (JSC::MarkedBlock::flipIfNecessary):
631         (JSC::MarkedBlock::Handle::flipIfNecessary):
632         (JSC::MarkedBlock::flipIfNecessarySlow):
633         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
634         (JSC::MarkedBlock::clearMarks):
635         (JSC::MarkedBlock::assertFlipped):
636         (JSC::MarkedBlock::needsFlip):
637         (JSC::MarkedBlock::Handle::needsFlip):
638         (JSC::MarkedBlock::Handle::willRemoveBlock):
639         (JSC::MarkedBlock::Handle::didConsumeFreeList):
640         (JSC::MarkedBlock::markCount):
641         (JSC::MarkedBlock::Handle::isEmpty):
642         (JSC::MarkedBlock::clearHasAnyMarked):
643         (JSC::MarkedBlock::noteMarkedSlow):
644         (WTF::printInternal):
645         (JSC::MarkedBlock::create): Deleted.
646         (JSC::MarkedBlock::destroy): Deleted.
647         (JSC::MarkedBlock::callDestructor): Deleted.
648         (JSC::MarkedBlock::specializedSweep): Deleted.
649         (JSC::MarkedBlock::sweep): Deleted.
650         (JSC::MarkedBlock::sweepHelper): Deleted.
651         (JSC::MarkedBlock::stopAllocating): Deleted.
652         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
653         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
654         (JSC::MarkedBlock::resumeAllocating): Deleted.
655         (JSC::MarkedBlock::didRetireBlock): Deleted.
656         * heap/MarkedBlock.h:
657         (JSC::MarkedBlock::VoidFunctor::returnValue):
658         (JSC::MarkedBlock::CountFunctor::CountFunctor):
659         (JSC::MarkedBlock::CountFunctor::count):
660         (JSC::MarkedBlock::CountFunctor::returnValue):
661         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
662         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
663         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
664         (JSC::MarkedBlock::Handle::state):
665         (JSC::MarkedBlock::needsDestruction):
666         (JSC::MarkedBlock::handle):
667         (JSC::MarkedBlock::Handle::block):
668         (JSC::MarkedBlock::firstAtom):
669         (JSC::MarkedBlock::atoms):
670         (JSC::MarkedBlock::isAtomAligned):
671         (JSC::MarkedBlock::Handle::cellAlign):
672         (JSC::MarkedBlock::blockFor):
673         (JSC::MarkedBlock::Handle::allocator):
674         (JSC::MarkedBlock::Handle::heap):
675         (JSC::MarkedBlock::Handle::vm):
676         (JSC::MarkedBlock::vm):
677         (JSC::MarkedBlock::Handle::weakSet):
678         (JSC::MarkedBlock::weakSet):
679         (JSC::MarkedBlock::Handle::shrink):
680         (JSC::MarkedBlock::Handle::visitWeakSet):
681         (JSC::MarkedBlock::Handle::reapWeakSet):
682         (JSC::MarkedBlock::Handle::cellSize):
683         (JSC::MarkedBlock::cellSize):
684         (JSC::MarkedBlock::Handle::attributes):
685         (JSC::MarkedBlock::attributes):
686         (JSC::MarkedBlock::Handle::needsDestruction):
687         (JSC::MarkedBlock::Handle::destruction):
688         (JSC::MarkedBlock::Handle::cellKind):
689         (JSC::MarkedBlock::Handle::markCount):
690         (JSC::MarkedBlock::Handle::size):
691         (JSC::MarkedBlock::atomNumber):
692         (JSC::MarkedBlock::flipIfNecessary):
693         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
694         (JSC::MarkedBlock::Handle::flipIfNecessary):
695         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
696         (JSC::MarkedBlock::Handle::flipForEdenCollection):
697         (JSC::MarkedBlock::assertFlipped):
698         (JSC::MarkedBlock::Handle::assertFlipped):
699         (JSC::MarkedBlock::isMarked):
700         (JSC::MarkedBlock::testAndSetMarked):
701         (JSC::MarkedBlock::Handle::isNewlyAllocated):
702         (JSC::MarkedBlock::Handle::setNewlyAllocated):
703         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
704         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
705         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
706         (JSC::MarkedBlock::Handle::isLive):
707         (JSC::MarkedBlock::isAtom):
708         (JSC::MarkedBlock::Handle::isLiveCell):
709         (JSC::MarkedBlock::Handle::forEachCell):
710         (JSC::MarkedBlock::Handle::forEachLiveCell):
711         (JSC::MarkedBlock::Handle::forEachDeadCell):
712         (JSC::MarkedBlock::Handle::needsSweeping):
713         (JSC::MarkedBlock::Handle::isAllocated):
714         (JSC::MarkedBlock::Handle::isMarked):
715         (JSC::MarkedBlock::Handle::isFreeListed):
716         (JSC::MarkedBlock::hasAnyMarked):
717         (JSC::MarkedBlock::noteMarked):
718         (WTF::MarkedBlockHash::hash):
719         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
720         (JSC::MarkedBlock::allocator): Deleted.
721         (JSC::MarkedBlock::heap): Deleted.
722         (JSC::MarkedBlock::shrink): Deleted.
723         (JSC::MarkedBlock::visitWeakSet): Deleted.
724         (JSC::MarkedBlock::reapWeakSet): Deleted.
725         (JSC::MarkedBlock::willRemoveBlock): Deleted.
726         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
727         (JSC::MarkedBlock::markCount): Deleted.
728         (JSC::MarkedBlock::isEmpty): Deleted.
729         (JSC::MarkedBlock::destruction): Deleted.
730         (JSC::MarkedBlock::cellKind): Deleted.
731         (JSC::MarkedBlock::size): Deleted.
732         (JSC::MarkedBlock::capacity): Deleted.
733         (JSC::MarkedBlock::setMarked): Deleted.
734         (JSC::MarkedBlock::clearMarked): Deleted.
735         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
736         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
737         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
738         (JSC::MarkedBlock::isLive): Deleted.
739         (JSC::MarkedBlock::isLiveCell): Deleted.
740         (JSC::MarkedBlock::forEachCell): Deleted.
741         (JSC::MarkedBlock::forEachLiveCell): Deleted.
742         (JSC::MarkedBlock::forEachDeadCell): Deleted.
743         (JSC::MarkedBlock::needsSweeping): Deleted.
744         (JSC::MarkedBlock::isAllocated): Deleted.
745         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
746         * heap/MarkedSpace.cpp:
747         (JSC::MarkedSpace::initializeSizeClassForStepSize):
748         (JSC::MarkedSpace::MarkedSpace):
749         (JSC::MarkedSpace::~MarkedSpace):
750         (JSC::MarkedSpace::lastChanceToFinalize):
751         (JSC::MarkedSpace::allocate):
752         (JSC::MarkedSpace::tryAllocate):
753         (JSC::MarkedSpace::allocateLarge):
754         (JSC::MarkedSpace::tryAllocateLarge):
755         (JSC::MarkedSpace::sweep):
756         (JSC::MarkedSpace::sweepLargeAllocations):
757         (JSC::MarkedSpace::zombifySweep):
758         (JSC::MarkedSpace::resetAllocators):
759         (JSC::MarkedSpace::visitWeakSets):
760         (JSC::MarkedSpace::reapWeakSets):
761         (JSC::MarkedSpace::stopAllocating):
762         (JSC::MarkedSpace::prepareForMarking):
763         (JSC::MarkedSpace::resumeAllocating):
764         (JSC::MarkedSpace::isPagedOut):
765         (JSC::MarkedSpace::freeBlock):
766         (JSC::MarkedSpace::freeOrShrinkBlock):
767         (JSC::MarkedSpace::shrink):
768         (JSC::MarkedSpace::clearNewlyAllocated):
769         (JSC::VerifyMarked::operator()):
770         (JSC::MarkedSpace::flip):
771         (JSC::MarkedSpace::objectCount):
772         (JSC::MarkedSpace::size):
773         (JSC::MarkedSpace::capacity):
774         (JSC::MarkedSpace::addActiveWeakSet):
775         (JSC::MarkedSpace::didAddBlock):
776         (JSC::MarkedSpace::didAllocateInBlock):
777         (JSC::MarkedSpace::forEachAllocator): Deleted.
778         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
779         (JSC::MarkedSpace::clearMarks): Deleted.
780         * heap/MarkedSpace.h:
781         (JSC::MarkedSpace::sizeClassToIndex):
782         (JSC::MarkedSpace::indexToSizeClass):
783         (JSC::MarkedSpace::version):
784         (JSC::MarkedSpace::blocksWithNewObjects):
785         (JSC::MarkedSpace::largeAllocations):
786         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
787         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
788         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
789         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
790         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
791         (JSC::MarkedSpace::forEachLiveCell):
792         (JSC::MarkedSpace::forEachDeadCell):
793         (JSC::MarkedSpace::allocatorFor):
794         (JSC::MarkedSpace::destructorAllocatorFor):
795         (JSC::MarkedSpace::auxiliaryAllocatorFor):
796         (JSC::MarkedSpace::allocateWithoutDestructor):
797         (JSC::MarkedSpace::allocateWithDestructor):
798         (JSC::MarkedSpace::allocateAuxiliary):
799         (JSC::MarkedSpace::tryAllocateAuxiliary):
800         (JSC::MarkedSpace::forEachBlock):
801         (JSC::MarkedSpace::forEachAllocator):
802         (JSC::MarkedSpace::optimalSizeFor):
803         (JSC::MarkedSpace::didAddBlock): Deleted.
804         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
805         (JSC::MarkedSpace::objectCount): Deleted.
806         (JSC::MarkedSpace::size): Deleted.
807         (JSC::MarkedSpace::capacity): Deleted.
808         * heap/SlotVisitor.cpp:
809         (JSC::SlotVisitor::SlotVisitor):
810         (JSC::SlotVisitor::didStartMarking):
811         (JSC::SlotVisitor::reset):
812         (JSC::SlotVisitor::append):
813         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
814         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
815         (JSC::SlotVisitor::appendToMarkStack):
816         (JSC::SlotVisitor::markAuxiliary):
817         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
818         (JSC::SlotVisitor::visitChildren):
819         * heap/SlotVisitor.h:
820         * heap/WeakBlock.cpp:
821         (JSC::WeakBlock::create):
822         (JSC::WeakBlock::WeakBlock):
823         (JSC::WeakBlock::visit):
824         (JSC::WeakBlock::reap):
825         * heap/WeakBlock.h:
826         (JSC::WeakBlock::disconnectContainer):
827         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
828         * heap/WeakSet.cpp:
829         (JSC::WeakSet::~WeakSet):
830         (JSC::WeakSet::sweep):
831         (JSC::WeakSet::shrink):
832         (JSC::WeakSet::addAllocator):
833         * heap/WeakSet.h:
834         (JSC::WeakSet::container):
835         (JSC::WeakSet::setContainer):
836         (JSC::WeakSet::WeakSet):
837         (JSC::WeakSet::visit):
838         (JSC::WeakSet::shrink): Deleted.
839         * heap/WeakSetInlines.h:
840         (JSC::WeakSet::allocate):
841         * inspector/InjectedScriptManager.cpp:
842         * inspector/JSGlobalObjectInspectorController.cpp:
843         * inspector/JSJavaScriptCallFrame.cpp:
844         * inspector/ScriptDebugServer.cpp:
845         * inspector/agents/InspectorDebuggerAgent.cpp:
846         * interpreter/CachedCall.h:
847         (JSC::CachedCall::CachedCall):
848         * interpreter/Interpreter.cpp:
849         (JSC::loadVarargs):
850         (JSC::StackFrame::sourceID): Deleted.
851         (JSC::StackFrame::sourceURL): Deleted.
852         (JSC::StackFrame::functionName): Deleted.
853         (JSC::StackFrame::computeLineAndColumn): Deleted.
854         (JSC::StackFrame::toString): Deleted.
855         * interpreter/Interpreter.h:
856         (JSC::StackFrame::isNative): Deleted.
857         * jit/AssemblyHelpers.h:
858         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
859         (JSC::AssemblyHelpers::emitAllocate):
860         (JSC::AssemblyHelpers::emitAllocateJSCell):
861         (JSC::AssemblyHelpers::emitAllocateJSObject):
862         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
863         (JSC::AssemblyHelpers::emitAllocateVariableSized):
864         * jit/GCAwareJITStubRoutine.cpp:
865         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
866         * jit/JIT.cpp:
867         (JSC::JIT::compileCTINativeCall):
868         (JSC::JIT::link):
869         * jit/JIT.h:
870         (JSC::JIT::compileCTINativeCall): Deleted.
871         * jit/JITExceptions.cpp:
872         (JSC::genericUnwind):
873         * jit/JITExceptions.h:
874         * jit/JITOpcodes.cpp:
875         (JSC::JIT::emit_op_new_object):
876         (JSC::JIT::emitSlow_op_new_object):
877         (JSC::JIT::emit_op_create_this):
878         (JSC::JIT::emitSlow_op_create_this):
879         * jit/JITOpcodes32_64.cpp:
880         (JSC::JIT::emit_op_new_object):
881         (JSC::JIT::emitSlow_op_new_object):
882         (JSC::JIT::emit_op_create_this):
883         (JSC::JIT::emitSlow_op_create_this):
884         * jit/JITOperations.cpp:
885         * jit/JITOperations.h:
886         * jit/JITPropertyAccess.cpp:
887         (JSC::JIT::emitWriteBarrier):
888         * jit/JITThunks.cpp:
889         * jit/JITThunks.h:
890         * jsc.cpp:
891         (functionDescribeArray):
892         (main):
893         * llint/LLIntData.cpp:
894         (JSC::LLInt::Data::performAssertions):
895         * llint/LLIntExceptions.cpp:
896         * llint/LLIntThunks.cpp:
897         * llint/LLIntThunks.h:
898         * llint/LowLevelInterpreter.asm:
899         * llint/LowLevelInterpreter.cpp:
900         * llint/LowLevelInterpreter32_64.asm:
901         * llint/LowLevelInterpreter64.asm:
902         * parser/ModuleAnalyzer.cpp:
903         * parser/NodeConstructors.h:
904         * parser/Nodes.h:
905         * profiler/ProfilerBytecode.cpp:
906         * profiler/ProfilerBytecode.h:
907         * profiler/ProfilerBytecodeSequence.cpp:
908         * runtime/ArrayConventions.h:
909         (JSC::indexingHeaderForArrayStorage):
910         (JSC::baseIndexingHeaderForArrayStorage):
911         (JSC::indexingHeaderForArray): Deleted.
912         (JSC::baseIndexingHeaderForArray): Deleted.
913         * runtime/ArrayPrototype.cpp:
914         (JSC::arrayProtoFuncSplice):
915         (JSC::concatAppendOne):
916         (JSC::arrayProtoPrivateFuncConcatMemcpy):
917         * runtime/ArrayStorage.h:
918         (JSC::ArrayStorage::vectorLength):
919         (JSC::ArrayStorage::totalSizeFor):
920         (JSC::ArrayStorage::totalSize):
921         (JSC::ArrayStorage::availableVectorLength):
922         (JSC::ArrayStorage::optimalVectorLength):
923         (JSC::ArrayStorage::sizeFor): Deleted.
924         * runtime/AuxiliaryBarrier.h: Added.
925         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
926         (JSC::AuxiliaryBarrier::clear):
927         (JSC::AuxiliaryBarrier::get):
928         (JSC::AuxiliaryBarrier::slot):
929         (JSC::AuxiliaryBarrier::operator bool):
930         (JSC::AuxiliaryBarrier::setWithoutBarrier):
931         * runtime/AuxiliaryBarrierInlines.h: Added.
932         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
933         (JSC::AuxiliaryBarrier<T>::set):
934         * runtime/Butterfly.h:
935         * runtime/ButterflyInlines.h:
936         (JSC::Butterfly::availableContiguousVectorLength):
937         (JSC::Butterfly::optimalContiguousVectorLength):
938         (JSC::Butterfly::createUninitialized):
939         (JSC::Butterfly::growArrayRight):
940         * runtime/ClonedArguments.cpp:
941         (JSC::ClonedArguments::createEmpty):
942         * runtime/CommonSlowPathsExceptions.cpp:
943         * runtime/CommonSlowPathsExceptions.h:
944         * runtime/DataView.cpp:
945         * runtime/DirectArguments.h:
946         * runtime/ECMAScriptSpecInternalFunctions.cpp:
947         * runtime/Error.cpp:
948         * runtime/Error.h:
949         * runtime/ErrorInstance.cpp:
950         * runtime/ErrorInstance.h:
951         * runtime/Exception.cpp:
952         * runtime/Exception.h:
953         * runtime/GeneratorFrame.cpp:
954         * runtime/GeneratorPrototype.cpp:
955         * runtime/InternalFunction.cpp:
956         (JSC::InternalFunction::InternalFunction):
957         * runtime/IntlCollator.cpp:
958         * runtime/IntlCollatorConstructor.cpp:
959         * runtime/IntlCollatorPrototype.cpp:
960         * runtime/IntlDateTimeFormat.cpp:
961         * runtime/IntlDateTimeFormatConstructor.cpp:
962         * runtime/IntlDateTimeFormatPrototype.cpp:
963         * runtime/IntlNumberFormat.cpp:
964         * runtime/IntlNumberFormatConstructor.cpp:
965         * runtime/IntlNumberFormatPrototype.cpp:
966         * runtime/IntlObject.cpp:
967         * runtime/IteratorPrototype.cpp:
968         * runtime/JSArray.cpp:
969         (JSC::JSArray::tryCreateUninitialized):
970         (JSC::JSArray::setLengthWritable):
971         (JSC::JSArray::unshiftCountSlowCase):
972         (JSC::JSArray::setLengthWithArrayStorage):
973         (JSC::JSArray::appendMemcpy):
974         (JSC::JSArray::setLength):
975         (JSC::JSArray::pop):
976         (JSC::JSArray::push):
977         (JSC::JSArray::fastSlice):
978         (JSC::JSArray::shiftCountWithArrayStorage):
979         (JSC::JSArray::shiftCountWithAnyIndexingType):
980         (JSC::JSArray::unshiftCountWithArrayStorage):
981         (JSC::JSArray::fillArgList):
982         (JSC::JSArray::copyToArguments):
983         * runtime/JSArray.h:
984         (JSC::createContiguousArrayButterfly):
985         (JSC::createArrayButterfly):
986         (JSC::JSArray::create):
987         (JSC::JSArray::tryCreateUninitialized): Deleted.
988         * runtime/JSArrayBufferView.h:
989         * runtime/JSCInlines.h:
990         * runtime/JSCJSValue.cpp:
991         (JSC::JSValue::dumpInContextAssumingStructure):
992         * runtime/JSCallee.cpp:
993         (JSC::JSCallee::JSCallee):
994         * runtime/JSCell.cpp:
995         (JSC::JSCell::estimatedSize):
996         * runtime/JSCell.h:
997         (JSC::JSCell::cellStateOffset): Deleted.
998         * runtime/JSCellInlines.h:
999         (JSC::ExecState::vm):
1000         (JSC::JSCell::classInfo):
1001         (JSC::JSCell::callDestructor):
1002         (JSC::JSCell::vm): Deleted.
1003         * runtime/JSFunction.cpp:
1004         (JSC::JSFunction::create):
1005         (JSC::JSFunction::allocateAndInitializeRareData):
1006         (JSC::JSFunction::initializeRareData):
1007         (JSC::JSFunction::getOwnPropertySlot):
1008         (JSC::JSFunction::put):
1009         (JSC::JSFunction::deleteProperty):
1010         (JSC::JSFunction::defineOwnProperty):
1011         (JSC::JSFunction::setFunctionName):
1012         (JSC::JSFunction::reifyLength):
1013         (JSC::JSFunction::reifyName):
1014         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1015         (JSC::JSFunction::reifyBoundNameIfNeeded):
1016         * runtime/JSFunction.h:
1017         * runtime/JSFunctionInlines.h:
1018         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1019         (JSC::JSFunction::JSFunction):
1020         * runtime/JSGenericTypedArrayViewInlines.h:
1021         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1022         * runtime/JSInternalPromise.cpp:
1023         * runtime/JSInternalPromiseConstructor.cpp:
1024         * runtime/JSInternalPromiseDeferred.cpp:
1025         * runtime/JSInternalPromisePrototype.cpp:
1026         * runtime/JSJob.cpp:
1027         * runtime/JSMapIterator.cpp:
1028         * runtime/JSModuleNamespaceObject.cpp:
1029         * runtime/JSModuleRecord.cpp:
1030         * runtime/JSObject.cpp:
1031         (JSC::JSObject::visitButterfly):
1032         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1033         (JSC::JSObject::createInitialIndexedStorage):
1034         (JSC::JSObject::createInitialUndecided):
1035         (JSC::JSObject::createInitialInt32):
1036         (JSC::JSObject::createInitialDouble):
1037         (JSC::JSObject::createInitialContiguous):
1038         (JSC::JSObject::createArrayStorage):
1039         (JSC::JSObject::createInitialArrayStorage):
1040         (JSC::JSObject::convertUndecidedToInt32):
1041         (JSC::JSObject::convertUndecidedToContiguous):
1042         (JSC::JSObject::convertUndecidedToArrayStorage):
1043         (JSC::JSObject::convertInt32ToDouble):
1044         (JSC::JSObject::convertInt32ToArrayStorage):
1045         (JSC::JSObject::convertDoubleToArrayStorage):
1046         (JSC::JSObject::convertContiguousToArrayStorage):
1047         (JSC::JSObject::putByIndexBeyondVectorLength):
1048         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1049         (JSC::JSObject::getNewVectorLength):
1050         (JSC::JSObject::increaseVectorLength):
1051         (JSC::JSObject::ensureLengthSlow):
1052         (JSC::JSObject::growOutOfLineStorage):
1053         (JSC::JSObject::copyButterfly): Deleted.
1054         (JSC::JSObject::copyBackingStore): Deleted.
1055         * runtime/JSObject.h:
1056         (JSC::JSObject::globalObject):
1057         (JSC::JSObject::putDirectInternal):
1058         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
1059         * runtime/JSObjectInlines.h:
1060         * runtime/JSPromise.cpp:
1061         * runtime/JSPromiseConstructor.cpp:
1062         * runtime/JSPromiseDeferred.cpp:
1063         * runtime/JSPromisePrototype.cpp:
1064         * runtime/JSPropertyNameIterator.cpp:
1065         * runtime/JSScope.cpp:
1066         (JSC::JSScope::resolve):
1067         * runtime/JSScope.h:
1068         (JSC::JSScope::globalObject):
1069         (JSC::JSScope::vm): Deleted.
1070         * runtime/JSSetIterator.cpp:
1071         * runtime/JSStringIterator.cpp:
1072         * runtime/JSTemplateRegistryKey.cpp:
1073         * runtime/JSTypedArrayViewConstructor.cpp:
1074         * runtime/JSTypedArrayViewPrototype.cpp:
1075         * runtime/JSWeakMap.cpp:
1076         * runtime/JSWeakSet.cpp:
1077         * runtime/MapConstructor.cpp:
1078         * runtime/MapIteratorPrototype.cpp:
1079         * runtime/MapPrototype.cpp:
1080         * runtime/NativeErrorConstructor.cpp:
1081         * runtime/NativeStdFunctionCell.cpp:
1082         * runtime/Operations.h:
1083         (JSC::scribbleFreeCells):
1084         (JSC::scribble):
1085         * runtime/Options.h:
1086         * runtime/PropertyTable.cpp:
1087         * runtime/ProxyConstructor.cpp:
1088         * runtime/ProxyObject.cpp:
1089         * runtime/ProxyRevoke.cpp:
1090         * runtime/RegExp.cpp:
1091         (JSC::RegExp::match):
1092         (JSC::RegExp::matchConcurrently):
1093         (JSC::RegExp::matchCompareWithInterpreter):
1094         * runtime/RegExp.h:
1095         * runtime/RegExpConstructor.h:
1096         * runtime/RegExpInlines.h:
1097         (JSC::RegExp::matchInline):
1098         * runtime/RegExpMatchesArray.h:
1099         (JSC::tryCreateUninitializedRegExpMatchesArray):
1100         (JSC::createRegExpMatchesArray):
1101         * runtime/RegExpPrototype.cpp:
1102         (JSC::genericSplit):
1103         * runtime/RuntimeType.cpp:
1104         * runtime/SamplingProfiler.cpp:
1105         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1106         * runtime/SetConstructor.cpp:
1107         * runtime/SetIteratorPrototype.cpp:
1108         * runtime/SetPrototype.cpp:
1109         * runtime/StackFrame.cpp: Added.
1110         (JSC::StackFrame::sourceID):
1111         (JSC::StackFrame::sourceURL):
1112         (JSC::StackFrame::functionName):
1113         (JSC::StackFrame::computeLineAndColumn):
1114         (JSC::StackFrame::toString):
1115         * runtime/StackFrame.h: Added.
1116         (JSC::StackFrame::isNative):
1117         * runtime/StringConstructor.cpp:
1118         * runtime/StringIteratorPrototype.cpp:
1119         * runtime/StructureInlines.h:
1120         (JSC::Structure::propertyTable):
1121         * runtime/TemplateRegistry.cpp:
1122         * runtime/TestRunnerUtils.cpp:
1123         (JSC::finalizeStatsAtEndOfTesting):
1124         * runtime/TestRunnerUtils.h:
1125         * runtime/TypeProfilerLog.cpp:
1126         * runtime/TypeSet.cpp:
1127         * runtime/VM.cpp:
1128         (JSC::VM::VM):
1129         (JSC::VM::ensureStackCapacityForCLoop):
1130         (JSC::VM::isSafeToRecurseSoftCLoop):
1131         * runtime/VM.h:
1132         * runtime/VMEntryScope.h:
1133         * runtime/VMInlines.h:
1134         (JSC::VM::ensureStackCapacityFor):
1135         (JSC::VM::isSafeToRecurseSoft):
1136         * runtime/WeakMapConstructor.cpp:
1137         * runtime/WeakMapData.cpp:
1138         * runtime/WeakMapPrototype.cpp:
1139         * runtime/WeakSetConstructor.cpp:
1140         * runtime/WeakSetPrototype.cpp:
1141         * testRegExp.cpp:
1142         (testOneRegExp):
1143         * tools/JSDollarVM.cpp:
1144         * tools/JSDollarVMPrototype.cpp:
1145         (JSC::JSDollarVMPrototype::isInObjectSpace):
1146
1147 2016-09-04  Commit Queue  <commit-queue@webkit.org>
1148
1149         Unreviewed, rolling out r205415.
1150         https://bugs.webkit.org/show_bug.cgi?id=161573
1151
1152         Many bots see inspector test failures, rolling out now and
1153         investigating later. (Requested by brrian on #webkit).
1154
1155         Reverted changeset:
1156
1157         "Web Inspector: unify Main.html and Test.html sources and
1158         generate different copies with the preprocessor"
1159         https://bugs.webkit.org/show_bug.cgi?id=161212
1160         http://trac.webkit.org/changeset/205415
1161
1162 2016-09-01  Brian Burg  <bburg@apple.com>
1163
1164         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
1165         https://bugs.webkit.org/show_bug.cgi?id=161212
1166         <rdar://problem/28017961>
1167
1168         Reviewed by Joseph Pecoraro.
1169
1170         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
1171
1172 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1173
1174         Use ASCIILiteral in some more places
1175         https://bugs.webkit.org/show_bug.cgi?id=161557
1176
1177         Reviewed by Darin Adler.
1178
1179         * runtime/TypeSet.h:
1180         (JSC::StructureShape::setConstructorName):
1181
1182 2016-09-01  Michael Saboff  <msaboff@apple.com>
1183
1184         Import Chakra tests to JSC
1185         https://bugs.webkit.org/show_bug.cgi?id=154697
1186
1187         Reviewed by Saam Barati.
1188
1189         Added --dumpException option to jsc command line utility to dump uncaught exception
1190         text even for the last exception that matches --exception.  This is used to
1191         check the exception text for a test that is expected to end on an exception.
1192         Chakra has several tests of this form and does the same thing when such a test
1193         ends with an exception.  Tests that rely on this behavior have had their expected
1194         output updated for JSC specific text.
1195
1196         * jsc.cpp:
1197
1198 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
1199
1200         [JSC] Remove some more useless cases from FTL Capabilities
1201         https://bugs.webkit.org/show_bug.cgi?id=161466
1202
1203         Reviewed by Geoffrey Garen.
1204
1205         Some cases do not make sense:
1206         -In: Fixup only generate CellUse.
1207         -PutByIdXXX: same.
1208         -GetIndexedPropertyStorage: those cases are the only ones supported
1209          by DFG. We would have crashed in SpeculativeJIT if other modes
1210          were generated.
1211
1212         * ftl/FTLCapabilities.cpp:
1213         (JSC::FTL::canCompile):
1214         * ftl/FTLLowerDFGToB3.cpp:
1215         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1216         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1217         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1218
1219 2016-09-02  Chris Dumez  <cdumez@apple.com>
1220
1221         Unreviewed, roll out r205354 because it caused JSC test failures
1222
1223         * jsc.cpp:
1224         * runtime/JSGlobalObject.cpp:
1225         * runtime/JSGlobalObject.h:
1226         (JSC::JSGlobalObject::allowsAccessFrom):
1227         (JSC::JSGlobalObject::setDebugger): Deleted.
1228         * runtime/JSGlobalObjectFunctions.cpp:
1229         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1230         (JSC::GlobalFuncProtoGetterFunctor::result):
1231         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1232         (JSC::globalFuncProtoGetter):
1233         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
1234         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1235         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1236         (JSC::checkProtoSetterAccessAllowed):
1237         (JSC::globalFuncProtoSetter):
1238         * runtime/JSGlobalObjectFunctions.h:
1239         * runtime/JSObject.cpp:
1240         (JSC::JSObject::setPrototypeWithCycleCheck):
1241         (JSC::JSObject::allowsAccessFrom):
1242         * runtime/JSObject.h:
1243         * runtime/JSProxy.cpp:
1244         * runtime/JSProxy.h:
1245         * runtime/ObjectConstructor.cpp:
1246         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1247         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1248         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1249         (JSC::objectConstructorGetPrototypeOf):
1250         (JSC::objectConstructorSetPrototypeOf):
1251         * runtime/ObjectConstructor.h:
1252         * runtime/ReflectObject.cpp:
1253         (JSC::reflectObjectGetPrototypeOf):
1254         (JSC::reflectObjectSetPrototypeOf):
1255
1256 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
1257
1258         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
1259         https://bugs.webkit.org/show_bug.cgi?id=160802
1260
1261         Reviewed by Saam Barati.
1262
1263         This patch is fixing a broken mechanism of MathIC that avoids allocating
1264         a register to LHS or RHS if one of these operands is proven as a valid
1265         constant for JIT*Generator. In the previous implementation, even if the
1266         JIT*Generator was not using an operand register because it was proven as a
1267         constant, compileMathIC and emitICFast were allocating a register for
1268         it. This was broken because mathIC->isLeftOperandValidConstant and
1269         mathIC->isLeftOperandValidConstant were being called before its Generator was
1270         properly initialized. We changed this mechanism to enable Generators to write
1271         their validConstant rules using the static methods isLeftOperandValidConstant(SnippetOperand)
1272         and isRightOperandValidConstant(SnippetOperand).
1273
1274         * dfg/DFGSpeculativeJIT.cpp:
1275         (JSC::DFG::SpeculativeJIT::compileMathIC):
1276         * jit/JITAddGenerator.h:
1277         (JSC::JITAddGenerator::JITAddGenerator):
1278         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1279         (JSC::JITAddGenerator::isRightOperandValidConstant):
1280         * jit/JITArithmetic.cpp:
1281         (JSC::JIT::emitMathICFast):
1282         * jit/JITMathIC.h:
1283         * jit/JITMulGenerator.h:
1284         (JSC::JITMulGenerator::JITMulGenerator):
1285         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1286         (JSC::JITMulGenerator::isRightOperandValidConstant):
1287         * jit/JITSubGenerator.h:
1288         (JSC::JITSubGenerator::isLeftOperandValidConstant):
1289         (JSC::JITSubGenerator::isRightOperandValidConstant):
1290
1291 2016-09-02  JF Bastien  <jfbastien@apple.com>
1292
1293         GetByValWithThis: fix opInfo in DFG creation
1294         https://bugs.webkit.org/show_bug.cgi?id=161541
1295
1296         Reviewed by Saam Barati.
1297
1298         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
1299
1300         * dfg/DFGByteCodeParser.cpp:
1301         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
1302
1303 2016-09-02  Chris Dumez  <cdumez@apple.com>
1304
1305         Object.preventExtensions() should throw cross-origin
1306         https://bugs.webkit.org/show_bug.cgi?id=161486
1307
1308         Reviewed by Geoffrey Garen.
1309
1310         Update JSProxy to forward preventExtensions() calls to its target.
1311
1312         * runtime/JSProxy.cpp:
1313         (JSC::JSProxy::preventExtensions):
1314         * runtime/JSProxy.h:
1315
1316 2016-09-02  Chris Dumez  <cdumez@apple.com>
1317
1318         Align proto getter / setter behavior with other browsers
1319         https://bugs.webkit.org/show_bug.cgi?id=161455
1320
1321         Reviewed by Mark Lam.
1322
1323         Drop allowsAccessFrom from the methodTable and delegate cross-origin
1324         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
1325         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
1326
1327         * jsc.cpp:
1328         * runtime/JSGlobalObject.cpp:
1329         * runtime/JSGlobalObject.h:
1330         * runtime/JSGlobalObjectFunctions.cpp:
1331         (JSC::globalFuncProtoGetter):
1332         (JSC::globalFuncProtoSetter):
1333         (JSC::globalFuncBuiltinLog): Deleted.
1334         * runtime/JSGlobalObjectFunctions.h:
1335         * runtime/JSObject.h:
1336         (JSC::JSObject::getArrayLength): Deleted.
1337         * runtime/JSProxy.cpp:
1338         (JSC::JSProxy::setPrototype):
1339         (JSC::JSProxy::getPrototype):
1340         * runtime/JSProxy.h:
1341         * runtime/ObjectConstructor.cpp:
1342         (JSC::objectConstructorGetPrototypeOf):
1343         (JSC::objectConstructorSetPrototypeOf):
1344         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
1345         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
1346         * runtime/ObjectConstructor.h:
1347         * runtime/ReflectObject.cpp:
1348         (JSC::reflectObjectGetPrototypeOf):
1349         (JSC::reflectObjectSetPrototypeOf):
1350
1351         * runtime/JSObject.cpp:
1352         (JSC::JSObject::setPrototypeWithCycleCheck):
1353         Comment out check added in r197648. This check was added to match
1354         the latest ECMAScript spec:
1355         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
1356         This check allowed for [[Prototype]] chain cycles if the prototype
1357         chain includes objects that do not use the ordinary object definitions
1358         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
1359         The issue is that the rest of our code base does not properly handle
1360         such cycles and we can end up in infinite loops. This became obvious
1361         because this patch updates Window / Location so that they no longer
1362         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
1363         comment out this check, I get an infinite loop in
1364         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
1365         called from JSObject::setPrototypeDirect(), when running the following
1366         layout test:
1367         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
1368         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
1369         issue.
1370
1371 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1372
1373         Add toJS for JSC::PrivateName
1374         https://bugs.webkit.org/show_bug.cgi?id=161522
1375
1376         Reviewed by Ryosuke Niwa.
1377
1378         Add the export annotation.
1379         And we perform the refactoring RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
1380         since PrivateName never holds a null SymbolImpl pointer. And along with this change,
1381         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
1382
1383         * runtime/Completion.cpp:
1384         (JSC::createSymbolForEntryPointModule):
1385         * runtime/IdentifierInlines.h:
1386         (JSC::Identifier::fromUid):
1387         * runtime/JSFunction.cpp:
1388         (JSC::JSFunction::setFunctionName):
1389         * runtime/PrivateName.h:
1390         (JSC::PrivateName::PrivateName):
1391         (JSC::PrivateName::uid): Ugly const_cast. But const annotation is meaningless for SymbolImpl.
1392         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
1393         But most of the users (One of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
1394         (JSC::PrivateName::operator==):
1395         (JSC::PrivateName::operator!=):
1396         * runtime/PropertyName.h:
1397         (JSC::PropertyName::PropertyName):
1398         * runtime/Symbol.cpp:
1399         (JSC::Symbol::finishCreation):
1400         * runtime/Symbol.h:
1401         * runtime/SymbolConstructor.cpp:
1402         (JSC::symbolConstructorKeyFor):
1403
1404 2016-09-01  Dan Bernstein  <mitz@apple.com>
1405
1406         Build fix.
1407
1408         * Configurations/FeatureDefines.xcconfig:
1409
1410 2016-09-01  JF Bastien  <jfbastien@apple.com>
1411
1412         jsc: fix cmake build missing symbol getPropertySlot
1413         https://bugs.webkit.org/show_bug.cgi?id=161521
1414
1415         Reviewed by Saam Barati.
1416
1417         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
1418         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
1419
1420 2016-09-01  JF Bastien  <jfbastien@apple.com>
1421
1422         jsc: provide printErr()
1423         https://bugs.webkit.org/show_bug.cgi?id=161513
1424
1425         Reviewed by Mark Lam.
1426
1427         * jsc.cpp:
1428         (GlobalObject::finishCreation):
1429         (printInternal): renamed from functionPrint, add error checking
1430         (functionPrintStdOut): punt to printInternal
1431         (functionPrintStdErr): punt to printInternal
1432         (functionPrint): Deleted.
1433
1434 2016-09-01  Mark Lam  <mark.lam@apple.com>
1435
1436         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
1437         https://bugs.webkit.org/show_bug.cgi?id=161499
1438
1439         Reviewed by Saam Barati.
1440
1441         This is just a refactoring patch to move some inline functions to their Inlines.h
1442         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
1443         later.
1444
1445         * bindings/ScriptValue.cpp:
1446         * interpreter/Interpreter.cpp:
1447         * runtime/IntlDateTimeFormatPrototype.cpp:
1448         * runtime/IntlNumberFormatPrototype.cpp:
1449         * runtime/JSArray.cpp:
1450         * runtime/JSArray.h:
1451         (JSC::getLength): Deleted.
1452         (JSC::toLength): Deleted.
1453         * runtime/JSArrayInlines.h:
1454         (JSC::JSArray::mergeIndexingTypeForCopying):
1455         (JSC::JSArray::canFastCopy):
1456         (JSC::getLength):
1457         (JSC::toLength):
1458         * runtime/JSInternalPromise.cpp:
1459         * runtime/JSInternalPromiseDeferred.cpp:
1460         * runtime/JSJob.cpp:
1461         * runtime/JSModuleRecord.cpp:
1462         * runtime/JSObject.h:
1463         (JSC::JSObject::getPropertySlot): Deleted.
1464         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
1465         * runtime/JSObjectInlines.h:
1466         (JSC::JSObject::getPropertySlot):
1467         (JSC::JSObject::getNonIndexPropertySlot):
1468         * runtime/JSPromiseDeferred.cpp:
1469         * runtime/JSTypedArrayViewPrototype.cpp:
1470         * runtime/MapConstructor.cpp:
1471         * runtime/SamplingProfiler.cpp:
1472         * runtime/SetConstructor.cpp:
1473         * runtime/WeakMapConstructor.cpp:
1474         * runtime/WeakSetConstructor.cpp:
1475
1476 2016-09-01  JF Bastien  <jfbastien@apple.com>
1477
1478         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
1479         https://bugs.webkit.org/show_bug.cgi?id=160922
1480
1481         Reviewed by Keith Miller.
1482
1483         Add value profiling to GetBy{Id,Val}WithThis.
1484
1485         * bytecode/BytecodeList.json:
1486         * bytecode/CodeBlock.cpp:
1487         (JSC::CodeBlock::dumpBytecode):
1488         (JSC::CodeBlock::finishCreation):
1489         * bytecompiler/BytecodeGenerator.cpp:
1490         (JSC::BytecodeGenerator::emitGetById):
1491         (JSC::BytecodeGenerator::emitGetByVal):
1492         * dfg/DFGByteCodeParser.cpp:
1493         (JSC::DFG::ByteCodeParser::parseBlock):
1494         * dfg/DFGNode.h:
1495         (JSC::DFG::Node::hasHeapPrediction):
1496         * dfg/DFGPredictionPropagationPhase.cpp:
1497         * llint/LowLevelInterpreter.asm:
1498         * runtime/CommonSlowPaths.cpp:
1499         (JSC::SLOW_PATH_DECL):
1500
1501 2016-09-01  Keith Miller  <keith_miller@apple.com>
1502
1503         WASM functions should be able to use arguments
1504         https://bugs.webkit.org/show_bug.cgi?id=161471
1505
1506         Reviewed by Benjamin Poulain.
1507
1508         This patch does a couple of changes:
1509
1510         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers; in the future we will use these for WASM and/or JS. Additionally, it knows the callee-save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
1511
1512         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0, since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
1513
1514         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
1515
1516         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
1517         (JSC::B3::jscCallingConvention):
1518         * B3CallingConventions.h: Added.
1519         (JSC::B3::CallingConvention::CallingConvention):
1520         (JSC::B3::CallingConvention::iterate):
1521         (JSC::B3::nextJSCOffset):
1522         * JavaScriptCore.xcodeproj/project.pbxproj:
1523         * interpreter/ProtoCallFrame.h:
1524         * llint/LLIntThunks.cpp:
1525         (JSC::vmEntryToWASM):
1526         * llint/LLIntThunks.h:
1527         * testWASM.cpp:
1528         (invoke):
1529         (box):
1530         (runWASMTests):
1531         * wasm/WASMB3IRGenerator.cpp:
1532         (JSC::WASM::B3IRGenerator::addLocal):
1533         (JSC::WASM::B3IRGenerator::addArguments):
1534         (JSC::WASM::B3IRGenerator::getLocal):
1535         * wasm/WASMFormat.h:
1536         * wasm/WASMFunctionParser.h:
1537         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1538         (JSC::WASM::FunctionParser<Context>::parseExpression):
1539         * wasm/WASMModuleParser.cpp:
1540         (JSC::WASM::ModuleParser::parseFunctionTypes):
1541         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1542         * wasm/WASMModuleParser.h:
1543         * wasm/WASMOps.h:
1544
1545 2016-09-01  Keith Miller  <keith_miller@apple.com>
1546
1547         Rename WASM classes dropping the WASM prefix
1548         https://bugs.webkit.org/show_bug.cgi?id=161500
1549
1550         Reviewed by Mark Lam.
1551
1552         Having to write WASM::WASMModule seems silly. Also, this patch
1553         merges WASMFunctionReturnType and WASMValueType into one type
1554         that is a typedef of B3::Type. Using B3::Type as the WASM
1555         primitive type makes it trivial to convert a Vector of WASM
1556         types into a Vector of B3 types.
1557
1558         * b3/B3Type.h:
1559         * wasm/JSWASMModule.h:
1560         (JSC::JSWASMModule::signatures):
1561         (JSC::JSWASMModule::functionImports):
1562         (JSC::JSWASMModule::functionImportSignatures):
1563         (JSC::JSWASMModule::globalVariableTypes):
1564         (JSC::JSWASMModule::functionDeclarations):
1565         (JSC::JSWASMModule::functionPointerTables):
1566         * wasm/WASMB3IRGenerator.cpp:
1567         (JSC::WASM::toB3Op):
1568         (JSC::WASM::B3IRGenerator::addLocal):
1569         (JSC::WASM::B3IRGenerator::unaryOp):
1570         (JSC::WASM::B3IRGenerator::binaryOp):
1571         (JSC::WASM::B3IRGenerator::addConstant):
1572         (JSC::WASM::parseAndCompile):
1573         * wasm/WASMB3IRGenerator.h:
1574         * wasm/WASMFormat.h:
1575         * wasm/WASMFunctionParser.h:
1576         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1577         (JSC::WASM::FunctionParser<Context>::parse):
1578         (JSC::WASM::FunctionParser<Context>::parseBlock):
1579         (JSC::WASM::FunctionParser<Context>::parseExpression):
1580         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
1581         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
1582         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
1583         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
1584         * wasm/WASMModuleParser.cpp:
1585         (JSC::WASM::ModuleParser::parse):
1586         (JSC::WASM::ModuleParser::parseFunctionTypes):
1587         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1588         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
1589         (JSC::WASM::WASMModuleParser::parse): Deleted.
1590         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
1591         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
1592         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
1593         * wasm/WASMModuleParser.h:
1594         (JSC::WASM::ModuleParser::ModuleParser):
1595         (JSC::WASM::ModuleParser::functionInformation):
1596         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
1597         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
1598         * wasm/WASMOps.h:
1599         * wasm/WASMParser.h:
1600         (JSC::WASM::Parser::Parser):
1601         (JSC::WASM::Parser::consumeCharacter):
1602         (JSC::WASM::Parser::consumeString):
1603         (JSC::WASM::Parser::parseUInt32):
1604         (JSC::WASM::Parser::parseUInt7):
1605         (JSC::WASM::Parser::parseVarUInt1):
1606         (JSC::WASM::Parser::parseValueType):
1607         (JSC::WASM::WASMParser::WASMParser): Deleted.
1608         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
1609         (JSC::WASM::WASMParser::consumeString): Deleted.
1610         (JSC::WASM::WASMParser::parseUInt32): Deleted.
1611         (JSC::WASM::WASMParser::parseUInt7): Deleted.
1612         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
1613         (JSC::WASM::WASMParser::parseValueType): Deleted.
1614         * wasm/WASMPlan.cpp:
1615         (JSC::WASM::Plan::Plan):
1616         * wasm/WASMSections.cpp:
1617         (JSC::WASM::Sections::lookup):
1618         (JSC::WASM::WASMSections::lookup): Deleted.
1619         * wasm/WASMSections.h:
1620         (JSC::WASM::Sections::validateOrder):
1621         (JSC::WASM::WASMSections::validateOrder): Deleted.
1622
1623 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
1624
1625         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
1626         https://bugs.webkit.org/show_bug.cgi?id=161492
1627
1628         Reviewed by Mark Lam.
1629         
1630         If you materialize a sunken object that is referenced from another sunken object, then you
1631         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
1632         object rather than to the old sunken one.
1633         
1634         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
1635         did it when the PromotedLocationDescriptor for the field used for referring to the other
1636         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
1637         I can sort of imagine why we thought that would be right - neededForMaterialization() means
1638         it's a special meta-data field initialized on construction. But just because it's immutable
1639         and special doesn't mean that materialization can't change its physical representation.
1640         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
1641         regress anything.
1642
1643         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1644
1645 2016-09-01  Chris Dumez  <cdumez@apple.com>
1646
1647         Unreviewed, rolling out r205297.
1648
1649         Caused some JSC test failures
1650
1651         Reverted changeset:
1652
1653         "Align cross-origin proto getter / setter behavior with the
1654         specification"
1655         https://bugs.webkit.org/show_bug.cgi?id=161455
1656         http://trac.webkit.org/changeset/205297
1657
1658 2016-09-01  Chris Dumez  <cdumez@apple.com>
1659
1660         Align cross-origin proto getter / setter behavior with the specification
1661         https://bugs.webkit.org/show_bug.cgi?id=161455
1662
1663         Reviewed by Mark Lam.
1664
1665         Align cross-origin proto getter / setter behavior with the specification:
1666
1667         The setter should throw a TypeError:
1668         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
1669         - https://html.spec.whatwg.org/#location-setprototypeof
1670         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
1671
1672         The getter should return null:
1673         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
1674         - https://html.spec.whatwg.org/#location-getprototypeof
1675
1676         I have verified that this aligns our behavior with Firefox and Chrome.
1677
1678         * runtime/JSGlobalObjectFunctions.cpp:
1679         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1680         (JSC::globalFuncProtoSetter):
1681
1682 2016-09-01  Csaba Osztrogonác  <ossy@webkit.org>
1683
1684         Unreviewed ARM buildfix after r205283.
1685
1686         * assembler/ARMAssembler.h:
1687         (JSC::ARMAssembler::patchableJumpSize):
1688         * assembler/MacroAssemblerARM.h:
1689         (JSC::MacroAssemblerARM::patchableJumpSize):
1690
1691 2016-09-01  Saam Barati  <sbarati@apple.com>
1692
1693         JITMathIC was misusing maxJumpReplacementSize
1694         https://bugs.webkit.org/show_bug.cgi?id=161356
1695         <rdar://problem/28065560>
1696
1697         Reviewed by Benjamin Poulain.
1698
1699         JITMathIC was assuming that maxJumpReplacementSize is the size
1700         you'd get if you emitted a patchableJump() using the macro assembler.
1701         This is not true, however. It happens to be true on arm64, x86 and x86-64,
1702         but it is not true on armv7. This patch introduces an alternative to
1703         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
1704         to use that number instead.
1705
1706         * assembler/ARM64Assembler.h:
1707         (JSC::ARM64Assembler::patchableJumpSize):
1708         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
1709         * assembler/ARMv7Assembler.h:
1710         (JSC::ARMv7Assembler::patchableJumpSize):
1711         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
1712         * assembler/MacroAssemblerARM64.h:
1713         (JSC::MacroAssemblerARM64::patchableJumpSize):
1714         * assembler/MacroAssemblerARMv7.h:
1715         (JSC::MacroAssemblerARMv7::patchableJumpSize):
1716         * assembler/MacroAssemblerX86Common.h:
1717         (JSC::MacroAssemblerX86Common::patchableJumpSize):
1718         * assembler/X86Assembler.h:
1719         (JSC::X86Assembler::patchableJumpSize):
1720         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
1721         * jit/JITMathIC.h:
1722         (JSC::JITMathIC::generateInline):
1723
1724 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1725
1726         [JSC] Add initiator parameter to module pipeline
1727         https://bugs.webkit.org/show_bug.cgi?id=161470
1728
1729         Reviewed by Saam Barati.
1730
1731         The fetching semantics of the <script type="module"> tag have a per-module-tag context.
1732         For example, the "nonce", "crossorigin", etc. attributes are shared by the fetching requests
1733         issued from the module tag. To transfer this information, we add a new parameter "initiator"
1734         to the module loader pipeline. We are planning to transfer information through this parameter.
1735
1736         At the same time, we also perform some clean up.
1737
1738         - Use arrow function in ModuleLoaderPrototype.js.
1739         - Rename "ResolveDependencies" to "Satisfy" to align with the loader spec.
1740
1741         * builtins/ModuleLoaderPrototype.js:
1742         (newRegistryEntry):
1743         (commitInstantiated):
1744         (requestFetch):
1745         (requestTranslate):
1746         (requestInstantiate):
1747         (requestSatisfy):
1748         (requestInstantiateAll):
1749         (requestLink):
1750         (moduleEvaluation):
1751         (provide):
1752         (loadAndEvaluateModule):
1753         (requestResolveDependencies.): Deleted.
1754         (requestResolveDependencies): Deleted.
1755         (requestReady): Deleted.
1756         (link): Deleted.
1757         (loadModule): Deleted.
1758         (linkAndEvaluateModule): Deleted.
1759         * bytecode/BytecodeIntrinsicRegistry.cpp:
1760         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1761         * bytecode/BytecodeIntrinsicRegistry.h:
1762         * jsc.cpp:
1763         (GlobalObject::moduleLoaderResolve):
1764         (GlobalObject::moduleLoaderFetch):
1765         * runtime/Completion.cpp:
1766         (JSC::loadAndEvaluateModule):
1767         (JSC::loadModule):
1768         (JSC::linkAndEvaluateModule):
1769         * runtime/Completion.h:
1770         * runtime/JSGlobalObject.h:
1771         * runtime/JSModuleLoader.cpp:
1772         (JSC::JSModuleLoader::loadAndEvaluateModule):
1773         (JSC::JSModuleLoader::loadModule):
1774         (JSC::JSModuleLoader::linkAndEvaluateModule):
1775         (JSC::JSModuleLoader::resolve):
1776         (JSC::JSModuleLoader::fetch):
1777         (JSC::JSModuleLoader::translate):
1778         (JSC::JSModuleLoader::instantiate):
1779         (JSC::JSModuleLoader::evaluate):
1780         * runtime/JSModuleLoader.h:
1781         * runtime/ModuleLoaderPrototype.cpp:
1782         (JSC::moduleLoaderPrototypeResolve):
1783         (JSC::moduleLoaderPrototypeFetch):
1784         (JSC::moduleLoaderPrototypeTranslate):
1785         (JSC::moduleLoaderPrototypeInstantiate):
1786         (JSC::moduleLoaderPrototypeEvaluate):
1787
1788 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1789
1790         [JSC] linking and evaluating the modules are done in a sync manner
1791         https://bugs.webkit.org/show_bug.cgi?id=161467
1792
1793         Reviewed by Saam Barati.
1794
1795         While the fetching and the other stages are done in an asynchronous manner,
1796         linking and evaluating are done in a sync manner.
1797         Just return the result value and do not wrap them with the internal promise.
1798
1799         * builtins/ModuleLoaderPrototype.js:
1800         (linkAndEvaluateModule):
1801         * runtime/Completion.cpp:
1802         (JSC::linkAndEvaluateModule):
1803         * runtime/Completion.h:
1804         * runtime/JSModuleLoader.cpp:
1805         (JSC::JSModuleLoader::linkAndEvaluateModule):
1806         * runtime/JSModuleLoader.h:
1807
1808 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1809
1810         stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
1811         https://bugs.webkit.org/show_bug.cgi?id=161436
1812
1813         Reviewed by Filip Pizlo.
1814
1815         * jsc.cpp:
1816         (GlobalObject::finishCreation):
1817         (functionGetRandomSeed):
1818         (functionSetRandomSeed):
1819         * runtime/JSGlobalObject.h:
1820         (JSC::JSGlobalObject::weakRandom):
1821         (JSC::JSGlobalObject::weakRandomInteger): Deleted.
1822
1823 2016-08-31  Chris Dumez  <cdumez@apple.com>
1824
1825         Object.getPrototypeOf() should return null cross-origin
1826         https://bugs.webkit.org/show_bug.cgi?id=161393
1827
1828         Reviewed by Geoffrey Garen.
1829
1830         Object.getPrototypeOf() should return null cross-origin:
1831         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
1832         - https://html.spec.whatwg.org/#location-getprototypeof
1833
1834         Firefox and Chrome return null. However, WebKit was returning undefined.
1835
1836         * runtime/ObjectConstructor.cpp:
1837         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1838
1839 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1840
1841         [JSC] AbstractValue can contain padding which is not zero-filled
1842         https://bugs.webkit.org/show_bug.cgi?id=161427
1843
1844         Reviewed by Saam Barati.
1845
1846         We checked that AbstractValue is zero-filled when initializing it to ensure
1847         that zero-filled memory can be used as the initialized AbstractValue.
1848         However, since the size of SpeculatedType became 64-bit, AbstractValue can have
1849         padding now, and this padding is not guaranteed to be initialized with zeros.
1850         So the debug assertion fails when building with GCC.
1851
1852         This patch changes the strategy. Instead of checking that the initialized
1853         AbstractValue is zero-filled, we ensure that a zero-filled AbstractValue can be
1854         considered equal to the initialized AbstractValue.
1855
1856         * dfg/DFGAbstractValue.cpp:
1857         (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
1858         * dfg/DFGAbstractValue.h:
1859         (JSC::DFG::AbstractValue::AbstractValue):
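
        The padding problem above, as an added illustration that is not JSC's code: AbstractValueLike is a hypothetical stand-in for AbstractValue, isZeroFilledBytes() models the old byte-wise zero check, and canInitializeWithZeros() models the replacement strategy of comparing zero-filled memory against a default-constructed object with the type's own operator==.

```cpp
#include <cstdint>
#include <cstring>
#include <new>

// Hypothetical stand-in for JSC's AbstractValue (not the project's code): a
// 64-bit type word followed by a 1-byte flag leaves trailing padding bytes.
struct AbstractValueLike {
    uint64_t type;      // analogous to a 64-bit SpeculatedType
    uint8_t  hasValue;  // trailing padding follows; its contents are never promised

    // User-provided constructor: initialises the members and nothing else,
    // so value-initialisation does not zero the padding for us.
    AbstractValueLike() : type(0), hasValue(0) {}

    bool operator==(const AbstractValueLike& other) const
    {
        // Field-wise comparison ignores padding by construction.
        return type == other.type && hasValue == other.hasValue;
    }
};

// Old strategy: assert that a freshly initialised object is all-zero bytes.
// Member initialisers never touch padding, so the result depends on whatever
// the storage held before construction.
bool isZeroFilledBytes(const AbstractValueLike& v)
{
    unsigned char zeros[sizeof(AbstractValueLike)] = {};
    return std::memcmp(&v, zeros, sizeof(AbstractValueLike)) == 0;
}

// New strategy (what the entry's ensureCanInitializeWithZeros() guarantees):
// treat zero-filled memory as an AbstractValueLike and require it to compare
// equal to a default-constructed one using the type's own operator==.
bool canInitializeWithZeros()
{
    unsigned char zeros[sizeof(AbstractValueLike)] = {};
    AbstractValueLike fromZeros;
    std::memcpy(&fromZeros, zeros, sizeof(fromZeros));  // bytes -> object, no aliasing games
    return fromZeros == AbstractValueLike();
}

// Construct in storage deliberately pre-filled with 0xAA, the situation the
// old check silently depended on. Returns the old check's verdict, which is
// unspecified (typically false) and is exactly why the check was replaced.
bool oldCheckOnDirtyStorage()
{
    alignas(AbstractValueLike) unsigned char storage[sizeof(AbstractValueLike)];
    std::memset(storage, 0xAA, sizeof(storage));
    AbstractValueLike* v = new (storage) AbstractValueLike();  // members set, padding untouched
    bool result = isZeroFilledBytes(*v);
    v->~AbstractValueLike();
    return result;
}

// The new equality check holds regardless of what the padding contains.
bool newCheckOnDirtyStorage()
{
    alignas(AbstractValueLike) unsigned char storage[sizeof(AbstractValueLike)];
    std::memset(storage, 0xAA, sizeof(storage));
    AbstractValueLike* v = new (storage) AbstractValueLike();
    bool result = (*v == AbstractValueLike());
    v->~AbstractValueLike();
    return result;
}
```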
1860
1861 2016-08-31  Brady Eidson  <beidson@apple.com>
1862
1863         WK2 Gamepad provider on iOS.
1864         https://bugs.webkit.org/show_bug.cgi?id=161412
1865
1866         Reviewed by Tim Horton.
1867
1868         * Configurations/FeatureDefines.xcconfig:
1869
1870 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
1871
1872         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
1873         https://bugs.webkit.org/show_bug.cgi?id=161410
1874
1875         Reviewed by Geoffrey Garen.
1876
1877         * dfg/DFGFixupPhase.cpp:
1878         (JSC::DFG::FixupPhase::fixupNode):
1879         DoubleRep is able to convert numbers, undefined, booleans and null.
1880         I was too pessimistic when I gated the double implementations
1881         on number-or-boolean speculation. We can just let DoubleRep convert
1882         the other cases as long as it is not a Cell.
1883
1884 2016-08-30  Chris Dumez  <cdumez@apple.com>
1885
1886         Unreviewed, fix build after r205205.
1887
1888         * runtime/ObjectConstructor.cpp:
1889         (JSC::objectConstructorSetPrototypeOf):
1890
1891 2016-08-30  Chris Dumez  <cdumez@apple.com>
1892
1893         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
1894         https://bugs.webkit.org/show_bug.cgi?id=161396
1895
1896         Reviewed by Ryosuke Niwa.
1897
1898         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
1899         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
1900         - https://html.spec.whatwg.org/#location-setprototypeof
1901         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
1902
1903         Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
1904
1905         Note that technically, we should also throw in the same-origin case.
1906         However, not all browsers agree on this yet, so I haven't changed
1907         the behavior for the same-origin case.
1908
1909         * runtime/ObjectConstructor.cpp:
1910         (JSC::objectConstructorSetPrototypeOf):
1911
1912 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
1913
1914         [JSC] Clean up the remaining compare nodes in FTLCapabilities
1915         https://bugs.webkit.org/show_bug.cgi?id=161400
1916
1917         Reviewed by Geoffrey Garen.
1918
1919         It looks like we implemented all the cases without realizing it.
1920
1921         * ftl/FTLCapabilities.cpp:
1922         (JSC::FTL::canCompile):
1923         * ftl/FTLLowerDFGToB3.cpp:
1924         (JSC::FTL::DFG::LowerDFGToB3::compare):
1925
1926 2016-08-30  Mark Lam  <mark.lam@apple.com>
1927
1928         Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
1929         https://bugs.webkit.org/show_bug.cgi?id=161171
1930
1931         Reviewed by Filip Pizlo and Geoffrey Garen.
1932
1933         This is the first step towards having a mechanism (using the ThrowScope) to
1934         verify that we're properly checking for exceptions in all the needed places.
1935         See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.
1936
1937         This patch only introduces the ThrowScope, and changes all throw sites to throw
1938         using a ThrowScope instance.  VM::throwException() functions are now private, and
1939         cannot be accessed directly.  All throws must now go through a ThrowScope.
1940
1941         Verification is disabled for the moment until we can fix all the verification
1942         failures that will show up.
1943
1944         I also did a smoke test of the ThrowScope mechanisms by running verification on
1945         the JSTests/stress/op-add-exceptions.js test with a local build with verification
1946         turned on.
1947
1948         Performance is neutral on aggregate with this patch.
1949
1950         Misc other changes:
1951         - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
1952         - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.
1953
1954         * API/APICallbackFunction.h:
1955         (JSC::APICallbackFunction::call):
1956         (JSC::APICallbackFunction::construct):
1957         * API/JSCallbackObjectFunctions.h:
1958         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
1959         (JSC::JSCallbackObject<Parent>::defaultValue):
1960         (JSC::JSCallbackObject<Parent>::put):
1961         (JSC::JSCallbackObject<Parent>::putByIndex):
1962         (JSC::JSCallbackObject<Parent>::deleteProperty):
1963         (JSC::JSCallbackObject<Parent>::construct):
1964         (JSC::JSCallbackObject<Parent>::customHasInstance):
1965         (JSC::JSCallbackObject<Parent>::call):
1966         (JSC::JSCallbackObject<Parent>::getStaticValue):
1967         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1968         (JSC::JSCallbackObject<Parent>::callbackGetter):
1969         * API/JSTypedArray.cpp:
1970         (createTypedArray):
1971         * CMakeLists.txt:
1972         * JavaScriptCore.xcodeproj/project.pbxproj:
1973         * dfg/DFGOperations.cpp:
1974         (JSC::DFG::newTypedArrayWithSize):
1975         * inspector/JSInjectedScriptHost.cpp:
1976         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1977         * inspector/JSInjectedScriptHostPrototype.cpp:
1978         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
1979         (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
1980         (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
1981         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
1982         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
1983         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
1984         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
1985         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
1986         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
1987         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
1988         (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
1989         (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
1990         * inspector/JSJavaScriptCallFrame.cpp:
1991         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1992         * inspector/JSJavaScriptCallFramePrototype.cpp:
1993         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
1994         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
1995         (Inspector::jsJavaScriptCallFrameAttributeCaller):
1996         (Inspector::jsJavaScriptCallFrameAttributeSourceID):
1997         (Inspector::jsJavaScriptCallFrameAttributeLine):
1998         (Inspector::jsJavaScriptCallFrameAttributeColumn):
1999         (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
2000         (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
2001         (Inspector::jsJavaScriptCallFrameAttributeThisObject):
2002         (Inspector::jsJavaScriptCallFrameAttributeType):
2003         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
2004         * interpreter/CachedCall.h:
2005         (JSC::CachedCall::CachedCall):
2006         * interpreter/Interpreter.cpp:
2007         (JSC::eval):
2008         (JSC::sizeOfVarargs):
2009         (JSC::sizeFrameForForwardArguments):
2010         (JSC::sizeFrameForVarargs):
2011         (JSC::Interpreter::execute):
2012         (JSC::Interpreter::executeCall):
2013         (JSC::Interpreter::executeConstruct):
2014         (JSC::Interpreter::prepareForRepeatCall):
2015         * jit/JITOperations.cpp:
2016         * jsc.cpp:
2017         (WTF::CustomGetter::customGetter):
2018         (WTF::RuntimeArray::lengthGetter):
2019         (functionCreateElement):
2020         (functionRun):
2021         (functionRunString):
2022         (functionLoad):
2023         (functionLoadString):
2024         (functionReadFile):
2025         (functionCheckSyntax):
2026         (functionTransferArrayBuffer):
2027         (functionLoadModule):
2028         (functionCheckModuleSyntax):
2029         (functionSamplingProfilerStackTraces):
2030         * llint/LLIntSlowPaths.cpp:
2031         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2032         (JSC::LLInt::getByVal):
2033         (JSC::LLInt::handleHostCall):
2034         (JSC::LLInt::setUpCall):
2035         (JSC::LLInt::llint_throw_stack_overflow_error):
2036         * runtime/ArrayConstructor.cpp:
2037         (JSC::constructArrayWithSizeQuirk):
2038         * runtime/ArrayConstructor.h:
2039         (JSC::isArray):
2040         * runtime/ArrayPrototype.cpp:
2041         (JSC::shift):
2042         (JSC::unshift):
2043         (JSC::arrayProtoFuncToString):
2044         (JSC::arrayProtoFuncPop):
2045         (JSC::arrayProtoFuncReverse):
2046         (JSC::arrayProtoFuncSplice):
2047         (JSC::concatAppendOne):
2048         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2049         * runtime/BooleanPrototype.cpp:
2050         (JSC::booleanProtoFuncToString):
2051         (JSC::booleanProtoFuncValueOf):
2052         * runtime/CommonSlowPaths.cpp:
2053         * runtime/CommonSlowPaths.h:
2054         (JSC::CommonSlowPaths::opIn):
2055         * runtime/CommonSlowPathsExceptions.cpp:
2056         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2057         * runtime/ConstructData.cpp:
2058         (JSC::construct):
2059         * runtime/DatePrototype.cpp:
2060         (JSC::formateDateInstance):
2061         (JSC::dateProtoFuncToISOString):
2062         (JSC::dateProtoFuncToLocaleString):
2063         (JSC::dateProtoFuncToLocaleDateString):
2064         (JSC::dateProtoFuncToLocaleTimeString):
2065         (JSC::dateProtoFuncToPrimitiveSymbol):
2066         (JSC::dateProtoFuncGetTime):
2067         (JSC::dateProtoFuncGetFullYear):
2068         (JSC::dateProtoFuncGetUTCFullYear):
2069         (JSC::dateProtoFuncGetMonth):
2070         (JSC::dateProtoFuncGetUTCMonth):
2071         (JSC::dateProtoFuncGetDate):
2072         (JSC::dateProtoFuncGetUTCDate):
2073         (JSC::dateProtoFuncGetDay):
2074         (JSC::dateProtoFuncGetUTCDay):
2075         (JSC::dateProtoFuncGetHours):
2076         (JSC::dateProtoFuncGetUTCHours):
2077         (JSC::dateProtoFuncGetMinutes):
2078         (JSC::dateProtoFuncGetUTCMinutes):
2079         (JSC::dateProtoFuncGetSeconds):
2080         (JSC::dateProtoFuncGetUTCSeconds):
2081         (JSC::dateProtoFuncGetMilliSeconds):
2082         (JSC::dateProtoFuncGetUTCMilliseconds):
2083         (JSC::dateProtoFuncGetTimezoneOffset):
2084         (JSC::dateProtoFuncSetTime):
2085         (JSC::setNewValueFromTimeArgs):
2086         (JSC::setNewValueFromDateArgs):
2087         (JSC::dateProtoFuncSetYear):
2088         (JSC::dateProtoFuncGetYear):
2089         (JSC::dateProtoFuncToJSON):
2090         * runtime/Error.cpp:
2091         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2092         (JSC::throwTypeError):
2093         (JSC::throwSyntaxError):
2094         * runtime/Error.h:
2095         (JSC::throwRangeError):
2096         (JSC::throwVMError):
2097         (JSC::throwVMTypeError):
2098         (JSC::throwVMRangeError):
2099         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2100         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2101         * runtime/ErrorPrototype.cpp:
2102         (JSC::errorProtoFuncToString):
2103         * runtime/ExceptionFuzz.cpp:
2104         (JSC::doExceptionFuzzing):
2105         * runtime/ExceptionHelpers.cpp:
2106         (JSC::throwOutOfMemoryError):
2107         (JSC::throwStackOverflowError):
2108         (JSC::throwTerminatedExecutionException):
2109         * runtime/ExceptionHelpers.h:
2110         * runtime/Executable.cpp:
2111         (JSC::ScriptExecutable::newCodeBlockFor):
2112         (JSC::EvalExecutable::create):
2113         * runtime/FunctionConstructor.cpp:
2114         (JSC::constructFunction):
2115         (JSC::constructFunctionSkippingEvalEnabledCheck):
2116         * runtime/FunctionPrototype.cpp:
2117         (JSC::functionProtoFuncToString):
2118         (JSC::functionProtoFuncBind):
2119         * runtime/GetterSetter.cpp:
2120         (JSC::callSetter):
2121         * runtime/IntlCollator.cpp:
2122         (JSC::IntlCollator::compareStrings):
2123         * runtime/IntlCollatorPrototype.cpp:
2124         (JSC::IntlCollatorPrototypeGetterCompare):
2125         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2126         * runtime/IntlDateTimeFormat.cpp:
2127         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2128         (JSC::IntlDateTimeFormat::format):
2129         * runtime/IntlDateTimeFormatPrototype.cpp:
2130         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2131         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2132         * runtime/IntlNumberFormat.cpp:
2133         (JSC::IntlNumberFormat::initializeNumberFormat):
2134         (JSC::IntlNumberFormat::formatNumber):
2135         * runtime/IntlNumberFormatPrototype.cpp:
2136         (JSC::IntlNumberFormatPrototypeGetterFormat):
2137         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2138         * runtime/IntlObject.cpp:
2139         (JSC::intlStringOption):
2140         (JSC::intlNumberOption):
2141         (JSC::canonicalizeLocaleList):
2142         (JSC::lookupSupportedLocales):
2143         * runtime/IteratorOperations.cpp:
2144         (JSC::iteratorNext):
2145         (JSC::iteratorClose):
2146         (JSC::createIteratorResultObject):
2147         (JSC::iteratorForIterable):
2148         * runtime/JSArray.cpp:
2149         (JSC::JSArray::defineOwnProperty):
2150         (JSC::JSArray::put):
2151         (JSC::JSArray::appendMemcpy):
2152         (JSC::JSArray::setLength):
2153         (JSC::JSArray::pop):
2154         (JSC::JSArray::push):
2155         (JSC::JSArray::unshiftCountWithArrayStorage):
2156         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2157         * runtime/JSArrayBufferConstructor.cpp:
2158         (JSC::constructArrayBuffer):
2159         (JSC::callArrayBuffer):
2160         * runtime/JSArrayBufferPrototype.cpp:
2161         (JSC::arrayBufferProtoFuncSlice):
2162         * runtime/JSCInlines.h:
2163         * runtime/JSCJSValue.cpp:
2164         (JSC::JSValue::toObjectSlowCase):
2165         (JSC::JSValue::synthesizePrototype):
2166         (JSC::JSValue::putToPrimitive):
2167         (JSC::JSValue::putToPrimitiveByIndex):
2168         (JSC::JSValue::toStringSlowCase):
2169         * runtime/JSCJSValueInlines.h:
2170         (JSC::toPreferredPrimitiveType):
2171         (JSC::JSValue::requireObjectCoercible):
2172         * runtime/JSDataView.cpp:
2173         (JSC::JSDataView::create):
2174         * runtime/JSDataViewPrototype.cpp:
2175         (JSC::getData):
2176         (JSC::setData):
2177         (JSC::dataViewProtoGetterBuffer):
2178         (JSC::dataViewProtoGetterByteLength):
2179         (JSC::dataViewProtoGetterByteOffset):
2180         * runtime/JSFunction.cpp:
2181         (JSC::callHostFunctionAsConstructor):
2182         (JSC::JSFunction::callerGetter):
2183         (JSC::JSFunction::put):
2184         (JSC::JSFunction::defineOwnProperty):
2185         * runtime/JSGenericTypedArrayView.h:
2186         (JSC::JSGenericTypedArrayView::setIndex):
2187         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2188         (JSC::constructGenericTypedArrayViewFromIterator):
2189         (JSC::constructGenericTypedArrayViewWithArguments):
2190         (JSC::constructGenericTypedArrayView):
2191         (JSC::callGenericTypedArrayView):
2192         * runtime/JSGenericTypedArrayViewInlines.h:
2193         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2194         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2195         (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
2196         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
2197         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2198         (JSC::speciesConstruct):
2199         (JSC::genericTypedArrayViewProtoFuncSet):
2200         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2201         (JSC::genericTypedArrayViewProtoFuncIncludes):
2202         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2203         (JSC::genericTypedArrayViewProtoFuncJoin):
2204         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2205         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
2206         (JSC::genericTypedArrayViewProtoGetterFuncLength):
2207         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
2208         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
2209         (JSC::genericTypedArrayViewProtoFuncReverse):
2210         (JSC::genericTypedArrayViewPrivateFuncSort):
2211         (JSC::genericTypedArrayViewProtoFuncSlice):
2212         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2213         * runtime/JSGlobalObject.cpp:
2214         (JSC::JSGlobalObject::createEvalCodeBlock):
2215         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2216         * runtime/JSGlobalObjectFunctions.cpp:
2217         (JSC::encode):
2218         (JSC::decode):
2219         (JSC::globalFuncEval):
2220         (JSC::globalFuncThrowTypeError):
2221         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
2222         (JSC::globalFuncProtoGetter):
2223         (JSC::globalFuncProtoSetter):
2224         * runtime/JSModuleEnvironment.cpp:
2225         (JSC::JSModuleEnvironment::put):
2226         * runtime/JSModuleNamespaceObject.cpp:
2227         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2228         (JSC::JSModuleNamespaceObject::put):
2229         (JSC::JSModuleNamespaceObject::putByIndex):
2230         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2231         (JSC::moduleNamespaceObjectSymbolIterator):
2232         * runtime/JSModuleRecord.cpp:
2233         (JSC::JSModuleRecord::getModuleNamespace):
2234         (JSC::JSModuleRecord::link):
2235         (JSC::JSModuleRecord::instantiateDeclarations):
2236         * runtime/JSONObject.cpp:
2237         (JSC::Stringifier::appendStringifiedValue):
2238         (JSC::Walker::walk):
2239         (JSC::JSONProtoFuncParse):
2240         (JSC::JSONProtoFuncStringify):
2241         * runtime/JSObject.cpp:
2242         (JSC::JSObject::setPrototypeWithCycleCheck):
2243         (JSC::callToPrimitiveFunction):
2244         (JSC::JSObject::ordinaryToPrimitive):
2245         (JSC::JSObject::hasInstance):
2246         (JSC::JSObject::defaultHasInstance):
2247         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2248         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2249         (JSC::validateAndApplyPropertyDescriptor):
2250         (JSC::JSObject::getMethod):
2251         * runtime/JSObject.h:
2252         (JSC::createListFromArrayLike): Deleted.
2253         * runtime/JSObjectInlines.h:
2254         (JSC::createListFromArrayLike):
2255         (JSC::JSObject::putInline):
2256         * runtime/JSPromiseConstructor.cpp:
2257         (JSC::constructPromise):
2258         (JSC::callPromise):
2259         * runtime/JSPropertyNameIterator.cpp:
2260         (JSC::propertyNameIteratorFuncNext):
2261         * runtime/JSString.cpp:
2262         (JSC::JSRopeString::outOfMemory):
2263         * runtime/JSStringBuilder.h:
2264         (JSC::JSStringBuilder::build):
2265         (JSC::jsMakeNontrivialString):
2266         * runtime/JSStringJoiner.cpp:
2267         (JSC::JSStringJoiner::joinedLength):
2268         (JSC::JSStringJoiner::join):
2269         * runtime/JSStringJoiner.h:
2270         (JSC::JSStringJoiner::JSStringJoiner):
2271         * runtime/JSSymbolTableObject.h:
2272         (JSC::symbolTablePut):
2273         * runtime/JSTypedArrayViewConstructor.cpp:
2274         (JSC::constructTypedArrayView):
2275         * runtime/JSTypedArrayViewPrototype.cpp:
2276         (JSC::typedArrayViewPrivateFuncLength):
2277         (JSC::typedArrayViewPrivateFuncSort):
2278         (JSC::typedArrayViewProtoFuncSet):
2279         (JSC::typedArrayViewProtoFuncCopyWithin):
2280         (JSC::typedArrayViewProtoFuncIncludes):
2281         (JSC::typedArrayViewProtoFuncLastIndexOf):
2282         (JSC::typedArrayViewProtoFuncIndexOf):
2283         (JSC::typedArrayViewProtoFuncJoin):
2284         (JSC::typedArrayViewProtoGetterFuncBuffer):
2285         (JSC::typedArrayViewProtoGetterFuncLength):
2286         (JSC::typedArrayViewProtoGetterFuncByteLength):
2287         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2288         (JSC::typedArrayViewProtoFuncReverse):
2289         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2290         (JSC::typedArrayViewProtoFuncSlice):
2291         * runtime/MapConstructor.cpp:
2292         (JSC::callMap):
2293         (JSC::constructMap):
2294         * runtime/MapDataInlines.h:
2295         (JSC::JSIterator>::ensureSpaceForAppend):
2296         * runtime/MapIteratorPrototype.cpp:
2297         (JSC::MapIteratorPrototypeFuncNext):
2298         * runtime/MapPrototype.cpp:
2299         (JSC::getMap):
2300         (JSC::mapProtoFuncValues):
2301         (JSC::mapProtoFuncEntries):
2302         (JSC::mapProtoFuncKeys):
2303         * runtime/ModuleLoaderPrototype.cpp:
2304         (JSC::moduleLoaderPrototypeParseModule):
2305         * runtime/NullSetterFunction.cpp:
2306         (JSC::callReturnUndefined):
2307         * runtime/NumberPrototype.cpp:
2308         (JSC::numberProtoFuncToExponential):
2309         (JSC::numberProtoFuncToFixed):
2310         (JSC::numberProtoFuncToPrecision):
2311         (JSC::numberProtoFuncToString):
2312         (JSC::numberProtoFuncToLocaleString):
2313         (JSC::numberProtoFuncValueOf):
2314         * runtime/ObjectConstructor.cpp:
2315         (JSC::objectConstructorSetPrototypeOf):
2316         (JSC::toPropertyDescriptor):
2317         (JSC::objectConstructorDefineProperty):
2318         (JSC::objectConstructorDefineProperties):
2319         (JSC::objectConstructorCreate):
2320         * runtime/ObjectPrototype.cpp:
2321         (JSC::objectProtoFuncDefineGetter):
2322         (JSC::objectProtoFuncDefineSetter):
2323         (JSC::objectProtoFuncToString):
2324         * runtime/Operations.h:
2325         (JSC::jsString):
2326         (JSC::jsStringFromRegisterArray):
2327         (JSC::jsStringFromArguments):
2328         * runtime/ProxyConstructor.cpp:
2329         (JSC::makeRevocableProxy):
2330         (JSC::proxyRevocableConstructorThrowError):
2331         (JSC::constructProxyObject):
2332         (JSC::callProxy):
2333         * runtime/ProxyObject.cpp:
2334         (JSC::ProxyObject::finishCreation):
2335         (JSC::performProxyGet):
2336         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2337         (JSC::ProxyObject::performHasProperty):
2338         (JSC::ProxyObject::getOwnPropertySlotCommon):
2339         (JSC::ProxyObject::performPut):
2340         (JSC::performProxyCall):
2341         (JSC::performProxyConstruct):
2342         (JSC::ProxyObject::performDelete):
2343         (JSC::ProxyObject::performPreventExtensions):
2344         (JSC::ProxyObject::performIsExtensible):
2345         (JSC::ProxyObject::performDefineOwnProperty):
2346         (JSC::ProxyObject::performGetOwnPropertyNames):
2347         (JSC::ProxyObject::performSetPrototype):
2348         (JSC::ProxyObject::performGetPrototype):
2349         * runtime/ReflectObject.cpp:
2350         (JSC::reflectObjectConstruct):
2351         (JSC::reflectObjectDefineProperty):
2352         (JSC::reflectObjectEnumerate):
2353         (JSC::reflectObjectGet):
2354         (JSC::reflectObjectGetOwnPropertyDescriptor):
2355         (JSC::reflectObjectGetPrototypeOf):
2356         (JSC::reflectObjectIsExtensible):
2357         (JSC::reflectObjectOwnKeys):
2358         (JSC::reflectObjectPreventExtensions):
2359         (JSC::reflectObjectSet):
2360         (JSC::reflectObjectSetPrototypeOf):
2361         * runtime/RegExpConstructor.cpp:
2362         (JSC::toFlags):
2363         (JSC::regExpCreate):
2364         * runtime/RegExpObject.cpp:
2365         (JSC::collectMatches):
2366         * runtime/RegExpObject.h:
2367         (JSC::RegExpObject::setLastIndex):
2368         * runtime/RegExpPrototype.cpp:
2369         (JSC::regExpProtoFuncTestFast):
2370         (JSC::regExpProtoFuncExec):
2371         (JSC::regExpProtoFuncMatchFast):
2372         (JSC::regExpProtoFuncCompile):
2373         (JSC::regExpProtoFuncToString):
2374         (JSC::regExpProtoGetterGlobal):
2375         (JSC::regExpProtoGetterIgnoreCase):
2376         (JSC::regExpProtoGetterMultiline):
2377         (JSC::regExpProtoGetterSticky):
2378         (JSC::regExpProtoGetterUnicode):
2379         (JSC::regExpProtoGetterFlags):
2380         (JSC::regExpProtoGetterSource):
2381         (JSC::regExpProtoFuncSplitFast):
2382         * runtime/Reject.h:
2383         (JSC::reject):
2384         * runtime/SetConstructor.cpp:
2385         (JSC::callSet):
2386         (JSC::constructSet):
2387         * runtime/SetIteratorPrototype.cpp:
2388         (JSC::SetIteratorPrototypeFuncNext):
2389         * runtime/SetPrototype.cpp:
2390         (JSC::getSet):
2391         (JSC::setProtoFuncValues):
2392         (JSC::setProtoFuncEntries):
2393         * runtime/SparseArrayValueMap.cpp:
2394         (JSC::SparseArrayValueMap::putEntry):
2395         (JSC::SparseArrayEntry::put):
2396         * runtime/StringConstructor.cpp:
2397         (JSC::stringFromCodePoint):
2398         * runtime/StringObject.cpp:
2399         (JSC::StringObject::put):
2400         (JSC::StringObject::putByIndex):
2401         * runtime/StringPrototype.cpp:
2402         (JSC::jsSpliceSubstrings):
2403         (JSC::jsSpliceSubstringsWithSeparators):
2404         (JSC::repeatCharacter):
2405         (JSC::replace):
2406         (JSC::stringProtoFuncToString):
2407         (JSC::stringProtoFuncCharAt):
2408         (JSC::stringProtoFuncCharCodeAt):
2409         (JSC::stringProtoFuncCodePointAt):
2410         (JSC::stringProtoFuncConcat):
2411         (JSC::stringProtoFuncIndexOf):
2412         (JSC::stringProtoFuncLastIndexOf):
2413         (JSC::stringProtoFuncSlice):
2414         (JSC::stringProtoFuncSubstr):
2415         (JSC::stringProtoFuncSubstring):
2416         (JSC::stringProtoFuncToLowerCase):
2417         (JSC::stringProtoFuncToUpperCase):
2418         (JSC::stringProtoFuncLocaleCompare):
2419         (JSC::toLocaleCase):
2420         (JSC::stringProtoFuncBig):
2421         (JSC::stringProtoFuncSmall):
2422         (JSC::stringProtoFuncBlink):
2423         (JSC::stringProtoFuncBold):
2424         (JSC::stringProtoFuncFixed):
2425         (JSC::stringProtoFuncItalics):
2426         (JSC::stringProtoFuncStrike):
2427         (JSC::stringProtoFuncSub):
2428         (JSC::stringProtoFuncSup):
2429         (JSC::stringProtoFuncFontcolor):
2430         (JSC::stringProtoFuncFontsize):
2431         (JSC::stringProtoFuncAnchor):
2432         (JSC::stringProtoFuncLink):
2433         (JSC::trimString):
2434         (JSC::stringProtoFuncStartsWith):
2435         (JSC::stringProtoFuncEndsWith):
2436         (JSC::stringProtoFuncIncludes):
2437         (JSC::stringProtoFuncIterator):
2438         (JSC::normalize):
2439         (JSC::stringProtoFuncNormalize):
2440         * runtime/StringRecursionChecker.cpp:
2441         (JSC::StringRecursionChecker::throwStackOverflowError):
2442         * runtime/Symbol.cpp:
2443         (JSC::Symbol::toNumber):
2444         * runtime/SymbolConstructor.cpp:
2445         (JSC::symbolConstructorKeyFor):
2446         * runtime/SymbolPrototype.cpp:
2447         (JSC::symbolProtoFuncToString):
2448         (JSC::symbolProtoFuncValueOf):
2449         * runtime/ThrowScope.cpp: Added.
2450         (JSC::ThrowScope::ThrowScope):
2451         (JSC::ThrowScope::~ThrowScope):
2452         (JSC::ThrowScope::throwException):
2453         (JSC::ThrowScope::printIfNeedCheck):
2454         (JSC::ThrowScope::simulateThrow):
2455         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
2456         * runtime/ThrowScope.h: Added.
2457         (JSC::ThrowScope::vm):
2458         (JSC::ThrowScope::exception):
2459         (JSC::ThrowScope::release):
2460         (JSC::ThrowScope::ThrowScope):
2461         (JSC::ThrowScope::throwException):
2462         (JSC::throwException):
2463         * runtime/ThrowScopeLocation.h: Added.
2464         (JSC::ThrowScopeLocation::ThrowScopeLocation):
2465         * runtime/VM.h:
2466         * runtime/VMEntryScope.h:
2467         (JSC::VMEntryScope::vm):
2468         * runtime/WeakMapConstructor.cpp:
2469         (JSC::callWeakMap):
2470         (JSC::constructWeakMap):
2471         * runtime/WeakMapPrototype.cpp:
2472         (JSC::getWeakMapData):
2473         (JSC::protoFuncWeakMapSet):
2474         * runtime/WeakSetConstructor.cpp:
2475         (JSC::callWeakSet):
2476         (JSC::constructWeakSet):
2477         * runtime/WeakSetPrototype.cpp:
2478         (JSC::getWeakMapData):
2479         (JSC::protoFuncWeakSetAdd):
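
        The ThrowScope design described above, as an added sketch that is not JSC's code: a hypothetical VM whose throwException() is private, so every throw must go through a friend RAII ThrowScope, plus a toy version of the verification idea (a throw sets a need-check flag that a scope satisfies via exception() or hands to its caller via release(); the destructor reports a scope that did neither). The class names mirror the entry, but the bookkeeping is an assumption for illustration.

```cpp
#include <cstdio>
#include <string>

class ThrowScope;

// Hypothetical VM: the only way to set a pending exception is through a
// ThrowScope, because throwException() is private and ThrowScope is a friend.
class VM {
public:
    bool hasException() const { return !m_exception.empty(); }
    void clearException() { m_exception.clear(); }
    // Verification bookkeeping: a throw sets the need-check flag; a scope
    // satisfies it by calling exception() or hands it to its caller via release().
    bool needExceptionCheck() const { return m_needExceptionCheck; }
    int verificationFailures() const { return m_verificationFailures; }

private:
    friend class ThrowScope;
    void throwException(const std::string& message)
    {
        m_exception = message;
        m_needExceptionCheck = true;
    }
    std::string m_exception;
    bool m_needExceptionCheck = false;
    int m_verificationFailures = 0;
};

// Hypothetical RAII throw scope: one per function that may throw.
class ThrowScope {
public:
    ThrowScope(VM& vm, const char* site) : m_vm(vm), m_site(site) {}

    ~ThrowScope()
    {
        // Leaving a scope with a throw that was neither checked nor handed off
        // is the bug class the verification is meant to catch.
        if (m_vm.m_needExceptionCheck && !m_released) {
            std::fprintf(stderr, "unchecked exception leaving %s\n", m_site);
            ++m_vm.m_verificationFailures;
            m_vm.m_needExceptionCheck = false;  // report once per site
        }
    }

    void throwException(const std::string& message) { m_vm.throwException(message); }

    // Checking for the exception satisfies the need-check.
    bool exception()
    {
        m_vm.m_needExceptionCheck = false;
        return m_vm.hasException();
    }

    // The calling scope becomes responsible for the check.
    void release() { m_released = true; }

private:
    VM& m_vm;
    const char* m_site;
    bool m_released = false;
};

// A callee that throws and hands the check to its caller.
int divideOrThrow(VM& vm, int a, int b)
{
    ThrowScope scope(vm, "divideOrThrow");
    if (b == 0) {
        scope.throwException("RangeError: division by zero");
        scope.release();
        return 0;
    }
    return a / b;
}

// Good caller: checks immediately after the call that can throw.
int checkedCaller(VM& vm, int a, int b)
{
    ThrowScope scope(vm, "checkedCaller");
    int result = divideOrThrow(vm, a, b);
    if (scope.exception())
        return -1;
    return result;
}

// Bad caller: keeps computing with a possibly-pending exception; the scope's
// destructor reports the missing check.
int uncheckedCaller(VM& vm, int a, int b)
{
    ThrowScope scope(vm, "uncheckedCaller");
    return divideOrThrow(vm, a, b) + 1;
}

// Scenario helpers on a fresh VM, returning the verification failure count.
int failuresForCheckedCaller() { VM vm; checkedCaller(vm, 1, 0); return vm.verificationFailures(); }
int failuresForUncheckedCaller() { VM vm; uncheckedCaller(vm, 1, 0); return vm.verificationFailures(); }
```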
2480
2481 2016-08-30  Alex Christensen  <achristensen@webkit.org>
2482
2483         Fix WebInspectorUI in internal Windows build
2484         https://bugs.webkit.org/show_bug.cgi?id=161221
2485         rdar://problem/28019023
2486
2487         Reviewed by Brent Fulgham and Joseph Pecoraro.
2488
2489         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2490
2491 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
2492
2493         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
2494         https://bugs.webkit.org/show_bug.cgi?id=161263
2495         <rdar://problem/28035849>
2496
2497         Reviewed by Matt Baker.
2498
2499         * inspector/InjectedScriptSource.js:
2500         (InjectedScript.prototype._propertyDescriptors):
2501         Previously we only took the "numeric index fast path" if an object was
2502         array-like with length > 100. When we dropped the length check we
2503         ended up breaking our display of Array prototype, because [].__proto__
2504         is an array instance. Get it back by just doing a check of length > 0.
2505         We may want to address this differently in the future by knowing if
2506         we are getting properties for a prototype or not.
2507
2508 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2509
2510         [JSC] Clean up FTL Capabilities for CompareEq
2511         https://bugs.webkit.org/show_bug.cgi?id=161353
2512
2513         Reviewed by Geoffrey Garen.
2514
2515         It looks like we already have code for every case.
2516         This patch removes the tests from FTLCapabilities
2517         and moves the generic case last as usual.
2518
2519         * ftl/FTLCapabilities.cpp:
2520         (JSC::FTL::canCompile):
2521         * ftl/FTLLowerDFGToB3.cpp:
2522         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
2523
2524 2016-08-29  Keith Miller  <keith_miller@apple.com>
2525
2526         Fix toStringName for Proxies and add support for normal instances
2527         https://bugs.webkit.org/show_bug.cgi?id=161275
2528
2529         Reviewed by Saam Barati.
2530
2531         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
2532         Additionally, there are a couple of other classes that need to return "Object" for their
2533         toStringName. Since this isn't tested by test262 I will propose a new test there.
2534
2535         * runtime/ClassInfo.h:
2536         * runtime/JSArrayBufferView.cpp:
2537         (JSC::JSArrayBufferView::toStringName):
2538         * runtime/JSArrayBufferView.h:
2539         * runtime/JSCell.cpp:
2540         (JSC::JSCell::toStringName):
2541         * runtime/JSCell.h:
2542         * runtime/JSMap.cpp:
2543         (JSC::JSMap::toStringName):
2544         * runtime/JSMap.h:
2545         * runtime/JSObject.cpp:
2546         (JSC::JSObject::toStringName):
2547         * runtime/JSObject.h:
2548         * runtime/JSSet.cpp:
2549         (JSC::JSSet::destroy):
2550         (JSC::JSSet::toStringName):
2551         * runtime/JSSet.h:
2552         * runtime/JSWeakMap.cpp:
2553         (JSC::JSWeakMap::toStringName):
2554         * runtime/JSWeakMap.h:
2555         * runtime/JSWeakSet.cpp:
2556         (JSC::JSWeakSet::toStringName):
2557         * runtime/JSWeakSet.h:
2558         * runtime/ObjectPrototype.cpp:
2559         (JSC::objectProtoFuncToString):
2560         * runtime/ProxyObject.cpp:
2561         (JSC::ProxyObject::toStringName):
2562         * runtime/ProxyObject.h:
2563         * runtime/SymbolObject.cpp:
2564         (JSC::SymbolObject::toStringName):
2565         * runtime/SymbolObject.h:
2566         (JSC::SymbolObject::internalValue):
2567
2568 2016-08-29  Youenn Fablet  <youenn@apple.com>
2569
2570         [Fetch API] Response cloning should structureClone when teeing Response stream
2571         https://bugs.webkit.org/show_bug.cgi?id=161147
2572
2573         Reviewed by Darin Adler.
2574
2575         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
2576         * runtime/JSArrayBufferConstructor.cpp:
2577         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
2578         * runtime/JSDataView.h: Exporting create method.
2579
2580 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2581
2582         [JSC] Improve ArithAbs with polymorphic input
2583         https://bugs.webkit.org/show_bug.cgi?id=161286
2584
2585         Reviewed by Saam Barati.
2586
2587         This is similar to the previous patches: if we have polymorphic
2588         input, do a function call.
2589
2590         I also discovered a few problems with the tests and fixed them:
2591         -I forgot to add NodeMustGenerate to the previous nodes I changed.
2592          They could have been eliminated by DCE.
2593         -ArithAbs was always exiting if the input types did not include numbers.
2594          The cause was that the node was using isInt32OrBooleanSpeculationForArithmetic()
2595          instead of isInt32OrBooleanSpeculation(). The test of
2596          isInt32OrBooleanSpeculationForArithmetic() only verifies that the input does not
2597          contain double or int52. If we were in that case, we were always speculating
2598          Int32. That always failed and we were recompiling the same code over and over.
2599
2600         * dfg/DFGAbstractInterpreterInlines.h:
2601         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2602         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
2603
2604         * dfg/DFGClobberize.h:
2605         (JSC::DFG::clobberize):
2606         * dfg/DFGFixupPhase.cpp:
2607         (JSC::DFG::FixupPhase::fixupNode):
2608         * dfg/DFGNode.h:
2609         (JSC::DFG::Node::hasResult):
2610         (JSC::DFG::Node::hasHeapPrediction):
2611         (JSC::DFG::Node::hasInt32Result): Deleted.
2612         The accessor hasInt32Result() was unused.
2613
2614         * dfg/DFGNodeType.h:
2615         * dfg/DFGOperations.cpp:
2616         * dfg/DFGOperations.h:
2617         * dfg/DFGPredictionPropagationPhase.cpp:
2618         * dfg/DFGSpeculativeJIT.cpp:
2619         (JSC::DFG::SpeculativeJIT::compileArithAbs):
2620         * dfg/DFGSpeculativeJIT.h:
2621         * dfg/DFGSpeculativeJIT32_64.cpp:
2622         (JSC::DFG::SpeculativeJIT::compile):
2623         * dfg/DFGSpeculativeJIT64.cpp:
2624         (JSC::DFG::SpeculativeJIT::compile):
2625         * ftl/FTLLowerDFGToB3.cpp:
2626         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
2627
2628 2016-08-28  Saam Barati  <sbarati@apple.com>
2629
2630         Make SpeculatedType a 64-bit integer
2631         https://bugs.webkit.org/show_bug.cgi?id=161268
2632
2633         Reviewed by Filip Pizlo and Benjamin Poulain.
2634
2635         I'm going to introduce two new types into this and we only
2636         have room for one in 32-bits. So, this patch widens SpeculatedType
2637         to 64 bits. This also pulls this information through the DFG where
2638         we needed to change DFGNode to support this.
2639
2640         * bytecode/SpeculatedType.h:
2641         * dfg/DFGNode.cpp:
2642         (JSC::DFG::Node::convertToPutHint):
2643         (JSC::DFG::Node::promotedLocationDescriptor):
2644         * dfg/DFGNode.h:
2645         (JSC::DFG::Node::Node):
2646         (JSC::DFG::Node::convertToCheckStructure):
2647         (JSC::DFG::Node::constant):
2648         (JSC::DFG::Node::convertToConstant):
2649         (JSC::DFG::Node::convertToConstantStoragePointer):
2650         (JSC::DFG::Node::convertToPutStack):
2651         (JSC::DFG::Node::convertToGetStack):
2652         (JSC::DFG::Node::convertToGetByOffset):
2653         (JSC::DFG::Node::convertToMultiGetByOffset):
2654         (JSC::DFG::Node::convertToPutByOffset):
2655         (JSC::DFG::Node::convertToMultiPutByOffset):
2656         (JSC::DFG::Node::convertToPhantomNewObject):
2657         (JSC::DFG::Node::convertToPhantomNewFunction):
2658         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
2659         (JSC::DFG::Node::convertToPhantomCreateActivation):
2660         (JSC::DFG::Node::convertToGetLocal):
2661         (JSC::DFG::Node::lazyJSValue):
2662         (JSC::DFG::Node::initializationValueForActivation):
2663         (JSC::DFG::Node::tryGetVariableAccessData):
2664         (JSC::DFG::Node::variableAccessData):
2665         (JSC::DFG::Node::unlinkedLocal):
2666         (JSC::DFG::Node::unlinkedMachineLocal):
2667         (JSC::DFG::Node::stackAccessData):
2668         (JSC::DFG::Node::phi):
2669         (JSC::DFG::Node::identifierNumber):
2670         (JSC::DFG::Node::getPutInfo):
2671         (JSC::DFG::Node::accessorAttributes):
2672         (JSC::DFG::Node::newArrayBufferData):
2673         (JSC::DFG::Node::indexingType):
2674         (JSC::DFG::Node::typedArrayType):
2675         (JSC::DFG::Node::inlineCapacity):
2676         (JSC::DFG::Node::scopeOffset):
2677         (JSC::DFG::Node::capturedArgumentsOffset):
2678         (JSC::DFG::Node::variablePointer):
2679         (JSC::DFG::Node::callVarargsData):
2680         (JSC::DFG::Node::loadVarargsData):
2681         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
2682         (JSC::DFG::Node::targetBlock):
2683         (JSC::DFG::Node::branchData):
2684         (JSC::DFG::Node::switchData):
2685         (JSC::DFG::Node::getHeapPrediction):
2686         (JSC::DFG::Node::cellOperand):
2687         (JSC::DFG::Node::watchpointSet):
2688         (JSC::DFG::Node::storagePointer):
2689         (JSC::DFG::Node::uidOperand):
2690         (JSC::DFG::Node::typeInfoOperand):
2691         (JSC::DFG::Node::transition):
2692         (JSC::DFG::Node::structureSet):
2693         (JSC::DFG::Node::structure):
2694         (JSC::DFG::Node::storageAccessData):
2695         (JSC::DFG::Node::multiGetByOffsetData):
2696         (JSC::DFG::Node::multiPutByOffsetData):
2697         (JSC::DFG::Node::objectMaterializationData):
2698         (JSC::DFG::Node::arrayMode):
2699         (JSC::DFG::Node::arithMode):
2700         (JSC::DFG::Node::arithRoundingMode):
2701         (JSC::DFG::Node::setArithRoundingMode):
2702         (JSC::DFG::Node::executionCounter):
2703         (JSC::DFG::Node::typeLocation):
2704         (JSC::DFG::Node::basicBlockLocation):
2705         (JSC::DFG::Node::numberOfArgumentsToSkip):
2706         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
2707         (JSC::DFG::Node::OpInfoWrapper::operator=):
2708         * dfg/DFGOpInfo.h:
2709         (JSC::DFG::OpInfo::OpInfo):
2710         * dfg/DFGPromotedHeapLocation.h:
2711         (JSC::DFG::PromotedLocationDescriptor::imm1):
2712         (JSC::DFG::PromotedLocationDescriptor::imm2):
2713
2714 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
2715
2716         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
2717         https://bugs.webkit.org/show_bug.cgi?id=161120
2718
2719         Reviewed by Darin Adler.
2720
2721         * inspector/JSGlobalObjectInspectorController.cpp:
2722
2723 2016-08-26  Sam Weinig  <sam@webkit.org>
2724
2725         Remove support for ENABLE_LEGACY_WEB_AUDIO
2726         https://bugs.webkit.org/show_bug.cgi?id=161262
2727
2728         Reviewed by Anders Carlsson.
2729
2730         * Configurations/FeatureDefines.xcconfig:
2731         Remove ENABLE_LEGACY_WEB_AUDIO
2732
2733 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
2734
2735         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
2736         https://bugs.webkit.org/show_bug.cgi?id=161229
2737
2738         Reviewed by Geoffrey Garen.
2739
2740         Add (String, Untyped) uses to FTL CompareStrictEq.
2741         This was the last use type not implemented; the node is fully
2742         supported by FTL after this patch.
2743
2744         * ftl/FTLCapabilities.cpp:
2745         (JSC::FTL::canCompile):
2746         * ftl/FTLLowerDFGToB3.cpp:
2747         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2748         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
2749
2750         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
2751         Remove the type checks when possible.
2752
2753 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
2754
2755         Web Inspector: Frontend should have access to Resource Timing information
2756         https://bugs.webkit.org/show_bug.cgi?id=160095
2757
2758         Reviewed by Alex Christensen.
2759
2760         Rename ResourceTiming property.
2761
2762         * inspector/protocol/Network.json:
2763         Rename navigationStart to startTime so it's applicable
2764         for all resources and not just the main resource.
2765
2766 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
2767
2768         Web Inspector: Provide a way to clear an IndexedDB object store
2769         https://bugs.webkit.org/show_bug.cgi?id=161167
2770         <rdar://problem/27996932>
2771
2772         Reviewed by Brian Burg.
2773
2774         * inspector/protocol/IndexedDB.json:
2775         Clean up the protocol file.
2776
2777 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
2778
2779         Web Inspector: Some CSS selectors in the UI aren't escaped
2780         https://bugs.webkit.org/show_bug.cgi?id=151378
2781
2782         Reviewed by Joseph Pecoraro.
2783
2784         Change ElementData from sending a className string to using an array of
2785         classes, allowing for proper escaping of each class value.
2786
2787         * inspector/protocol/OverlayTypes.json:
2788
2789 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
2790
2791         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
2792         https://bugs.webkit.org/show_bug.cgi?id=161213
2793         <rdar://problem/28017986>
2794
2795         Reviewed by Brian Burg.
2796
2797         * inspector/agents/InspectorHeapAgent.cpp:
2798         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
2799         Don't take a final snapshot when disconnecting.
2800
2801         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2802         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
2803         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
2804         * inspector/agents/InspectorScriptProfilerAgent.h:
2805         * runtime/SamplingProfiler.h:
2806         Don't process samples when disconnecting.
2807
2808 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
2809
2810         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
2811         https://bugs.webkit.org/show_bug.cgi?id=161027
2812         <rdar://problem/27871349>
2813
2814         Reviewed by Mark Lam.
2815
2816         For JSContext inspection, when a frontend connects keep the target alive.
2817         This means ref'ing the JSGlobalObject / VM when the first frontend
2818         connects and deref'ing when the last frontend disconnects.
2819
2820         * inspector/JSGlobalObjectInspectorController.h:
2821         * inspector/JSGlobalObjectInspectorController.cpp:
2822         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2823         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
2824         Now that frontends keep the global object alive, when the global object
2825         is destroyed that must mean that no frontends exist. Remove the now
2826         stale code path.
2827
2828         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2829         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2830         Ref the target when the first frontend connects, deref when the last disconnects.
2831
2832 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2833
2834         [ES6] newPromiseCapabilities should check the given argument is constructor
2835         https://bugs.webkit.org/show_bug.cgi?id=161226
2836
2837         Reviewed by Mark Lam.
2838
2839         Use @isConstructor.
2840
2841         * builtins/PromiseOperations.js:
2842
2843 2016-08-25  Keith Miller  <keith_miller@apple.com>
2844
2845         toString called on proxies returns incorrect tag
2846         https://bugs.webkit.org/show_bug.cgi?id=161111
2847
2848         Reviewed by Benjamin Poulain.
2849
2850         This patch adds a new Method table function toStringName. This function
2851         is used by Object.prototype.toString to create the string tag that it
2852         inserts. Right now it only changes the stringification of proxy objects.
2853         In future patches I plan to make it work for other classes of objects as
2854         well.
2855
2856         * runtime/ClassInfo.h:
2857         * runtime/JSCell.cpp:
2858         (JSC::JSCell::toStringName):
2859         * runtime/JSCell.h:
2860         * runtime/JSObject.cpp:
2861         (JSC::JSObject::toStringName):
2862         * runtime/JSObject.h:
2863         * runtime/ObjectPrototype.cpp:
2864         (JSC::objectProtoFuncToString):
2865         * runtime/ProxyObject.cpp:
2866         (JSC::ProxyObject::toStringName):
2867         * runtime/ProxyObject.h:
2868
2869 2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>
2870
2871         Fix the ENABLE(WEBASSEMBLY) build on Linux
2872         https://bugs.webkit.org/show_bug.cgi?id=161197
2873
2874         Reviewed by Mark Lam.
2875
2876         * CMakeLists.txt:
2877         * b3/B3Common.cpp:
2878         (JSC::B3::shouldDumpIR):
2879         * shell/CMakeLists.txt:
2880         * wasm/JSWASMModule.h:
2881         * wasm/WASMB3IRGenerator.cpp:
2882         (JSC::WASM::toB3Op):
2883         * wasm/WASMB3IRGenerator.h:
2884         * wasm/WASMFormat.h:
2885         * wasm/WASMFunctionParser.h:
2886         * wasm/WASMModuleParser.cpp:
2887         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
2888         * wasm/WASMModuleParser.h:
2889         * wasm/WASMParser.h:
2890         * wasm/WASMPlan.cpp:
2891         * wasm/WASMPlan.h:
2892         * wasm/WASMSections.cpp:
2893
2894 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
2895
2896         [Win] Compile fix.
2897         https://bugs.webkit.org/show_bug.cgi?id=161235
2898
2899         Reviewed by Brent Fulgham.
2900
2901         YarrPattern::errorMessage has inconsistent dll linkage.
2902
2903         * yarr/YarrPattern.h:
2904
2905 2016-08-25  Alex Christensen  <achristensen@webkit.org>
2906
2907         CMake build fix.
2908
2909         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
2910         This is needed for the internal Windows build.
2911
2912 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
2913
2914         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
2915         https://bugs.webkit.org/show_bug.cgi?id=161181
2916
2917         Reviewed by Geoffrey Garen.
2918
2919         All the nodes are doing the exact same thing with a single
2920         difference: how to process constants. I made that into a separate
2921         function called from each node.
2922
2923         I also generalized the constant-to-number code of DoubleRep
2924         to make it available for all those nodes.
2925
2926         * dfg/DFGAbstractInterpreter.h:
2927         * dfg/DFGAbstractInterpreterInlines.h:
2928         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2929         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2930         * runtime/JSCJSValue.cpp:
2931         (JSC::JSValue::toNumberFromPrimitive):
2932         * runtime/JSCJSValue.h:
2933
2934 2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2935
2936         [DFG][FTL] Implement ES6 Generators in DFG / FTL
2937         https://bugs.webkit.org/show_bug.cgi?id=152723
2938
2939         Reviewed by Filip Pizlo.
2940
2941         This patch introduces DFG and FTL support for ES6 generators.
2942         An ES6 generator is compiled by the BytecodeGenerator. But at the last phase, BytecodeGenerator performs "generatorification" on the unlinked code.
2943         In the BytecodeGenerator phase, we just emit op_yield for each yield point. We don't emit any generator-related switch, save, and resume sequences
2944         here. Those are emitted by the generatorification phase.
2945
2946         So the graph is super simple! Before the generatorification, the graph looks like this.
2947
2948              op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...
2949
2950         Roughly speaking, in the generatorification phase, we figure out which variables should be saved and resumed at each op_yield.
2951         This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
2952         The op_put_to_scope and op_get_from_scope sequences correspond to the save and resume sequences. We set up the scope for the generator frame and
2953         perform op_put_to_scope and op_get_from_scope on it. The live registers are saved and resumed over the generator's next() calls by using this
2954         special generator frame scope. And we also set up the global switch for the generator.
2955
2956         In the generatorification phase,
2957
2958         1. We construct the BytecodeGraph from the unlinked instructions. This constructs the basic blocks, and it is used in the subsequent analysis.
2959         2. We perform the analysis on the unlinked code. We extract the live variables at each op_yield.
2960         3. We insert the get_from_scope and put_to_scope at each op_yield. Which registers should be saved and resumed is determined by (2).
2961            Then, we clip the op_yields themselves. And we also insert the switch_imm. The jump targets of this switch are just after this op_switch_imm and each op_yield point.
2962
2963         One interesting point is the try-range. We split the try-range at the op_yield point in the BytecodeGenerator phase.
2964         This drops the hacky thing that was introduced in [1].
2965         If the try-range covers the resume sequences, the exception handler's use-registers are incorrectly transferred to the entry block.
2966         For example,
2967
2968             handler uses r2
2969                                                              try-range
2970             label:(entry block can jump here)                 ^
2971                 r1 = get_from_scope # resume sequence starts  | use r2 is transferred to the entry block!
2972                 r2 = get_from_scope                           |
2973                 starts usual sequences                        |
2974                 ...                                           |
2975
2976         Handler's r2 use should be considered at the `r1 = get_from_scope` point.
2977         Previously, we handled this edge case by treating op_resume specially in the liveness analysis [1].
2978         To drop this workaround, we split the try-range so that it does not cover this resume sequence.
2979
2980             handler uses r2
2981                                                              try-range
2982             label:(entry block can jump here)
2983                 r1 = get_from_scope # resume sequence starts
2984                 r2 = get_from_scope
2985                 starts usual sequences                        ^ try-range should start from here.
2986                 ...                                           |
2987
2988         OK. Let's show the detailed example.
2989
2990             1. First, there is the normal bytecode sequence. Here, | represents the offsets, and [] represents the bytecodes.
2991
2992                 bytecodes   | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
2993                 try-range   <----------------------------------->
2994
2995             2. When we emit the op_yield in the bytecode generator, we carefully split the try-range.
2996
2997                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
2998                 try-range   <----------->            <----------------->
2999
3000             3. And in the generatorification phase, we insert the switch's jump target and save & resume sequences. And we also drop op_yield.
3001
3002                         Insert save seq  Insert resume seq
3003                         before op_yield. after op_yield's point.
3004                                        v v
3005                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
3006                 try-range   <----------->     ^      <----------------->
3007                                         ^     |
3008                              Jump to here.    Drop this op_yield.
3009
3010             4. The final layout is the following.
3011
3012                 bytecodes   | [ ] | [ ][save seq][op_ret] | [resume seq] | [ ] | [ ] | [ ] |
3013                 try-range   <----------------------------->               <---------------->
3014                                                           ^
3015                                               Jump to here.
3016
3017         The rewriting done by the BytecodeRewriter is executed in a batch manner. Since these modifications change the basic blocks and the size of the unlinked instructions,
3018         BytecodeRewriter also performs the offset adjustment for UnlinkedCodeBlock. So, this rewriting is performed on the BytecodeGraph rather than BytecodeBasicBlock.
3019         The reason why we take this design is simple: we don't want to newly create the basic blocks and opcodes for this early phase like DFG. Instead, we perform the
3020         modification and adjustment to the unlinked instructions and UnlinkedCodeBlock in an in-place manner.
3021
3022         Bytecode rewriting functionality is offered by BytecodeRewriter. BytecodeRewriter allows us to insert any bytecodes at any places
3023         in an in-place manner. BytecodeRewriter handles the original bytecode offsets as labels. And you can insert bytecodes before and after
3024         these labels. You can also insert any jumps to any places. When you insert jumps, you need to specify the jump target with these labels.
3025         These labels (original bytecode offsets) are automatically converted to the appropriate offsets by BytecodeRewriter.
3026
3027         After that phase, the data flow of the generator-saved-and-resumed registers is explicitly represented by the get_from_scope and put_to_scope.
3028         And the switch is inserted to represent the actual control flow for the generator. And op_yield is removed. Since we use the existing bytecodes (op_switch_imm, op_put_to_scope,
3029         op_ret, and op_get_from_scope), DFG and FTL changes are not necessary. This patch also drops data structures and implementations for the old generator:
3030         the op_resume and op_save implementations and GeneratorFrame.
3031
3032         Note that this patch does not leverage the recent multi entrypoints support in B3. After this patch is introduced, we will submit a new patch that leverages the multi
3033         entrypoints for the generator's resume and see the performance gain.
3034
3035         Microbenchmarks related to generators show up to 2.9x improvements.
3036
3037                                                         Baseline                  Patched
3038
3039             generator-fib                          102.0116+-3.2880     ^     34.9670+-0.2221        ^ definitely 2.9174x faster
3040             generator-sunspider-access-nsieve        5.8596+-0.0371     ^      4.9051+-0.0720        ^ definitely 1.1946x faster
3041             generator-with-several-types           332.1478+-4.2425     ^    124.6642+-2.4826        ^ definitely 2.6643x faster
3042
3043             <geometric>                             58.2998+-0.7758     ^     27.7425+-0.2577        ^ definitely 2.1015x faster
3044
3045         In ES6SampleBench's Basic, we can observe 41% improvement (Macbook Pro).
3046
3047             Baseline:
3048                 Geometric Mean Result: 133.55 ms +- 4.49 ms
3049
3050                 Benchmark    First Iteration        Worst 2%               Steady State
3051                 Air          54.03 ms +- 7.51 ms    29.06 ms +- 3.13 ms    2276.59 ms +- 61.17 ms
3052                 Basic        30.18 ms +- 1.86 ms    18.85 ms +- 0.45 ms    2851.16 ms +- 41.87 ms
3053
3054             Patched:
3055                 Geometric Mean Result: 121.78 ms +- 3.96 ms
3056
3057                 Benchmark    First Iteration        Worst 2%               Steady State
3058                 Air          52.09 ms +- 6.89 ms    29.59 ms +- 3.16 ms    2239.90 ms +- 54.60 ms
3059                 Basic        29.28 ms +- 1.46 ms    16.26 ms +- 0.66 ms    2025.15 ms +- 38.56 ms
3060
3061         [1]: https://bugs.webkit.org/show_bug.cgi?id=159281
3062
3063         * CMakeLists.txt:
3064         * JavaScriptCore.xcodeproj/project.pbxproj:
3065         * builtins/GeneratorPrototype.js:
3066         (globalPrivate.generatorResume):
3067         * bytecode/BytecodeBasicBlock.cpp:
3068         (JSC::BytecodeBasicBlock::shrinkToFit):
3069         (JSC::BytecodeBasicBlock::computeImpl):
3070         (JSC::BytecodeBasicBlock::compute):
3071         (JSC::isBranch): Deleted.
3072         (JSC::isUnconditionalBranch): Deleted.
3073         (JSC::isTerminal): Deleted.
3074         (JSC::isThrow): Deleted.
3075         (JSC::linkBlocks): Deleted.
3076         (JSC::computeBytecodeBasicBlocks): Deleted.
3077         * bytecode/BytecodeBasicBlock.h:
3078         (JSC::BytecodeBasicBlock::isEntryBlock):
3079         (JSC::BytecodeBasicBlock::isExitBlock):
3080         (JSC::BytecodeBasicBlock::leaderOffset):
3081         (JSC::BytecodeBasicBlock::totalLength):
3082         (JSC::BytecodeBasicBlock::offsets):
3083         (JSC::BytecodeBasicBlock::successors):
3084         (JSC::BytecodeBasicBlock::index):
3085         (JSC::BytecodeBasicBlock::addSuccessor):
3086         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3087         (JSC::BytecodeBasicBlock::addLength):
3088         (JSC::BytecodeBasicBlock::leaderBytecodeOffset): Deleted.
3089         (JSC::BytecodeBasicBlock::totalBytecodeLength): Deleted.
3090         (JSC::BytecodeBasicBlock::bytecodeOffsets): Deleted.
3091         (JSC::BytecodeBasicBlock::addBytecodeLength): Deleted.
3092         * bytecode/BytecodeGeneratorification.cpp: Added.
3093         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3094         (JSC::BytecodeGeneratorification::graph):
3095         (JSC::BytecodeGeneratorification::yields):
3096         (JSC::BytecodeGeneratorification::enterPoint):
3097         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3098         (JSC::GeneratorLivenessAnalysis::GeneratorLivenessAnalysis):
3099         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset):
3100         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset):
3101         (JSC::GeneratorLivenessAnalysis::run):
3102         (JSC::BytecodeGeneratorification::run):
3103         (JSC::performGeneratorification):
3104         * bytecode/BytecodeGeneratorification.h: Copied from Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysisInlines.h.
3105         * bytecode/BytecodeGraph.h: Added.
3106         (JSC::BytecodeGraph::codeBlock):
3107         (JSC::BytecodeGraph::instructions):
3108         (JSC::BytecodeGraph::basicBlocksInReverseOrder):
3109         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3110         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3111         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3112         (JSC::BytecodeGraph::size):
3113         (JSC::BytecodeGraph::at):
3114         (JSC::BytecodeGraph::operator[]):
3115         (JSC::BytecodeGraph::begin):
3116         (JSC::BytecodeGraph::end):
3117         (JSC::BytecodeGraph::first):
3118         (JSC::BytecodeGraph::last):
3119         (JSC::BytecodeGraph<Block>::BytecodeGraph):
3120         * bytecode/BytecodeList.json:
3121         * bytecode/BytecodeLivenessAnalysis.cpp:
3122         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
3123         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset):
3124         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset):
3125         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3126         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3127         (JSC::BytecodeLivenessAnalysis::computeKills):
3128         (JSC::BytecodeLivenessAnalysis::dumpResults):
3129         (JSC::BytecodeLivenessAnalysis::compute):
3130         (JSC::isValidRegisterForLiveness): Deleted.
3131         (JSC::getLeaderOffsetForBasicBlock): Deleted.
3132         (JSC::findBasicBlockWithLeaderOffset): Deleted.
3133         (JSC::blockContainsBytecodeOffset): Deleted.
3134         (JSC::findBasicBlockForBytecodeOffset): Deleted.
3135         (JSC::stepOverInstruction): Deleted.
3136         (JSC::computeLocalLivenessForBytecodeOffset): Deleted.
3137         (JSC::computeLocalLivenessForBlock): Deleted.
3138         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Deleted.
3139         * bytecode/BytecodeLivenessAnalysis.h:
3140         * bytecode/BytecodeLivenessAnalysisInlines.h:
3141         (JSC::isValidRegisterForLiveness):
3142         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3143         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset):
3144         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock):
3145         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset):
3146         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
3147         * bytecode/BytecodeRewriter.cpp: Added.
3148         (JSC::BytecodeRewriter::applyModification):
3149         (JSC::BytecodeRewriter::execute):
3150         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3151         (JSC::BytecodeRewriter::insertImpl):
3152         (JSC::BytecodeRewriter::adjustJumpTarget):
3153         * bytecode/BytecodeRewriter.h: Added.
3154         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
3155         (JSC::BytecodeRewriter::InsertionPoint::operator<):
3156         (JSC::BytecodeRewriter::InsertionPoint::operator==):
3157         (JSC::BytecodeRewriter::Insertion::length):
3158         (JSC::BytecodeRewriter::Fragment::Fragment):
3159         (JSC::BytecodeRewriter::Fragment::appendInstruction):
3160         (JSC::BytecodeRewriter::BytecodeRewriter):
3161         (JSC::BytecodeRewriter::insertFragmentBefore):
3162         (JSC::BytecodeRewriter::insertFragmentAfter):
3163         (JSC::BytecodeRewriter::removeBytecode):
3164         (JSC::BytecodeRewriter::graph):
3165         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
3166         (JSC::BytecodeRewriter::adjustJumpTarget):
3167         (JSC::BytecodeRewriter::calculateDifference):
3168         * bytecode/BytecodeUseDef.h:
3169         (JSC::computeUsesForBytecodeOffset):
3170         (JSC::computeDefsForBytecodeOffset):
3171         * bytecode/CodeBlock.cpp:
3172         (JSC::CodeBlock::dumpBytecode):
3173         (JSC::CodeBlock::finishCreation):
3174         (JSC::CodeBlock::handlerForIndex):
3175         (JSC::CodeBlock::shrinkToFit):
3176         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3177         (JSC::CodeBlock::livenessAnalysisSlow):
3178         * bytecode/CodeBlock.h:
3179         (JSC::CodeBlock::isConstantRegisterIndex):
3180         (JSC::CodeBlock::livenessAnalysis):
3181         (JSC::CodeBlock::liveCalleeLocalsAtYield): Deleted.
3182         * bytecode/HandlerInfo.h:
3183         (JSC::HandlerInfoBase::handlerForIndex):
3184         * bytecode/Opcode.h:
3185         (JSC::isBranch):
3186         (JSC::isUnconditionalBranch):
3187         (JSC::isTerminal):
3188         (JSC::isThrow):
3189         * bytecode/PreciseJumpTargets.cpp:
3190         (JSC::getJumpTargetsForBytecodeOffset):
3191         (JSC::computePreciseJumpTargetsInternal):
3192         (JSC::computePreciseJumpTargets):
3193         (JSC::recomputePreciseJumpTargets):
3194         (JSC::findJumpTargetsForBytecodeOffset):
3195         * bytecode/PreciseJumpTargets.h:
3196         * bytecode/PreciseJumpTargetsInlines.h: Added.
3197         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3198         * bytecode/UnlinkedCodeBlock.cpp:
3199         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset):
3200         (JSC::UnlinkedCodeBlock::handlerForIndex):
3201         (JSC::UnlinkedCodeBlock::applyModification):
3202         * bytecode/UnlinkedCodeBlock.h:
3203         (JSC::UnlinkedStringJumpTable::offsetForValue):
3204         (JSC::UnlinkedCodeBlock::numCalleeLocals):
3205         * bytecode/VirtualRegister.h:
3206         * bytecompiler/BytecodeGenerator.cpp:
3207         (JSC::BytecodeGenerator::generate):
3208         (JSC::BytecodeGenerator::BytecodeGenerator):
3209         (JSC::BytecodeGenerator::emitComplexPopScopes):
3210         (JSC::prepareJumpTableForStringSwitch):
3211         (JSC::BytecodeGenerator::emitYieldPoint):
3212         (JSC::BytecodeGenerator::emitSave): Deleted.
3213         (JSC::BytecodeGenerator::emitResume): Deleted.
3214         (JSC::BytecodeGenerator::emitGeneratorStateLabel): Deleted.
3215         (JSC::BytecodeGenerator::beginGenerator): Deleted.
3216         (JSC::BytecodeGenerator::endGenerator): Deleted.
3217         * bytecompiler/BytecodeGenerator.h:
3218         (JSC::BytecodeGenerator::generatorStateRegister):
3219         (JSC::BytecodeGenerator::generatorValueRegister):
3220         (JSC::BytecodeGenerator::generatorResumeModeRegister):
3221         (JSC::BytecodeGenerator::generatorFrameRegister):
3222         * bytecompiler/NodesCodegen.cpp:
3223         (JSC::FunctionNode::emitBytecode):
3224         * dfg/DFGOperations.cpp:
3225         * interpreter/Interpreter.cpp:
3226         (JSC::findExceptionHandler):
3227         (JSC::GetCatchHandlerFunctor::operator()):
3228         (JSC::UnwindFunctor::operator()):
3229         * interpreter/Interpreter.h:
3230         * interpreter/InterpreterInlines.h: Copied from Source/JavaScriptCore/bytecode/PreciseJumpTargets.h.
3231         (JSC::Interpreter::getOpcodeID):
3232         * jit/JIT.cpp:
3233         (JSC::JIT::privateCompileMainPass):
3234         * jit/JIT.h:
3235         * jit/JITOpcodes.cpp:
3236         (JSC::JIT::emit_op_save): Deleted.
3237         (JSC::JIT::emit_op_resume): Deleted.
3238         * llint/LowLevelInterpreter.asm:
3239         * parser/Parser.cpp:
3240         (JSC::Parser<LexerType>::parseInner):
3241         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
3242         (JSC::Parser<LexerType>::createGeneratorParameters):
3243         * parser/Parser.h:
3244         * runtime/CommonSlowPaths.cpp:
3245         (JSC::SLOW_PATH_DECL): Deleted.
3246         * runtime/CommonSlowPaths.h:
3247         * runtime/GeneratorFrame.cpp: Removed.
3248         (JSC::GeneratorFrame::GeneratorFrame): Deleted.
3249         (JSC::GeneratorFrame::finishCreation): Deleted.
3250         (JSC::GeneratorFrame::createStructure): Deleted.
3251         (JSC::GeneratorFrame::create): Deleted.
3252         (JSC::GeneratorFrame::save): Deleted.
3253         (JSC::GeneratorFrame::resume): Deleted.
3254         (JSC::GeneratorFrame::visitChildren): Deleted.
3255         * runtime/GeneratorFrame.h: Removed.
3256         (JSC::GeneratorFrame::locals): Deleted.
3257         (JSC::GeneratorFrame::localAt): Deleted.
3258         (JSC::GeneratorFrame::offsetOfLocals): Deleted.
3259         (JSC::GeneratorFrame::allocationSizeForLocals): Deleted.
3260         * runtime/JSGeneratorFunction.h:
3261         * runtime/VM.cpp:
3262         (JSC::VM::VM):
3263         * runtime/VM.h:
3264
3265 2016-08-25  JF Bastien  <jfbastien@apple.com>
3266
3267         TryGetById should have a ValueProfile so that it can predict its output type
3268         https://bugs.webkit.org/show_bug.cgi?id=160921
3269
3270         Reviewed by Saam Barati.
3271
3272         Add a ValueProfile to TryGetById, and make sure DFG picks it up.
3273
3274         A microbenchmark for perfectly predicted computation shows a 20%
3275         runtime reduction with no hit if the prediction goes polymorphic.
3276
3277         * bytecode/BytecodeList.json:
3278         * bytecode/CodeBlock.cpp:
3279         (JSC::CodeBlock::dumpBytecode):
3280         (JSC::CodeBlock::finishCreation):
3281         * bytecompiler/BytecodeGenerator.cpp:
3282         (JSC::BytecodeGenerator::emitTryGetById):
3283         * dfg/DFGByteCodeParser.cpp:
3284         (JSC::DFG::ByteCodeParser::parseBlock):
3285         * dfg/DFGNode.h:
3286         (JSC::DFG::Node::hasHeapPrediction):
3287         * dfg/DFGPredictionPropagationPhase.cpp:
3288         * dfg/DFGSpeculativeJIT32_64.cpp:
3289         (JSC::DFG::SpeculativeJIT::compile):
3290         * dfg/DFGSpeculativeJIT64.cpp:
3291         (JSC::DFG::SpeculativeJIT::compile):
3292         * jit/JITPropertyAccess.cpp:
3293         (JSC::JIT::emit_op_try_get_by_id):
3294         * jit/JITPropertyAccess32_64.cpp:
3295         (JSC::JIT::emit_op_try_get_by_id):
3296         * llint/LLIntSlowPaths.cpp:
3297         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3298         * llint/LowLevelInterpreter.asm:
3299
3300 2016-08-25  Csaba Osztrogonác  <ossy@webkit.org>
3301
3302         generate-js-builtins.py should generate platform independent files
3303         https://bugs.webkit.org/show_bug.cgi?id=161196
3304
3305         Reviewed by Mark Lam.
3306
3307         * Scripts/generate-js-builtins.py: Files should be processed in fixed order.
3308
3309 2016-08-25  Caio Lima  <ticaiolima@gmail.com>
3310
3311         NewRegexp should not prevent inlining
3312         https://bugs.webkit.org/show_bug.cgi?id=154808
3313
3314         Reviewed by Geoffrey Garen.
3315
3316         In this patch we are changing the current mechanism used to represent
3317         RegExp in NewRegexp nodes. We are changing the use of an index
3318         pointing to RegExp in
3319         CodeBlock->m_unlinkedCodeBlock->m_rareData->m_regexps as the operand of
3320         NewRegexp node to RegExp address as the operand. To make sure that RegExp* is
3321         pointing to a valid object, we are using m_graph.freezeStrong
3322         mechanism.
3323
3324         * dfg/DFGByteCodeParser.cpp:
3325         (JSC::DFG::ByteCodeParser::parseBlock):
3326         * dfg/DFGCapabilities.cpp:
3327         (JSC::DFG::capabilityLevel):
3328         * dfg/DFGNode.h:
3329         (JSC::DFG::Node::hasCellOperand):
3330         (JSC::DFG::Node::hasRegexpIndex): Deleted.
3331         (JSC::DFG::Node::regexpIndex): Deleted.
3332         * dfg/DFGSpeculativeJIT32_64.cpp:
3333         (JSC::DFG::SpeculativeJIT::compile):
3334         * dfg/DFGSpeculativeJIT64.cpp:
3335         (JSC::DFG::SpeculativeJIT::compile):
3336         * dfg/DFGStrengthReductionPhase.cpp:
3337         (JSC::DFG::StrengthReductionPhase::handleNode):
3338         * ftl/FTLLowerDFGToB3.cpp:
3339         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3340
3341 2016-08-24  Benjamin Poulain  <benjamin@webkit.org>
3342
3343         [JSC] Make FRound work with any type
3344         https://bugs.webkit.org/show_bug.cgi?id=161129
3345
3346         Reviewed by Geoffrey Garen.
3347
3348         Math.fround() does nothing with arguments past the first one
3349         (https://tc39.github.io/ecma262/#sec-math.fround).
3350         We can unify ArithFRound with the other single-input intrinsics.
3351
3352         Everything else is same old: if the input type is not a number,
3353         be pessimistic about everything and do a C call.
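
        The observable semantics this change relies on, as an added example that is not part of WebKit or the original ChangeLog: Math.fround converts only its first argument (ToNumber, the "C call" path for non-number input) and ignores the rest, which the valueOf tracing below makes visible. The froundRef helper and the traced objects are constructed for this example.

```javascript
// Added example (not WebKit code): observable semantics of Math.fround that the
// ChangeLog entry relies on. Per ECMA-262, Math.fround(x) performs ToNumber on its
// first argument only and rounds the result to IEEE-754 binary32 (float32).

// Reference implementation of the rounding step using a shared Float32Array,
// so the engine's Math.fround can be checked against it.
const f32 = new Float32Array(1);
function froundRef(x) {
  f32[0] = Number(x); // ToNumber, then round-to-nearest-even to float32
  return f32[0];
}

// Wraps a value so every ToNumber conversion is recorded via valueOf; this
// shows which arguments the engine actually touches.
function traced(value, log, name) {
  return { valueOf() { log.push(name); return value; } };
}

// Calls Math.fround with two non-number arguments and returns the result plus
// the list of conversions performed. Only the first argument is converted.
function conversionsForTwoArgs() {
  const log = [];
  const result = Math.fround(traced(0.1, log, 'first'), traced(42, log, 'second'));
  return { result, log };
}

// Compares Math.fround against the reference across several input kinds,
// including non-number inputs that force the slow (ToNumber) path, plus
// edge cases: negative zero, float32 overflow to Infinity, and NaN.
function checkInputs() {
  const inputs = [0.1, 1.5, -0, 2 ** 128, '0.1', true, null, undefined,
    { valueOf() { return 0.3; } }];
  return inputs.map((x) => {
    const engine = Math.fround(x);
    const reference = froundRef(x);
    return Object.is(engine, reference); // distinguishes -0, treats NaN as equal
  });
}
```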
3354
3355         * dfg/DFGAbstractInterpreterInlines.h:
3356         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3357         * dfg/DFGByteCodeParser.cpp:
3358         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3359         * dfg/DFGClobberize.h:
3360         (JSC::DFG::clobberize):
3361         * dfg/DFGFixupPhase.cpp:
3362         (JSC::DFG::FixupPhase::fixupNode):
3363         * dfg/DFGNodeType.h:
3364         * dfg/DFGOperations.cpp:
3365         * dfg/DFGOperations.h:
3366         * dfg/DFGSpeculativeJIT.cpp:
3367         (JSC::DFG::SpeculativeJIT::compileArithFRound):
3368         * dfg/DFGSpeculativeJIT.h:
3369         * dfg/DFGSpeculativeJIT32_64.cpp:
3370         (JSC::DFG::SpeculativeJIT::compile):
3371         * dfg/DFGSpeculativeJIT64.cpp:
3372         (JSC::DFG::SpeculativeJIT::compile):
3373         * ftl/FTLLowerDFGToB3.cpp:
3374         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
3375
3376 2016-08-24  Andreas Kling  <akling@apple.com>
3377
3378         Shrink DFG::OSRExit a bit.
3379         <https://webkit.org/b/161169>
3380
3381         Reviewed by Geoffrey Garen.
3382
3383         Rearrange the members of OSRExitBase and DFG::OSRExit to save 16 bytes per instance.
3384
3385         * dfg/DFGOSRExit.cpp:
3386         (JSC::DFG::OSRExit::OSRExit):
3387         * dfg/DFGOSRExit.h:
3388         * dfg/DFGOSRExitBase.h:
3389         (JSC::DFG::OSRExitBase::OSRExitBase):
3390
3391 2016-08-24  Ryan Haddad  <ryanhaddad@apple.com>
3392
3393         Rebaseline builtins-generator-tests since r204854 was rolled out.
3394
3395         Unreviewed test gardening.
3396
3397         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3398         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3399         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3400         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3401         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3402         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3403         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3404         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3405         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3406         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3407         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3408         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3409         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3410         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
3411
3412 2016-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3413
3414         [JSC] Move generic data structures out of B3
3415         https://bugs.webkit.org/show_bug.cgi?id=161155
3416
3417         Reviewed by Saam Barati.
3418
3419         Move B3's good generic data structures to WTF.
3420         They can be used for other kinds of basic blocks and nodes.
3421         For example, the generator patch[1] will make BytecodeBasicBlock usable with these structures.
3422
3423         [1]: https://bugs.webkit.org/show_bug.cgi?id=152723
3424
3425         * JavaScriptCore.xcodeproj/project.pbxproj:
3426         * b3/B3BasicBlockUtils.h:
3427         * b3/B3BlockWorklist.h:
3428         * b3/B3CFG.h:
3429         * b3/B3DuplicateTails.cpp:
3430         * b3/B3FixSSA.cpp:
3431         * b3/B3FixSSA.h:
3432         * b3/B3IndexMap.h:
3433         (JSC::B3::IndexMap::IndexMap): Deleted.
3434         (JSC::B3::IndexMap::resize): Deleted.
3435         (JSC::B3::IndexMap::clear): Deleted.
3436         (JSC::B3::IndexMap::size): Deleted.
3437         (JSC::B3::IndexMap::operator[]): Deleted.
3438         * b3/B3IndexSet.h:
3439         (JSC::B3::IndexSet::IndexSet): Deleted.
3440         (JSC::B3::IndexSet::add): Deleted.
3441         (JSC::B3::IndexSet::addAll): Deleted.
3442         (JSC::B3::IndexSet::remove): Deleted.
3443         (JSC::B3::IndexSet::contains): Deleted.
3444         (JSC::B3::IndexSet::size): Deleted.
3445         (JSC::B3::IndexSet::isEmpty): Deleted.
3446         (JSC::B3::IndexSet::Iterable::Iterable): Deleted.
3447         (JSC::B3::IndexSet::Iterable::iterator::iterator): Deleted.
3448         (JSC::B3::IndexSet::Iterable::iterator::operator*): Deleted.
3449         (JSC::B3::IndexSet::Iterable::iterator::operator++): Deleted.
3450         (JSC::B3::IndexSet::Iterable::iterator::operator==): Deleted.
3451         (JSC::B3::IndexSet::Iterable::iterator::operator!=): Deleted.
3452         (JSC::B3::IndexSet::Iterable::begin): Deleted.
3453         (JSC::B3::IndexSet::Iterable::end): Deleted.
3454         (JSC::B3::IndexSet::values): Deleted.
3455         (JSC::B3::IndexSet::indices): Deleted.
3456         (JSC::B3::IndexSet::dump): Deleted.
3457         * b3/B3LowerToAir.cpp:
3458         * b3/B3PhiChildren.h:
3459         * b3/B3Procedure.h:
3460         (JSC::B3::Procedure::iterator::iterator): Deleted.
3461         (JSC::B3::Procedure::iterator::operator*): Deleted.
3462         (JSC::B3::Procedure::iterator::operator++): Deleted.
3463         (JSC::B3::Procedure::iterator::operator==): Deleted.
3464         (JSC::B3::Procedure::iterator::operator!=): Deleted.
3465         (JSC::B3::Procedure::iterator::findNext): Deleted.
3466         * b3/B3ReduceDoubleToFloat.cpp:
3467         * b3/B3ReduceStrength.cpp:
3468         * b3/B3SSACalculator.h:
3469         * b3/B3UseCounts.h:
3470         * b3/air/AirCode.h:
3471         * b3/air/AirEliminateDeadCode.cpp:
3472         * b3/air/AirFixObviousSpills.cpp:
3473         * b3/air/AirFixPartialRegisterStalls.cpp:
3474         * b3/air/AirGenerate.cpp:
3475         * b3/air/AirGenerationContext.h:
3476         * b3/air/AirLiveness.h:
3477         * b3/air/AirSpillEverything.cpp:
3478
3479 2016-08-24  Filip Pizlo  <fpizlo@apple.com>
3480
3481         Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
3482
3483         * API/JSTypedArray.cpp:
3484         * API/ObjCCallbackFunction.mm:
3485         * CMakeLists.txt:
3486         * JavaScriptCore.xcodeproj/project.pbxproj:
3487         * Scripts/builtins/builtins_generate_combined_implementation.py:
3488         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3489         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
3490         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
3491         * Scripts/builtins/builtins_generate_separate_implementation.py:
3492         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3493         * assembler/AbstractMacroAssembler.h:
3494         (JSC::AbstractMacroAssembler::JumpList::link):
3495         (JSC::AbstractMacroAssembler::JumpList::linkTo):
3496         * assembler/MacroAssembler.h:
3497         * assembler/MacroAssemblerARM64.h:
3498         (JSC::MacroAssemblerARM64::add32):
3499         * assembler/MacroAssemblerCodeRef.cpp: Removed.
3500         * assembler/MacroAssemblerCodeRef.h:
3501         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
3502         (JSC::MacroAssemblerCodePtr::dumpWithName):
3503         (JSC::MacroAssemblerCodePtr::dump):
3504         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
3505         (JSC::MacroAssemblerCodeRef::dump):
3506         * b3/B3BasicBlock.cpp:
3507         (JSC::B3::BasicBlock::appendBoolConstant): Deleted.
3508         * b3/B3BasicBlock.h:
3509         * b3/B3DuplicateTails.cpp:
3510         * b3/B3StackmapGenerationParams.h:
3511         * b3/testb3.cpp:
3512         (JSC::B3::run):
3513         (JSC::B3::testPatchpointTerminalReturnValue): Deleted.
3514         * bindings/ScriptValue.cpp:
3515         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3516         * bytecode/BytecodeBasicBlock.cpp:
3517         * bytecode/BytecodeLivenessAnalysis.cpp:
3518         * bytecode/BytecodeUseDef.h:
3519         * bytecode/CallLinkInfo.cpp:
3520         (JSC::CallLinkInfo::callTypeFor): Deleted.
3521         * bytecode/CallLinkInfo.h:
3522         (JSC::CallLinkInfo::callTypeFor):
3523         * bytecode/CallLinkStatus.cpp:
3524         * bytecode/CodeBlock.cpp:
3525         (JSC::CodeBlock::finishCreation):
3526         (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
3527         * bytecode/CodeBlock.h:
3528         (JSC::CodeBlock::jitCodeMap):
3529         (JSC::clearLLIntGetByIdCache):
3530         * bytecode/Instruction.h:
3531         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3532         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3533         * bytecode/ObjectAllocationProfile.h:
3534         (JSC::ObjectAllocationProfile::isNull):
3535         (JSC::ObjectAllocationProfile::initialize):
3536         * bytecode/Opcode.h:
3537         (JSC::padOpcodeName):
3538         * bytecode/PolymorphicAccess.cpp:
3539         (JSC::AccessCase::generateImpl):
3540         (JSC::PolymorphicAccess::regenerate):
3541         * bytecode/PolymorphicAccess.h:
3542         * bytecode/PreciseJumpTargets.cpp:
3543         * bytecode/StructureStubInfo.cpp:
3544         * bytecode/StructureStubInfo.h:
3545         * bytecode/UnlinkedCodeBlock.cpp:
3546         (JSC::UnlinkedCodeBlock::vm):
3547         * bytecode/UnlinkedCodeBlock.h:
3548         * bytecode/UnlinkedInstructionStream.cpp:
3549         * bytecode/UnlinkedInstructionStream.h:
3550         * dfg/DFGOperations.cpp:
3551         * dfg/DFGSpeculativeJIT.cpp:
3552         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3553         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3554         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3555         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3556         * dfg/DFGSpeculativeJIT.h:
3557         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3558         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3559         * dfg/DFGSpeculativeJIT32_64.cpp:
3560         (JSC::DFG::SpeculativeJIT::compile):
3561         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3562         * dfg/DFGSpeculativeJIT64.cpp:
3563         (JSC::DFG::SpeculativeJIT::compile):
3564         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3565         * dfg/DFGStrengthReductionPhase.cpp:
3566         (JSC::DFG::StrengthReductionPhase::handleNode):
3567         * ftl/FTLAbstractHeapRepository.h:
3568         * ftl/FTLCompile.cpp:
3569         * ftl/FTLJITFinalizer.cpp:
3570         * ftl/FTLLowerDFGToB3.cpp:
3571         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3572         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3573         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
3574         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3575         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3576         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3577         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3578         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3579         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3580         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3581         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3582         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3583         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
3584         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
3585         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
3586         * ftl/FTLOutput.cpp:
3587         (JSC::FTL::Output::constBool):
3588         (JSC::FTL::Output::add):
3589         (JSC::FTL::Output::shl):
3590         (JSC::FTL::Output::aShr):
3591         (JSC::FTL::Output::lShr):
3592         (JSC::FTL::Output::zeroExt):
3593         (JSC::FTL::Output::equal):
3594         (JSC::FTL::Output::notEqual):
3595         (JSC::FTL::Output::above):
3596         (JSC::FTL::Output::aboveOrEqual):
3597         (JSC::FTL::Output::below):
3598         (JSC::FTL::Output::belowOrEqual):
3599         (JSC::FTL::Output::greaterThan):
3600         (JSC::FTL::Output::greaterThanOrEqual):
3601         (JSC::FTL::Output::lessThan):
3602         (JSC::FTL::Output::lessThanOrEqual):
3603         (JSC::FTL::Output::select):
3604         (JSC::FTL::Output::addIncomingToPhi):
3605         (JSC::FTL::Output::appendSuccessor): Deleted.
3606         * ftl/FTLOutput.h:
3607         * ftl/FTLValueFromBlock.h:
3608         (JSC::FTL::ValueFromBlock::ValueFromBlock):
3609         (JSC::FTL::ValueFromBlock::operator bool): Deleted.
3610         * ftl/FTLWeightedTarget.h:
3611         (JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
3612         * heap/CellContainer.h: Removed.
3613         * heap/CellContainerInlines.h: Removed.
3614         * heap/ConservativeRoots.cpp:
3615         (JSC::ConservativeRoots::ConservativeRoots):
3616         (JSC::ConservativeRoots::~ConservativeRoots):
3617         (JSC::ConservativeRoots::grow):
3618         (JSC::ConservativeRoots::genericAddPointer):
3619         (JSC::ConservativeRoots::genericAddSpan):
3620         * heap/ConservativeRoots.h:
3621         (JSC::ConservativeRoots::roots):
3622         * heap/CopyToken.h:
3623         * heap/FreeList.cpp: Removed.
3624         * heap/FreeList.h: Removed.
3625         * heap/Heap.cpp:
3626         (JSC::Heap::Heap):
3627         (JSC::Heap::lastChanceToFinalize):
3628         (JSC::Heap::finalizeUnconditionalFinalizers):
3629         (JSC::Heap::markRoots):
3630         (JSC::Heap::copyBackingStores):
3631         (JSC::Heap::gatherStackRoots):
3632         (JSC::Heap::gatherJSStackRoots):
3633         (JSC::Heap::gatherScratchBufferRoots):
3634         (JSC::Heap::clearLivenessData):
3635         (JSC::Heap::visitSmallStrings):
3636         (JSC::Heap::visitConservativeRoots):
3637         (JSC::Heap::removeDeadCompilerWorklistEntries):
3638         (JSC::Heap::gatherExtraHeapSnapshotData):
3639         (JSC::Heap::removeDeadHeapSnapshotNodes):
3640         (JSC::Heap::visitProtectedObjects):
3641         (JSC::Heap::visitArgumentBuffers):
3642         (JSC::Heap::visitException):
3643         (JSC::Heap::visitStrongHandles):
3644         (JSC::Heap::visitHandleStack):
3645         (JSC::Heap::visitSamplingProfiler):
3646         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3647         (JSC::Heap::converge):
3648         (JSC::Heap::visitWeakHandles):
3649         (JSC::Heap::updateObjectCounts):
3650         (JSC::Heap::clearUnmarkedExecutables):
3651         (JSC::Heap::deleteUnmarkedCompiledCode):
3652         (JSC::Heap::collectAllGarbage):
3653         (JSC::Heap::collect):
3654         (JSC::Heap::collectImpl):
3655         (JSC::Heap::suspendCompilerThreads):
3656         (JSC::Heap::willStartCollection):
3657         (JSC::Heap::flushOldStructureIDTables):
3658         (JSC::Heap::flushWriteBarrierBuffer):
3659         (JSC::Heap::stopAllocation):
3660         (JSC::Heap::reapWeakHandles):
3661         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3662         (JSC::Heap::sweepArrayBuffers):
3663         (JSC::Heap::snapshotMarkedSpace):
3664         (JSC::Heap::deleteSourceProviderCaches):
3665         (JSC::Heap::notifyIncrementalSweeper):
3666         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3667         (JSC::Heap::resetAllocators):
3668         (JSC::Heap::updateAllocationLimits):
3669         (JSC::Heap::didFinishCollection):
3670         (JSC::Heap::resumeCompilerThreads):
3671         (JSC::Zombify::visit):
3672         (JSC::Heap::collectWithoutAnySweep): Deleted.
3673         (JSC::Heap::prepareForMarking): Deleted.
3674         (JSC::Heap::forEachCodeBlockImpl): Deleted.
3675         * heap/Heap.h:
3676         (JSC::Heap::allocatorForObjectWithoutDestructor):
3677         (JSC::Heap::allocatorForObjectWithDestructor):
3678         (JSC::Heap::storageAllocator):
3679         (JSC::Heap::jitStubRoutines):
3680         (JSC::Heap::codeBlockSet):
3681         (JSC::Heap::allocatorForAuxiliaryData): Deleted.
3682         * heap/HeapCell.h:
3683         (JSC::HeapCell::isZapped):
3684         * heap/HeapCellInlines.h: Removed.
3685         * heap/HeapInlines.h:
3686         (JSC::Heap::heap):
3687         (JSC::Heap::isLive):
3688         (JSC::Heap::isMarked):
3689         (JSC::Heap::testAndSetMarked):
3690         (JSC::Heap::setMarked):
3691         (JSC::Heap::forEachCodeBlock):
3692         (JSC::Heap::allocateObjectOfType):
3693         (JSC::Heap::subspaceForObjectOfType):
3694         (JSC::Heap::allocatorForObjectOfType):
3695         (JSC::Heap::isPointerGCObject):
3696         (JSC::Heap::isValueGCObject):
3697         (JSC::Heap::cellSize): Deleted.
3698         (JSC::Heap::allocateAuxiliary): Deleted.
3699         (JSC::Heap::tryAllocateAuxiliary): Deleted.
3700         (JSC::Heap::tryReallocateAuxiliary): Deleted.
3701         * heap/HeapUtil.h: Removed.
3702         * heap/LargeAllocation.cpp: Removed.
3703         * heap/LargeAllocation.h: Removed.
3704         * heap/MarkedAllocator.cpp:
3705         (JSC::MarkedAllocator::retire):
3706         (JSC::MarkedAllocator::tryAllocateHelper):
3707         (JSC::MarkedAllocator::tryPopFreeList):
3708         (JSC::MarkedAllocator::tryAllocate):
3709         (JSC::MarkedAllocator::allocateSlowCase):
3710         (JSC::MarkedAllocator::allocateBlock):
3711         (JSC::MarkedAllocator::addBlock):
3712         (JSC::MarkedAllocator::removeBlock):
3713         (JSC::MarkedAllocator::reset):
3714         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3715         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
3716         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
3717         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3718         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3719         (JSC::blockHeaderSize): Deleted.
3720         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
3721         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
3722         (JSC::MarkedAllocator::setFreeList): Deleted.
3723         * heap/MarkedAllocator.h:
3724         (JSC::MarkedAllocator::offsetOfFreeListHead):
3725         (JSC::MarkedAllocator::MarkedAllocator):
3726         (JSC::MarkedAllocator::init):
3727         (JSC::MarkedAllocator::allocate):
3728         (JSC::MarkedAllocator::stopAllocating):
3729         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
3730         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
3731         (JSC::MarkedAllocator::tryAllocate): Deleted.
3732         * heap/MarkedBlock.cpp:
3733         (JSC::MarkedBlock::create):
3734         (JSC::MarkedBlock::MarkedBlock):
3735         (JSC::MarkedBlock::callDestructor):
3736         (JSC::MarkedBlock::specializedSweep):
3737         (JSC::MarkedBlock::sweep):
3738         (JSC::MarkedBlock::sweepHelper):
3739         (JSC::MarkedBlock::stopAllocating):
3740         (JSC::MarkedBlock::clearMarksWithCollectionType):
3741         (JSC::MarkedBlock::resumeAllocating):
3742         (JSC::MarkedBlock::didRetireBlock):
3743         (JSC::MarkedBlock::tryCreate): Deleted.
3744         (JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
3745         (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
3746         (JSC::MarkedBlock::forEachFreeCell): Deleted.
3747         * heap/MarkedBlock.h:
3748         (JSC::MarkedBlock::FreeList::FreeList):
3749         (JSC::MarkedBlock::isEmpty):
3750         (JSC::MarkedBlock::setHasAnyMarked): Deleted.
3751         (JSC::MarkedBlock::hasAnyMarked): Deleted.
3752         (JSC::MarkedBlock::clearHasAnyMarked): Deleted.
3753         (JSC::MarkedBlock::cellAlign): Deleted.
3754         * heap/MarkedSpace.cpp:
3755         (JSC::MarkedSpace::MarkedSpace):
3756         (JSC::MarkedSpace::lastChanceToFinalize):
3757         (JSC::MarkedSpace::sweep):
3758         (JSC::MarkedSpace::zombifySweep):
3759         (JSC::MarkedSpace::resetAllocators):
3760         (JSC::MarkedSpace::visitWeakSets):
3761         (JSC::MarkedSpace::reapWeakSets):
3762         (JSC::MarkedSpace::forEachAllocator):
3763         (JSC::MarkedSpace::stopAllocating):
3764         (JSC::MarkedSpace::resumeAllocating):
3765         (JSC::MarkedSpace::isPagedOut):
3766         (JSC::MarkedSpace::shrink):
3767         (JSC::MarkedSpace::clearNewlyAllocated):
3768         (JSC::MarkedSpace::clearMarks):
3769         (JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
3770         (JSC::MarkedSpace::allocate): Deleted.
3771         (JSC::MarkedSpace::tryAllocate): Deleted.
3772         (JSC::MarkedSpace::allocateLarge): Deleted.
3773         (JSC::MarkedSpace::tryAllocateLarge): Deleted.
3774         (JSC::MarkedSpace::sweepLargeAllocations): Deleted.
3775         (JSC::MarkedSpace::prepareForMarking): Deleted.
3776         (JSC::MarkedSpace::objectCount): Deleted.
3777         (JSC::MarkedSpace::size): Deleted.
3778         (JSC::MarkedSpace::capacity): Deleted.
3779         * heap/MarkedSpace.h:
3780         (JSC::MarkedSpace::blocksWithNewObjects):
3781         (JSC::MarkedSpace::forEachLiveCell):
3782         (JSC::MarkedSpace::forEachDeadCell):
3783         (JSC::MarkedSpace::allocatorFor):
3784         (JSC::MarkedSpace::destructorAllocatorFor):
3785         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3786         (JSC::MarkedSpace::allocateWithoutDestructor):
3787         (JSC::MarkedSpace::allocateWithDestructor):
3788         (JSC::MarkedSpace::allocateAuxiliary):
3789         (JSC::MarkedSpace::forEachBlock):
3790         (JSC::MarkedSpace::objectCount):
3791         (JSC::MarkedSpace::size):
3792         (JSC::MarkedSpace::capacity):
3793         (JSC::MarkedSpace::sizeClassToIndex): Deleted.
3794         (JSC::MarkedSpace::indexToSizeClass): Deleted.
3795         (JSC::MarkedSpace::largeAllocations): Deleted.
3796         (JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
3797         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
3798         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
3799         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
3800         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
3801         (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
3802         (JSC::MarkedSpace::forEachAllocator): Deleted.
3803         (JSC::MarkedSpace::optimalSizeFor): Deleted.
3804         * heap/SlotVisitor.cpp:
3805         (JSC::SlotVisitor::didStartMarking):
3806         (JSC::SlotVisitor::reset):
3807         (JSC::SlotVisitor::append):
3808         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3809         (JSC::SlotVisitor::appendToMarkStack):
3810         (JSC::SlotVisitor::visitChildren):
3811         (JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
3812         (JSC::SlotVisitor::markAuxiliary): Deleted.
3813         (JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
3814         * heap/SlotVisitor.h:
3815         * heap/WeakBlock.cpp:
3816         (JSC::WeakBlock::create):
3817         (JSC::WeakBlock::WeakBlock):
3818         (JSC::WeakBlock::visit):
3819         (JSC::WeakBlock::reap):
3820         * heap/WeakBlock.h:
3821         (JSC::WeakBlock::disconnectMarkedBlock):
3822         (JSC::WeakBlock::disconnectContainer): Deleted.
3823         * heap/WeakSet.cpp:
3824         (JSC::WeakSet::sweep):
3825         (JSC::WeakSet::addAllocator):
3826         * heap/WeakSet.h:
3827         (JSC::WeakSet::WeakSet):
3828         * heap/WeakSetInlines.h:
3829         (JSC::WeakSet::allocate):
3830         * inspector/InjectedScriptManager.cpp:
3831         * inspector/JSGlobalObjectInspectorController.cpp:
3832         * inspector/JSJavaScriptCallFrame.cpp:
3833         * inspector/ScriptDebugServer.cpp:
3834         * inspector/agents/InspectorDebuggerAgent.cpp:
3835         * interpreter/CachedCall.h:
3836         (JSC::CachedCall::CachedCall):
3837         * interpreter/Interpreter.cpp:
3838         (JSC::StackFrame::sourceID):
3839         (JSC::StackFrame::sourceURL):
3840         (JSC::StackFrame::functionName):
3841         (JSC::loadVarargs):
3842         (JSC::StackFrame::computeLineAndColumn):
3843         (JSC::StackFrame::toString):
3844         * interpreter/Interpreter.h: