parseHTMLInteger() should take a StringView in parameter
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-10  Chris Dumez  <cdumez@apple.com>
2
3         parseHTMLInteger() should take a StringView in parameter
4         https://bugs.webkit.org/show_bug.cgi?id=161669
5
6         Reviewed by Ryosuke Niwa.
7
8         * runtime/DateConversion.cpp:
9         (JSC::formatDateTime):
10         Explicitly construct a String from the const WCHAR* on Windows because
11         it is ambiguous otherwise now that there is a StringBuilder::append()
12         overload taking an AtomicString in.
13
14 2016-09-08  Keith Miller  <keith_miller@apple.com>
15
16         WASM should support if-then-else
17         https://bugs.webkit.org/show_bug.cgi?id=161778
18
19         Reviewed by Michael Saboff.
20
21         This patch makes some major changes to the way that the WASM
22         function parser works. First, the control stack has been moved
23         from the parser's context to the parser itself. This simplifies
24         the way that the parser works and allows us to make the decoder
25         iterative rather than recursive. Since the control stack has been
26         moved to the parser, any context operation that refers to some
27         block now receives that block by reference.
28
29         For any if block, regardless of whether or not it is an
30         if-then-else or not, we will allocate both the entire control flow
31         diamond. This is not a major issue in the if-then case since B3
32         will immediately cleanup these blocks. In order to support if-then
33         and if-then-else we needed to be able to distinguish what the type
34         of the top block on the control stack is. This will be necessary
35         when validating the else opcode in the future. In the B3 IR
36         generator we decide to the type of the block strictly by the
37         shape.
38
39         Currently, if blocks don't handle passed and returned stack values
40         correctly. I plan to fix this when I add support for the block
41         signatures. See: https://github.com/WebAssembly/design/pull/765
42
43         * testWASM.cpp:
44         (runWASMTests):
45         * wasm/WASMB3IRGenerator.cpp:
46         (dumpProcedure):
47         (JSC::WASM::parseAndCompile):
48         * wasm/WASMB3IRGenerator.h:
49         * wasm/WASMFunctionParser.h:
50         (JSC::WASM::FunctionParser<Context>::parseBlock):
51         (JSC::WASM::FunctionParser<Context>::parseExpression):
52         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
53         * wasm/WASMOps.h:
54
55 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
56
57         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
58         https://bugs.webkit.org/show_bug.cgi?id=161801
59
60         Reviewed by Keith Miller.
61         
62         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
63         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
64         that is to call initializeMainThread().
65
66         * jsc.cpp:
67         (jscmain):
68
69 2016-09-09  Saam Barati  <sbarati@apple.com>
70
71         Make hasOwnProperty ALWAYS_INLINE
72         https://bugs.webkit.org/show_bug.cgi?id=161775
73
74         Reviewed by Ryosuke Niwa.
75
76         Speedometer spends around 2.5% of its time in hasOwnProperty.
77         Let's reduce the overhead of calling that function by marking
78         it as inline. Also, it's likely that the function will call into
79         JSObject::getOwnPropertySlot. I added a check to see if that's
80         the function we're calling, if it is, we do a direct call instead
81         of an indirect call.
82
83         * runtime/JSObject.cpp:
84         (JSC::JSObject::hasOwnProperty): Deleted.
85         * runtime/JSObjectInlines.h:
86         (JSC::JSObject::hasOwnProperty):
87
88 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
89
90         HashMapImpl needs to m_buffer.clear() in its constructor
91         https://bugs.webkit.org/show_bug.cgi?id=161796
92
93         Reviewed by Keith Miller.
94         
95         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
96         itself. That seemed like a good idea because maybe sometimes the user knows better how to
97         initialize it. But, it's not worth it if it's a constant source of bugs.
98         
99         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
100         m_value.
101
102         * runtime/AuxiliaryBarrier.h:
103         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
104         * runtime/DirectArguments.cpp:
105         (JSC::DirectArguments::DirectArguments):
106
107 2016-09-09  Youenn Fablet  <youenn@apple.com>
108
109         ASSERTION FAILED: promise.inherits(JSPromise::info())
110         https://bugs.webkit.org/show_bug.cgi?id=161632
111         <rdar://problem/28184743>
112
113         Reviewed by Mark Lam.
114
115         * runtime/JSPromiseDeferred.cpp:
116         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
117
118 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
119
120         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
121         https://bugs.webkit.org/show_bug.cgi?id=161760
122
123         Reviewed by Mark Lam.
124         
125         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
126         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
127         
128         This introduces three unnecessary overheads:
129         
130         - isLive() is not called by marking, so that change was not necessary.
131         
132         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
133           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
134           isMarked().
135         
136         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
137           return false if the flip is necessary.
138         
139         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
140         during marking.
141         
142         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
143         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
144         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
145         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
146         thing.
147
148         * bytecode/CodeBlock.cpp:
149         (JSC::CodeBlock::visitWeakly):
150         (JSC::CodeBlock::shouldJettisonDueToOldAge):
151         (JSC::shouldMarkTransition):
152         (JSC::CodeBlock::propagateTransitions):
153         (JSC::CodeBlock::determineLiveness):
154         * bytecode/PolymorphicAccess.cpp:
155         (JSC::AccessCase::propagateTransitions):
156         * heap/Heap.h:
157         * heap/HeapInlines.h:
158         (JSC::Heap::isLive):
159         (JSC::Heap::isMarked):
160         (JSC::Heap::isMarkedConcurrently):
161         * heap/MarkedBlock.cpp:
162         (JSC::MarkedBlock::flipIfNecessarySlow):
163         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
164         (JSC::MarkedBlock::needsFlip):
165         * heap/MarkedBlock.h:
166         (JSC::MarkedBlock::needsFlip):
167         (JSC::MarkedBlock::flipIfNecessary):
168         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
169         * heap/SlotVisitor.cpp:
170         (JSC::SlotVisitor::appendToMarkStack):
171         (JSC::SlotVisitor::markAuxiliary):
172         (JSC::SlotVisitor::visitChildren):
173         * runtime/Structure.cpp:
174         (JSC::Structure::isCheapDuringGC):
175         (JSC::Structure::markIfCheap):
176
177 2016-09-08  Saam Barati  <sbarati@apple.com>
178
179         We should inline operationConvertJSValueToBoolean into JIT code
180         https://bugs.webkit.org/show_bug.cgi?id=161729
181
182         Reviewed by Filip Pizlo.
183
184         This patch introduces an AssemblyHelpers emitter function
185         that replaces operationConvertJSValueToBoolean. This operation
186         was showing up when I was doing performance analysis for the
187         speedometer benchmark. I saw that it was spending about 1% of
188         its time in this function. Hopefully this patch can help us speedup
189         up speedometer by a little bit.
190
191         * dfg/DFGSpeculativeJIT32_64.cpp:
192         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
193         (JSC::DFG::SpeculativeJIT::emitBranch):
194         * dfg/DFGSpeculativeJIT64.cpp:
195         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
196         (JSC::DFG::SpeculativeJIT::emitBranch):
197         * jit/AssemblyHelpers.cpp:
198         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
199         * jit/AssemblyHelpers.h:
200         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
201         * jit/JIT.cpp:
202         (JSC::JIT::privateCompileSlowCases):
203         * jit/JIT.h:
204         * jit/JITOpcodes.cpp:
205         (JSC::JIT::emit_op_jfalse):
206         (JSC::JIT::emit_op_jtrue):
207         (JSC::JIT::emitSlow_op_jfalse): Deleted.
208         (JSC::JIT::emitSlow_op_jtrue): Deleted.
209         * jit/JITOpcodes32_64.cpp:
210         (JSC::JIT::emit_op_jfalse):
211         (JSC::JIT::emit_op_jtrue):
212         (JSC::JIT::emitSlow_op_jfalse): Deleted.
213         (JSC::JIT::emitSlow_op_jtrue): Deleted.
214         * jit/JITOperations.cpp:
215         * jit/JITOperations.h:
216
217 2016-09-08  Chris Dumez  <cdumez@apple.com>
218
219         Align proto getter / setter behavior with other browsers
220         https://bugs.webkit.org/show_bug.cgi?id=161455
221
222         Reviewed by Saam Barati.
223
224         Drop allowsAccessFrom from the methodTable and delegate cross-origin
225         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
226         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
227
228         * jsc.cpp:
229         * runtime/JSGlobalObject.cpp:
230         * runtime/JSGlobalObject.h:
231         * runtime/JSGlobalObjectFunctions.cpp:
232         (JSC::globalFuncProtoGetter):
233         (JSC::globalFuncProtoSetter):
234         (JSC::globalFuncBuiltinLog): Deleted.
235         * runtime/JSGlobalObjectFunctions.h:
236         * runtime/JSObject.cpp:
237         (JSC::JSObject::setPrototypeWithCycleCheck):
238         Remove check added in r197648. This check was added to match
239         the latest EcmaScript spec:
240         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
241         This check allowed for [[Prototype]] chain cycles if the prototype
242         chain includes objects that do not use the ordinary object definitions
243         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
244         The issue is that the rest of our code base does not properly handle
245         such cycles and we can end up in infinite loops. This became obvious
246         because this patch updates Window / Location so that they no longer
247         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
248         remove this check, I get an infinite loop in
249         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
250         called from JSObject::setPrototypeDirect(), when running the following
251         layout test:
252         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
253         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
254         issue.
255
256         * runtime/JSObject.h:
257         (JSC::JSObject::getArrayLength): Deleted.
258         * runtime/JSProxy.cpp:
259         (JSC::JSProxy::setPrototype):
260         (JSC::JSProxy::getPrototype):
261         * runtime/JSProxy.h:
262         * runtime/ObjectConstructor.cpp:
263         (JSC::objectConstructorGetPrototypeOf):
264         (JSC::objectConstructorSetPrototypeOf):
265         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
266         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
267         * runtime/ObjectConstructor.h:
268         * runtime/ReflectObject.cpp:
269         (JSC::reflectObjectGetPrototypeOf):
270         (JSC::reflectObjectSetPrototypeOf):
271
272 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
273
274         Remove CopiedSpace and use MarkedSpace instead
275         https://bugs.webkit.org/show_bug.cgi?id=159658
276
277         Reviewed by Keith Miller.
278         
279         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
280         is a simple change.
281         
282         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
283         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
284         
285         The rest of this patch is deleting CopiedSpace.
286
287         * API/JSObjectRef.cpp:
288         * CMakeLists.txt:
289         * JavaScriptCore.xcodeproj/project.pbxproj:
290         * dfg/DFGOperations.cpp:
291         * heap/ConservativeRoots.cpp:
292         (JSC::ConservativeRoots::genericAddPointer):
293         * heap/CopiedAllocator.h: Removed.
294         * heap/CopiedBlock.cpp: Removed.
295         * heap/CopiedBlock.h: Removed.
296         * heap/CopiedBlockInlines.h: Removed.
297         * heap/CopiedSpace.cpp: Removed.
298         * heap/CopiedSpace.h: Removed.
299         * heap/CopiedSpaceInlines.h: Removed.
300         * heap/CopyBarrier.h: Removed.
301         * heap/CopyToken.h: Removed.
302         * heap/CopyVisitor.cpp: Removed.
303         * heap/CopyVisitor.h: Removed.
304         * heap/CopyVisitorInlines.h: Removed.
305         * heap/CopyWorkList.h: Removed.
306         * heap/Heap.cpp:
307         (JSC::Heap::Heap):
308         (JSC::Heap::isPagedOut):
309         (JSC::Heap::updateObjectCounts):
310         (JSC::Heap::size):
311         (JSC::Heap::capacity):
312         (JSC::Heap::collectImpl):
313         (JSC::Heap::stopAllocation):
314         (JSC::Heap::updateAllocationLimits):
315         (JSC::Heap::copyBackingStores): Deleted.
316         (JSC::Heap::threadBytesCopied): Deleted.
317         * heap/Heap.h:
318         (JSC::Heap::objectSpace):
319         (JSC::Heap::allocatorForAuxiliaryData):
320         (JSC::Heap::storageSpace): Deleted.
321         (JSC::Heap::storageAllocator): Deleted.
322         * heap/HeapCellInlines.h:
323         * heap/HeapInlines.h:
324         (JSC::Heap::tryAllocateStorage): Deleted.
325         (JSC::Heap::tryReallocateStorage): Deleted.
326         * heap/HeapVerifier.cpp:
327         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
328         (JSC::HeapVerifier::reportObject):
329         (JSC::getButterflyDetails): Deleted.
330         * heap/SlotVisitor.cpp:
331         (JSC::SlotVisitor::copyLater): Deleted.
332         * heap/SlotVisitor.h:
333         * jit/AssemblyHelpers.h:
334         * jit/JITOpcodes.cpp:
335         * jsc.cpp:
336         * runtime/ArrayConstructor.cpp:
337         * runtime/ArrayPrototype.cpp:
338         * runtime/Butterfly.h:
339         * runtime/ButterflyInlines.h:
340         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
341         * runtime/ClassInfo.h:
342         * runtime/DirectArguments.cpp:
343         (JSC::DirectArguments::visitChildren):
344         (JSC::DirectArguments::overrideThings):
345         (JSC::DirectArguments::copyBackingStore): Deleted.
346         * runtime/DirectArguments.h:
347         * runtime/JSArray.cpp:
348         * runtime/JSCell.cpp:
349         (JSC::JSCell::copyBackingStore): Deleted.
350         * runtime/JSCell.h:
351         * runtime/JSLexicalEnvironment.h:
352         * runtime/JSObject.cpp:
353         * runtime/JSTypedArrays.cpp:
354         * runtime/LiteralParser.cpp:
355         * runtime/ObjectConstructor.cpp:
356         * runtime/RegExpObject.cpp:
357         * runtime/StringPrototype.cpp:
358         * runtime/WeakMapData.cpp:
359         * tools/JSDollarVMPrototype.cpp:
360         (JSC::JSDollarVMPrototype::isInStorageSpace):
361
362 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
363
364         Heap version should be 32-bit
365         https://bugs.webkit.org/show_bug.cgi?id=161751
366
367         Reviewed by Mark Lam.
368         
369         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
370         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
371         easy to handle.
372
373         * heap/CellContainer.h:
374         * heap/CellContainerInlines.h:
375         (JSC::CellContainer::flipIfNecessary):
376         * heap/ConservativeRoots.cpp:
377         (JSC::ConservativeRoots::genericAddPointer):
378         (JSC::ConservativeRoots::genericAddSpan):
379         * heap/ConservativeRoots.h:
380         * heap/Heap.h:
381         * heap/HeapInlines.h:
382         (JSC::Heap::testAndSetMarked):
383         * heap/HeapUtil.h:
384         (JSC::HeapUtil::findGCObjectPointersForMarking):
385         * heap/MarkedBlock.cpp:
386         (JSC::MarkedBlock::MarkedBlock):
387         * heap/MarkedBlock.h:
388         (JSC::MarkedBlock::flipIfNecessary):
389         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
390         (JSC::MarkedBlock::Handle::flipIfNecessary):
391         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
392         * heap/MarkedSpace.cpp:
393         (JSC::MarkedSpace::flip):
394         * heap/MarkedSpace.h:
395         (JSC::MarkedSpace::version):
396         * heap/SlotVisitor.cpp:
397         (JSC::SlotVisitor::SlotVisitor):
398         * heap/SlotVisitor.h:
399
400 2016-09-08  Mark Lam  <mark.lam@apple.com>
401
402         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
403         https://bugs.webkit.org/show_bug.cgi?id=161724
404
405         Reviewed by Filip Pizlo.
406
407         ARM architectures support ternary sub instructions.  We should make use of them
408         in emitAllocateWithNonNullAllocator().
409
410         * assembler/MacroAssemblerARM.h:
411         (JSC::MacroAssemblerARM::sub32):
412         * assembler/MacroAssemblerARM64.h:
413         (JSC::MacroAssemblerARM64::sub32):
414         * assembler/MacroAssemblerARMv7.h:
415         (JSC::MacroAssemblerARMv7::sub32):
416         * assembler/MacroAssemblerSH4.h:
417         (JSC::MacroAssemblerSH4::sub32):
418         * assembler/MacroAssemblerX86Common.h:
419         (JSC::MacroAssemblerX86Common::sub32):
420         * b3/air/AirOpcode.opcodes:
421         * b3/testb3.cpp:
422         (JSC::B3::testTernarySubInstructionSelection):
423         (JSC::B3::run):
424         * jit/AssemblyHelpers.h:
425         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
426
427 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
428
429         Move JSMap/JSSet over to Auxiliary MarkedSpace
430         https://bugs.webkit.org/show_bug.cgi?id=161744
431
432         Reviewed by Saam Barati.
433         
434         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
435         
436         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
437         speak of CopiedSpace.
438         
439         This is a purely mechanical change.
440
441         * JavaScriptCore.xcodeproj/project.pbxproj:
442         * heap/CopyToken.h:
443         * runtime/HashMapImpl.cpp:
444         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
445         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
446         * runtime/HashMapImpl.h:
447         (JSC::HashMapBuffer::create):
448         * runtime/JSMapIterator.cpp:
449         * runtime/JSMapIterator.h:
450         * runtime/JSSetIterator.cpp:
451         * runtime/JSSetIterator.h:
452         * runtime/MapBase.cpp:
453         * runtime/MapData.h: Removed.
454         * runtime/MapDataInlines.h: Removed.
455         * runtime/MapPrototype.cpp:
456         * runtime/SetConstructor.cpp:
457         * runtime/SetPrototype.cpp:
458         * runtime/VM.cpp:
459
460 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
461
462         Typed arrays should use MarkedSpace instead of CopiedSpace
463         https://bugs.webkit.org/show_bug.cgi?id=161100
464
465         Reviewed by Geoffrey Garen.
466         
467         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
468         
469         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
470         everything that typed arrays want.
471
472         * dfg/DFGOperations.cpp:
473         (JSC::DFG::newTypedArrayWithSize):
474         * dfg/DFGOperations.h:
475         (JSC::DFG::operationNewTypedArrayWithSizeForType):
476         * dfg/DFGSpeculativeJIT.cpp:
477         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
478         * dfg/DFGSpeculativeJIT.h:
479         (JSC::DFG::SpeculativeJIT::callOperation):
480         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
481         * ftl/FTLLowerDFGToB3.cpp:
482         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
483         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
484         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
485         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
486         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
487         * heap/CopyToken.h:
488         * heap/SlotVisitor.cpp:
489         (JSC::SlotVisitor::markAuxiliary):
490         * jit/JITOperations.h:
491         * runtime/JSArrayBufferView.cpp:
492         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
493         (JSC::JSArrayBufferView::JSArrayBufferView):
494         * runtime/JSArrayBufferView.h:
495         * runtime/JSGenericTypedArrayView.h:
496         * runtime/JSGenericTypedArrayViewInlines.h:
497         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
498         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
499         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
500         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
501
502 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
503
504         [Win64] Compile fixes.
505         https://bugs.webkit.org/show_bug.cgi?id=161682
506
507         Reviewed by Brent Fulgham.
508
509         * dfg/DFGSpeculativeJIT64.cpp:
510         (JSC::DFG::SpeculativeJIT::emitCall):
511         * jit/JITCall.cpp:
512         (JSC::JIT::compileOpCall):
513         * runtime/ArrayConventions.cpp:
514         (JSC::clearArrayMemset):
515
516 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
517
518         [Win] Exception fuzz tests fail
519         https://bugs.webkit.org/show_bug.cgi?id=140928
520
521         Reviewed by Mark Lam.
522
523         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
524         The tests depend on the output to stdout being written in the correct order.
525
526         * runtime/ExceptionFuzz.cpp:
527         (JSC::doExceptionFuzzing):
528
529 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
530
531         Enable the <meter> element on iOS
532         https://bugs.webkit.org/show_bug.cgi?id=161714
533         rdar://problem/8978410
534
535         Reviewed by Tim Horton.
536
537         Define ENABLE_METER_ELEMENT unconditionally now.
538
539         * Configurations/FeatureDefines.xcconfig:
540
541 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
542
543         Modernize Debugger to use nullptr
544         https://bugs.webkit.org/show_bug.cgi?id=161718
545
546         Reviewed by Mark Lam.
547
548         * debugger/Debugger.cpp:
549         (JSC::Debugger::Debugger):
550         (JSC::Debugger::~Debugger):
551         (JSC::Debugger::detach):
552         (JSC::Debugger::stepOutOfFunction):
553         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
554         * debugger/Debugger.h:
555
556 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
557
558         Web Inspector: Remove always false case in Debugger
559         https://bugs.webkit.org/show_bug.cgi?id=161717
560
561         Reviewed by Brian Burg.
562
563         * debugger/Debugger.cpp:
564         (JSC::Debugger::didExecuteProgram):
565         We would have earlier returned a few statements ago if this case was true.
566         And we would have crashed in the previous statement if this case was true.
567
568 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
569
570         Unreviewed, build fix after r205569
571
572         Tweak CMakeLists.txt
573
574         * CMakeLists.txt:
575
576 2016-09-07  Mark Lam  <mark.lam@apple.com>
577
578         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
579         https://bugs.webkit.org/show_bug.cgi?id=161498
580
581         Reviewed by Geoffrey Garen.
582
583         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
584         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
585         introduced.
586
587         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
588         which is a more suitable name now.
589
590         Note: exception scope verification is still disabled by default.  There are still
591         many places that need to be fixed up or re-expressed in a way that is friendly
592         to the verification.  I'll address those in subsequent patches.
593
594         After this patch, the code will statically enforce that:
595         1. all calls to throwException() go through a ThrowScope.
596         2. all calls to clearException() go through a CatchScope.
597         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
598            or CatchScope.
599
600         A Summary of how to use ExceptionScopes
601         =======================================
602         1. If a function can throw a JS exception, it should declare a ThrowScope at the
603            top of the function (as early as possible).
604
605         2. If a function can clear JS exceptions, it should declare a CatchScope at the
606            top of the function (as early as possible).
607
608         Declaring a ThrowScope in a function means that the function may throw an exception
609         that its caller will have to handle.  Declaring a CatchScope in a function means
610         that the function intends to clear pending exceptions before returning to its
611         caller. 
612
613         For more details, see the notes below.
614         
615         Everything you may want to know about ExceptionScopes
616         =====================================================
617         ExceptionScope verification works to simulate exception throws and detect cases
618         where exception checks are missing.  The notes below will cover:
619
620             1. The VM::m_needExceptionCheck bit
621             2. ThrowScopes and CatchScopes
622             3. Verification of needed exception checks
623             3. Checking Exceptions
624             4. Simulating throws
625             5. Using ThrowScope::release()
626             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
627             7. Checking exceptions by checking callee results
628             8. Debugging verification errors
629
630         1. The VM::m_needExceptionCheck bit
631
632            The VM has a m_needExceptionCheck bit that indicates when an exception may be
633            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
634            throw.
635
636         2. ThrowScopes and CatchScopes
637
638            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
639
640            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
641            at the top of its function (as early as possible) e.g.
642  
643                 void foo(...)
644                 {
645                     auto scope = DECLARE_THROW_SCOPE(vm);
646                     ...
647                     throwException(exec, scope, ...);
648                 }
649
650            Note: by convention, every throw helper function must take a ThrowScope argument
651            instead of instantiating its own ThrowScope.  This allows the throw to be
652            attributed to the client code rather than the throw helper itself.
653
654            Every catch site (i.e. a site that calls clearException()) must declare a
655            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
656
657            If a function can both throw or clear exceptions, then the ThrowScope should
658            be declared first so that it can simulate a throw to the function's caller.
659
660            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
661            can be aware if there's an enclosing CatchScope between it and the point where
662            C++ code returns to JS code.  This is needed to determine if the ThrowScope
663            should simulate a re-throw or not.  See (4) below for more details on returning
664            to JS code.
665
666         3. Verification of needed exception checks
667
668            a. On construction, each ThrowScope and CatchScope will verify that
669               VM::m_needExceptionCheck is not set.
670  
671               This ensures that the caller of the current function has checked for exceptions
672               where needed before doing more work which lead to calling the current function.
673
674            b. On destruction, each ThrowScope and CatchScope will verify that
675               VM::m_needExceptionCheck is not set. This verification will be skipped if
676               the ThrowScope has been released (see (5) below).
677
678               This ensures that the function that owns this exception scope is not missing
679               any exception checks before returning.
680
681            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
682               is not already set, unless it's been ask to rethrow the same Exception object.
683
684         4. Simulating throws
685
686            Throws are simulated by setting the m_needExceptionCheck bit.
687
688            The bit will only be set in the ThrowScope destructor except when the ThrowScope
689            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
690            check for exceptions after a host C++ function returns to it.  However, they will
691            not clear the m_needExceptionCheck bit.
692
693            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
694            it will just skip the setting of the bit.
695
696            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
697            throwException methods.  This is because, in practice, we always return
698            immediately after throwing an exception.  It doesn't make sense to set the bit in
699            the throw just to have to clear it immediately after before we do verification in
700            the ThrowScope destructor.
701
702         5. Using ThrowScope::release()
703
704            Calling release() means that the scope is released from its obligation to
705            verify the VM::m_needExceptionCheck bit on destruction.
706
707            release() should only be used at the bottom of a function if:
708
709            a. This function is going to let its caller check and handle the exception, e.g.
710
711                 void foo(...)
712                 {
713                     auto scope = DECLARE_THROW_SCOPE(vm);
714                     auto result = goo(); // may throw.
715
716                     ... // Code that will are not affected by a pending exceptions.
717
718                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
719                     return result;
720                 }
721
722            b. This function is going to do a tail call that may throw.
723
724                 void foo(...)
725                 {
726                     auto scope = DECLARE_THROW_SCOPE(vm);
727                     ...
728                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
729                     return goo(); // may throw.
730                 }
731
732               release() should not be used in code paths that branch. For example:
733
734                 void foo(...)
735                 {
736                     auto scope = DECLARE_THROW_SCOPE(vm);
737
738                     auto result = goo1(); // may throw.
739                     scope.release(); // WRONG !!! Don't do this.
740                     if (result)
741                         return;
742
743                     result = goo2(); // may throw.
744                     ...
745                     return result;
746                 }
747
748             The above will result in a verification error in goo2()'s ThrowScope.  The
749             proper way to fix this verification is to do either (6) or (7) below.
750
751          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
752
753             ThrowScope/CatchScope::exception() returns the thrown Exception object if
754             there is one pending.  Else, it returns nullptr.
755
756             It also clears the m_needExceptionCheck bit thereby indicating that we've
757             satisfied the needed exception check.  For example,
758
759                 void foo(...)
760                 {
761                     auto scope = DECLARE_THROW_SCOPE(vm);
762
763                     auto result = goo1(); // may throw.
764                     if (scope.exception())
765                         return;
766
767                     result = goo2(); // may throw.
768                     ...
769                     return result;
770                 }
771
772             But sometimes, for optimization reasons, we may choose to test the result of
773             the callee function instead doing a load of the VM exception value.  See (7)
774             below.
775
776          7. Checking exceptions by checking callee results
777
778             This approach should only be applied when it makes a difference to performance.
779             If we need to do this, we should add an ASSERT() that invokes the scope's
780             exception() method to verify the result.  Since exception scope verification
781             is only done on DEBUG builds, this ASSERT will satisfy the verification
782             requirements without impacting performance.  For example,
783
784                 void foo(...)
785                 {
786                     auto scope = DECLARE_THROW_SCOPE(vm);
787
788                     bool failed = goo1(); // may throw.
789                     ASSERT(!!scope.exception() == failed)
790                     if (failed)
791                         return;
792
793                     result = goo2(); // may throw.
794                     ...
795                     return result;
796                 }
797
798          8. Debugging verification errors
799
800             a. When verification fails, you will see a message followed by an assertion
801                failure.  For example:
802
803             ERROR: Unchecked JS exception:
804                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
805                     (ExceptionScope::m_recursionDepth was ...)
806                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
807                     (ExceptionScope::m_recursionDepth was ...)
808                 [ backtrace here ]
809
810                The message tells you that failure was detected at in varargsSetup() at
811                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
812                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
813                line 1245 and it.
814
815                If that is insufficient information, you can ...
816
817             b. Dump simulated throws
818
819                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
820                back traces at each simulated throw.
821
822             c. Narrowing down the source of a simulated throw
823
824                Another technique for narrowing down the source of simulated throws is by
825                further dividing a function to smaller regions by separating each region
826                with additional local throw scopes.  For example,
827
828                 ... // Region 1
829                 { auto scope = DECLARE_THROW_SCOPE(vm); }
830                 ... // Region 2
831                 { auto scope = DECLARE_THROW_SCOPE(vm); }
832                 ... // Region 3
833
834         * API/APIUtils.h:
835         (handleExceptionIfNeeded):
836         * CMakeLists.txt:
837         * JavaScriptCore.xcodeproj/project.pbxproj:
838         * bindings/ScriptFunctionCall.cpp:
839         (Deprecated::ScriptFunctionCall::call):
840         * bindings/ScriptValue.cpp:
841         (Deprecated::ScriptValue::toString):
842         * debugger/Debugger.cpp:
843         (JSC::Debugger::pauseIfNeeded):
844         * debugger/DebuggerCallFrame.cpp:
845         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
846         * dfg/DFGOSRExitCompiler.cpp:
847         * dfg/DFGOperations.cpp:
848         (JSC::DFG::operationPutByValInternal):
849         * inspector/InjectedScriptManager.cpp:
850         (Inspector::InjectedScriptManager::createInjectedScript):
851         * inspector/JSGlobalObjectInspectorController.cpp:
852         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
853         * inspector/JSInjectedScriptHost.cpp:
854         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
855         (Inspector::JSInjectedScriptHost::getInternalProperties):
856         (Inspector::JSInjectedScriptHost::weakMapEntries):
857         (Inspector::JSInjectedScriptHost::weakSetEntries):
858         (Inspector::JSInjectedScriptHost::iteratorEntries):
859         * inspector/JSJavaScriptCallFrame.cpp:
860         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
861         * inspector/ScriptCallStackFactory.cpp:
862         (Inspector::extractSourceInformationFromException):
863         * interpreter/CachedCall.h:
864         (JSC::CachedCall::CachedCall):
865         * interpreter/CallFrame.h:
866         (JSC::ExecState::clearException): Deleted.
867         (JSC::ExecState::exception): Deleted.
868         (JSC::ExecState::hadException): Deleted.
869         (JSC::ExecState::lastException): Deleted.
870         (JSC::ExecState::clearLastException): Deleted.
871         * interpreter/Interpreter.cpp:
872         (JSC::eval):
873         (JSC::sizeOfVarargs):
874         (JSC::notifyDebuggerOfUnwinding):
875         (JSC::Interpreter::unwind):
876         (JSC::Interpreter::execute):
877         (JSC::Interpreter::executeCall):
878         (JSC::Interpreter::executeConstruct):
879         (JSC::Interpreter::prepareForRepeatCall):
880         (JSC::Interpreter::debug):
881         * interpreter/Interpreter.h:
882         (JSC::SuspendExceptionScope::SuspendExceptionScope):
883         * interpreter/ShadowChicken.cpp:
884         (JSC::ShadowChicken::functionsOnStack):
885         * jit/JITCode.cpp:
886         (JSC::JITCode::execute):
887         * jit/JITExceptions.cpp:
888         (JSC::genericUnwind):
889         * jit/JITOperations.cpp:
890         (JSC::getByVal):
891         * jsc.cpp:
892         (WTF::ImpureGetter::getOwnPropertySlot):
893         (GlobalObject::moduleLoaderResolve):
894         (GlobalObject::moduleLoaderFetch):
895         (functionCreateElement):
896         (functionRun):
897         (functionRunString):
898         (functionLoad):
899         (functionLoadString):
900         (functionReadFile):
901         (functionCheckSyntax):
902         (functionSetRandomSeed):
903         (functionLoadModule):
904         (functionCreateBuiltin):
905         (functionCheckModuleSyntax):
906         (functionGenerateHeapSnapshot):
907         (functionSamplingProfilerStackTraces):
908         (dumpException):
909         (checkUncaughtException):
910         (runWithScripts):
911         (runInteractive):
912         * llint/LLIntExceptions.cpp:
913         (JSC::LLInt::returnToThrow):
914         (JSC::LLInt::callToThrow):
915         * llint/LLIntSlowPaths.cpp:
916         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
917         * profiler/ProfilerBytecodeSequence.cpp:
918         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
919         * profiler/ProfilerCompilation.cpp:
920         (JSC::Profiler::Compilation::toJS):
921         * profiler/ProfilerDatabase.cpp:
922         (JSC::Profiler::Database::toJS):
923         * profiler/ProfilerOSRExitSite.cpp:
924         (JSC::Profiler::OSRExitSite::toJS):
925         * profiler/ProfilerOriginStack.cpp:
926         (JSC::Profiler::OriginStack::toJS):
927         * runtime/ArrayPrototype.cpp:
928         (JSC::speciesConstructArray):
929         (JSC::shift):
930         (JSC::unshift):
931         (JSC::arrayProtoFuncToString):
932         (JSC::arrayProtoFuncToLocaleString):
933         (JSC::slowJoin):
934         (JSC::fastJoin):
935         (JSC::arrayProtoFuncJoin):
936         (JSC::arrayProtoFuncPop):
937         (JSC::arrayProtoFuncPush):
938         (JSC::arrayProtoFuncReverse):
939         (JSC::arrayProtoFuncShift):
940         (JSC::arrayProtoFuncSlice):
941         (JSC::arrayProtoFuncSplice):
942         (JSC::arrayProtoFuncUnShift):
943         (JSC::arrayProtoFuncIndexOf):
944         (JSC::arrayProtoFuncLastIndexOf):
945         (JSC::moveElements):
946         (JSC::concatAppendOne):
947         (JSC::arrayProtoPrivateFuncConcatMemcpy):
948         * runtime/BooleanConstructor.cpp:
949         (JSC::constructWithBooleanConstructor):
950         * runtime/CallData.cpp:
951         (JSC::call):
952         * runtime/CatchScope.cpp: Added.
953         (JSC::CatchScope::CatchScope):
954         (JSC::CatchScope::~CatchScope):
955         * runtime/CatchScope.h: Added.
956         (JSC::CatchScope::clearException):
957         (JSC::CatchScope::CatchScope):
958         * runtime/CommonSlowPaths.cpp:
959         (JSC::SLOW_PATH_DECL):
960         * runtime/CommonSlowPaths.h:
961         (JSC::CommonSlowPaths::opIn):
962         * runtime/CommonSlowPathsExceptions.cpp:
963         (JSC::CommonSlowPaths::interpreterThrowInCaller):
964         * runtime/Completion.cpp:
965         (JSC::evaluate):
966         (JSC::rejectPromise):
967         (JSC::loadAndEvaluateModule):
968         (JSC::loadModule):
969         * runtime/ConsoleObject.cpp:
970         (JSC::consoleProtoFuncAssert):
971         (JSC::consoleProtoFuncProfile):
972         (JSC::consoleProtoFuncProfileEnd):
973         (JSC::consoleProtoFuncTakeHeapSnapshot):
974         (JSC::consoleProtoFuncTime):
975         (JSC::consoleProtoFuncTimeEnd):
976         * runtime/DateConstructor.cpp:
977         (JSC::constructDate):
978         (JSC::dateParse):
979         * runtime/DatePrototype.cpp:
980         (JSC::dateProtoFuncToPrimitiveSymbol):
981         (JSC::dateProtoFuncToJSON):
982         * runtime/ErrorConstructor.cpp:
983         (JSC::Interpreter::constructWithErrorConstructor):
984         * runtime/ErrorInstance.cpp:
985         (JSC::ErrorInstance::sanitizedToString):
986         * runtime/ErrorPrototype.cpp:
987         (JSC::errorProtoFuncToString):
988         * runtime/ExceptionEventLocation.cpp: Added.
989         (WTF::printInternal):
990         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
991         (JSC::ExceptionEventLocation::ExceptionEventLocation):
992         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
993         * runtime/ExceptionHelpers.h:
994         * runtime/ExceptionScope.cpp: Added.
995         (JSC::ExceptionScope::ExceptionScope):
996         (JSC::ExceptionScope::~ExceptionScope):
997         * runtime/ExceptionScope.h: Added.
998         (JSC::ExceptionScope::vm):
999         (JSC::ExceptionScope::recursionDepth):
1000         (JSC::ExceptionScope::exception):
1001         (JSC::ExceptionScope::ExceptionScope):
1002         * runtime/FunctionConstructor.cpp:
1003         (JSC::constructFunctionSkippingEvalEnabledCheck):
1004         * runtime/FunctionPrototype.cpp:
1005         (JSC::functionProtoFuncBind):
1006         * runtime/GenericArgumentsInlines.h:
1007         (JSC::GenericArguments<Type>::copyToArguments):
1008         * runtime/GetterSetter.cpp:
1009         (JSC::callGetter):
1010         * runtime/InspectorInstrumentationObject.cpp:
1011         (JSC::inspectorInstrumentationObjectLog):
1012         * runtime/InternalFunction.cpp:
1013         (JSC::InternalFunction::createSubclassStructure):
1014         * runtime/IntlCollator.cpp:
1015         (JSC::IntlCollator::initializeCollator):
1016         (JSC::IntlCollator::createCollator):
1017         (JSC::IntlCollator::resolvedOptions):
1018         * runtime/IntlCollatorConstructor.cpp:
1019         (JSC::constructIntlCollator):
1020         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1021         * runtime/IntlCollatorPrototype.cpp:
1022         (JSC::IntlCollatorFuncCompare):
1023         (JSC::IntlCollatorPrototypeGetterCompare):
1024         * runtime/IntlDateTimeFormat.cpp:
1025         (JSC::toDateTimeOptionsAnyDate):
1026         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1027         (JSC::IntlDateTimeFormat::resolvedOptions):
1028         (JSC::IntlDateTimeFormat::format):
1029         * runtime/IntlDateTimeFormatConstructor.cpp:
1030         (JSC::constructIntlDateTimeFormat):
1031         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1032         * runtime/IntlDateTimeFormatPrototype.cpp:
1033         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1034         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1035         * runtime/IntlNumberFormat.cpp:
1036         (JSC::IntlNumberFormat::initializeNumberFormat):
1037         (JSC::IntlNumberFormat::createNumberFormat):
1038         (JSC::IntlNumberFormat::resolvedOptions):
1039         * runtime/IntlNumberFormatConstructor.cpp:
1040         (JSC::constructIntlNumberFormat):
1041         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1042         * runtime/IntlNumberFormatPrototype.cpp:
1043         (JSC::IntlNumberFormatFuncFormatNumber):
1044         (JSC::IntlNumberFormatPrototypeGetterFormat):
1045         * runtime/IntlObject.cpp:
1046         (JSC::intlBooleanOption):
1047         (JSC::intlStringOption):
1048         (JSC::intlNumberOption):
1049         (JSC::canonicalizeLocaleList):
1050         (JSC::supportedLocales):
1051         * runtime/IntlObjectInlines.h:
1052         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1053         * runtime/IteratorOperations.cpp:
1054         (JSC::iteratorNext):
1055         (JSC::iteratorStep):
1056         (JSC::iteratorClose):
1057         (JSC::iteratorForIterable):
1058         * runtime/IteratorOperations.h:
1059         (JSC::forEachInIterable):
1060         * runtime/JSArray.cpp:
1061         (JSC::JSArray::pop):
1062         (JSC::JSArray::push):
1063         (JSC::JSArray::copyToArguments):
1064         * runtime/JSArrayBufferConstructor.cpp:
1065         (JSC::constructArrayBuffer):
1066         * runtime/JSArrayBufferPrototype.cpp:
1067         (JSC::arrayBufferProtoFuncSlice):
1068         * runtime/JSArrayInlines.h:
1069         (JSC::getLength):
1070         (JSC::toLength):
1071         * runtime/JSBoundFunction.cpp:
1072         (JSC::getBoundFunctionStructure):
1073         (JSC::JSBoundFunction::create):
1074         * runtime/JSCJSValue.cpp:
1075         (JSC::JSValue::putToPrimitive):
1076         (JSC::JSValue::putToPrimitiveByIndex):
1077         (JSC::JSValue::toStringSlowCase):
1078         * runtime/JSCJSValueInlines.h:
1079         (JSC::toPreferredPrimitiveType):
1080         (JSC::JSValue::getPropertySlot):
1081         (JSC::JSValue::equalSlowCaseInline):
1082         * runtime/JSDataViewPrototype.cpp:
1083         (JSC::getData):
1084         (JSC::setData):
1085         * runtime/JSFunction.cpp:
1086         (JSC::JSFunction::setFunctionName):
1087         * runtime/JSGenericTypedArrayView.h:
1088         (JSC::JSGenericTypedArrayView::setIndex):
1089         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1090         (JSC::constructGenericTypedArrayViewFromIterator):
1091         (JSC::constructGenericTypedArrayViewWithArguments):
1092         (JSC::constructGenericTypedArrayView):
1093         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1094         (JSC::speciesConstruct):
1095         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1096         (JSC::genericTypedArrayViewProtoFuncIncludes):
1097         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1098         (JSC::genericTypedArrayViewProtoFuncJoin):
1099         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1100         (JSC::genericTypedArrayViewProtoFuncSlice):
1101         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1102         * runtime/JSGlobalObject.h:
1103         (JSC::constructEmptyArray):
1104         (JSC::constructArray):
1105         (JSC::constructArrayNegativeIndexed):
1106         * runtime/JSGlobalObjectFunctions.cpp:
1107         (JSC::globalFuncEval):
1108         * runtime/JSJob.cpp:
1109         (JSC::JSJobMicrotask::run):
1110         * runtime/JSModuleEnvironment.cpp:
1111         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1112         * runtime/JSModuleLoader.cpp:
1113         (JSC::JSModuleLoader::fetch):
1114         * runtime/JSModuleNamespaceObject.cpp:
1115         (JSC::JSModuleNamespaceObject::finishCreation):
1116         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1117         * runtime/JSModuleRecord.cpp:
1118         (JSC::JSModuleRecord::instantiateDeclarations):
1119         * runtime/JSONObject.cpp:
1120         (JSC::Stringifier::Stringifier):
1121         (JSC::Stringifier::stringify):
1122         (JSC::Stringifier::toJSON):
1123         (JSC::Stringifier::appendStringifiedValue):
1124         (JSC::Stringifier::Holder::appendNextProperty):
1125         (JSC::Walker::walk):
1126         (JSC::JSONProtoFuncParse):
1127         * runtime/JSObject.cpp:
1128         (JSC::ordinarySetSlow):
1129         (JSC::JSObject::setPrototypeWithCycleCheck):
1130         (JSC::callToPrimitiveFunction):
1131         (JSC::JSObject::ordinaryToPrimitive):
1132         (JSC::JSObject::defaultHasInstance):
1133         (JSC::JSObject::getPropertyNames):
1134         (JSC::JSObject::toNumber):
1135         (JSC::JSObject::toString):
1136         (JSC::JSObject::defineOwnNonIndexProperty):
1137         (JSC::JSObject::getGenericPropertyNames):
1138         (JSC::JSObject::getMethod):
1139         * runtime/JSObjectInlines.h:
1140         (JSC::createListFromArrayLike):
1141         (JSC::JSObject::getPropertySlot):
1142         (JSC::JSObject::getNonIndexPropertySlot):
1143         * runtime/JSPromiseConstructor.cpp:
1144         (JSC::constructPromise):
1145         * runtime/JSPropertyNameEnumerator.h:
1146         (JSC::propertyNameEnumerator):
1147         * runtime/JSPropertyNameIterator.cpp:
1148         (JSC::JSPropertyNameIterator::create):
1149         * runtime/JSScope.cpp:
1150         (JSC::isUnscopable):
1151         (JSC::JSScope::resolve):
1152         * runtime/JSString.cpp:
1153         (JSC::JSString::equalSlowCase):
1154         * runtime/JSStringJoiner.cpp:
1155         (JSC::JSStringJoiner::join):
1156         * runtime/LiteralParser.cpp:
1157         (JSC::LiteralParser<CharType>::parse):
1158         * runtime/MapConstructor.cpp:
1159         (JSC::constructMap):
1160         * runtime/MathObject.cpp:
1161         (JSC::mathProtoFuncClz32):
1162         (JSC::mathProtoFuncHypot):
1163         (JSC::mathProtoFuncIMul):
1164         * runtime/ModuleLoaderPrototype.cpp:
1165         (JSC::moduleLoaderPrototypeParseModule):
1166         (JSC::moduleLoaderPrototypeRequestedModules):
1167         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1168         * runtime/NativeErrorConstructor.cpp:
1169         (JSC::Interpreter::constructWithNativeErrorConstructor):
1170         * runtime/NumberConstructor.cpp:
1171         (JSC::constructWithNumberConstructor):
1172         * runtime/ObjectConstructor.cpp:
1173         (JSC::constructObject):
1174         (JSC::objectConstructorGetPrototypeOf):
1175         (JSC::objectConstructorSetPrototypeOf):
1176         (JSC::objectConstructorGetOwnPropertyDescriptor):
1177         (JSC::objectConstructorGetOwnPropertyDescriptors):
1178         (JSC::objectConstructorGetOwnPropertyNames):
1179         (JSC::objectConstructorGetOwnPropertySymbols):
1180         (JSC::objectConstructorKeys):
1181         (JSC::ownEnumerablePropertyKeys):
1182         (JSC::toPropertyDescriptor):
1183         (JSC::objectConstructorDefineProperty):
1184         (JSC::defineProperties):
1185         (JSC::objectConstructorSeal):
1186         (JSC::objectConstructorFreeze):
1187         (JSC::objectConstructorIsSealed):
1188         (JSC::objectConstructorIsFrozen):
1189         (JSC::objectConstructorIsExtensible):
1190         (JSC::ownPropertyKeys):
1191         * runtime/ObjectConstructor.h:
1192         (JSC::constructObjectFromPropertyDescriptor):
1193         * runtime/ObjectPrototype.cpp:
1194         (JSC::objectProtoFuncHasOwnProperty):
1195         (JSC::objectProtoFuncIsPrototypeOf):
1196         (JSC::objectProtoFuncDefineGetter):
1197         (JSC::objectProtoFuncDefineSetter):
1198         (JSC::objectProtoFuncLookupGetter):
1199         (JSC::objectProtoFuncLookupSetter):
1200         (JSC::objectProtoFuncPropertyIsEnumerable):
1201         (JSC::objectProtoFuncToLocaleString):
1202         (JSC::objectProtoFuncToString):
1203         * runtime/Operations.cpp:
1204         (JSC::jsAddSlowCase):
1205         * runtime/Options.h:
1206         * runtime/PropertyDescriptor.cpp:
1207         (JSC::PropertyDescriptor::slowGetterSetter):
1208         * runtime/ProxyConstructor.cpp:
1209         (JSC::makeRevocableProxy):
1210         * runtime/ProxyObject.cpp:
1211         (JSC::ProxyObject::toStringName):
1212         (JSC::performProxyGet):
1213         (JSC::ProxyObject::performGet):
1214         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1215         (JSC::ProxyObject::performHasProperty):
1216         (JSC::ProxyObject::performPut):
1217         (JSC::ProxyObject::putByIndexCommon):
1218         (JSC::performProxyCall):
1219         (JSC::performProxyConstruct):
1220         (JSC::ProxyObject::performDelete):
1221         (JSC::ProxyObject::performPreventExtensions):
1222         (JSC::ProxyObject::performIsExtensible):
1223         (JSC::ProxyObject::performDefineOwnProperty):
1224         (JSC::ProxyObject::performGetOwnPropertyNames):
1225         (JSC::ProxyObject::performSetPrototype):
1226         (JSC::ProxyObject::performGetPrototype):
1227         * runtime/ReflectObject.cpp:
1228         (JSC::reflectObjectConstruct):
1229         (JSC::reflectObjectDefineProperty):
1230         (JSC::reflectObjectGet):
1231         (JSC::reflectObjectGetOwnPropertyDescriptor):
1232         (JSC::reflectObjectIsExtensible):
1233         (JSC::reflectObjectPreventExtensions):
1234         (JSC::reflectObjectSet):
1235         (JSC::reflectObjectSetPrototypeOf):
1236         * runtime/RegExpConstructor.cpp:
1237         (JSC::toFlags):
1238         (JSC::regExpCreate):
1239         (JSC::constructRegExp):
1240         * runtime/RegExpConstructor.h:
1241         (JSC::isRegExp):
1242         * runtime/RegExpObject.cpp:
1243         (JSC::collectMatches):
1244         (JSC::RegExpObject::matchGlobal):
1245         * runtime/RegExpPrototype.cpp:
1246         (JSC::regExpProtoFuncCompile):
1247         (JSC::flagsString):
1248         (JSC::regExpProtoFuncToString):
1249         (JSC::regExpProtoGetterFlags):
1250         (JSC::regExpProtoFuncSearchFast):
1251         (JSC::regExpProtoFuncSplitFast):
1252         * runtime/SetConstructor.cpp:
1253         (JSC::constructSet):
1254         * runtime/StringConstructor.cpp:
1255         (JSC::stringFromCodePoint):
1256         (JSC::constructWithStringConstructor):
1257         * runtime/StringObject.cpp:
1258         (JSC::StringObject::defineOwnProperty):
1259         * runtime/StringPrototype.cpp:
1260         (JSC::replaceUsingRegExpSearch):
1261         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1262         (JSC::replaceUsingStringSearch):
1263         (JSC::replace):
1264         (JSC::stringProtoFuncReplaceUsingRegExp):
1265         (JSC::stringProtoFuncReplaceUsingStringSearch):
1266         (JSC::stringProtoFuncCodePointAt):
1267         (JSC::stringProtoFuncSlice):
1268         (JSC::stringProtoFuncSplitFast):
1269         (JSC::stringProtoFuncSubstr):
1270         (JSC::stringProtoFuncSubstring):
1271         (JSC::stringProtoFuncLocaleCompare):
1272         (JSC::toLocaleCase):
1273         (JSC::stringProtoFuncBig):
1274         (JSC::stringProtoFuncSmall):
1275         (JSC::stringProtoFuncBlink):
1276         (JSC::stringProtoFuncBold):
1277         (JSC::stringProtoFuncFixed):
1278         (JSC::stringProtoFuncItalics):
1279         (JSC::stringProtoFuncStrike):
1280         (JSC::stringProtoFuncSub):
1281         (JSC::stringProtoFuncSup):
1282         (JSC::stringProtoFuncFontcolor):
1283         (JSC::stringProtoFuncFontsize):
1284         (JSC::stringProtoFuncAnchor):
1285         (JSC::stringProtoFuncLink):
1286         (JSC::trimString):
1287         (JSC::stringProtoFuncStartsWith):
1288         (JSC::stringProtoFuncEndsWith):
1289         (JSC::stringIncludesImpl):
1290         (JSC::stringProtoFuncIncludes):
1291         (JSC::builtinStringIncludesInternal):
1292         (JSC::stringProtoFuncNormalize):
1293         * runtime/SymbolConstructor.cpp:
1294         (JSC::symbolConstructorFor):
1295         * runtime/TemplateRegistry.cpp:
1296         (JSC::TemplateRegistry::getTemplateObject):
1297         * runtime/ThrowScope.cpp:
1298         (JSC::ThrowScope::ThrowScope):
1299         (JSC::ThrowScope::~ThrowScope):
1300         (JSC::ThrowScope::throwException):
1301         (JSC::ThrowScope::simulateThrow):
1302         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1303         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1304         * runtime/ThrowScope.h:
1305         (JSC::ThrowScope::release):
1306         (JSC::ThrowScope::ThrowScope):
1307         (JSC::ThrowScope::throwException):
1308         (JSC::ThrowScope::vm): Deleted.
1309         (JSC::ThrowScope::exception): Deleted.
1310         * runtime/ThrowScopeLocation.h: Removed.
1311         * runtime/VM.cpp:
1312         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1313         * runtime/VM.h:
1314         (JSC::VM::exception):
1315         (JSC::VM::clearException):
1316         (JSC::VM::setException): Deleted.
1317         * runtime/WeakMapConstructor.cpp:
1318         (JSC::constructWeakMap):
1319         * runtime/WeakSetConstructor.cpp:
1320         (JSC::constructWeakSet):
1321         * tools/JSDollarVMPrototype.cpp:
1322         (JSC::functionPrint):
1323
1324 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1325
1326         [INTL] some valid language tags cause errors in Intl constructors
1327         https://bugs.webkit.org/show_bug.cgi?id=161672
1328
1329         Reviewed by Mark Lam.
1330
1331         Fix private use tag parsing to match spec, allowing single character parts.
1332         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1333
1334         ```
1335         privateuse    = "x" 1*("-" (1*8alphanum))
1336         ```
1337
1338         * runtime/IntlObject.cpp:
1339         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1340
1341 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1342
1343         [JSC] Remove a couple of useless forward declaration
1344         https://bugs.webkit.org/show_bug.cgi?id=161676
1345
1346         Reviewed by Mark Lam.
1347
1348         JITMathICForwards.h should take care of declarating the Math ICs.
1349
1350         * bytecode/CodeBlock.h:
1351         * jit/JITOperations.h:
1352
1353 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1354
1355         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1356         https://bugs.webkit.org/show_bug.cgi?id=161706
1357
1358         Reviewed by Geoffrey Garen.
1359         
1360         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1361         have to do something different.
1362
1363         * jit/AssemblyHelpers.h:
1364         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1365
1366 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1367
1368         Unreviewed CMake build fix after r205552
1369
1370         * CMakeLists.txt:
1371
1372 2016-09-03  Keith Miller  <keith_miller@apple.com>
1373
1374         Add support for WASM Loops and Branches
1375         https://bugs.webkit.org/show_bug.cgi?id=161569
1376
1377         Reviewed by Benjamin Poulain.
1378
1379         This patch adds support for loops and branches to WASM. In order
1380         to support loops, we needed to change the way the B3IRGenerator
1381         tracked control information. Now, the control data holds three
1382         pieces of information: The continuation block, the loop branch
1383         target, and variables exiting the block. Whenever we branch to
1384         some control point we first check if it is a loop by checking that
1385         the loop branch target is non-null. If the branch is not targeting
1386         a loop, we map the stack values to the associated B3 variables for
1387         that stack slot.
1388
1389         Another interesting thing of note is that we now only allocate the
1390         continuation basic block lazily. This is beneficial when the
1391         continuation would just fall through to another block anyway. For
1392         example, in code like: (block ... (block (add 1 2) end) end) the
1393         continuation for the inner block just falls through to the outer
1394         block's continuation so we don't need an extra block.
1395
1396         * B3CallingConventions.cpp:
1397         (JSC::B3::jscCallingConvention): Deleted.
1398         * B3CallingConventions.h:
1399         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1400         (JSC::B3::CallingConvention::iterate): Deleted.
1401         (JSC::B3::nextJSCOffset): Deleted.
1402         * JavaScriptCore.xcodeproj/project.pbxproj:
1403         * b3/B3Type.h:
1404         * testWASM.cpp:
1405         (runWASMTests):
1406         * wasm/WASMB3IRGenerator.cpp:
1407         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1408         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1409         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1410         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1411         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1412         (JSC::WASM::B3IRGenerator::ControlData::dump):
1413         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1414         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1415         (JSC::WASM::B3IRGenerator::addLocal):
1416         (JSC::WASM::B3IRGenerator::addArguments):
1417         (JSC::WASM::B3IRGenerator::setLocal):
1418         (JSC::WASM::B3IRGenerator::addBlock):
1419         (JSC::WASM::B3IRGenerator::addLoop):
1420         (JSC::WASM::B3IRGenerator::endBlock):
1421         (JSC::WASM::B3IRGenerator::addReturn):
1422         (JSC::WASM::B3IRGenerator::addBranch):
1423         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1424         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1425         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1426         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1427         (JSC::WASM::parseAndCompile):
1428         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1429         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1430         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1431         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1432         (JSC::WASM::jscCallingConvention):
1433         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1434         (JSC::WASM::CallingConvention::CallingConvention):
1435         (JSC::WASM::CallingConvention::iterate):
1436         (JSC::WASM::nextJSCOffset):
1437         * wasm/WASMFormat.h:
1438         (JSC::WASM::toB3Type):
1439         (JSC::WASM::isValueType):
1440         * wasm/WASMFunctionParser.h:
1441         (JSC::WASM::FunctionParser<Context>::parse):
1442         (JSC::WASM::FunctionParser<Context>::parseExpression):
1443         * wasm/WASMModuleParser.cpp:
1444         (JSC::WASM::ModuleParser::parseFunctionTypes):
1445         * wasm/WASMOps.h:
1446
1447 2016-09-07  Youenn Fablet  <youenn@apple.com>
1448
1449         [Streams API] Separate compile flag for ReadableStream and WritableStream
1450         https://bugs.webkit.org/show_bug.cgi?id=161044
1451
1452         Reviewed by Alex Christensen.
1453
1454         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1455         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1456
1457         * Configurations/FeatureDefines.xcconfig:
1458         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1459         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1460         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1461
1462 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1463
1464         Fix the ENABLE(WEBASSEMBLY) build on Linux
1465         https://bugs.webkit.org/show_bug.cgi?id=161685
1466
1467         Unreviewed buildfix.
1468
1469         * wasm/JSWASMModule.cpp:
1470
1471 2016-09-06  Saam Barati  <sbarati@apple.com>
1472
1473         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1474         https://bugs.webkit.org/show_bug.cgi?id=161558
1475
1476         Reviewed by Benjamin Poulain.
1477
1478         ProxyObject had ObjectPrototype as its direct prototype.
1479         This could lead to infinite loops when doing a getDirectPrototype()
1480         loop.
1481
1482         Fixing this bug revealed another bug, which I made when implementing Proxy.
1483         We should not special case "__proto__" in get and set for Proxy Object's
1484         hooks. "__proto__" should just go through the normal set and get path.
1485
1486         * runtime/JSGlobalObject.cpp:
1487         (JSC::JSGlobalObject::init):
1488         * runtime/ProxyObject.cpp:
1489         (JSC::performProxyGet):
1490         (JSC::ProxyObject::put):
1491
1492 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1493
1494         Make JSC::PrivateName copyable
1495         https://bugs.webkit.org/show_bug.cgi?id=161666
1496
1497         Reviewed by Ryosuke Niwa.
1498
1499         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1500         And since the custom copy constructor deletes the default move constructor, we explcitly define
1501         it by `= default;`.
1502
1503         * runtime/PrivateName.h:
1504         (JSC::PrivateName::PrivateName):
1505
1506 2016-09-06  Daniel Bates  <dabates@apple.com>
1507
1508         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1509         https://bugs.webkit.org/show_bug.cgi?id=161296
1510
1511         Reviewed by Dan Bernstein.
1512
1513         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1514         with the iOS 10 beta SDK.
1515
1516         * Configurations/Base.xcconfig:
1517
1518 2016-09-06  Saam Barati  <sbarati@apple.com>
1519
1520         Unreviewed build fix for 32-bit platforms after r205520.
1521
1522         * dfg/DFGSpeculativeJIT.h:
1523         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1524
1525 2016-09-06  Saam Barati  <sbarati@apple.com>
1526
1527         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1528         https://bugs.webkit.org/show_bug.cgi?id=160870
1529
1530         Reviewed by Darin Adler.
1531
1532         Credit goes to Jonathan Bedard for finding this bug using the undefined
1533         behavior sanitizer.
1534
1535         The rule for MaterializeNewObject inside AI was assuming that the graph
1536         is in SSA form. This used to be true when MaterializeNewObject was only
1537         inserted by the allocation sinking phase. However, Filip added more uses
1538         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1539         the bug by using the structure set inside the Node's OpInfo rather than
1540         generating it from m_phiChildren inside AI.
1541
1542         * dfg/DFGAbstractInterpreterInlines.h:
1543         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1544
1545 2016-09-06  Saam Barati  <sbarati@apple.com>
1546
1547         Make JSMap and JSSet faster
1548         https://bugs.webkit.org/show_bug.cgi?id=160989
1549
1550         Reviewed by Filip Pizlo.
1551
1552         This patch revamps how we implement Map and Set. It uses
1553         a new hash map implementation. The hash map uses linear
1554         probing and it uses Wang's 64 bit hash function for JSValues
1555         that aren't strings. Strings use StringImpl's hash function.
1556         The reason I wanted to roll our own HashTable is twofold:
1557         I didn't want to inline WTF::HashMap's implementation into our
1558         JIT, since that seems error prone and unmaintainable. Also, I wanted
1559         a different structure for hash map buckets where buckets also exist in
1560         a linked list.
1561
1562         The reason for making buckets part of a linked list is that iteration
1563         is now simple. Iteration works by just traversing a linked list.
1564         This design also allows for a simple implementation when doing iteration
1565         while the hash table is mutating. Whenever we remove a bucket from
1566         the hash table, it is removed from the list, meaning items in the
1567         list don't point to it. However, the removed bucket will still point
1568         to things that are either in the list, or have also been removed.
1569         e.g, from a removed bucket, you can always follow pointers until you
1570         either find an item in the list, or you find the tail of the list.
1571         This is a really nice property because it means that a Map or Set
1572         does not need to reason about the all the iterators that point
1573         into its list. Also, whenever we add items to the Map or Set, we
1574         hijack the tail as the new item, and make the new item point to a newly
1575         created tail. This means that any iterator that pointed to the "tail" now
1576         points to non-tail items. This makes the implementation of adding things
1577         to the Map/Set while iterating easy.
1578
1579         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1580         into intrinsics in the DFG. The IR can now reason about hash map
1581         operations and can even do CSE over Wang's hash function, hash map
1582         bucket lookups, hash map bucket loads, and testing if a key is in
1583         the hash table. This makes code patterns for Map like so, super fast
1584         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1585
1586         ```
1587         function getKeyIfPresent(map, key) {
1588             if (map.has(key))
1589                 return map.get(key);
1590         }
1591         ```
1592
1593         This patch is roughly an 8% speedup on ES6SampleBench.
1594
1595
1596         * CMakeLists.txt:
1597         * JavaScriptCore.xcodeproj/project.pbxproj:
1598         * assembler/MacroAssemblerARM64.h:
1599         (JSC::MacroAssemblerARM64::not64):
1600         * bytecode/SpeculatedType.cpp:
1601         (JSC::speculationFromClassInfo):
1602         * bytecode/SpeculatedType.h:
1603         * dfg/DFGAbstractInterpreterInlines.h:
1604         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1605         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1606         * dfg/DFGByteCodeParser.cpp:
1607         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1608         * dfg/DFGClobberize.h:
1609         (JSC::DFG::clobberize):
1610         * dfg/DFGDoesGC.cpp:
1611         (JSC::DFG::doesGC):
1612         * dfg/DFGEdge.h:
1613         (JSC::DFG::Edge::shift):
1614         (JSC::DFG::Edge::makeWord):
1615         * dfg/DFGFixupPhase.cpp:
1616         (JSC::DFG::FixupPhase::fixupNode):
1617         * dfg/DFGHeapLocation.cpp:
1618         (WTF::printInternal):
1619         * dfg/DFGHeapLocation.h:
1620         * dfg/DFGNode.h:
1621         (JSC::DFG::Node::hasHeapPrediction):
1622         * dfg/DFGNodeType.h:
1623         * dfg/DFGOperations.cpp:
1624         * dfg/DFGOperations.h:
1625         * dfg/DFGPredictionPropagationPhase.cpp:
1626         * dfg/DFGSafeToExecute.h:
1627         (JSC::DFG::SafeToExecuteEdge::operator()):
1628         (JSC::DFG::safeToExecute):
1629         * dfg/DFGSpeculativeJIT.cpp:
1630         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1631         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1632         (JSC::DFG::SpeculativeJIT::speculate):
1633         * dfg/DFGSpeculativeJIT.h:
1634         (JSC::DFG::SpeculativeJIT::callOperation):
1635         * dfg/DFGSpeculativeJIT32_64.cpp:
1636         (JSC::DFG::SpeculativeJIT::compile):
1637         * dfg/DFGSpeculativeJIT64.cpp:
1638         (JSC::DFG::SpeculativeJIT::compile):
1639         * dfg/DFGUseKind.cpp:
1640         (WTF::printInternal):
1641         * dfg/DFGUseKind.h:
1642         (JSC::DFG::typeFilterFor):
1643         (JSC::DFG::isCell):
1644         * ftl/FTLAbstractHeapRepository.h:
1645         * ftl/FTLCapabilities.cpp:
1646         (JSC::FTL::canCompile):
1647         * ftl/FTLLowerDFGToB3.cpp:
1648         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1649         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1650         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1651         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1652         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1653         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1654         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1655         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1656         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1657         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1658         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1659         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1660         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1661         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1662         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1663         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1664         * jit/AssemblyHelpers.cpp:
1665         (JSC::AssemblyHelpers::wangsInt64Hash):
1666         * jit/AssemblyHelpers.h:
1667         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1668         * jit/JITOperations.h:
1669         * parser/ModuleAnalyzer.cpp:
1670         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1671         * runtime/HashMapImpl.cpp: Added.
1672         (JSC::HashMapBucket<Data>::visitChildren):
1673         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1674         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1675         * runtime/HashMapImpl.h: Added.
1676         (JSC::HashMapBucket::selectStructure):
1677         (JSC::HashMapBucket::createStructure):
1678         (JSC::HashMapBucket::create):
1679         (JSC::HashMapBucket::HashMapBucket):
1680         (JSC::HashMapBucket::setNext):
1681         (JSC::HashMapBucket::setPrev):
1682         (JSC::HashMapBucket::setKey):
1683         (JSC::HashMapBucket::setValue):
1684         (JSC::HashMapBucket::key):
1685         (JSC::HashMapBucket::value):
1686         (JSC::HashMapBucket::next):
1687         (JSC::HashMapBucket::prev):
1688         (JSC::HashMapBucket::deleted):
1689         (JSC::HashMapBucket::setDeleted):
1690         (JSC::HashMapBucket::offsetOfKey):
1691         (JSC::HashMapBucket::offsetOfValue):
1692         (JSC::HashMapBuffer::allocationSize):
1693         (JSC::HashMapBuffer::buffer):
1694         (JSC::HashMapBuffer::create):
1695         (JSC::areKeysEqual):
1696         (JSC::normalizeMapKey):
1697         (JSC::jsMapHash):
1698         (JSC::HashMapImpl::selectStructure):
1699         (JSC::HashMapImpl::createStructure):
1700         (JSC::HashMapImpl::create):
1701         (JSC::HashMapImpl::HashMapImpl):
1702         (JSC::HashMapImpl::buffer):
1703         (JSC::HashMapImpl::finishCreation):
1704         (JSC::HashMapImpl::emptyValue):
1705         (JSC::HashMapImpl::isEmpty):
1706         (JSC::HashMapImpl::deletedValue):
1707         (JSC::HashMapImpl::isDeleted):
1708         (JSC::HashMapImpl::findBucket):
1709         (JSC::HashMapImpl::get):
1710         (JSC::HashMapImpl::has):
1711         (JSC::HashMapImpl::add):
1712         (JSC::HashMapImpl::remove):
1713         (JSC::HashMapImpl::size):
1714         (JSC::HashMapImpl::clear):
1715         (JSC::HashMapImpl::bufferSizeInBytes):
1716         (JSC::HashMapImpl::offsetOfBuffer):
1717         (JSC::HashMapImpl::offsetOfCapacity):
1718         (JSC::HashMapImpl::head):
1719         (JSC::HashMapImpl::tail):
1720         (JSC::HashMapImpl::approximateSize):
1721         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1722         (JSC::HashMapImpl::rehash):
1723         (JSC::HashMapImpl::makeAndSetNewBuffer):
1724         * runtime/Intrinsic.h:
1725         * runtime/JSCJSValue.h:
1726         * runtime/JSCJSValueInlines.h:
1727         (JSC::sameValue):
1728         * runtime/JSGlobalObject.cpp:
1729         (JSC::JSGlobalObject::init):
1730         * runtime/JSMap.cpp:
1731         (JSC::JSMap::destroy): Deleted.
1732         (JSC::JSMap::estimatedSize): Deleted.
1733         (JSC::JSMap::visitChildren): Deleted.
1734         (JSC::JSMap::copyBackingStore): Deleted.
1735         (JSC::JSMap::has): Deleted.
1736         (JSC::JSMap::size): Deleted.
1737         (JSC::JSMap::get): Deleted.
1738         (JSC::JSMap::set): Deleted.
1739         (JSC::JSMap::clear): Deleted.
1740         (JSC::JSMap::remove): Deleted.
1741         * runtime/JSMap.h:
1742         (JSC::JSMap::createStructure):
1743         (JSC::JSMap::create):
1744         (JSC::JSMap::get):
1745         (JSC::JSMap::set):
1746         (JSC::JSMap::JSMap):
1747         (JSC::JSMap::Entry::key): Deleted.
1748         (JSC::JSMap::Entry::value): Deleted.
1749         (JSC::JSMap::Entry::visitChildren): Deleted.
1750         (JSC::JSMap::Entry::setKey): Deleted.
1751         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1752         (JSC::JSMap::Entry::setValue): Deleted.
1753         (JSC::JSMap::Entry::clear): Deleted.
1754         * runtime/JSMapIterator.cpp:
1755         (JSC::JSMapIterator::finishCreation):
1756         (JSC::JSMapIterator::visitChildren):
1757         (JSC::JSMapIterator::clone):
1758         * runtime/JSMapIterator.h:
1759         (JSC::JSMapIterator::advanceIter):
1760         (JSC::JSMapIterator::next):
1761         (JSC::JSMapIterator::nextKeyValue):
1762         (JSC::JSMapIterator::JSMapIterator):
1763         (JSC::JSMapIterator::setIterator):
1764         (JSC::JSMapIterator::finish): Deleted.
1765         (JSC::JSMapIterator::iteratorData): Deleted.
1766         * runtime/JSModuleLoader.cpp:
1767         (JSC::JSModuleLoader::finishCreation):
1768         * runtime/JSModuleLoader.h:
1769         (JSC::JSModuleLoader::create):
1770         * runtime/JSModuleRecord.cpp:
1771         (JSC::JSModuleRecord::finishCreation):
1772         * runtime/JSModuleRecord.h:
1773         (JSC::JSModuleRecord::create):
1774         * runtime/JSSet.cpp:
1775         (JSC::JSSet::destroy): Deleted.
1776         (JSC::JSSet::estimatedSize): Deleted.
1777         (JSC::JSSet::visitChildren): Deleted.
1778         (JSC::JSSet::copyBackingStore): Deleted.
1779         (JSC::JSSet::has): Deleted.
1780         (JSC::JSSet::size): Deleted.
1781         (JSC::JSSet::add): Deleted.
1782         (JSC::JSSet::clear): Deleted.
1783         (JSC::JSSet::remove): Deleted.
1784         * runtime/JSSet.h:
1785         (JSC::JSSet::createStructure):
1786         (JSC::JSSet::create):
1787         (JSC::JSSet::add):
1788         (JSC::JSSet::JSSet):
1789         (JSC::JSSet::Entry::key): Deleted.
1790         (JSC::JSSet::Entry::value): Deleted.
1791         (JSC::JSSet::Entry::visitChildren): Deleted.
1792         (JSC::JSSet::Entry::setKey): Deleted.
1793         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1794         (JSC::JSSet::Entry::setValue): Deleted.
1795         (JSC::JSSet::Entry::clear): Deleted.
1796         * runtime/JSSetIterator.cpp:
1797         (JSC::JSSetIterator::finishCreation):
1798         (JSC::JSSetIterator::visitChildren):
1799         (JSC::JSSetIterator::clone):
1800         * runtime/JSSetIterator.h:
1801         (JSC::JSSetIterator::advanceIter):
1802         (JSC::JSSetIterator::next):
1803         (JSC::JSSetIterator::JSSetIterator):
1804         (JSC::JSSetIterator::setIterator):
1805         (JSC::JSSetIterator::finish): Deleted.
1806         (JSC::JSSetIterator::iteratorData): Deleted.
1807         * runtime/JSType.h:
1808         * runtime/MapBase.cpp: Added.
1809         (JSC::MapBase<HashMapBucketType>::visitChildren):
1810         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1811         * runtime/MapBase.h: Added.
1812         (JSC::MapBase::size):
1813         (JSC::MapBase::has):
1814         (JSC::MapBase::clear):
1815         (JSC::MapBase::remove):
1816         (JSC::MapBase::findBucket):
1817         (JSC::MapBase::offsetOfHashMapImpl):
1818         (JSC::MapBase::impl):
1819         (JSC::MapBase::finishCreation):
1820         (JSC::MapBase::MapBase):
1821         * runtime/MapConstructor.cpp:
1822         (JSC::constructMap):
1823         * runtime/MapIteratorPrototype.cpp:
1824         (JSC::MapIteratorPrototypeFuncNext):
1825         * runtime/MapPrototype.cpp:
1826         (JSC::MapPrototype::finishCreation):
1827         (JSC::getMap):
1828         (JSC::privateFuncIsMap):
1829         (JSC::privateFuncMapIteratorNext):
1830         * runtime/PropertyDescriptor.cpp:
1831         (JSC::sameValue): Deleted.
1832         * runtime/PropertyDescriptor.h:
1833         * runtime/SetConstructor.cpp:
1834         (JSC::constructSet):
1835         * runtime/SetIteratorPrototype.cpp:
1836         (JSC::SetIteratorPrototypeFuncNext):
1837         * runtime/SetPrototype.cpp:
1838         (JSC::SetPrototype::finishCreation):
1839         (JSC::getSet):
1840         (JSC::privateFuncSetIteratorNext):
1841         * runtime/VM.cpp:
1842         (JSC::VM::VM):
1843         * runtime/VM.h:
1844
1845 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1846
1847         [JSC] Make ArithClz32 work with Cell arguments
1848         https://bugs.webkit.org/show_bug.cgi?id=161369
1849
1850         Reviewed by Geoffrey Garen.
1851
1852         ArithClz32 was already working with all primitive types
1853         thanks to the magic of ValueToInt32.
1854         This patch adds support for cell arguments through a function
1855         call.
1856
1857         * dfg/DFGAbstractInterpreterInlines.h:
1858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1859         * dfg/DFGClobberize.h:
1860         (JSC::DFG::clobberize):
1861         * dfg/DFGFixupPhase.cpp:
1862         (JSC::DFG::FixupPhase::fixupNode):
1863         * dfg/DFGNodeType.h:
1864         * dfg/DFGOperations.cpp:
1865         * dfg/DFGOperations.h:
1866         * dfg/DFGSpeculativeJIT.cpp:
1867         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1868         * dfg/DFGSpeculativeJIT.h:
1869         (JSC::DFG::SpeculativeJIT::callOperation):
1870         * ftl/FTLLowerDFGToB3.cpp:
1871         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1872
1873 2016-09-06  Mark Lam  <mark.lam@apple.com>
1874
1875         Gardening: change to use old header guard to appease Win EWS.
1876
1877         Not reviewed.
1878
1879         * runtime/AuxiliaryBarrier.h:
1880
1881 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1882
1883         Unreviewed, rolling out r205494.
1884         https://bugs.webkit.org/show_bug.cgi?id=161646
1885
1886         This change broke the Windows build (Requested by ryanhaddad
1887         on #webkit).
1888
1889         Reverted changeset:
1890
1891         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1892         https://bugs.webkit.org/show_bug.cgi?id=161100
1893         http://trac.webkit.org/changeset/205494
1894
1895 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1896
1897         Unreviewed, rolling out r205504.
1898         https://bugs.webkit.org/show_bug.cgi?id=161645
1899
1900         Broke the iOS device build (Requested by ryanhaddad on
1901         #webkit).
1902
1903         Reverted changeset:
1904
1905         "Make JSMap and JSSet faster"
1906         https://bugs.webkit.org/show_bug.cgi?id=160989
1907         http://trac.webkit.org/changeset/205504
1908
1909 2016-09-06  Saam Barati  <sbarati@apple.com>
1910
1911         Make JSMap and JSSet faster
1912         https://bugs.webkit.org/show_bug.cgi?id=160989
1913
1914         Reviewed by Filip Pizlo.
1915
1916         This patch revamps how we implement Map and Set. It uses
1917         a new hash map implementation. The hash map uses linear
1918         probing and it uses Wang's 64 bit hash function for JSValues
1919         that aren't strings. Strings use StringImpl's hash function.
1920         The reason I wanted to roll our own HashTable is twofold:
1921         I didn't want to inline WTF::HashMap's implementation into our
1922         JIT, since that seems error prone and unmaintainable. Also, I wanted
1923         a different structure for hash map buckets where buckets also exist in
1924         a linked list.
1925
1926         The reason for making buckets part of a linked list is that iteration
1927         is now simple. Iteration works by just traversing a linked list.
1928         This design also allows for a simple implementation when doing iteration
1929         while the hash table is mutating. Whenever we remove a bucket from
1930         the hash table, it is removed from the list, meaning items in the
1931         list don't point to it. However, the removed bucket will still point
1932         to things that are either in the list, or have also been removed.
1933         e.g, from a removed bucket, you can always follow pointers until you
1934         either find an item in the list, or you find the tail of the list.
1935         This is a really nice property because it means that a Map or Set
1936         does not need to reason about the all the iterators that point
1937         into its list. Also, whenever we add items to the Map or Set, we
1938         hijack the tail as the new item, and make the new item point to a newly
1939         created tail. This means that any iterator that pointed to the "tail" now
1940         points to non-tail items. This makes the implementation of adding things
1941         to the Map/Set while iterating easy.
1942
1943         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1944         into intrinsics in the DFG. The IR can now reason about hash map
1945         operations and can even do CSE over Wang's hash function, hash map
1946         bucket lookups, hash map bucket loads, and testing if a key is in
1947         the hash table. This makes code patterns for Map like so, super fast
1948         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1949
1950         ```
1951         function getKeyIfPresent(map, key) {
1952             if (map.has(key))
1953                 return map.get(key);
1954         }
1955         ```
1956
1957         This patch is roughly an 8% speedup on ES6SampleBench.
1958
1959         * CMakeLists.txt:
1960         * JavaScriptCore.xcodeproj/project.pbxproj:
1961         * bytecode/SpeculatedType.cpp:
1962         (JSC::speculationFromClassInfo):
1963         * bytecode/SpeculatedType.h:
1964         * dfg/DFGAbstractInterpreterInlines.h:
1965         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1966         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1967         * dfg/DFGByteCodeParser.cpp:
1968         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1969         * dfg/DFGClobberize.h:
1970         (JSC::DFG::clobberize):
1971         * dfg/DFGDoesGC.cpp:
1972         (JSC::DFG::doesGC):
1973         * dfg/DFGEdge.h:
1974         (JSC::DFG::Edge::shift):
1975         (JSC::DFG::Edge::makeWord):
1976         * dfg/DFGFixupPhase.cpp:
1977         (JSC::DFG::FixupPhase::fixupNode):
1978         * dfg/DFGHeapLocation.cpp:
1979         (WTF::printInternal):
1980         * dfg/DFGHeapLocation.h:
1981         * dfg/DFGNode.h:
1982         (JSC::DFG::Node::hasHeapPrediction):
1983         * dfg/DFGNodeType.h:
1984         * dfg/DFGOperations.cpp:
1985         * dfg/DFGOperations.h:
1986         * dfg/DFGPredictionPropagationPhase.cpp:
1987         * dfg/DFGSafeToExecute.h:
1988         (JSC::DFG::SafeToExecuteEdge::operator()):
1989         (JSC::DFG::safeToExecute):
1990         * dfg/DFGSpeculativeJIT.cpp:
1991         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1992         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1993         (JSC::DFG::SpeculativeJIT::speculate):
1994         * dfg/DFGSpeculativeJIT.h:
1995         (JSC::DFG::SpeculativeJIT::callOperation):
1996         * dfg/DFGSpeculativeJIT32_64.cpp:
1997         (JSC::DFG::SpeculativeJIT::compile):
1998         * dfg/DFGSpeculativeJIT64.cpp:
1999         (JSC::DFG::SpeculativeJIT::compile):
2000         * dfg/DFGUseKind.cpp:
2001         (WTF::printInternal):
2002         * dfg/DFGUseKind.h:
2003         (JSC::DFG::typeFilterFor):
2004         (JSC::DFG::isCell):
2005         * ftl/FTLAbstractHeapRepository.h:
2006         * ftl/FTLCapabilities.cpp:
2007         (JSC::FTL::canCompile):
2008         * ftl/FTLLowerDFGToB3.cpp:
2009         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2010         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2011         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2012         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2013         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2014         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2015         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2016         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2017         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2018         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2019         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2020         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2021         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2022         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2023         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2024         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2025         * jit/AssemblyHelpers.cpp:
2026         (JSC::AssemblyHelpers::wangsInt64Hash):
2027         * jit/AssemblyHelpers.h:
2028         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2029         * jit/JITOperations.h:
2030         * parser/ModuleAnalyzer.cpp:
2031         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2032         * runtime/HashMapImpl.cpp: Added.
2033         (JSC::HashMapBucket<Data>::visitChildren):
2034         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2035         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2036         * runtime/HashMapImpl.h: Added.
2037         (JSC::HashMapBucket::selectStructure):
2038         (JSC::HashMapBucket::createStructure):
2039         (JSC::HashMapBucket::create):
2040         (JSC::HashMapBucket::HashMapBucket):
2041         (JSC::HashMapBucket::setNext):
2042         (JSC::HashMapBucket::setPrev):
2043         (JSC::HashMapBucket::setKey):
2044         (JSC::HashMapBucket::setValue):
2045         (JSC::HashMapBucket::key):
2046         (JSC::HashMapBucket::value):
2047         (JSC::HashMapBucket::next):
2048         (JSC::HashMapBucket::prev):
2049         (JSC::HashMapBucket::deleted):
2050         (JSC::HashMapBucket::setDeleted):
2051         (JSC::HashMapBucket::offsetOfKey):
2052         (JSC::HashMapBucket::offsetOfValue):
2053         (JSC::HashMapBuffer::allocationSize):
2054         (JSC::HashMapBuffer::buffer):
2055         (JSC::HashMapBuffer::create):
2056         (JSC::areKeysEqual):
2057         (JSC::normalizeMapKey):
2058         (JSC::jsMapHash):
2059         (JSC::HashMapImpl::selectStructure):
2060         (JSC::HashMapImpl::createStructure):
2061         (JSC::HashMapImpl::create):
2062         (JSC::HashMapImpl::HashMapImpl):
2063         (JSC::HashMapImpl::buffer):
2064         (JSC::HashMapImpl::finishCreation):
2065         (JSC::HashMapImpl::emptyValue):
2066         (JSC::HashMapImpl::isEmpty):
2067         (JSC::HashMapImpl::deletedValue):
2068         (JSC::HashMapImpl::isDeleted):
2069         (JSC::HashMapImpl::findBucket):
2070         (JSC::HashMapImpl::get):
2071         (JSC::HashMapImpl::has):
2072         (JSC::HashMapImpl::add):
2073         (JSC::HashMapImpl::remove):
2074         (JSC::HashMapImpl::size):
2075         (JSC::HashMapImpl::clear):
2076         (JSC::HashMapImpl::bufferSizeInBytes):
2077         (JSC::HashMapImpl::offsetOfBuffer):
2078         (JSC::HashMapImpl::offsetOfCapacity):
2079         (JSC::HashMapImpl::head):
2080         (JSC::HashMapImpl::tail):
2081         (JSC::HashMapImpl::approximateSize):
2082         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2083         (JSC::HashMapImpl::rehash):
2084         (JSC::HashMapImpl::makeAndSetNewBuffer):
2085         * runtime/Intrinsic.h:
2086         * runtime/JSCJSValue.h:
2087         * runtime/JSCJSValueInlines.h:
2088         (JSC::sameValue):
2089         * runtime/JSGlobalObject.cpp:
2090         (JSC::JSGlobalObject::init):
2091         * runtime/JSMap.cpp:
2092         (JSC::JSMap::destroy): Deleted.
2093         (JSC::JSMap::estimatedSize): Deleted.
2094         (JSC::JSMap::visitChildren): Deleted.
2095         (JSC::JSMap::copyBackingStore): Deleted.
2096         (JSC::JSMap::has): Deleted.
2097         (JSC::JSMap::size): Deleted.
2098         (JSC::JSMap::get): Deleted.
2099         (JSC::JSMap::set): Deleted.
2100         (JSC::JSMap::clear): Deleted.
2101         (JSC::JSMap::remove): Deleted.
2102         * runtime/JSMap.h:
2103         (JSC::JSMap::createStructure):
2104         (JSC::JSMap::create):
2105         (JSC::JSMap::get):
2106         (JSC::JSMap::set):
2107         (JSC::JSMap::JSMap):
2108         (JSC::JSMap::Entry::key): Deleted.
2109         (JSC::JSMap::Entry::value): Deleted.
2110         (JSC::JSMap::Entry::visitChildren): Deleted.
2111         (JSC::JSMap::Entry::setKey): Deleted.
2112         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2113         (JSC::JSMap::Entry::setValue): Deleted.
2114         (JSC::JSMap::Entry::clear): Deleted.
2115         * runtime/JSMapIterator.cpp:
2116         (JSC::JSMapIterator::finishCreation):
2117         (JSC::JSMapIterator::visitChildren):
2118         (JSC::JSMapIterator::clone):
2119         * runtime/JSMapIterator.h:
2120         (JSC::JSMapIterator::advanceIter):
2121         (JSC::JSMapIterator::next):
2122         (JSC::JSMapIterator::nextKeyValue):
2123         (JSC::JSMapIterator::JSMapIterator):
2124         (JSC::JSMapIterator::setIterator):
2125         (JSC::JSMapIterator::finish): Deleted.
2126         (JSC::JSMapIterator::iteratorData): Deleted.
2127         * runtime/JSModuleLoader.cpp:
2128         (JSC::JSModuleLoader::finishCreation):
2129         * runtime/JSModuleLoader.h:
2130         (JSC::JSModuleLoader::create):
2131         * runtime/JSModuleRecord.cpp:
2132         (JSC::JSModuleRecord::finishCreation):
2133         * runtime/JSModuleRecord.h:
2134         (JSC::JSModuleRecord::create):
2135         * runtime/JSSet.cpp:
2136         (JSC::JSSet::destroy): Deleted.
2137         (JSC::JSSet::estimatedSize): Deleted.
2138         (JSC::JSSet::visitChildren): Deleted.
2139         (JSC::JSSet::copyBackingStore): Deleted.
2140         (JSC::JSSet::has): Deleted.
2141         (JSC::JSSet::size): Deleted.
2142         (JSC::JSSet::add): Deleted.
2143         (JSC::JSSet::clear): Deleted.
2144         (JSC::JSSet::remove): Deleted.
2145         * runtime/JSSet.h:
2146         (JSC::JSSet::createStructure):
2147         (JSC::JSSet::create):
2148         (JSC::JSSet::add):
2149         (JSC::JSSet::JSSet):
2150         (JSC::JSSet::Entry::key): Deleted.
2151         (JSC::JSSet::Entry::value): Deleted.
2152         (JSC::JSSet::Entry::visitChildren): Deleted.
2153         (JSC::JSSet::Entry::setKey): Deleted.
2154         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2155         (JSC::JSSet::Entry::setValue): Deleted.
2156         (JSC::JSSet::Entry::clear): Deleted.
2157         * runtime/JSSetIterator.cpp:
2158         (JSC::JSSetIterator::finishCreation):
2159         (JSC::JSSetIterator::visitChildren):
2160         (JSC::JSSetIterator::clone):
2161         * runtime/JSSetIterator.h:
2162         (JSC::JSSetIterator::advanceIter):
2163         (JSC::JSSetIterator::next):
2164         (JSC::JSSetIterator::JSSetIterator):
2165         (JSC::JSSetIterator::setIterator):
2166         (JSC::JSSetIterator::finish): Deleted.
2167         (JSC::JSSetIterator::iteratorData): Deleted.
2168         * runtime/JSType.h:
2169         * runtime/MapBase.cpp: Added.
2170         (JSC::MapBase<HashMapBucketType>::visitChildren):
2171         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2172         * runtime/MapBase.h: Added.
2173         (JSC::MapBase::size):
2174         (JSC::MapBase::has):
2175         (JSC::MapBase::clear):
2176         (JSC::MapBase::remove):
2177         (JSC::MapBase::findBucket):
2178         (JSC::MapBase::offsetOfHashMapImpl):
2179         (JSC::MapBase::impl):
2180         (JSC::MapBase::finishCreation):
2181         (JSC::MapBase::MapBase):
2182         * runtime/MapConstructor.cpp:
2183         (JSC::constructMap):
2184         * runtime/MapIteratorPrototype.cpp:
2185         (JSC::MapIteratorPrototypeFuncNext):
2186         * runtime/MapPrototype.cpp:
2187         (JSC::MapPrototype::finishCreation):
2188         (JSC::getMap):
2189         (JSC::privateFuncIsMap):
2190         (JSC::privateFuncMapIteratorNext):
2191         * runtime/PropertyDescriptor.cpp:
2192         (JSC::sameValue): Deleted.
2193         * runtime/PropertyDescriptor.h:
2194         * runtime/SetConstructor.cpp:
2195         (JSC::constructSet):
2196         * runtime/SetIteratorPrototype.cpp:
2197         (JSC::SetIteratorPrototypeFuncNext):
2198         * runtime/SetPrototype.cpp:
2199         (JSC::SetPrototype::finishCreation):
2200         (JSC::getSet):
2201         (JSC::privateFuncSetIteratorNext):
2202         * runtime/VM.cpp:
2203         (JSC::VM::VM):
2204         * runtime/VM.h:
2205
2206 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2207
2208         Typed arrays should use MarkedSpace instead of CopiedSpace
2209         https://bugs.webkit.org/show_bug.cgi?id=161100
2210
2211         Reviewed by Geoffrey Garen.
2212         
2213         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2214         
2215         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2216         everything that typed arrays want.
2217
2218         * dfg/DFGOperations.cpp:
2219         (JSC::DFG::newTypedArrayWithSize):
2220         * dfg/DFGOperations.h:
2221         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2222         * dfg/DFGSpeculativeJIT.cpp:
2223         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2224         * dfg/DFGSpeculativeJIT.h:
2225         (JSC::DFG::SpeculativeJIT::callOperation):
2226         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2227         * ftl/FTLLowerDFGToB3.cpp:
2228         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2229         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2230         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2231         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2232         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2233         * heap/CopyToken.h:
2234         * heap/SlotVisitor.cpp:
2235         (JSC::SlotVisitor::markAuxiliary):
2236         * jit/JITOperations.h:
2237         * runtime/JSArrayBufferView.cpp:
2238         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2239         (JSC::JSArrayBufferView::JSArrayBufferView):
2240         * runtime/JSArrayBufferView.h:
2241         * runtime/JSGenericTypedArrayView.h:
2242         * runtime/JSGenericTypedArrayViewInlines.h:
2243         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2244         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2245         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2246         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2247
2248 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2249
2250         Silence GCC warning spam introduced in r205462
2251
2252         Rubber-stamped by Filip Pizlo.
2253
2254         * bytecode/Opcode.h:
2255         (JSC::padOpcodeName):
2256
2257 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2258
2259         Heap::isMarked() should use concurrent lazy flipping
2260         https://bugs.webkit.org/show_bug.cgi?id=161613
2261
2262         Reviewed by Michael Catanzaro.
2263         
2264         I found out about this race condition via
2265         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2266         
2267         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2268         phase. So, they need to lazy-flip in a non-racy way.
2269
2270         * heap/HeapInlines.h:
2271         (JSC::Heap::isLive):
2272         (JSC::Heap::isMarked):
2273
2274 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2275
2276         Unreviewed, reset generator test results after the butterflies.
2277
2278         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2279         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2280         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2281         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2282         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2283         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2284         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2285         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2286         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2287         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2288         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2289         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2290         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2291         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2292
2293 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2294
2295         Unreviewed, fix cloop build.
2296
2297         * bytecode/SuperSampler.cpp:
2298
2299 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2300
2301         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2302         https://bugs.webkit.org/show_bug.cgi?id=160125
2303
2304         Reviewed by Geoffrey Garen and Keith Miller.
2305
2306         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2307         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2308         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2309         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2310         to get rid of copied space. This change moves copied space's biggest client over to marked
2311         space.
2312         
2313         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2314         allocation path. This is a fairly mechanical change, but it caused performance regressions
2315         everywhere, so this change also fixes MarkedSpace's performance issues.
2316         
2317         At a high level the mechanical changes are:
2318         
2319         - We use AuxiliaryBarrier instead of CopyBarrier.
2320         
2321         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2322           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2323         
2324         - The JITs have to emit inlined marked space allocations instead of inline copy space
2325           allocations.
2326         
2327         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2328           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2329           space doesn't.
2330         
2331         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2332         optimizations that amounted to a major MarkedSpace rewrite:
2333         
2334         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2335           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2336           size class. I got around this by making array allocations usually round up vectorLength to
2337           the maximum allowed by the size class that we would have allocated in. Also,
2338           ensureLengthSlow() and friends first make sure that the requested length can't just be
2339           fulfilled with the current allocation size. This safeguard means that not every array
2340           allocation has to do size class queries. For example, the fast path of new Array(length)
2341           never does any size class queries, under the assumption that (1) the speed gained from
2342           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2343           size class query, is too small to offset the speed lost by doing the query on every
2344           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2345           likely.
2346         
2347         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2348           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2349           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2350           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2351           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2352           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2353           size (80 bytes), we proceed using a geometric progression, but round up each size to
2354           minimize slop at the end of the block. This naturally causes the geometric progression to
2355           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2356           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2357         
2358         - Large allocations caused massive internal fragmentation, since the smallest large
2359           allocation had to use exactly blockSize, and the largest small allocation used
2360           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2361           also had 50% internal fragmentation. This is because we required large allocations to be
2362           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2363           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2364           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2365           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2366           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2367           out great since (1) typed arrays won't use large allocations anyway since they have their
2368           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2369           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2370           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2371           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2372           must be small allocations. It's also possible to use template tricks to do one check for
2373           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2374           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2375           that get used from functions that are template-specialized like this. That's mostly to
2376           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2377           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2378           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2379           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2380           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2381           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2382           that the MarkedBlock size classes end up being:
2383           
2384           16, 32, 48, 64, 80, 112, 160, 224, 320
2385           
2386           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2387           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2388           size classes you end up with by doing --dumpSizeClasses=true.
2389         
2390         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2391           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2392           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2393           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2394           side, for better locality during a sequential walk. It's no longer necessary to scan
2395           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2396           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2397           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2398           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2399           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2400           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2401           together, these optimizations allowed me to reduce block size to 16KB without losing much
2402           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2403           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2404           progression on membuster. That's not possible yet, since there is still enough per-block
2405           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2406           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2407         
2408         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2409           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2410           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2411           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2412           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2413           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2414           that we walk the block to build a free list. This means walking dead space. The new
2415           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2416           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2417           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2418           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2419           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2420           is completely empty, which is the common case because of the generational hypothesis: the
2421           number of objects that survive an eden collection is a tiny fraction of the number of
2422           objects that had been allocated, and this fraction is so small that there are typically
2423           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2424           win over tip-of-tree.
2425         
2426         - FTL now shares the same allocation fast paths as everything else, which is great, because
2427           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2428           control flow, since it won't be able to improve the machine code we write ourselves. GC
2429           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2430           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2431           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2432           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2433           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2434           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2435           variable-length allocation but then realize that the length is known). I think it makes
2436           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2437           since this makes lowering easier (you can constant fold during lowering more easily) and it
2438           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2439           constant-fold this code. That would require allowing loads to be constant-folded, which is
2440           doable but hella tricky.
2441         
2442         - It used to be that if a logical object allocation required two physical allocations (first
2443           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2444           failure in the second fast path would cause us to forget the successful first physical
2445           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2446           register to storing either the butterfly or null, because the butterfly register is anyway
2447           going to be free inside the first allocation. The only overhead here is zeroing the
2448           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2449           path, which can then either allocate a butterfly or not. So now we never waste a successful
2450           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2451           since we control registers already) and in FTL (where it's annoying, because mutable
2452           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2453           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2454           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2455           benchmark would always allocate N small things followed by one bigger thing. The problem
2456           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2457           the JSObject size class, which both the small and big thing shared for their cell, could
2458           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2459           it allocated the big thing. So, it would end up having to allocate the big thing's large
2460           butterfly twice, every single time! Ouch!
2461         
2462         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2463           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2464           of the allocator to initialize the object to whatever state they need. It used to be that
2465           we would just use a dumb loop. I initially changed this so that we would end up in memset
2466           for large allocations, but this didn't actually help performance that much. I got a much
2467           better result by playing with different memsets written in assembly. First I wrote one
2468           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2469           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2470           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2471           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2472           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2473           of stores (if the size is known), but those paths in the JIT won't trigger for
2474           NewArrayWithSize() if the size is large, since that takes us to the
2475           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2476           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2477           that need to be filled with holes.
2478         
2479         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2480         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2481         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2482         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2483         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2484         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2485         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2486         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2487         marking barrier and we simply won't need a copying barrier. This change gets us there for
2488         the purposes of our benchmarks, since the remaining clients of copied space are not very
2489         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2490         adding back the copy barrier, which costs more perf.
2491         
2492         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2493         typed arrays and a few other weird things over to Aux MarkedSpace.
2494         
2495         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2496         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2497         just including JSCInlines.h (instead of manually including the files that includes) is
2498         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2499         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2500         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2501         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2502         meant having to manually include HeapInlines.h from the places that previously got it
2503         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2504         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2505         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2506         made it impossible to include it from outside JSC. This was a lot of work, but it was
2507         necessary to get the patch to build on all ports. It's also a net win. There were many places
2508         in WebCore that were transitively including a *ton* of JSC headers just because of the
2509         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2510         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2511
2512         * API/JSManagedValue.mm:
2513         (-[JSManagedValue initWithValue:]):
2514         * API/JSTypedArray.cpp:
2515         * API/ObjCCallbackFunction.mm:
2516         * API/tests/testapi.mm:
2517         (testObjectiveCAPI):
2518         (testWeakValue): Deleted.
2519         * CMakeLists.txt:
2520         * JavaScriptCore.xcodeproj/project.pbxproj:
2521         * Scripts/builtins/builtins_generate_combined_implementation.py:
2522         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2523         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2524         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2525         * Scripts/builtins/builtins_generate_separate_implementation.py:
2526         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2527         * assembler/AbstractMacroAssembler.h:
2528         (JSC::AbstractMacroAssembler::JumpList::link):
2529         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2530         * assembler/MacroAssembler.h:
2531         * assembler/MacroAssemblerARM64.h:
2532         (JSC::MacroAssemblerARM64::add32):
2533         * assembler/MacroAssemblerCodeRef.cpp: Added.
2534         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2535         (JSC::MacroAssemblerCodePtr::dumpWithName):
2536         (JSC::MacroAssemblerCodePtr::dump):
2537         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2538         (JSC::MacroAssemblerCodeRef::dump):
2539         * assembler/MacroAssemblerCodeRef.h:
2540         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2541         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2542         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2543         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2544         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2545         * b3/B3BasicBlock.cpp:
2546         (JSC::B3::BasicBlock::appendBoolConstant):
2547         * b3/B3BasicBlock.h:
2548         * b3/B3DuplicateTails.cpp:
2549         * b3/B3StackmapGenerationParams.h:
2550         * b3/testb3.cpp:
2551         (JSC::B3::testPatchpointTerminalReturnValue):
2552         (JSC::B3::run):
2553         * bindings/ScriptValue.cpp:
2554         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2555         * bytecode/BytecodeBasicBlock.cpp:
2556         * bytecode/BytecodeLivenessAnalysis.cpp:
2557         * bytecode/BytecodeUseDef.h:
2558         * bytecode/CallLinkInfo.cpp:
2559         (JSC::CallLinkInfo::callTypeFor):
2560         * bytecode/CallLinkInfo.h:
2561         (JSC::CallLinkInfo::callTypeFor): Deleted.
2562         * bytecode/CallLinkStatus.cpp:
2563         * bytecode/CodeBlock.cpp:
2564         (JSC::CodeBlock::finishCreation):
2565         (JSC::CodeBlock::clearLLIntGetByIdCache):
2566         (JSC::CodeBlock::predictedMachineCodeSize):
2567         * bytecode/CodeBlock.h:
2568         (JSC::CodeBlock::jitCodeMap): Deleted.
2569         (JSC::clearLLIntGetByIdCache): Deleted.
2570         * bytecode/ExecutionCounter.h:
2571         * bytecode/Instruction.h:
2572         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2573         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2574         * bytecode/ObjectAllocationProfile.h:
2575         (JSC::ObjectAllocationProfile::isNull):
2576         (JSC::ObjectAllocationProfile::initialize):
2577         * bytecode/Opcode.h:
2578         (JSC::padOpcodeName):
2579         * bytecode/PolymorphicAccess.cpp:
2580         (JSC::AccessCase::generateImpl):
2581         (JSC::PolymorphicAccess::regenerate):
2582         * bytecode/PolymorphicAccess.h:
2583         * bytecode/PreciseJumpTargets.cpp:
2584         * bytecode/StructureStubInfo.cpp:
2585         * bytecode/StructureStubInfo.h:
2586         * bytecode/UnlinkedCodeBlock.cpp:
2587         (JSC::UnlinkedCodeBlock::vm): Deleted.
2588         * bytecode/UnlinkedCodeBlock.h:
2589         * bytecode/UnlinkedInstructionStream.cpp:
2590         * bytecode/UnlinkedInstructionStream.h:
2591         * dfg/DFGOperations.cpp:
2592         * dfg/DFGSpeculativeJIT.cpp:
2593         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2594         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2595         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2596         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2597         * dfg/DFGSpeculativeJIT.h:
2598         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2599         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2600         * dfg/DFGSpeculativeJIT32_64.cpp:
2601         (JSC::DFG::SpeculativeJIT::compile):
2602         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2603         * dfg/DFGSpeculativeJIT64.cpp:
2604         (JSC::DFG::SpeculativeJIT::compile):
2605         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2606         * dfg/DFGStrengthReductionPhase.cpp:
2607         (JSC::DFG::StrengthReductionPhase::handleNode):
2608         * ftl/FTLAbstractHeapRepository.h:
2609         * ftl/FTLCompile.cpp:
2610         * ftl/FTLJITFinalizer.cpp:
2611         * ftl/FTLLowerDFGToB3.cpp:
2612         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2613         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2614         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2615         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2616         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2617         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2618         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2619         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2620         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2621         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2622         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2623         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2624         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2625         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2626         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2627         * ftl/FTLOutput.cpp:
2628         (JSC::FTL::Output::constBool):
2629         (JSC::FTL::Output::add):
2630         (JSC::FTL::Output::shl):
2631         (JSC::FTL::Output::aShr):
2632         (JSC::FTL::Output::lShr):
2633         (JSC::FTL::Output::zeroExt):
2634         (JSC::FTL::Output::equal):
2635         (JSC::FTL::Output::notEqual):
2636         (JSC::FTL::Output::above):
2637         (JSC::FTL::Output::aboveOrEqual):
2638         (JSC::FTL::Output::below):
2639         (JSC::FTL::Output::belowOrEqual):
2640         (JSC::FTL::Output::greaterThan):
2641         (JSC::FTL::Output::greaterThanOrEqual):
2642         (JSC::FTL::Output::lessThan):
2643         (JSC::FTL::Output::lessThanOrEqual):
2644         (JSC::FTL::Output::select):
2645         (JSC::FTL::Output::appendSuccessor):
2646         (JSC::FTL::Output::addIncomingToPhi):
2647         * ftl/FTLOutput.h:
2648         * ftl/FTLValueFromBlock.h:
2649         (JSC::FTL::ValueFromBlock::operator bool):
2650         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2651         * ftl/FTLWeightedTarget.h:
2652         (JSC::FTL::WeightedTarget::frequentedBlock):
2653         * heap/CellContainer.h: Added.
2654         (JSC::CellContainer::CellContainer):
2655         (JSC::CellContainer::operator bool):
2656         (JSC::CellContainer::isMarkedBlock):
2657         (JSC::CellContainer::isLargeAllocation):
2658         (JSC::CellContainer::markedBlock):
2659         (JSC::CellContainer::largeAllocation):
2660         * heap/CellContainerInlines.h: Added.
2661         (JSC::CellContainer::isMarked):
2662         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2663         (JSC::CellContainer::noteMarked):
2664         (JSC::CellContainer::cellSize):
2665         (JSC::CellContainer::weakSet):
2666         (JSC::CellContainer::flipIfNecessary):
2667         * heap/ConservativeRoots.cpp:
2668         (JSC::ConservativeRoots::ConservativeRoots):
2669         (JSC::ConservativeRoots::~ConservativeRoots):
2670         (JSC::ConservativeRoots::grow):
2671         (JSC::ConservativeRoots::genericAddPointer):
2672         (JSC::ConservativeRoots::genericAddSpan):
2673         * heap/ConservativeRoots.h:
2674         (JSC::ConservativeRoots::roots):
2675         * heap/CopyToken.h:
2676         * heap/FreeList.cpp: Added.
2677         (JSC::FreeList::dump):
2678         * heap/FreeList.h: Added.
2679         (JSC::FreeList::FreeList):
2680         (JSC::FreeList::list):
2681         (JSC::FreeList::bump):
2682         (JSC::FreeList::operator==):
2683         (JSC::FreeList::operator!=):
2684         (JSC::FreeList::operator bool):
2685         (JSC::FreeList::allocationWillFail):
2686         (JSC::FreeList::allocationWillSucceed):
2687         * heap/GCTypeMap.h: Added.
2688         (JSC::GCTypeMap::operator[]):
2689         * heap/Heap.cpp:
2690         (JSC::Heap::Heap):
2691         (JSC::Heap::lastChanceToFinalize):
2692         (JSC::Heap::finalizeUnconditionalFinalizers):
2693         (JSC::Heap::markRoots):
2694         (JSC::Heap::copyBackingStores):
2695         (JSC::Heap::gatherStackRoots):
2696         (JSC::Heap::gatherJSStackRoots):
2697         (JSC::Heap::gatherScratchBufferRoots):
2698         (JSC::Heap::clearLivenessData):
2699         (JSC::Heap::visitSmallStrings):
2700         (JSC::Heap::visitConservativeRoots):
2701         (JSC::Heap::removeDeadCompilerWorklistEntries):
2702         (JSC::Heap::gatherExtraHeapSnapshotData):
2703         (JSC::Heap::removeDeadHeapSnapshotNodes):
2704         (JSC::Heap::visitProtectedObjects):
2705         (JSC::Heap::visitArgumentBuffers):
2706         (JSC::Heap::visitException):
2707         (JSC::Heap::visitStrongHandles):
2708         (JSC::Heap::visitHandleStack):
2709         (JSC::Heap::visitSamplingProfiler):
2710         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2711         (JSC::Heap::converge):
2712         (JSC::Heap::visitWeakHandles):
2713         (JSC::Heap::updateObjectCounts):
2714         (JSC::Heap::clearUnmarkedExecutables):
2715         (JSC::Heap::deleteUnmarkedCompiledCode):
2716         (JSC::Heap::collectAllGarbage):
2717         (JSC::Heap::collect):
2718         (JSC::Heap::collectWithoutAnySweep):
2719         (JSC::Heap::collectImpl):
2720         (JSC::Heap::suspendCompilerThreads):
2721         (JSC::Heap::willStartCollection):
2722         (JSC::Heap::flushOldStructureIDTables):
2723         (JSC::Heap::flushWriteBarrierBuffer):
2724         (JSC::Heap::stopAllocation):
2725         (JSC::Heap::prepareForMarking):
2726         (JSC::Heap::reapWeakHandles):
2727         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2728         (JSC::Heap::sweepArrayBuffers):
2729         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2730         (JSC::MarkedBlockSnapshotFunctor::operator()):
2731         (JSC::Heap::snapshotMarkedSpace):
2732         (JSC::Heap::deleteSourceProviderCaches):
2733         (JSC::Heap::notifyIncrementalSweeper):
2734         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2735         (JSC::Heap::resetAllocators):
2736         (JSC::Heap::updateAllocationLimits):
2737         (JSC::Heap::didFinishCollection):
2738         (JSC::Heap::resumeCompilerThreads):
2739         (JSC::Zombify::visit):
2740         (JSC::Heap::forEachCodeBlockImpl):
2741         * heap/Heap.h:
2742         (JSC::Heap::allocatorForObjectWithoutDestructor):
2743         (JSC::Heap::allocatorForObjectWithDestructor):
2744         (JSC::Heap::allocatorForAuxiliaryData):
2745         (JSC::Heap::jitStubRoutines):
2746         (JSC::Heap::codeBlockSet):
2747         (JSC::Heap::storageAllocator): Deleted.
2748         * heap/HeapCell.h:
2749         (JSC::HeapCell::isZapped): Deleted.
2750         * heap/HeapCellInlines.h: Added.
2751         (JSC::HeapCell::isLargeAllocation):
2752         (JSC::HeapCell::cellContainer):
2753         (JSC::HeapCell::markedBlock):
2754         (JSC::HeapCell::largeAllocation):
2755         (JSC::HeapCell::heap):
2756         (JSC::HeapCell::vm):
2757         (JSC::HeapCell::cellSize):
2758         (JSC::HeapCell::allocatorAttributes):
2759         (JSC::HeapCell::destructionMode):
2760         (JSC::HeapCell::cellKind):
2761         * heap/HeapInlines.h:
2762         (JSC::Heap::heap):
2763         (JSC::Heap::isLive):
2764         (JSC::Heap::isMarked):
2765         (JSC::Heap::testAndSetMarked):
2766         (JSC::Heap::setMarked):
2767         (JSC::Heap::cellSize):
2768         (JSC::Heap::forEachCodeBlock):
2769         (JSC::Heap::allocateObjectOfType):
2770         (JSC::Heap::subspaceForObjectOfType):
2771         (JSC::Heap::allocatorForObjectOfType):
2772         (JSC::Heap::allocateAuxiliary):
2773         (JSC::Heap::tryAllocateAuxiliary):
2774         (JSC::Heap::tryReallocateAuxiliary):
2775         (JSC::Heap::isPointerGCObject): Deleted.
2776         (JSC::Heap::isValueGCObject): Deleted.
2777         * heap/HeapOperation.cpp: Added.
2778         (WTF::printInternal):
2779         * heap/HeapOperation.h:
2780         * heap/HeapUtil.h: Added.
2781         (JSC::HeapUtil::findGCObjectPointersForMarking):
2782         (JSC::HeapUtil::isPointerGCObjectJSCell):
2783         (JSC::HeapUtil::isValueGCObject):
2784         * heap/IncrementalSweeper.cpp:
2785         (JSC::IncrementalSweeper::sweepNextBlock):
2786         * heap/IncrementalSweeper.h:
2787         * heap/LargeAllocation.cpp: Added.
2788         (JSC::LargeAllocation::tryCreate):
2789         (JSC::LargeAllocation::LargeAllocation):
2790         (JSC::LargeAllocation::lastChanceToFinalize):
2791         (JSC::LargeAllocation::shrink):
2792         (JSC::LargeAllocation::visitWeakSet):
2793         (JSC::LargeAllocation::reapWeakSet):
2794         (JSC::LargeAllocation::flip):
2795         (JSC::LargeAllocation::isEmpty):
2796         (JSC::LargeAllocation::sweep):
2797         (JSC::LargeAllocation::destroy):
2798         (JSC::LargeAllocation::dump):
2799         * heap/LargeAllocation.h: Added.
2800         (JSC::LargeAllocation::fromCell):
2801         (JSC::LargeAllocation::cell):
2802         (JSC::LargeAllocation::isLargeAllocation):
2803         (JSC::LargeAllocation::heap):
2804         (JSC::LargeAllocation::vm):
2805         (JSC::LargeAllocation::weakSet):
2806         (JSC::LargeAllocation::clearNewlyAllocated):
2807         (JSC::LargeAllocation::isNewlyAllocated):
2808         (JSC::LargeAllocation::isMarked):
2809         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2810         (JSC::LargeAllocation::isLive):
2811         (JSC::LargeAllocation::hasValidCell):
2812         (JSC::LargeAllocation::cellSize):
2813         (JSC::LargeAllocation::aboveLowerBound):
2814         (JSC::LargeAllocation::belowUpperBound):
2815         (JSC::LargeAllocation::contains):
2816         (JSC::LargeAllocation::attributes):
2817         (JSC::LargeAllocation::flipIfNecessary):
2818         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2819         (JSC::LargeAllocation::testAndSetMarked):
2820         (JSC::LargeAllocation::setMarked):
2821         (JSC::LargeAllocation::clearMarked):
2822         (JSC::LargeAllocation::noteMarked):
2823         (JSC::LargeAllocation::headerSize):
2824         * heap/MarkedAllocator.cpp:
2825         (JSC::MarkedAllocator::MarkedAllocator):
2826         (JSC::MarkedAllocator::isPagedOut):
2827         (JSC::MarkedAllocator::retire):
2828         (JSC::MarkedAllocator::filterNextBlock):
2829         (JSC::MarkedAllocator::setNextBlockToSweep):
2830         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2831         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2832         (JSC::MarkedAllocator::allocateSlowCase):
2833         (JSC::MarkedAllocator::tryAllocateSlowCase):
2834         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2835         (JSC::blockHeaderSize):
2836         (JSC::MarkedAllocator::blockSizeForBytes):
2837         (JSC::MarkedAllocator::tryAllocateBlock):
2838         (JSC::MarkedAllocator::addBlock):
2839         (JSC::MarkedAllocator::removeBlock):
2840         (JSC::MarkedAllocator::stopAllocating):
2841         (JSC::MarkedAllocator::reset):
2842         (JSC::MarkedAllocator::lastChanceToFinalize):
2843         (JSC::MarkedAllocator::setFreeList):
2844         (JSC::isListPagedOut): Deleted.
2845         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2846         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2847         (JSC::MarkedAllocator::tryAllocate): Deleted.
2848         (JSC::MarkedAllocator::allocateBlock): Deleted.
2849         * heap/MarkedAllocator.h:
2850         (JSC::MarkedAllocator::takeLastActiveBlock):
2851         (JSC::MarkedAllocator::offsetOfFreeList):
2852         (JSC::MarkedAllocator::offsetOfCellSize):
2853         (JSC::MarkedAllocator::tryAllocate):
2854         (JSC::MarkedAllocator::allocate):
2855         (JSC::MarkedAllocator::forEachBlock):
2856         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2857         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2858         (JSC::MarkedAllocator::init): Deleted.
2859         (JSC::MarkedAllocator::stopAllocating): Deleted.
2860         * heap/MarkedBlock.cpp:
2861         (JSC::MarkedBlock::tryCreate):
2862         (JSC::MarkedBlock::Handle::Handle):
2863         (JSC::MarkedBlock::Handle::~Handle):
2864         (JSC::MarkedBlock::MarkedBlock):
2865         (JSC::MarkedBlock::Handle::specializedSweep):
2866         (JSC::MarkedBlock::Handle::sweep):
2867         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2868         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2869         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2870         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2871         (JSC::SetNewlyAllocatedFunctor::operator()):
2872         (JSC::MarkedBlock::Handle::stopAllocating):
2873         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2874         (JSC::MarkedBlock::Handle::resumeAllocating):
2875         (JSC::MarkedBlock::Handle::zap):
2876         (JSC::MarkedBlock::Handle::forEachFreeCell):
2877         (JSC::MarkedBlock::flipIfNecessary):
2878         (JSC::MarkedBlock::Handle::flipIfNecessary):
2879         (JSC::MarkedBlock::flipIfNecessarySlow):
2880         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2881         (JSC::MarkedBlock::clearMarks):
2882         (JSC::MarkedBlock::assertFlipped):
2883         (JSC::MarkedBlock::needsFlip):
2884         (JSC::MarkedBlock::Handle::needsFlip):
2885         (JSC::MarkedBlock::Handle::willRemoveBlock):
2886         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2887         (JSC::MarkedBlock::markCount):
2888         (JSC::MarkedBlock::Handle::isEmpty):
2889         (JSC::MarkedBlock::clearHasAnyMarked):
2890         (JSC::MarkedBlock::noteMarkedSlow):
2891         (WTF::printInternal):
2892         (JSC::MarkedBlock::create): Deleted.
2893         (JSC::MarkedBlock::destroy): Deleted.
2894         (JSC::MarkedBlock::callDestructor): Deleted.
2895         (JSC::MarkedBlock::specializedSweep): Deleted.
2896         (JSC::MarkedBlock::sweep): Deleted.
2897         (JSC::MarkedBlock::sweepHelper): Deleted.
2898         (JSC::MarkedBlock::stopAllocating): Deleted.
2899         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2900         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2901         (JSC::MarkedBlock::resumeAllocating): Deleted.
2902         (JSC::MarkedBlock::didRetireBlock): Deleted.
2903         * heap/MarkedBlock.h:
2904         (JSC::MarkedBlock::VoidFunctor::returnValue):
2905         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2906         (JSC::MarkedBlock::CountFunctor::count):
2907         (JSC::MarkedBlock::CountFunctor::returnValue):
2908         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2909         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2910         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2911         (JSC::MarkedBlock::Handle::state):
2912         (JSC::MarkedBlock::needsDestruction):
2913         (JSC::MarkedBlock::handle):
2914         (JSC::MarkedBlock::Handle::block):
2915         (JSC::MarkedBlock::firstAtom):
2916         (JSC::MarkedBlock::atoms):
2917         (JSC::MarkedBlock::isAtomAligned):
2918         (JSC::MarkedBlock::Handle::cellAlign):
2919         (JSC::MarkedBlock::blockFor):
2920         (JSC::MarkedBlock::Handle::allocator):
2921         (JSC::MarkedBlock::Handle::heap):
2922         (JSC::MarkedBlock::Handle::vm):
2923         (JSC::MarkedBlock::vm):
2924         (JSC::MarkedBlock::Handle::weakSet):
2925         (JSC::MarkedBlock::weakSet):
2926         (JSC::MarkedBlock::Handle::shrink):
2927         (JSC::MarkedBlock::Handle::visitWeakSet):
2928         (JSC::MarkedBlock::Handle::reapWeakSet):
2929         (JSC::MarkedBlock::Handle::cellSize):
2930         (JSC::MarkedBlock::cellSize):
2931         (JSC::MarkedBlock::Handle::attributes):
2932         (JSC::MarkedBlock::attributes):
2933         (JSC::MarkedBlock::Handle::needsDestruction):
2934         (JSC::MarkedBlock::Handle::destruction):
2935         (JSC::MarkedBlock::Handle::cellKind):
2936         (JSC::MarkedBlock::Handle::markCount):
2937         (JSC::MarkedBlock::Handle::size):
2938         (JSC::MarkedBlock::atomNumber):
2939         (JSC::MarkedBlock::flipIfNecessary):
2940         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2941         (JSC::MarkedBlock::Handle::flipIfNecessary):
2942         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2943         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2944         (JSC::MarkedBlock::assertFlipped):
2945         (JSC::MarkedBlock::Handle::assertFlipped):
2946         (JSC::MarkedBlock::isMarked):
2947         (JSC::MarkedBlock::testAndSetMarked):
2948         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2949         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2950         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2951         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2952         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2953         (JSC::MarkedBlock::Handle::isLive):
2954         (JSC::MarkedBlock::isAtom):
2955         (JSC::MarkedBlock::Handle::isLiveCell):
2956         (JSC::MarkedBlock::Handle::forEachCell):
2957         (JSC::MarkedBlock::Handle::forEachLiveCell):
2958         (JSC::MarkedBlock::Handle::forEachDeadCell):
2959         (JSC::MarkedBlock::Handle::needsSweeping):
2960         (JSC::MarkedBlock::Handle::isAllocated):
2961         (JSC::MarkedBlock::Handle::isMarked):
2962         (JSC::MarkedBlock::Handle::isFreeListed):
2963         (JSC::MarkedBlock::hasAnyMarked):
2964         (JSC::MarkedBlock::noteMarked):
2965         (WTF::MarkedBlockHash::hash):
2966         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2967         (JSC::MarkedBlock::allocator): Deleted.
2968         (JSC::MarkedBlock::heap): Deleted.
2969         (JSC::MarkedBlock::shrink): Deleted.
2970         (JSC::MarkedBlock::visitWeakSet): Deleted.
2971         (JSC::MarkedBlock::reapWeakSet): Deleted.
2972         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2973         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2974         (JSC::MarkedBlock::markCount): Deleted.
2975         (JSC::MarkedBlock::isEmpty): Deleted.
2976         (JSC::MarkedBlock::destruction): Deleted.
2977         (JSC::MarkedBlock::cellKind): Deleted.
2978         (JSC::MarkedBlock::size): Deleted.
2979         (JSC::MarkedBlock::capacity): Deleted.
2980         (JSC::MarkedBlock::setMarked): Deleted.
2981         (JSC::MarkedBlock::clearMarked): Deleted.
2982         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2983         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2984         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2985         (JSC::MarkedBlock::isLive): Deleted.
2986         (JSC::MarkedBlock::isLiveCell): Deleted.
2987         (JSC::MarkedBlock::forEachCell): Deleted.
2988         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2989         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2990         (JSC::MarkedBlock::needsSweeping): Deleted.
2991         (JSC::MarkedBlock::isAllocated): Deleted.
2992         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2993         * heap/MarkedSpace.cpp:
2994         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2995         (JSC::MarkedSpace::MarkedSpace):
2996         (JSC::MarkedSpace::~MarkedSpace):
2997         (JSC::MarkedSpace::lastChanceToFinalize):
2998         (JSC::MarkedSpace::allocate):
2999         (JSC::MarkedSpace::tryAllocate):
3000         (JSC::MarkedSpace::allocateLarge):
3001         (JSC::MarkedSpace::tryAllocateLarge):
3002         (JSC::MarkedSpace::sweep):
3003         (JSC::MarkedSpace::sweepLargeAllocations):
3004         (JSC::MarkedSpace::zombifySweep):
3005         (JSC::MarkedSpace::resetAllocators):
3006         (JSC::MarkedSpace::visitWeakSets):
3007         (JSC::MarkedSpace::reapWeakSets):
3008         (JSC::MarkedSpace::stopAllocating):
3009         (JSC::MarkedSpace::prepareForMarking):
3010         (JSC::MarkedSpace::resumeAllocating):
3011         (JSC::MarkedSpace::isPagedOut):
3012         (JSC::MarkedSpace::freeBlock):
3013         (JSC::MarkedSpace::freeOrShrinkBlock):
3014         (JSC::MarkedSpace::shrink):
3015         (JSC::MarkedSpace::clearNewlyAllocated):
3016         (JSC::VerifyMarked::operator()):
3017         (JSC::MarkedSpace::flip):
3018         (JSC::MarkedSpace::objectCount):
3019         (JSC::MarkedSpace::size):
3020         (JSC::MarkedSpace::capacity):
3021         (JSC::MarkedSpace::addActiveWeakSet):
3022         (JSC::MarkedSpace::didAddBlock):
3023         (JSC::MarkedSpace::didAllocateInBlock):
3024         (JSC::MarkedSpace::forEachAllocator): Deleted.
3025         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
3026         (JSC::MarkedSpace::clearMarks): Deleted.
3027         * heap/MarkedSpace.h:
3028         (JSC::MarkedSpace::sizeClassToIndex):
3029         (JSC::MarkedSpace::indexToSizeClass):
3030         (JSC::MarkedSpace::version):
3031         (JSC::MarkedSpace::blocksWithNewObjects):
3032         (JSC::MarkedSpace::largeAllocations):
3033         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3034         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3035         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3036         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3037         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3038         (JSC::MarkedSpace::forEachLiveCell):
3039         (JSC::MarkedSpace::forEachDeadCell):
3040         (JSC::MarkedSpace::allocatorFor):
3041         (JSC::MarkedSpace::destructorAllocatorFor):
3042         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3043         (JSC::MarkedSpace::allocateWithoutDestructor):
3044         (JSC::MarkedSpace::allocateWithDestructor):
3045         (JSC::MarkedSpace::allocateAuxiliary):
3046         (JSC::MarkedSpace::tryAllocateAuxiliary):
3047         (JSC::MarkedSpace::forEachBlock):
3048         (JSC::MarkedSpace::forEachAllocator):
3049         (JSC::MarkedSpace::optimalSizeFor):
3050         (JSC::MarkedSpace::didAddBlock): Deleted.
3051         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
3052         (JSC::MarkedSpace::objectCount): Deleted.
3053         (JSC::MarkedSpace::size): Deleted.
3054         (JSC::MarkedSpace::capacity): Deleted.
3055         * heap/SlotVisitor.cpp:
3056         (JSC::SlotVisitor::SlotVisitor):
3057         (JSC::SlotVisitor::didStartMarking):
3058         (JSC::SlotVisitor::reset):
3059         (JSC::SlotVisitor::append):
3060         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3061         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3062         (JSC::SlotVisitor::appendToMarkStack):
3063         (JSC::SlotVisitor::markAuxiliary):
3064         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3065         (JSC::SlotVisitor::visitChildren):
3066         * heap/SlotVisitor.h:
3067         * heap/WeakBlock.cpp:
3068         (JSC::WeakBlock::create):
3069         (JSC::WeakBlock::WeakBlock):
3070         (JSC::WeakBlock::visit):
3071         (JSC::WeakBlock::reap):
3072         * heap/WeakBlock.h:
3073         (JSC::WeakBlock::disconnectContainer):
3074         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3075         * heap/WeakSet.cpp:
3076         (JSC::WeakSet::~WeakSet):
3077         (JSC::WeakSet::sweep):
3078         (JSC::WeakSet::shrink):
3079         (JSC::WeakSet::addAllocator):
3080         * heap/WeakSet.h:
3081         (JSC::WeakSet::container):
3082         (JSC::WeakSet::setContainer):
3083         (JSC::WeakSet::WeakSet):
3084         (JSC::WeakSet::visit):
3085         (JSC::WeakSet::shrink): Deleted.
3086         * heap/WeakSetInlines.h:
3087         (JSC::WeakSet::allocate):
3088         * inspector/InjectedScriptManager.cpp:
3089         * inspector/JSGlobalObjectInspectorController.cpp:
3090         * inspector/JSJavaScriptCallFrame.cpp:
3091         * inspector/ScriptDebugServer.cpp:
3092         * inspector/agents/InspectorDebuggerAgent.cpp:
3093         * interpreter/CachedCall.h:
3094         (JSC::CachedCall::CachedCall):
3095         * interpreter/Interpreter.cpp:
3096         (JSC::loadVarargs):
3097         (JSC::StackFrame::sourceID): Deleted.
3098         (JSC::StackFrame::sourceURL): Deleted.
3099         (JSC::StackFrame::functionName): Deleted.
3100         (JSC::StackFrame::computeLineAndColumn): Deleted.
3101         (JSC::StackFrame::toString): Deleted.
3102         * interpreter/Interpreter.h:
3103         (JSC::StackFrame::isNative): Deleted.
3104         * jit/AssemblyHelpers.h:
3105         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3106         (JSC::AssemblyHelpers::emitAllocate):
3107         (JSC::AssemblyHelpers::emitAllocateJSCell):
3108         (JSC::AssemblyHelpers::emitAllocateJSObject):
3109         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3110         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3111         * jit/GCAwareJITStubRoutine.cpp:
3112         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3113         * jit/JIT.cpp:
3114         (JSC::JIT::compileCTINativeCall):
3115         (JSC::JIT::link):
3116         * jit/JIT.h:
3117         (JSC::JIT::compileCTINativeCall): Deleted.
3118         * jit/JITExceptions.cpp:
3119         (JSC::genericUnwind):
3120         * jit/JITExceptions.h:
3121         * jit/JITOpcodes.cpp:
3122         (JSC::JIT::emit_op_new_object):
3123         (JSC::JIT::emitSlow_op_new_object):
3124         (JSC::JIT::emit_op_create_this):
3125         (JSC::JIT::emitSlow_op_create_this):
3126         * jit/JITOpcodes32_64.cpp:
3127         (JSC::JIT::emit_op_new_object):
3128         (JSC::JIT::emitSlow_op_new_object):
3129         (JSC::JIT::emit_op_create_this):
3130         (JSC::JIT::emitSlow_op_create_this):
3131         * jit/JITOperations.cpp:
3132         * jit/JITOperations.h:
3133         * jit/JITPropertyAccess.cpp:
3134         (JSC::JIT::emitWriteBarrier):
3135         * jit/JITThunks.cpp:
3136         * jit/JITThunks.h:
3137         * jsc.cpp:
3138         (functionDescribeArray):
3139         (main):
3140         * llint/LLIntData.cpp:
3141         (JSC::LLInt::Data::performAssertions):
3142         * llint/LLIntExceptions.cpp:
3143         * llint/LLIntThunks.cpp:
3144         * llint/LLIntThunks.h:
3145         * llint/LowLevelInterpreter.asm:
3146         * llint/LowLevelInterpreter.cpp:
3147         * llint/LowLevelInterpreter32_64.asm:
3148         * llint/LowLevelInterpreter64.asm:
3149         * parser/ModuleAnalyzer.cpp:
3150         * parser/NodeConstructors.h:
3151         * parser/Nodes.h:
3152         * profiler/ProfilerBytecode.cpp:
3153         * profiler/ProfilerBytecode.h:
3154         * profiler/ProfilerBytecodeSequence.cpp:
3155         * runtime/ArrayConventions.h:
3156         (JSC::indexingHeaderForArrayStorage):
3157         (JSC::baseIndexingHeaderForArrayStorage):
3158         (JSC::indexingHeaderForArray): Deleted.
3159         (JSC::baseIndexingHeaderForArray): Deleted.
3160         * runtime/ArrayPrototype.cpp:
3161         (JSC::arrayProtoFuncSplice):
3162         (JSC::concatAppendOne):
3163         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3164         * runtime/ArrayStorage.h:
3165         (JSC::ArrayStorage::vectorLength):
3166         (JSC::ArrayStorage::totalSizeFor):
3167         (JSC::ArrayStorage::totalSize):
3168         (JSC::ArrayStorage::availableVectorLength):
3169         (JSC::ArrayStorage::optimalVectorLength):
3170         (JSC::ArrayStorage::sizeFor): Deleted.
3171         * runtime/AuxiliaryBarrier.h: Added.
3172         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3173         (JSC::AuxiliaryBarrier::clear):
3174         (JSC::AuxiliaryBarrier::get):
3175         (JSC::AuxiliaryBarrier::slot):
3176         (JSC::AuxiliaryBarrier::operator bool):
3177         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3178         * runtime/AuxiliaryBarrierInlines.h: Added.
3179         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3180         (JSC::AuxiliaryBarrier<T>::set):
3181         * runtime/Butterfly.h:
3182         * runtime/ButterflyInlines.h:
3183         (JSC::Butterfly::availableContiguousVectorLength):
3184         (JSC::Butterfly::optimalContiguousVectorLength):
3185         (JSC::Butterfly::createUninitialized):
3186         (JSC::Butterfly::growArrayRight):
3187         * runtime/ClonedArguments.cpp:
3188         (JSC::ClonedArguments::createEmpty):
3189         * runtime/CommonSlowPathsExceptions.cpp:
3190         * runtime/CommonSlowPathsExceptions.h:
3191         * runtime/DataView.cpp:
3192         * runtime/DirectArguments.h:
3193         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3194         * runtime/Error.cpp:
3195         * runtime/Error.h:
3196         * runtime/ErrorInstance.cpp:
3197         * runtime/ErrorInstance.h:
3198         * runtime/Exception.cpp:
3199         * runtime/Exception.h:
3200         * runtime/GeneratorFrame.cpp:
3201         * runtime/GeneratorPrototype.cpp:
3202         * runtime/InternalFunction.cpp:
3203         (JSC::InternalFunction::InternalFunction):
3204         * runtime/IntlCollator.cpp:
3205         * runtime/IntlCollatorConstructor.cpp:
3206         * runtime/IntlCollatorPrototype.cpp:
3207         * runtime/IntlDateTimeFormat.cpp:
3208         * runtime/IntlDateTimeFormatConstructor.cpp:
3209         * runtime/IntlDateTimeFormatPrototype.cpp:
3210         * runtime/IntlNumberFormat.cpp:
3211         * runtime/IntlNumberFormatConstructor.cpp:
3212         * runtime/IntlNumberFormatPrototype.cpp:
3213         * runtime/IntlObject.cpp:
3214         * runtime/IteratorPrototype.cpp:
3215         * runtime/JSArray.cpp:
3216         (JSC::JSArray::tryCreateUninitialized):
3217         (JSC::JSArray::setLengthWritable):
3218         (JSC::JSArray::unshiftCountSlowCase):
3219         (JSC::JSArray::setLengthWithArrayStorage):
3220         (JSC::JSArray::appendMemcpy):
3221         (JSC::JSArray::setLength):
3222         (JSC::JSArray::pop):
3223         (JSC::JSArray::push):
3224         (JSC::JSArray::fastSlice):
3225         (JSC::JSArray::shiftCountWithArrayStorage):
3226         (JSC::JSArray::shiftCountWithAnyIndexingType):
3227         (JSC::JSArray::unshiftCountWithArrayStorage):
3228         (JSC::JSArray::fillArgList):
3229         (JSC::JSArray::copyToArguments):
3230         * runtime/JSArray.h:
3231         (JSC::createContiguousArrayButterfly):
3232         (JSC::createArrayButterfly):
3233         (JSC::JSArray::create):
3234         (JSC::JSArray::tryCreateUninitialized): Deleted.
3235         * runtime/JSArrayBufferView.h:
3236         * runtime/JSCInlines.h:
3237         * runtime/JSCJSValue.cpp:
3238         (JSC::JSValue::dumpInContextAssumingStructure):
3239         * runtime/JSCallee.cpp:
3240         (JSC::JSCallee::JSCallee):
3241         * runtime/JSCell.cpp:
3242         (JSC::JSCell::estimatedSize):
3243         * runtime/JSCell.h:
3244         (JSC::JSCell::cellStateOffset): Deleted.
3245         * runtime/JSCellInlines.h:
3246         (JSC::ExecState::vm):
3247         (JSC::JSCell::classInfo):
3248         (JSC::JSCell::callDestructor):
3249         (JSC::JSCell::vm): Deleted.
3250         * runtime/JSFunction.cpp:
3251         (JSC::JSFunction::create):
3252         (JSC::JSFunction::allocateAndInitializeRareData):
3253         (JSC::JSFunction::initializeRareData):
3254         (JSC::JSFunction::getOwnPropertySlot):
3255         (JSC::JSFunction::put):
3256         (JSC::JSFunction::deleteProperty):
3257         (JSC::JSFunction::defineOwnProperty):
3258         (JSC::JSFunction::setFunctionName):
3259         (JSC::JSFunction::reifyLength):
3260         (JSC::JSFunction::reifyName):
3261         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3262         (JSC::JSFunction::reifyBoundNameIfNeeded):
3263         * runtime/JSFunction.h:
3264         * runtime/JSFunctionInlines.h:
3265         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3266         (JSC::JSFunction::JSFunction):
3267         * runtime/JSGenericTypedArrayViewInlines.h:
3268         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3269         * runtime/JSInternalPromise.cpp:
3270         * runtime/JSInternalPromiseConstructor.cpp:
3271         * runtime/JSInternalPromiseDeferred.cpp:
3272         * runtime/JSInternalPromisePrototype.cpp:
3273         * runtime/JSJob.cpp:
3274         * runtime/JSMapIterator.cpp:
3275         * runtime/JSModuleNamespaceObject.cpp:
3276         * runtime/JSModuleRecord.cpp:
3277         * runtime/JSObject.cpp:
3278         (JSC::JSObject::visitButterfly):
3279         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3280         (JSC::JSObject::createInitialIndexedStorage):
3281         (JSC::JSObject::createInitialUndecided):
3282         (JSC::JSObject::createInitialInt32):
3283         (JSC::JSObject::createInitialDouble):
3284         (JSC::JSObject::createInitialContiguous):
3285         (JSC::JSObject::createArrayStorage):
3286         (JSC::JSObject::createInitialArrayStorage):
3287         (JSC::JSObject::convertUndecidedToInt32):
3288         (JSC::JSObject::convertUndecidedToContiguous):
3289         (JSC::JSObject::convertUndecidedToArrayStorage):
3290         (JSC::JSObject::convertInt32ToDouble):
3291         (JSC::JSObject::convertInt32ToArrayStorage):
3292         (JSC::JSObject::convertDoubleToArrayStorage):
3293         (JSC::JSObject::convertContiguousToArrayStorage):
3294         (JSC::JSObject::putByIndexBeyondVectorLength):
3295         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3296         (JSC::JSObject::getNewVectorLength):
3297         (JSC::JSObject::increaseVectorLength):