Typed arrays should use MarkedSpace instead of CopiedSpace
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2
3         Typed arrays should use MarkedSpace instead of CopiedSpace
4         https://bugs.webkit.org/show_bug.cgi?id=161100
5
6         Reviewed by Geoffrey Garen.
7         
8         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
9         
10         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
11         everything that typed arrays want.
12
13         * dfg/DFGOperations.cpp:
14         (JSC::DFG::newTypedArrayWithSize):
15         * dfg/DFGOperations.h:
16         (JSC::DFG::operationNewTypedArrayWithSizeForType):
17         * dfg/DFGSpeculativeJIT.cpp:
18         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
19         * dfg/DFGSpeculativeJIT.h:
20         (JSC::DFG::SpeculativeJIT::callOperation):
21         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
22         * ftl/FTLLowerDFGToB3.cpp:
23         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
24         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
25         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
26         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
27         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
28         * heap/CopyToken.h:
29         * heap/SlotVisitor.cpp:
30         (JSC::SlotVisitor::markAuxiliary):
31         * jit/JITOperations.h:
32         * runtime/JSArrayBufferView.cpp:
33         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
34         (JSC::JSArrayBufferView::JSArrayBufferView):
35         * runtime/JSArrayBufferView.h:
36         * runtime/JSGenericTypedArrayView.h:
37         * runtime/JSGenericTypedArrayViewInlines.h:
38         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
39         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
40         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
41         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
42
43 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
44
45         Silence GCC warning spam introduced in r205462
46
47         Rubber-stamped by Filip Pizlo.
48
49         * bytecode/Opcode.h:
50         (JSC::padOpcodeName):
51
52 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
53
54         Heap::isMarked() should use concurrent lazy flipping
55         https://bugs.webkit.org/show_bug.cgi?id=161613
56
57         Reviewed by Michael Catanzaro.
58         
59         I found out about this race condition via
60         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
61         
62         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
63         phase. So, they need to lazy-flip in a non-racy way.
64
65         * heap/HeapInlines.h:
66         (JSC::Heap::isLive):
67         (JSC::Heap::isMarked):
68
69 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
70
71         Unreviewed, reset generator test results after the butterflies.
72
73         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
74         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
75         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
76         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
77         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
78         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
79         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
80         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
81         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
82         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
83         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
84         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
85         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
86         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
87
88 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
89
90         Unreviewed, fix cloop build.
91
92         * bytecode/SuperSampler.cpp:
93
94 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
95
96         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
97         https://bugs.webkit.org/show_bug.cgi?id=160125
98
99         Reviewed by Geoffrey Garen and Keith Miller.
100
101         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
102         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
103         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
104         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
105         to get rid of copied space. This change moves copied space's biggest client over to marked
106         space.
107         
108         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
109         allocation path. This is a fairly mechanical change, but it caused performance regressions
110         everywhere, so this change also fixes MarkedSpace's performance issues.
111         
112         At a high level the mechanical changes are:
113         
114         - We use AuxiliaryBarrier instead of CopyBarrier.
115         
116         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
117           CheckedBoolean stuff, since it's so much more trouble than it's worth.
118         
119         - The JITs have to emit inlined marked space allocations instead of inline copy space
120           allocations.
121         
122         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
123           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
124           space doesn't.
125         
126         That's about 1/3 of this change. But this led to performance problems, which I fixed with
127         optimizations that amounted to a major MarkedSpace rewrite:
128         
129         - MarkedSpace always causes internal fragmentation for array allocations because the vector
130           length we choose when we resize usually leads to a cell size that doesn't correspond to any
131           size class. I got around this by making array allocations usually round up vectorLength to
132           the maximum allowed by the size class that we would have allocated in. Also,
133           ensureLengthSlow() and friends first make sure that the requested length can't just be
134           fulfilled with the current allocation size. This safeguard means that not every array
135           allocation has to do size class queries. For example, the fast path of new Array(length)
136           never does any size class queries, under the assumption that (1) the speed gained from
137           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
138           size class query, is too small to offset the speed lost by doing the query on every
139           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
140           likely.
141         
142         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
143           changes MarkedSpace size classes to use a linear progression for very small sizes followed
144           by a geometric progression that naturally transitions to a hyperbolic progression. We want
145           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
146           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
147           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
148           size (80 bytes), we proceed using a geometric progression, but round up each size to
149           minimize slop at the end of the block. This naturally causes the geometric progression to
150           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
151           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
152         
153         - Large allocations caused massive internal fragmentation, since the smallest large
154           allocation had to use exactly blockSize, and the largest small allocation used
155           blockSize / 2. The next size up - the first large allocation size to require two blocks -
156           also had 50% internal fragmentation. This is because we required large allocations to be
157           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
158           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
159           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
160           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
161           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
162           out great since (1) typed arrays won't use large allocations anyway since they have their
163           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
164           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
165           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
166           rare as possible; for example, ExecState::vm() skips the check because we know that callees
167           must be small allocations. It's also possible to use template tricks to do one check for
168           cell container kind, and then invoke a function specialized for MarkedBlock or a function
169           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
170           that get used from functions that are template-specialized like this. That's mostly to
171           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
172           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
173           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
174           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
175           cutoff for large allocations is runtime-configurable, so long as you don't choose something
176           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
177           that the MarkedBlock size classes end up being:
178           
179           16, 32, 48, 64, 80, 112, 160, 224, 320
180           
181           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
182           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
183           size classes you end up with by doing --dumpSizeClasses=true.
184         
185         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
186           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
187           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
188           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
189           side, for better locality during a sequential walk. It's no longer necessary to scan
190           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
191           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
192           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
193           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
194           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
195           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
196           together, these optimizations allowed me to reduce block size to 16KB without losing much
197           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
198           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
199           progression on membuster. That's not possible yet, since there is still enough per-block
200           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
201           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
202         
203         - Even after all of that, copying butterflies was still faster because it allowed us to skip
204           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
205           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
206           larger than O(live), especially in an eden collection. Copying satisfies this premise while
207           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
208           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
209           that we walk the block to build a free list. This means walking dead space. The new
210           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
211           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
212           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
213           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
214           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
215           is completely empty, which is the common case because of the generational hypothesis: the
216           number of objects that survive an eden collection is a tiny fraction of the number of
217           objects that had been allocated, and this fraction is so small that there are typically
218           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
219           win over tip-of-tree.
220         
221         - FTL now shares the same allocation fast paths as everything else, which is great, because
222           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
223           control flow, since it won't be able to improve the machine code we write ourselves. GC
224           fast paths are best written in assembly. So, I've empowered B3 to have even better support
225           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
226           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
227           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
228           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
229           ability to constant-fold some allocator logic (in case we first assume that we're doing a
230           variable-length allocation but then realize that the length is known). I think it makes
231           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
232           since this makes lowering easier (you can constant fold during lowering more easily) and it
233           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
234           constant-fold this code. That would require allowing loads to be constant-folded, which is
235           doable but hella tricky.
236         
237         - It used to be that if a logical object allocation required two physical allocations (first
238           the butterfly and then the cell), then the JIT would emit the code in such a way that a
239           failure in the second fast path would cause us to forget the successful first physical
240           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
241           register to storing either the butterfly or null, because the butterfly register is anyway
242           going to be free inside the first allocation. The only overhead here is zeroing the
243           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
244           path, which can then either allocate a butterfly or not. So now we never waste a successful
245           allocation. This patch implements such a solution both in DFG (where it's easy to do this
246           since we control registers already) and in FTL (where it's annoying, because mutable
247           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
248           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
249           one version of this patch, this wastage would resonate with some Kraken benchmark: the
250           benchmark would always allocate N small things followed by one bigger thing. The problem
251           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
252           the JSObject size class, which both the small and big thing shared for their cell, could
253           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
254           it allocated the big thing. So, it would end up having to allocate the big thing's large
255           butterfly twice, every single time! Ouch!
256         
257         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
258           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
259           of the allocator to initialize the object to whatever state they need. It used to be that
260           we would just use a dumb loop. I initially changed this so that we would end up in memset
261           for large allocations, but this didn't actually help performance that much. I got a much
262           better result by playing with different memsets written in assembly. First I wrote one
263           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
264           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
265           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
266           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
267           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
268           of stores (if the size is known), but those paths in the JIT won't trigger for
269           NewArrayWithSize() if the size is large, since that takes us to the
270           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
271           optimizations here are all in JSArray::create() - that's the hot place for large arrays
272           that need to be filled with holes.
273         
274         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
275         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
276         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
277         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
278         difference, but take the hit for now because it's a crazy corner case. By comparison, the
279         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
280         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
281         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
282         marking barrier and we simply won't need a copying barrier. This change gets us there for
283         the purposes of our benchmarks, since the remaining clients of copied space are not very
284         important. On the other hand, if we keep copying, then getting barrier-ready would mean
285         adding back the copy barrier, which costs more perf.
286         
287         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
288         typed arrays and a few other weird things over to Aux MarkedSpace.
289         
290         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
291         and CellContainer meant that I had to include those files from everywhere. Fortunately,
292         just including JSCInlines.h (instead of manually including the files that includes) is
293         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
294         that we were already basically doing. In places where JSCInlines.h would be too much, I just
295         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
296         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
297         meant having to manually include HeapInlines.h from the places that previously got it
298         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
299         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
300         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
301         made it impossible to include it from outside JSC. This was a lot of work, but it was
302         necessary to get the patch to build on all ports. It's also a net win. There were many places
303         in WebCore that were transitively including a *ton* of JSC headers just because of the
304         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
305         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
306
307         * API/JSManagedValue.mm:
308         (-[JSManagedValue initWithValue:]):
309         * API/JSTypedArray.cpp:
310         * API/ObjCCallbackFunction.mm:
311         * API/tests/testapi.mm:
312         (testObjectiveCAPI):
313         (testWeakValue): Deleted.
314         * CMakeLists.txt:
315         * JavaScriptCore.xcodeproj/project.pbxproj:
316         * Scripts/builtins/builtins_generate_combined_implementation.py:
317         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
318         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
319         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
320         * Scripts/builtins/builtins_generate_separate_implementation.py:
321         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
322         * assembler/AbstractMacroAssembler.h:
323         (JSC::AbstractMacroAssembler::JumpList::link):
324         (JSC::AbstractMacroAssembler::JumpList::linkTo):
325         * assembler/MacroAssembler.h:
326         * assembler/MacroAssemblerARM64.h:
327         (JSC::MacroAssemblerARM64::add32):
328         * assembler/MacroAssemblerCodeRef.cpp: Added.
329         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
330         (JSC::MacroAssemblerCodePtr::dumpWithName):
331         (JSC::MacroAssemblerCodePtr::dump):
332         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
333         (JSC::MacroAssemblerCodeRef::dump):
334         * assembler/MacroAssemblerCodeRef.h:
335         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
336         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
337         (JSC::MacroAssemblerCodePtr::dump): Deleted.
338         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
339         (JSC::MacroAssemblerCodeRef::dump): Deleted.
340         * b3/B3BasicBlock.cpp:
341         (JSC::B3::BasicBlock::appendBoolConstant):
342         * b3/B3BasicBlock.h:
343         * b3/B3DuplicateTails.cpp:
344         * b3/B3StackmapGenerationParams.h:
345         * b3/testb3.cpp:
346         (JSC::B3::testPatchpointTerminalReturnValue):
347         (JSC::B3::run):
348         * bindings/ScriptValue.cpp:
349         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
350         * bytecode/BytecodeBasicBlock.cpp:
351         * bytecode/BytecodeLivenessAnalysis.cpp:
352         * bytecode/BytecodeUseDef.h:
353         * bytecode/CallLinkInfo.cpp:
354         (JSC::CallLinkInfo::callTypeFor):
355         * bytecode/CallLinkInfo.h:
356         (JSC::CallLinkInfo::callTypeFor): Deleted.
357         * bytecode/CallLinkStatus.cpp:
358         * bytecode/CodeBlock.cpp:
359         (JSC::CodeBlock::finishCreation):
360         (JSC::CodeBlock::clearLLIntGetByIdCache):
361         (JSC::CodeBlock::predictedMachineCodeSize):
362         * bytecode/CodeBlock.h:
363         (JSC::CodeBlock::jitCodeMap): Deleted.
364         (JSC::clearLLIntGetByIdCache): Deleted.
365         * bytecode/ExecutionCounter.h:
366         * bytecode/Instruction.h:
367         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
368         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
369         * bytecode/ObjectAllocationProfile.h:
370         (JSC::ObjectAllocationProfile::isNull):
371         (JSC::ObjectAllocationProfile::initialize):
372         * bytecode/Opcode.h:
373         (JSC::padOpcodeName):
374         * bytecode/PolymorphicAccess.cpp:
375         (JSC::AccessCase::generateImpl):
376         (JSC::PolymorphicAccess::regenerate):
377         * bytecode/PolymorphicAccess.h:
378         * bytecode/PreciseJumpTargets.cpp:
379         * bytecode/StructureStubInfo.cpp:
380         * bytecode/StructureStubInfo.h:
381         * bytecode/UnlinkedCodeBlock.cpp:
382         (JSC::UnlinkedCodeBlock::vm): Deleted.
383         * bytecode/UnlinkedCodeBlock.h:
384         * bytecode/UnlinkedInstructionStream.cpp:
385         * bytecode/UnlinkedInstructionStream.h:
386         * dfg/DFGOperations.cpp:
387         * dfg/DFGSpeculativeJIT.cpp:
388         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
389         (JSC::DFG::SpeculativeJIT::compileMakeRope):
390         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
391         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
392         * dfg/DFGSpeculativeJIT.h:
393         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
394         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
395         * dfg/DFGSpeculativeJIT32_64.cpp:
396         (JSC::DFG::SpeculativeJIT::compile):
397         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
398         * dfg/DFGSpeculativeJIT64.cpp:
399         (JSC::DFG::SpeculativeJIT::compile):
400         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
401         * dfg/DFGStrengthReductionPhase.cpp:
402         (JSC::DFG::StrengthReductionPhase::handleNode):
403         * ftl/FTLAbstractHeapRepository.h:
404         * ftl/FTLCompile.cpp:
405         * ftl/FTLJITFinalizer.cpp:
406         * ftl/FTLLowerDFGToB3.cpp:
407         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
408         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
409         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
410         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
411         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
412         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
413         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
414         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
415         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
416         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
417         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
418         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
419         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
420         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
421         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
422         * ftl/FTLOutput.cpp:
423         (JSC::FTL::Output::constBool):
424         (JSC::FTL::Output::add):
425         (JSC::FTL::Output::shl):
426         (JSC::FTL::Output::aShr):
427         (JSC::FTL::Output::lShr):
428         (JSC::FTL::Output::zeroExt):
429         (JSC::FTL::Output::equal):
430         (JSC::FTL::Output::notEqual):
431         (JSC::FTL::Output::above):
432         (JSC::FTL::Output::aboveOrEqual):
433         (JSC::FTL::Output::below):
434         (JSC::FTL::Output::belowOrEqual):
435         (JSC::FTL::Output::greaterThan):
436         (JSC::FTL::Output::greaterThanOrEqual):
437         (JSC::FTL::Output::lessThan):
438         (JSC::FTL::Output::lessThanOrEqual):
439         (JSC::FTL::Output::select):
440         (JSC::FTL::Output::appendSuccessor):
441         (JSC::FTL::Output::addIncomingToPhi):
442         * ftl/FTLOutput.h:
443         * ftl/FTLValueFromBlock.h:
444         (JSC::FTL::ValueFromBlock::operator bool):
445         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
446         * ftl/FTLWeightedTarget.h:
447         (JSC::FTL::WeightedTarget::frequentedBlock):
448         * heap/CellContainer.h: Added.
449         (JSC::CellContainer::CellContainer):
450         (JSC::CellContainer::operator bool):
451         (JSC::CellContainer::isMarkedBlock):
452         (JSC::CellContainer::isLargeAllocation):
453         (JSC::CellContainer::markedBlock):
454         (JSC::CellContainer::largeAllocation):
455         * heap/CellContainerInlines.h: Added.
456         (JSC::CellContainer::isMarked):
457         (JSC::CellContainer::isMarkedOrNewlyAllocated):
458         (JSC::CellContainer::noteMarked):
459         (JSC::CellContainer::cellSize):
460         (JSC::CellContainer::weakSet):
461         (JSC::CellContainer::flipIfNecessary):
462         * heap/ConservativeRoots.cpp:
463         (JSC::ConservativeRoots::ConservativeRoots):
464         (JSC::ConservativeRoots::~ConservativeRoots):
465         (JSC::ConservativeRoots::grow):
466         (JSC::ConservativeRoots::genericAddPointer):
467         (JSC::ConservativeRoots::genericAddSpan):
468         * heap/ConservativeRoots.h:
469         (JSC::ConservativeRoots::roots):
470         * heap/CopyToken.h:
471         * heap/FreeList.cpp: Added.
472         (JSC::FreeList::dump):
473         * heap/FreeList.h: Added.
474         (JSC::FreeList::FreeList):
475         (JSC::FreeList::list):
476         (JSC::FreeList::bump):
477         (JSC::FreeList::operator==):
478         (JSC::FreeList::operator!=):
479         (JSC::FreeList::operator bool):
480         (JSC::FreeList::allocationWillFail):
481         (JSC::FreeList::allocationWillSucceed):
482         * heap/GCTypeMap.h: Added.
483         (JSC::GCTypeMap::operator[]):
484         * heap/Heap.cpp:
485         (JSC::Heap::Heap):
486         (JSC::Heap::lastChanceToFinalize):
487         (JSC::Heap::finalizeUnconditionalFinalizers):
488         (JSC::Heap::markRoots):
489         (JSC::Heap::copyBackingStores):
490         (JSC::Heap::gatherStackRoots):
491         (JSC::Heap::gatherJSStackRoots):
492         (JSC::Heap::gatherScratchBufferRoots):
493         (JSC::Heap::clearLivenessData):
494         (JSC::Heap::visitSmallStrings):
495         (JSC::Heap::visitConservativeRoots):
496         (JSC::Heap::removeDeadCompilerWorklistEntries):
497         (JSC::Heap::gatherExtraHeapSnapshotData):
498         (JSC::Heap::removeDeadHeapSnapshotNodes):
499         (JSC::Heap::visitProtectedObjects):
500         (JSC::Heap::visitArgumentBuffers):
501         (JSC::Heap::visitException):
502         (JSC::Heap::visitStrongHandles):
503         (JSC::Heap::visitHandleStack):
504         (JSC::Heap::visitSamplingProfiler):
505         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
506         (JSC::Heap::converge):
507         (JSC::Heap::visitWeakHandles):
508         (JSC::Heap::updateObjectCounts):
509         (JSC::Heap::clearUnmarkedExecutables):
510         (JSC::Heap::deleteUnmarkedCompiledCode):
511         (JSC::Heap::collectAllGarbage):
512         (JSC::Heap::collect):
513         (JSC::Heap::collectWithoutAnySweep):
514         (JSC::Heap::collectImpl):
515         (JSC::Heap::suspendCompilerThreads):
516         (JSC::Heap::willStartCollection):
517         (JSC::Heap::flushOldStructureIDTables):
518         (JSC::Heap::flushWriteBarrierBuffer):
519         (JSC::Heap::stopAllocation):
520         (JSC::Heap::prepareForMarking):
521         (JSC::Heap::reapWeakHandles):
522         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
523         (JSC::Heap::sweepArrayBuffers):
524         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
525         (JSC::MarkedBlockSnapshotFunctor::operator()):
526         (JSC::Heap::snapshotMarkedSpace):
527         (JSC::Heap::deleteSourceProviderCaches):
528         (JSC::Heap::notifyIncrementalSweeper):
529         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
530         (JSC::Heap::resetAllocators):
531         (JSC::Heap::updateAllocationLimits):
532         (JSC::Heap::didFinishCollection):
533         (JSC::Heap::resumeCompilerThreads):
534         (JSC::Zombify::visit):
535         (JSC::Heap::forEachCodeBlockImpl):
536         * heap/Heap.h:
537         (JSC::Heap::allocatorForObjectWithoutDestructor):
538         (JSC::Heap::allocatorForObjectWithDestructor):
539         (JSC::Heap::allocatorForAuxiliaryData):
540         (JSC::Heap::jitStubRoutines):
541         (JSC::Heap::codeBlockSet):
542         (JSC::Heap::storageAllocator): Deleted.
543         * heap/HeapCell.h:
544         (JSC::HeapCell::isZapped): Deleted.
545         * heap/HeapCellInlines.h: Added.
546         (JSC::HeapCell::isLargeAllocation):
547         (JSC::HeapCell::cellContainer):
548         (JSC::HeapCell::markedBlock):
549         (JSC::HeapCell::largeAllocation):
550         (JSC::HeapCell::heap):
551         (JSC::HeapCell::vm):
552         (JSC::HeapCell::cellSize):
553         (JSC::HeapCell::allocatorAttributes):
554         (JSC::HeapCell::destructionMode):
555         (JSC::HeapCell::cellKind):
556         * heap/HeapInlines.h:
557         (JSC::Heap::heap):
558         (JSC::Heap::isLive):
559         (JSC::Heap::isMarked):
560         (JSC::Heap::testAndSetMarked):
561         (JSC::Heap::setMarked):
562         (JSC::Heap::cellSize):
563         (JSC::Heap::forEachCodeBlock):
564         (JSC::Heap::allocateObjectOfType):
565         (JSC::Heap::subspaceForObjectOfType):
566         (JSC::Heap::allocatorForObjectOfType):
567         (JSC::Heap::allocateAuxiliary):
568         (JSC::Heap::tryAllocateAuxiliary):
569         (JSC::Heap::tryReallocateAuxiliary):
570         (JSC::Heap::isPointerGCObject): Deleted.
571         (JSC::Heap::isValueGCObject): Deleted.
572         * heap/HeapOperation.cpp: Added.
573         (WTF::printInternal):
574         * heap/HeapOperation.h:
575         * heap/HeapUtil.h: Added.
576         (JSC::HeapUtil::findGCObjectPointersForMarking):
577         (JSC::HeapUtil::isPointerGCObjectJSCell):
578         (JSC::HeapUtil::isValueGCObject):
579         * heap/IncrementalSweeper.cpp:
580         (JSC::IncrementalSweeper::sweepNextBlock):
581         * heap/IncrementalSweeper.h:
582         * heap/LargeAllocation.cpp: Added.
583         (JSC::LargeAllocation::tryCreate):
584         (JSC::LargeAllocation::LargeAllocation):
585         (JSC::LargeAllocation::lastChanceToFinalize):
586         (JSC::LargeAllocation::shrink):
587         (JSC::LargeAllocation::visitWeakSet):
588         (JSC::LargeAllocation::reapWeakSet):
589         (JSC::LargeAllocation::flip):
590         (JSC::LargeAllocation::isEmpty):
591         (JSC::LargeAllocation::sweep):
592         (JSC::LargeAllocation::destroy):
593         (JSC::LargeAllocation::dump):
594         * heap/LargeAllocation.h: Added.
595         (JSC::LargeAllocation::fromCell):
596         (JSC::LargeAllocation::cell):
597         (JSC::LargeAllocation::isLargeAllocation):
598         (JSC::LargeAllocation::heap):
599         (JSC::LargeAllocation::vm):
600         (JSC::LargeAllocation::weakSet):
601         (JSC::LargeAllocation::clearNewlyAllocated):
602         (JSC::LargeAllocation::isNewlyAllocated):
603         (JSC::LargeAllocation::isMarked):
604         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
605         (JSC::LargeAllocation::isLive):
606         (JSC::LargeAllocation::hasValidCell):
607         (JSC::LargeAllocation::cellSize):
608         (JSC::LargeAllocation::aboveLowerBound):
609         (JSC::LargeAllocation::belowUpperBound):
610         (JSC::LargeAllocation::contains):
611         (JSC::LargeAllocation::attributes):
612         (JSC::LargeAllocation::flipIfNecessary):
613         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
614         (JSC::LargeAllocation::testAndSetMarked):
615         (JSC::LargeAllocation::setMarked):
616         (JSC::LargeAllocation::clearMarked):
617         (JSC::LargeAllocation::noteMarked):
618         (JSC::LargeAllocation::headerSize):
619         * heap/MarkedAllocator.cpp:
620         (JSC::MarkedAllocator::MarkedAllocator):
621         (JSC::MarkedAllocator::isPagedOut):
622         (JSC::MarkedAllocator::retire):
623         (JSC::MarkedAllocator::filterNextBlock):
624         (JSC::MarkedAllocator::setNextBlockToSweep):
625         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
626         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
627         (JSC::MarkedAllocator::allocateSlowCase):
628         (JSC::MarkedAllocator::tryAllocateSlowCase):
629         (JSC::MarkedAllocator::allocateSlowCaseImpl):
630         (JSC::blockHeaderSize):
631         (JSC::MarkedAllocator::blockSizeForBytes):
632         (JSC::MarkedAllocator::tryAllocateBlock):
633         (JSC::MarkedAllocator::addBlock):
634         (JSC::MarkedAllocator::removeBlock):
635         (JSC::MarkedAllocator::stopAllocating):
636         (JSC::MarkedAllocator::reset):
637         (JSC::MarkedAllocator::lastChanceToFinalize):
638         (JSC::MarkedAllocator::setFreeList):
639         (JSC::isListPagedOut): Deleted.
640         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
641         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
642         (JSC::MarkedAllocator::tryAllocate): Deleted.
643         (JSC::MarkedAllocator::allocateBlock): Deleted.
644         * heap/MarkedAllocator.h:
645         (JSC::MarkedAllocator::takeLastActiveBlock):
646         (JSC::MarkedAllocator::offsetOfFreeList):
647         (JSC::MarkedAllocator::offsetOfCellSize):
648         (JSC::MarkedAllocator::tryAllocate):
649         (JSC::MarkedAllocator::allocate):
650         (JSC::MarkedAllocator::forEachBlock):
651         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
652         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
653         (JSC::MarkedAllocator::init): Deleted.
654         (JSC::MarkedAllocator::stopAllocating): Deleted.
655         * heap/MarkedBlock.cpp:
656         (JSC::MarkedBlock::tryCreate):
657         (JSC::MarkedBlock::Handle::Handle):
658         (JSC::MarkedBlock::Handle::~Handle):
659         (JSC::MarkedBlock::MarkedBlock):
660         (JSC::MarkedBlock::Handle::specializedSweep):
661         (JSC::MarkedBlock::Handle::sweep):
662         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
663         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
664         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
665         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
666         (JSC::SetNewlyAllocatedFunctor::operator()):
667         (JSC::MarkedBlock::Handle::stopAllocating):
668         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
669         (JSC::MarkedBlock::Handle::resumeAllocating):
670         (JSC::MarkedBlock::Handle::zap):
671         (JSC::MarkedBlock::Handle::forEachFreeCell):
672         (JSC::MarkedBlock::flipIfNecessary):
673         (JSC::MarkedBlock::Handle::flipIfNecessary):
674         (JSC::MarkedBlock::flipIfNecessarySlow):
675         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
676         (JSC::MarkedBlock::clearMarks):
677         (JSC::MarkedBlock::assertFlipped):
678         (JSC::MarkedBlock::needsFlip):
679         (JSC::MarkedBlock::Handle::needsFlip):
680         (JSC::MarkedBlock::Handle::willRemoveBlock):
681         (JSC::MarkedBlock::Handle::didConsumeFreeList):
682         (JSC::MarkedBlock::markCount):
683         (JSC::MarkedBlock::Handle::isEmpty):
684         (JSC::MarkedBlock::clearHasAnyMarked):
685         (JSC::MarkedBlock::noteMarkedSlow):
686         (WTF::printInternal):
687         (JSC::MarkedBlock::create): Deleted.
688         (JSC::MarkedBlock::destroy): Deleted.
689         (JSC::MarkedBlock::callDestructor): Deleted.
690         (JSC::MarkedBlock::specializedSweep): Deleted.
691         (JSC::MarkedBlock::sweep): Deleted.
692         (JSC::MarkedBlock::sweepHelper): Deleted.
693         (JSC::MarkedBlock::stopAllocating): Deleted.
694         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
695         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
696         (JSC::MarkedBlock::resumeAllocating): Deleted.
697         (JSC::MarkedBlock::didRetireBlock): Deleted.
698         * heap/MarkedBlock.h:
699         (JSC::MarkedBlock::VoidFunctor::returnValue):
700         (JSC::MarkedBlock::CountFunctor::CountFunctor):
701         (JSC::MarkedBlock::CountFunctor::count):
702         (JSC::MarkedBlock::CountFunctor::returnValue):
703         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
704         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
705         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
706         (JSC::MarkedBlock::Handle::state):
707         (JSC::MarkedBlock::needsDestruction):
708         (JSC::MarkedBlock::handle):
709         (JSC::MarkedBlock::Handle::block):
710         (JSC::MarkedBlock::firstAtom):
711         (JSC::MarkedBlock::atoms):
712         (JSC::MarkedBlock::isAtomAligned):
713         (JSC::MarkedBlock::Handle::cellAlign):
714         (JSC::MarkedBlock::blockFor):
715         (JSC::MarkedBlock::Handle::allocator):
716         (JSC::MarkedBlock::Handle::heap):
717         (JSC::MarkedBlock::Handle::vm):
718         (JSC::MarkedBlock::vm):
719         (JSC::MarkedBlock::Handle::weakSet):
720         (JSC::MarkedBlock::weakSet):
721         (JSC::MarkedBlock::Handle::shrink):
722         (JSC::MarkedBlock::Handle::visitWeakSet):
723         (JSC::MarkedBlock::Handle::reapWeakSet):
724         (JSC::MarkedBlock::Handle::cellSize):
725         (JSC::MarkedBlock::cellSize):
726         (JSC::MarkedBlock::Handle::attributes):
727         (JSC::MarkedBlock::attributes):
728         (JSC::MarkedBlock::Handle::needsDestruction):
729         (JSC::MarkedBlock::Handle::destruction):
730         (JSC::MarkedBlock::Handle::cellKind):
731         (JSC::MarkedBlock::Handle::markCount):
732         (JSC::MarkedBlock::Handle::size):
733         (JSC::MarkedBlock::atomNumber):
734         (JSC::MarkedBlock::flipIfNecessary):
735         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
736         (JSC::MarkedBlock::Handle::flipIfNecessary):
737         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
738         (JSC::MarkedBlock::Handle::flipForEdenCollection):
739         (JSC::MarkedBlock::assertFlipped):
740         (JSC::MarkedBlock::Handle::assertFlipped):
741         (JSC::MarkedBlock::isMarked):
742         (JSC::MarkedBlock::testAndSetMarked):
743         (JSC::MarkedBlock::Handle::isNewlyAllocated):
744         (JSC::MarkedBlock::Handle::setNewlyAllocated):
745         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
746         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
747         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
748         (JSC::MarkedBlock::Handle::isLive):
749         (JSC::MarkedBlock::isAtom):
750         (JSC::MarkedBlock::Handle::isLiveCell):
751         (JSC::MarkedBlock::Handle::forEachCell):
752         (JSC::MarkedBlock::Handle::forEachLiveCell):
753         (JSC::MarkedBlock::Handle::forEachDeadCell):
754         (JSC::MarkedBlock::Handle::needsSweeping):
755         (JSC::MarkedBlock::Handle::isAllocated):
756         (JSC::MarkedBlock::Handle::isMarked):
757         (JSC::MarkedBlock::Handle::isFreeListed):
758         (JSC::MarkedBlock::hasAnyMarked):
759         (JSC::MarkedBlock::noteMarked):
760         (WTF::MarkedBlockHash::hash):
761         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
762         (JSC::MarkedBlock::allocator): Deleted.
763         (JSC::MarkedBlock::heap): Deleted.
764         (JSC::MarkedBlock::shrink): Deleted.
765         (JSC::MarkedBlock::visitWeakSet): Deleted.
766         (JSC::MarkedBlock::reapWeakSet): Deleted.
767         (JSC::MarkedBlock::willRemoveBlock): Deleted.
768         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
769         (JSC::MarkedBlock::markCount): Deleted.
770         (JSC::MarkedBlock::isEmpty): Deleted.
771         (JSC::MarkedBlock::destruction): Deleted.
772         (JSC::MarkedBlock::cellKind): Deleted.
773         (JSC::MarkedBlock::size): Deleted.
774         (JSC::MarkedBlock::capacity): Deleted.
775         (JSC::MarkedBlock::setMarked): Deleted.
776         (JSC::MarkedBlock::clearMarked): Deleted.
777         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
778         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
779         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
780         (JSC::MarkedBlock::isLive): Deleted.
781         (JSC::MarkedBlock::isLiveCell): Deleted.
782         (JSC::MarkedBlock::forEachCell): Deleted.
783         (JSC::MarkedBlock::forEachLiveCell): Deleted.
784         (JSC::MarkedBlock::forEachDeadCell): Deleted.
785         (JSC::MarkedBlock::needsSweeping): Deleted.
786         (JSC::MarkedBlock::isAllocated): Deleted.
787         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
788         * heap/MarkedSpace.cpp:
789         (JSC::MarkedSpace::initializeSizeClassForStepSize):
790         (JSC::MarkedSpace::MarkedSpace):
791         (JSC::MarkedSpace::~MarkedSpace):
792         (JSC::MarkedSpace::lastChanceToFinalize):
793         (JSC::MarkedSpace::allocate):
794         (JSC::MarkedSpace::tryAllocate):
795         (JSC::MarkedSpace::allocateLarge):
796         (JSC::MarkedSpace::tryAllocateLarge):
797         (JSC::MarkedSpace::sweep):
798         (JSC::MarkedSpace::sweepLargeAllocations):
799         (JSC::MarkedSpace::zombifySweep):
800         (JSC::MarkedSpace::resetAllocators):
801         (JSC::MarkedSpace::visitWeakSets):
802         (JSC::MarkedSpace::reapWeakSets):
803         (JSC::MarkedSpace::stopAllocating):
804         (JSC::MarkedSpace::prepareForMarking):
805         (JSC::MarkedSpace::resumeAllocating):
806         (JSC::MarkedSpace::isPagedOut):
807         (JSC::MarkedSpace::freeBlock):
808         (JSC::MarkedSpace::freeOrShrinkBlock):
809         (JSC::MarkedSpace::shrink):
810         (JSC::MarkedSpace::clearNewlyAllocated):
811         (JSC::VerifyMarked::operator()):
812         (JSC::MarkedSpace::flip):
813         (JSC::MarkedSpace::objectCount):
814         (JSC::MarkedSpace::size):
815         (JSC::MarkedSpace::capacity):
816         (JSC::MarkedSpace::addActiveWeakSet):
817         (JSC::MarkedSpace::didAddBlock):
818         (JSC::MarkedSpace::didAllocateInBlock):
819         (JSC::MarkedSpace::forEachAllocator): Deleted.
820         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
821         (JSC::MarkedSpace::clearMarks): Deleted.
822         * heap/MarkedSpace.h:
823         (JSC::MarkedSpace::sizeClassToIndex):
824         (JSC::MarkedSpace::indexToSizeClass):
825         (JSC::MarkedSpace::version):
826         (JSC::MarkedSpace::blocksWithNewObjects):
827         (JSC::MarkedSpace::largeAllocations):
828         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
829         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
830         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
831         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
832         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
833         (JSC::MarkedSpace::forEachLiveCell):
834         (JSC::MarkedSpace::forEachDeadCell):
835         (JSC::MarkedSpace::allocatorFor):
836         (JSC::MarkedSpace::destructorAllocatorFor):
837         (JSC::MarkedSpace::auxiliaryAllocatorFor):
838         (JSC::MarkedSpace::allocateWithoutDestructor):
839         (JSC::MarkedSpace::allocateWithDestructor):
840         (JSC::MarkedSpace::allocateAuxiliary):
841         (JSC::MarkedSpace::tryAllocateAuxiliary):
842         (JSC::MarkedSpace::forEachBlock):
843         (JSC::MarkedSpace::forEachAllocator):
844         (JSC::MarkedSpace::optimalSizeFor):
845         (JSC::MarkedSpace::didAddBlock): Deleted.
846         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
847         (JSC::MarkedSpace::objectCount): Deleted.
848         (JSC::MarkedSpace::size): Deleted.
849         (JSC::MarkedSpace::capacity): Deleted.
850         * heap/SlotVisitor.cpp:
851         (JSC::SlotVisitor::SlotVisitor):
852         (JSC::SlotVisitor::didStartMarking):
853         (JSC::SlotVisitor::reset):
854         (JSC::SlotVisitor::append):
855         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
856         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
857         (JSC::SlotVisitor::appendToMarkStack):
858         (JSC::SlotVisitor::markAuxiliary):
859         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
860         (JSC::SlotVisitor::visitChildren):
861         * heap/SlotVisitor.h:
862         * heap/WeakBlock.cpp:
863         (JSC::WeakBlock::create):
864         (JSC::WeakBlock::WeakBlock):
865         (JSC::WeakBlock::visit):
866         (JSC::WeakBlock::reap):
867         * heap/WeakBlock.h:
868         (JSC::WeakBlock::disconnectContainer):
869         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
870         * heap/WeakSet.cpp:
871         (JSC::WeakSet::~WeakSet):
872         (JSC::WeakSet::sweep):
873         (JSC::WeakSet::shrink):
874         (JSC::WeakSet::addAllocator):
875         * heap/WeakSet.h:
876         (JSC::WeakSet::container):
877         (JSC::WeakSet::setContainer):
878         (JSC::WeakSet::WeakSet):
879         (JSC::WeakSet::visit):
880         (JSC::WeakSet::shrink): Deleted.
881         * heap/WeakSetInlines.h:
882         (JSC::WeakSet::allocate):
883         * inspector/InjectedScriptManager.cpp:
884         * inspector/JSGlobalObjectInspectorController.cpp:
885         * inspector/JSJavaScriptCallFrame.cpp:
886         * inspector/ScriptDebugServer.cpp:
887         * inspector/agents/InspectorDebuggerAgent.cpp:
888         * interpreter/CachedCall.h:
889         (JSC::CachedCall::CachedCall):
890         * interpreter/Interpreter.cpp:
891         (JSC::loadVarargs):
892         (JSC::StackFrame::sourceID): Deleted.
893         (JSC::StackFrame::sourceURL): Deleted.
894         (JSC::StackFrame::functionName): Deleted.
895         (JSC::StackFrame::computeLineAndColumn): Deleted.
896         (JSC::StackFrame::toString): Deleted.
897         * interpreter/Interpreter.h:
898         (JSC::StackFrame::isNative): Deleted.
899         * jit/AssemblyHelpers.h:
900         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
901         (JSC::AssemblyHelpers::emitAllocate):
902         (JSC::AssemblyHelpers::emitAllocateJSCell):
903         (JSC::AssemblyHelpers::emitAllocateJSObject):
904         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
905         (JSC::AssemblyHelpers::emitAllocateVariableSized):
906         * jit/GCAwareJITStubRoutine.cpp:
907         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
908         * jit/JIT.cpp:
909         (JSC::JIT::compileCTINativeCall):
910         (JSC::JIT::link):
911         * jit/JIT.h:
912         (JSC::JIT::compileCTINativeCall): Deleted.
913         * jit/JITExceptions.cpp:
914         (JSC::genericUnwind):
915         * jit/JITExceptions.h:
916         * jit/JITOpcodes.cpp:
917         (JSC::JIT::emit_op_new_object):
918         (JSC::JIT::emitSlow_op_new_object):
919         (JSC::JIT::emit_op_create_this):
920         (JSC::JIT::emitSlow_op_create_this):
921         * jit/JITOpcodes32_64.cpp:
922         (JSC::JIT::emit_op_new_object):
923         (JSC::JIT::emitSlow_op_new_object):
924         (JSC::JIT::emit_op_create_this):
925         (JSC::JIT::emitSlow_op_create_this):
926         * jit/JITOperations.cpp:
927         * jit/JITOperations.h:
928         * jit/JITPropertyAccess.cpp:
929         (JSC::JIT::emitWriteBarrier):
930         * jit/JITThunks.cpp:
931         * jit/JITThunks.h:
932         * jsc.cpp:
933         (functionDescribeArray):
934         (main):
935         * llint/LLIntData.cpp:
936         (JSC::LLInt::Data::performAssertions):
937         * llint/LLIntExceptions.cpp:
938         * llint/LLIntThunks.cpp:
939         * llint/LLIntThunks.h:
940         * llint/LowLevelInterpreter.asm:
941         * llint/LowLevelInterpreter.cpp:
942         * llint/LowLevelInterpreter32_64.asm:
943         * llint/LowLevelInterpreter64.asm:
944         * parser/ModuleAnalyzer.cpp:
945         * parser/NodeConstructors.h:
946         * parser/Nodes.h:
947         * profiler/ProfilerBytecode.cpp:
948         * profiler/ProfilerBytecode.h:
949         * profiler/ProfilerBytecodeSequence.cpp:
950         * runtime/ArrayConventions.h:
951         (JSC::indexingHeaderForArrayStorage):
952         (JSC::baseIndexingHeaderForArrayStorage):
953         (JSC::indexingHeaderForArray): Deleted.
954         (JSC::baseIndexingHeaderForArray): Deleted.
955         * runtime/ArrayPrototype.cpp:
956         (JSC::arrayProtoFuncSplice):
957         (JSC::concatAppendOne):
958         (JSC::arrayProtoPrivateFuncConcatMemcpy):
959         * runtime/ArrayStorage.h:
960         (JSC::ArrayStorage::vectorLength):
961         (JSC::ArrayStorage::totalSizeFor):
962         (JSC::ArrayStorage::totalSize):
963         (JSC::ArrayStorage::availableVectorLength):
964         (JSC::ArrayStorage::optimalVectorLength):
965         (JSC::ArrayStorage::sizeFor): Deleted.
966         * runtime/AuxiliaryBarrier.h: Added.
967         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
968         (JSC::AuxiliaryBarrier::clear):
969         (JSC::AuxiliaryBarrier::get):
970         (JSC::AuxiliaryBarrier::slot):
971         (JSC::AuxiliaryBarrier::operator bool):
972         (JSC::AuxiliaryBarrier::setWithoutBarrier):
973         * runtime/AuxiliaryBarrierInlines.h: Added.
974         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
975         (JSC::AuxiliaryBarrier<T>::set):
976         * runtime/Butterfly.h:
977         * runtime/ButterflyInlines.h:
978         (JSC::Butterfly::availableContiguousVectorLength):
979         (JSC::Butterfly::optimalContiguousVectorLength):
980         (JSC::Butterfly::createUninitialized):
981         (JSC::Butterfly::growArrayRight):
982         * runtime/ClonedArguments.cpp:
983         (JSC::ClonedArguments::createEmpty):
984         * runtime/CommonSlowPathsExceptions.cpp:
985         * runtime/CommonSlowPathsExceptions.h:
986         * runtime/DataView.cpp:
987         * runtime/DirectArguments.h:
988         * runtime/ECMAScriptSpecInternalFunctions.cpp:
989         * runtime/Error.cpp:
990         * runtime/Error.h:
991         * runtime/ErrorInstance.cpp:
992         * runtime/ErrorInstance.h:
993         * runtime/Exception.cpp:
994         * runtime/Exception.h:
995         * runtime/GeneratorFrame.cpp:
996         * runtime/GeneratorPrototype.cpp:
997         * runtime/InternalFunction.cpp:
998         (JSC::InternalFunction::InternalFunction):
999         * runtime/IntlCollator.cpp:
1000         * runtime/IntlCollatorConstructor.cpp:
1001         * runtime/IntlCollatorPrototype.cpp:
1002         * runtime/IntlDateTimeFormat.cpp:
1003         * runtime/IntlDateTimeFormatConstructor.cpp:
1004         * runtime/IntlDateTimeFormatPrototype.cpp:
1005         * runtime/IntlNumberFormat.cpp:
1006         * runtime/IntlNumberFormatConstructor.cpp:
1007         * runtime/IntlNumberFormatPrototype.cpp:
1008         * runtime/IntlObject.cpp:
1009         * runtime/IteratorPrototype.cpp:
1010         * runtime/JSArray.cpp:
1011         (JSC::JSArray::tryCreateUninitialized):
1012         (JSC::JSArray::setLengthWritable):
1013         (JSC::JSArray::unshiftCountSlowCase):
1014         (JSC::JSArray::setLengthWithArrayStorage):
1015         (JSC::JSArray::appendMemcpy):
1016         (JSC::JSArray::setLength):
1017         (JSC::JSArray::pop):
1018         (JSC::JSArray::push):
1019         (JSC::JSArray::fastSlice):
1020         (JSC::JSArray::shiftCountWithArrayStorage):
1021         (JSC::JSArray::shiftCountWithAnyIndexingType):
1022         (JSC::JSArray::unshiftCountWithArrayStorage):
1023         (JSC::JSArray::fillArgList):
1024         (JSC::JSArray::copyToArguments):
1025         * runtime/JSArray.h:
1026         (JSC::createContiguousArrayButterfly):
1027         (JSC::createArrayButterfly):
1028         (JSC::JSArray::create):
1029         (JSC::JSArray::tryCreateUninitialized): Deleted.
1030         * runtime/JSArrayBufferView.h:
1031         * runtime/JSCInlines.h:
1032         * runtime/JSCJSValue.cpp:
1033         (JSC::JSValue::dumpInContextAssumingStructure):
1034         * runtime/JSCallee.cpp:
1035         (JSC::JSCallee::JSCallee):
1036         * runtime/JSCell.cpp:
1037         (JSC::JSCell::estimatedSize):
1038         * runtime/JSCell.h:
1039         (JSC::JSCell::cellStateOffset): Deleted.
1040         * runtime/JSCellInlines.h:
1041         (JSC::ExecState::vm):
1042         (JSC::JSCell::classInfo):
1043         (JSC::JSCell::callDestructor):
1044         (JSC::JSCell::vm): Deleted.
1045         * runtime/JSFunction.cpp:
1046         (JSC::JSFunction::create):
1047         (JSC::JSFunction::allocateAndInitializeRareData):
1048         (JSC::JSFunction::initializeRareData):
1049         (JSC::JSFunction::getOwnPropertySlot):
1050         (JSC::JSFunction::put):
1051         (JSC::JSFunction::deleteProperty):
1052         (JSC::JSFunction::defineOwnProperty):
1053         (JSC::JSFunction::setFunctionName):
1054         (JSC::JSFunction::reifyLength):
1055         (JSC::JSFunction::reifyName):
1056         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1057         (JSC::JSFunction::reifyBoundNameIfNeeded):
1058         * runtime/JSFunction.h:
1059         * runtime/JSFunctionInlines.h:
1060         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1061         (JSC::JSFunction::JSFunction):
1062         * runtime/JSGenericTypedArrayViewInlines.h:
1063         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1064         * runtime/JSInternalPromise.cpp:
1065         * runtime/JSInternalPromiseConstructor.cpp:
1066         * runtime/JSInternalPromiseDeferred.cpp:
1067         * runtime/JSInternalPromisePrototype.cpp:
1068         * runtime/JSJob.cpp:
1069         * runtime/JSMapIterator.cpp:
1070         * runtime/JSModuleNamespaceObject.cpp:
1071         * runtime/JSModuleRecord.cpp:
1072         * runtime/JSObject.cpp:
1073         (JSC::JSObject::visitButterfly):
1074         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1075         (JSC::JSObject::createInitialIndexedStorage):
1076         (JSC::JSObject::createInitialUndecided):
1077         (JSC::JSObject::createInitialInt32):
1078         (JSC::JSObject::createInitialDouble):
1079         (JSC::JSObject::createInitialContiguous):
1080         (JSC::JSObject::createArrayStorage):
1081         (JSC::JSObject::createInitialArrayStorage):
1082         (JSC::JSObject::convertUndecidedToInt32):
1083         (JSC::JSObject::convertUndecidedToContiguous):
1084         (JSC::JSObject::convertUndecidedToArrayStorage):
1085         (JSC::JSObject::convertInt32ToDouble):
1086         (JSC::JSObject::convertInt32ToArrayStorage):
1087         (JSC::JSObject::convertDoubleToArrayStorage):
1088         (JSC::JSObject::convertContiguousToArrayStorage):
1089         (JSC::JSObject::putByIndexBeyondVectorLength):
1090         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1091         (JSC::JSObject::getNewVectorLength):
1092         (JSC::JSObject::increaseVectorLength):
1093         (JSC::JSObject::ensureLengthSlow):
1094         (JSC::JSObject::growOutOfLineStorage):
1095         (JSC::JSObject::copyButterfly): Deleted.
1096         (JSC::JSObject::copyBackingStore): Deleted.
1097         * runtime/JSObject.h:
1098         (JSC::JSObject::globalObject):
1099         (JSC::JSObject::putDirectInternal):
1100         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
1101         * runtime/JSObjectInlines.h:
1102         * runtime/JSPromise.cpp:
1103         * runtime/JSPromiseConstructor.cpp:
1104         * runtime/JSPromiseDeferred.cpp:
1105         * runtime/JSPromisePrototype.cpp:
1106         * runtime/JSPropertyNameIterator.cpp:
1107         * runtime/JSScope.cpp:
1108         (JSC::JSScope::resolve):
1109         * runtime/JSScope.h:
1110         (JSC::JSScope::globalObject):
1111         (JSC::JSScope::vm): Deleted.
1112         * runtime/JSSetIterator.cpp:
1113         * runtime/JSStringIterator.cpp:
1114         * runtime/JSTemplateRegistryKey.cpp:
1115         * runtime/JSTypedArrayViewConstructor.cpp:
1116         * runtime/JSTypedArrayViewPrototype.cpp:
1117         * runtime/JSWeakMap.cpp:
1118         * runtime/JSWeakSet.cpp:
1119         * runtime/MapConstructor.cpp:
1120         * runtime/MapIteratorPrototype.cpp:
1121         * runtime/MapPrototype.cpp:
1122         * runtime/NativeErrorConstructor.cpp:
1123         * runtime/NativeStdFunctionCell.cpp:
1124         * runtime/Operations.h:
1125         (JSC::scribbleFreeCells):
1126         (JSC::scribble):
1127         * runtime/Options.h:
1128         * runtime/PropertyTable.cpp:
1129         * runtime/ProxyConstructor.cpp:
1130         * runtime/ProxyObject.cpp:
1131         * runtime/ProxyRevoke.cpp:
1132         * runtime/RegExp.cpp:
1133         (JSC::RegExp::match):
1134         (JSC::RegExp::matchConcurrently):
1135         (JSC::RegExp::matchCompareWithInterpreter):
1136         * runtime/RegExp.h:
1137         * runtime/RegExpConstructor.h:
1138         * runtime/RegExpInlines.h:
1139         (JSC::RegExp::matchInline):
1140         * runtime/RegExpMatchesArray.h:
1141         (JSC::tryCreateUninitializedRegExpMatchesArray):
1142         (JSC::createRegExpMatchesArray):
1143         * runtime/RegExpPrototype.cpp:
1144         (JSC::genericSplit):
1145         * runtime/RuntimeType.cpp:
1146         * runtime/SamplingProfiler.cpp:
1147         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1148         * runtime/SetConstructor.cpp:
1149         * runtime/SetIteratorPrototype.cpp:
1150         * runtime/SetPrototype.cpp:
1151         * runtime/StackFrame.cpp: Added.
1152         (JSC::StackFrame::sourceID):
1153         (JSC::StackFrame::sourceURL):
1154         (JSC::StackFrame::functionName):
1155         (JSC::StackFrame::computeLineAndColumn):
1156         (JSC::StackFrame::toString):
1157         * runtime/StackFrame.h: Added.
1158         (JSC::StackFrame::isNative):
1159         * runtime/StringConstructor.cpp:
1160         * runtime/StringIteratorPrototype.cpp:
1161         * runtime/StructureInlines.h:
1162         (JSC::Structure::propertyTable):
1163         * runtime/TemplateRegistry.cpp:
1164         * runtime/TestRunnerUtils.cpp:
1165         (JSC::finalizeStatsAtEndOfTesting):
1166         * runtime/TestRunnerUtils.h:
1167         * runtime/TypeProfilerLog.cpp:
1168         * runtime/TypeSet.cpp:
1169         * runtime/VM.cpp:
1170         (JSC::VM::VM):
1171         (JSC::VM::ensureStackCapacityForCLoop):
1172         (JSC::VM::isSafeToRecurseSoftCLoop):
1173         * runtime/VM.h:
1174         * runtime/VMEntryScope.h:
1175         * runtime/VMInlines.h:
1176         (JSC::VM::ensureStackCapacityFor):
1177         (JSC::VM::isSafeToRecurseSoft):
1178         * runtime/WeakMapConstructor.cpp:
1179         * runtime/WeakMapData.cpp:
1180         * runtime/WeakMapPrototype.cpp:
1181         * runtime/WeakSetConstructor.cpp:
1182         * runtime/WeakSetPrototype.cpp:
1183         * testRegExp.cpp:
1184         (testOneRegExp):
1185         * tools/JSDollarVM.cpp:
1186         * tools/JSDollarVMPrototype.cpp:
1187         (JSC::JSDollarVMPrototype::isInObjectSpace):
1188
1189 2016-09-04  Commit Queue  <commit-queue@webkit.org>
1190
1191         Unreviewed, rolling out r205415.
1192         https://bugs.webkit.org/show_bug.cgi?id=161573
1193
1194         Many bots see inspector test failures, rolling out now and
1195         investigating later. (Requested by brrian on #webkit).
1196
1197         Reverted changeset:
1198
1199         "Web Inspector: unify Main.html and Test.html sources and
1200         generate different copies with the preprocessor"
1201         https://bugs.webkit.org/show_bug.cgi?id=161212
1202         http://trac.webkit.org/changeset/205415
1203
1204 2016-09-01  Brian Burg  <bburg@apple.com>
1205
1206         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
1207         https://bugs.webkit.org/show_bug.cgi?id=161212
1208         <rdar://problem/28017961>
1209
1210         Reviewed by Joseph Pecoraro.
1211
1212         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
1213
1214 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1215
1216         Use ASCIILiteral in some more places
1217         https://bugs.webkit.org/show_bug.cgi?id=161557
1218
1219         Reviewed by Darin Adler.
1220
1221         * runtime/TypeSet.h:
1222         (JSC::StructureShape::setConstructorName):
1223
1224 2016-09-01  Michael Saboff  <msaboff@apple.com>
1225
1226         Import Chakra tests to JSC
1227         https://bugs.webkit.org/show_bug.cgi?id=154697
1228
1229         Reviewed by Saam Barati.
1230
1231         Added --dumpException option to jsc command line utility to dump uncaught exception
1232         text even for the last exception that matches --exception.  This is used to
1233         check the exception text for a text that is expected to end on an exception.
1234         Chakra has several tests of this form and does the same thing when such a test
1235         ends with an exception.  Tests that rely on this behavior have had their expected
1236         output updated for JSC specific text.
1237
1238         * jsc.cpp:
1239
1240 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
1241
1242         [JSC] Remove some more useless cases from FTL Capabilities
1243         https://bugs.webkit.org/show_bug.cgi?id=161466
1244
1245         Reviewed by Geoffrey Garen.
1246
1247         Some cases do not make sense:
1248         -In: Fixup only generate CellUse.
1249         -PutByIdXXX: same.
1250         -GetIndexedPropertyStorage: those cases are the only ones supported
1251          by DFG. We would have crashed in SpeculativeJIT if other modes
1252          were generated.
1253
1254         * ftl/FTLCapabilities.cpp:
1255         (JSC::FTL::canCompile):
1256         * ftl/FTLLowerDFGToB3.cpp:
1257         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1258         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1259         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1260
1261 2016-09-02  Chris Dumez  <cdumez@apple.com>
1262
1263         Unreviewed, roll out r205354 because it caused JSC test failures
1264
1265         * jsc.cpp:
1266         * runtime/JSGlobalObject.cpp:
1267         * runtime/JSGlobalObject.h:
1268         (JSC::JSGlobalObject::allowsAccessFrom):
1269         (JSC::JSGlobalObject::setDebugger): Deleted.
1270         * runtime/JSGlobalObjectFunctions.cpp:
1271         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1272         (JSC::GlobalFuncProtoGetterFunctor::result):
1273         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1274         (JSC::globalFuncProtoGetter):
1275         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
1276         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1277         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1278         (JSC::checkProtoSetterAccessAllowed):
1279         (JSC::globalFuncProtoSetter):
1280         * runtime/JSGlobalObjectFunctions.h:
1281         * runtime/JSObject.cpp:
1282         (JSC::JSObject::setPrototypeWithCycleCheck):
1283         (JSC::JSObject::allowsAccessFrom):
1284         * runtime/JSObject.h:
1285         * runtime/JSProxy.cpp:
1286         * runtime/JSProxy.h:
1287         * runtime/ObjectConstructor.cpp:
1288         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1289         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1290         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1291         (JSC::objectConstructorGetPrototypeOf):
1292         (JSC::objectConstructorSetPrototypeOf):
1293         * runtime/ObjectConstructor.h:
1294         * runtime/ReflectObject.cpp:
1295         (JSC::reflectObjectGetPrototypeOf):
1296         (JSC::reflectObjectSetPrototypeOf):
1297
1298 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
1299
1300         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
1301         https://bugs.webkit.org/show_bug.cgi?id=160802
1302
1303         Reviewed by Saam Barati.
1304
1305         This patch is fixing a broken mechanism of MathIC that avoids allocate
1306         a register to LHS or RHS if one of these operands are proven as valid
1307         constant for JIT*Generator. In previous implementation, even if the
1308         JIT*Generator was not using an operand register because it was proven as a
1309         constant, compileMathIC and emitICFast were allocating a register for
1310         it. This was broken because mathIC->isLeftOperandValidConstant and
1311         mathIC->isLeftOperandValidConstant were being called before its Generator be
1312         properly initialized. We changed this mechanism to enable Generators write
1313         their validConstant rules using static methods isLeftOperandValidConstant(SnippetOperand)
1314         and isRightOperandValidConstant(SnippetOperand).
1315
1316         * dfg/DFGSpeculativeJIT.cpp:
1317         (JSC::DFG::SpeculativeJIT::compileMathIC):
1318         * jit/JITAddGenerator.h:
1319         (JSC::JITAddGenerator::JITAddGenerator):
1320         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1321         (JSC::JITAddGenerator::isRightOperandValidConstant):
1322         * jit/JITArithmetic.cpp:
1323         (JSC::JIT::emitMathICFast):
1324         * jit/JITMathIC.h:
1325         * jit/JITMulGenerator.h:
1326         (JSC::JITMulGenerator::JITMulGenerator):
1327         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1328         (JSC::JITMulGenerator::isRightOperandValidConstant):
1329         * jit/JITSubGenerator.h:
1330         (JSC::JITSubGenerator::isLeftOperandValidConstant):
1331         (JSC::JITSubGenerator::isRightOperandValidConstant):
1332
1333 2016-09-02  JF Bastien  <jfbastien@apple.com>
1334
1335         GetByValWithThis: fix opInfo in DFG creation
1336         https://bugs.webkit.org/show_bug.cgi?id=161541
1337
1338         Reviewed by Saam Barati.
1339
1340         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
1341
1342         * dfg/DFGByteCodeParser.cpp:
1343         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
1344
1345 2016-09-02  Chris Dumez  <cdumez@apple.com>
1346
1347         Object.preventExtensions() should throw cross-origin
1348         https://bugs.webkit.org/show_bug.cgi?id=161486
1349
1350         Reviewed by Geoffrey Garen.
1351
1352         Update JSProxy to forward preventExtensions() calls to its target.
1353
1354         * runtime/JSProxy.cpp:
1355         (JSC::JSProxy::preventExtensions):
1356         * runtime/JSProxy.h:
1357
1358 2016-09-02  Chris Dumez  <cdumez@apple.com>
1359
1360         Align proto getter / setter behavior with other browsers
1361         https://bugs.webkit.org/show_bug.cgi?id=161455
1362
1363         Reviewed by Mark Lam.
1364
1365         Drop allowsAccessFrom from the methodTable and delegate cross-origin
1366         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
1367         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
1368
1369         * jsc.cpp:
1370         * runtime/JSGlobalObject.cpp:
1371         * runtime/JSGlobalObject.h:
1372         * runtime/JSGlobalObjectFunctions.cpp:
1373         (JSC::globalFuncProtoGetter):
1374         (JSC::globalFuncProtoSetter):
1375         (JSC::globalFuncBuiltinLog): Deleted.
1376         * runtime/JSGlobalObjectFunctions.h:
1377         * runtime/JSObject.h:
1378         (JSC::JSObject::getArrayLength): Deleted.
1379         * runtime/JSProxy.cpp:
1380         (JSC::JSProxy::setPrototype):
1381         (JSC::JSProxy::getPrototype):
1382         * runtime/JSProxy.h:
1383         * runtime/ObjectConstructor.cpp:
1384         (JSC::objectConstructorGetPrototypeOf):
1385         (JSC::objectConstructorSetPrototypeOf):
1386         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
1387         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
1388         * runtime/ObjectConstructor.h:
1389         * runtime/ReflectObject.cpp:
1390         (JSC::reflectObjectGetPrototypeOf):
1391         (JSC::reflectObjectSetPrototypeOf):
1392
1393         * runtime/JSObject.cpp:
1394         (JSC::JSObject::setPrototypeWithCycleCheck):
1395         Comment out check added in r197648. This check was added to match
1396         the latest EcmaScript spec:
1397         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
1398         This check allowed for [[Prototype]] chain cycles if the prototype
1399         chain includes objects that do not use the ordinary object definitions
1400         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
1401         The issue is that the rest of our code base does not properly handle
1402         such cycles and we can end up in infinite loops. This became obvious
1403         because this patch updates Window / Location so that they no longer
1404         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
1405         comment out this check, I get an infinite loop in
1406         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
1407         called from JSObject::setPrototypeDirect(), when running the following
1408         layout test:
1409         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
1410         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
1411         issue.
1412
1413 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1414
1415         Add toJS for JSC::PrivateName
1416         https://bugs.webkit.org/show_bug.cgi?id=161522
1417
1418         Reviewed by Ryosuke Niwa.
1419
1420         Add the export annotation.
1421         And we perform refactoring RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
1422         since PrivateName never holds null SymbolImpl pointer. And along with this change,
1423         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
1424
1425         * runtime/Completion.cpp:
1426         (JSC::createSymbolForEntryPointModule):
1427         * runtime/IdentifierInlines.h:
1428         (JSC::Identifier::fromUid):
1429         * runtime/JSFunction.cpp:
1430         (JSC::JSFunction::setFunctionName):
1431         * runtime/PrivateName.h:
1432         (JSC::PrivateName::PrivateName):
1433         (JSC::PrivateName::uid): Ugly const_cast. But const annotation is meaningless for SymbolImpl.
1434         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
1435         But most of the users (One of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
1436         (JSC::PrivateName::operator==):
1437         (JSC::PrivateName::operator!=):
1438         * runtime/PropertyName.h:
1439         (JSC::PropertyName::PropertyName):
1440         * runtime/Symbol.cpp:
1441         (JSC::Symbol::finishCreation):
1442         * runtime/Symbol.h:
1443         * runtime/SymbolConstructor.cpp:
1444         (JSC::symbolConstructorKeyFor):
1445
1446 2016-09-01  Dan Bernstein  <mitz@apple.com>
1447
1448         Build fix.
1449
1450         * Configurations/FeatureDefines.xcconfig:
1451
1452 2016-09-01  JF Bastien  <jfbastien@apple.com>
1453
1454         jsc: fix cmake build missing symbol getPropertySlot
1455         https://bugs.webkit.org/show_bug.cgi?id=161521
1456
1457         Reviewed by Saam Barati.
1458
1459         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
1460         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
1461
1462 2016-09-01  JF Bastien  <jfbastien@apple.com>
1463
1464         jsc: provide printErr()
1465         https://bugs.webkit.org/show_bug.cgi?id=161513
1466
1467         Reviewed by Mark Lam.
1468
1469         * jsc.cpp:
1470         (GlobalObject::finishCreation):
1471         (printInternal): renamed from functionPrint, add error checking
1472         (functionPrintStdOut): punt to printInternal
1473         (functionPrintStdErr): punt to printInternal
1474         (functionPrint): Deleted.
1475
1476 2016-09-01  Mark Lam  <mark.lam@apple.com>
1477
1478         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
1479         https://bugs.webkit.org/show_bug.cgi?id=161499
1480
1481         Reviewed by Saam Barati.
1482
1483         This is just a refactoring patch to move some inline functions to their Inlines.h
1484         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
1485         later.
1486
1487         * bindings/ScriptValue.cpp:
1488         * interpreter/Interpreter.cpp:
1489         * runtime/IntlDateTimeFormatPrototype.cpp:
1490         * runtime/IntlNumberFormatPrototype.cpp:
1491         * runtime/JSArray.cpp:
1492         * runtime/JSArray.h:
1493         (JSC::getLength): Deleted.
1494         (JSC::toLength): Deleted.
1495         * runtime/JSArrayInlines.h:
1496         (JSC::JSArray::mergeIndexingTypeForCopying):
1497         (JSC::JSArray::canFastCopy):
1498         (JSC::getLength):
1499         (JSC::toLength):
1500         * runtime/JSInternalPromise.cpp:
1501         * runtime/JSInternalPromiseDeferred.cpp:
1502         * runtime/JSJob.cpp:
1503         * runtime/JSModuleRecord.cpp:
1504         * runtime/JSObject.h:
1505         (JSC::JSObject::getPropertySlot): Deleted.
1506         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
1507         * runtime/JSObjectInlines.h:
1508         (JSC::JSObject::getPropertySlot):
1509         (JSC::JSObject::getNonIndexPropertySlot):
1510         * runtime/JSPromiseDeferred.cpp:
1511         * runtime/JSTypedArrayViewPrototype.cpp:
1512         * runtime/MapConstructor.cpp:
1513         * runtime/SamplingProfiler.cpp:
1514         * runtime/SetConstructor.cpp:
1515         * runtime/WeakMapConstructor.cpp:
1516         * runtime/WeakSetConstructor.cpp:
1517
1518 2016-09-01  JF Bastien  <jfbastien@apple.com>
1519
1520         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
1521         https://bugs.webkit.org/show_bug.cgi?id=160922
1522
1523         Reviewed by Keith Miller.
1524
1525         Add value profiling to GetBy{Id,Val}WithThis.
1526
1527         * bytecode/BytecodeList.json:
1528         * bytecode/CodeBlock.cpp:
1529         (JSC::CodeBlock::dumpBytecode):
1530         (JSC::CodeBlock::finishCreation):
1531         * bytecompiler/BytecodeGenerator.cpp:
1532         (JSC::BytecodeGenerator::emitGetById):
1533         (JSC::BytecodeGenerator::emitGetByVal):
1534         * dfg/DFGByteCodeParser.cpp:
1535         (JSC::DFG::ByteCodeParser::parseBlock):
1536         * dfg/DFGNode.h:
1537         (JSC::DFG::Node::hasHeapPrediction):
1538         * dfg/DFGPredictionPropagationPhase.cpp:
1539         * llint/LowLevelInterpreter.asm:
1540         * runtime/CommonSlowPaths.cpp:
1541         (JSC::SLOW_PATH_DECL):
1542
1543 2016-09-01  Keith Miller  <keith_miller@apple.com>
1544
1545         WASM functions should be able to use arguments
1546         https://bugs.webkit.org/show_bug.cgi?id=161471
1547
1548         Reviewed by Benjamin Poulain.
1549
1550         This patch does a couple of changes:
1551
1552         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additonally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
1553
1554         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0. Since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
1555
1556         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
1557
1558         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
1559         (JSC::B3::jscCallingConvention):
1560         * B3CallingConventions.h: Added.
1561         (JSC::B3::CallingConvention::CallingConvention):
1562         (JSC::B3::CallingConvention::iterate):
1563         (JSC::B3::nextJSCOffset):
1564         * JavaScriptCore.xcodeproj/project.pbxproj:
1565         * interpreter/ProtoCallFrame.h:
1566         * llint/LLIntThunks.cpp:
1567         (JSC::vmEntryToWASM):
1568         * llint/LLIntThunks.h:
1569         * testWASM.cpp:
1570         (invoke):
1571         (box):
1572         (runWASMTests):
1573         * wasm/WASMB3IRGenerator.cpp:
1574         (JSC::WASM::B3IRGenerator::addLocal):
1575         (JSC::WASM::B3IRGenerator::addArguments):
1576         (JSC::WASM::B3IRGenerator::getLocal):
1577         * wasm/WASMFormat.h:
1578         * wasm/WASMFunctionParser.h:
1579         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1580         (JSC::WASM::FunctionParser<Context>::parseExpression):
1581         * wasm/WASMModuleParser.cpp:
1582         (JSC::WASM::ModuleParser::parseFunctionTypes):
1583         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1584         * wasm/WASMModuleParser.h:
1585         * wasm/WASMOps.h:
1586
1587 2016-09-01  Keith Miller  <keith_miller@apple.com>
1588
1589         Rename WASM classes dropping the WASM prefix
1590         https://bugs.webkit.org/show_bug.cgi?id=161500
1591
1592         Reviewed by Mark Lam.
1593
1594         Having to write WASM::WASMModule seems silly. Also, this patch
1595         merges WASMFunctionReturnType and WASMValueType into one type
1596         that is a typedef of B3::Type. Using B3::Type as the WASM
1597         primitive type makes it trivial to convert a Vector of WASM
1598         types into a Vector of B3 types.
1599
1600         * b3/B3Type.h:
1601         * wasm/JSWASMModule.h:
1602         (JSC::JSWASMModule::signatures):
1603         (JSC::JSWASMModule::functionImports):
1604         (JSC::JSWASMModule::functionImportSignatures):
1605         (JSC::JSWASMModule::globalVariableTypes):
1606         (JSC::JSWASMModule::functionDeclarations):
1607         (JSC::JSWASMModule::functionPointerTables):
1608         * wasm/WASMB3IRGenerator.cpp:
1609         (JSC::WASM::toB3Op):
1610         (JSC::WASM::B3IRGenerator::addLocal):
1611         (JSC::WASM::B3IRGenerator::unaryOp):
1612         (JSC::WASM::B3IRGenerator::binaryOp):
1613         (JSC::WASM::B3IRGenerator::addConstant):
1614         (JSC::WASM::parseAndCompile):
1615         * wasm/WASMB3IRGenerator.h:
1616         * wasm/WASMFormat.h:
1617         * wasm/WASMFunctionParser.h:
1618         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1619         (JSC::WASM::FunctionParser<Context>::parse):
1620         (JSC::WASM::FunctionParser<Context>::parseBlock):
1621         (JSC::WASM::FunctionParser<Context>::parseExpression):
1622         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
1623         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
1624         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
1625         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
1626         * wasm/WASMModuleParser.cpp:
1627         (JSC::WASM::ModuleParser::parse):
1628         (JSC::WASM::ModuleParser::parseFunctionTypes):
1629         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1630         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
1631         (JSC::WASM::WASMModuleParser::parse): Deleted.
1632         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
1633         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
1634         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
1635         * wasm/WASMModuleParser.h:
1636         (JSC::WASM::ModuleParser::ModuleParser):
1637         (JSC::WASM::ModuleParser::functionInformation):
1638         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
1639         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
1640         * wasm/WASMOps.h:
1641         * wasm/WASMParser.h:
1642         (JSC::WASM::Parser::Parser):
1643         (JSC::WASM::Parser::consumeCharacter):
1644         (JSC::WASM::Parser::consumeString):
1645         (JSC::WASM::Parser::parseUInt32):
1646         (JSC::WASM::Parser::parseUInt7):
1647         (JSC::WASM::Parser::parseVarUInt1):
1648         (JSC::WASM::Parser::parseValueType):
1649         (JSC::WASM::WASMParser::WASMParser): Deleted.
1650         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
1651         (JSC::WASM::WASMParser::consumeString): Deleted.
1652         (JSC::WASM::WASMParser::parseUInt32): Deleted.
1653         (JSC::WASM::WASMParser::parseUInt7): Deleted.
1654         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
1655         (JSC::WASM::WASMParser::parseValueType): Deleted.
1656         * wasm/WASMPlan.cpp:
1657         (JSC::WASM::Plan::Plan):
1658         * wasm/WASMSections.cpp:
1659         (JSC::WASM::Sections::lookup):
1660         (JSC::WASM::WASMSections::lookup): Deleted.
1661         * wasm/WASMSections.h:
1662         (JSC::WASM::Sections::validateOrder):
1663         (JSC::WASM::WASMSections::validateOrder): Deleted.
1664
1665 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
1666
1667         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
1668         https://bugs.webkit.org/show_bug.cgi?id=161492
1669
1670         Reviewed by Mark Lam.
1671         
1672         If you materialize a sunken object that is referenced from another sunken object, then you
1673         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
1674         object rather than to the old sunken one.
1675         
1676         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
1677         did it when the PromotedLocationDescriptor for the field used for referring to the other
1678         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
1679         I can sort of imagine why we thought that would be right - neededForMaterialization() means
1680         it's a special meta-data field initialized on construction. But just because it's immutable
1681         and special doesn't mean that materialization can't change its physical representation.
1682         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
1683         regress anything.
1684
1685         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1686
1687 2016-09-01  Chris Dumez  <cdumez@apple.com>
1688
1689         Unreviewed, rolling out r205297.
1690
1691         Caused some JSC test failures
1692
1693         Reverted changeset:
1694
1695         "Align cross-origin proto getter / setter behavior with the
1696         specification"
1697         https://bugs.webkit.org/show_bug.cgi?id=161455
1698         http://trac.webkit.org/changeset/205297
1699
1700 2016-09-01  Chris Dumez  <cdumez@apple.com>
1701
1702         Align cross-origin proto getter / setter behavior with the specification
1703         https://bugs.webkit.org/show_bug.cgi?id=161455
1704
1705         Reviewed by Mark Lam.
1706
1707         Align cross-origin proto getter / setter behavior with the specification:
1708
1709         The setter should throw a TypeError:
1710         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
1711         - https://html.spec.whatwg.org/#location-setprototypeof
1712         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
1713
1714         The getter should return null:
1715         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
1716         - https://html.spec.whatwg.org/#location-getprototypeof
1717
1718         I have verified that this aligns our behavior with Firefox and Chrome.
1719
1720         * runtime/JSGlobalObjectFunctions.cpp:
1721         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1722         (JSC::globalFuncProtoSetter):
1723
1724 2016-09-01  Csaba Osztrogon√°c  <ossy@webkit.org>
1725
1726         Unreviewed ARM buildfix after r205283.
1727
1728         * assembler/ARMAssembler.h:
1729         (JSC::ARMAssembler::patchableJumpSize):
1730         * assembler/MacroAssemblerARM.h:
1731         (JSC::MacroAssemblerARM::patchableJumpSize):
1732
1733 2016-09-01  Saam Barati  <sbarati@apple.com>
1734
1735         JITMathIC was misusing maxJumpReplacementSize
1736         https://bugs.webkit.org/show_bug.cgi?id=161356
1737         <rdar://problem/28065560>
1738
1739         Reviewed by Benjamin Poulain.
1740
1741         JITMathIC was assuming that maxJumpReplacementSize is the size
1742         you'd get if you emitted a patchableJump() using the macro assembler.
1743         This is not true, however. It happens to be true on arm64, x86 and x86-64,
1744         however, it is not true on armv7. This patch introduces an alternative to
1745         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
1746         to use that number instead.
1747
1748         * assembler/ARM64Assembler.h:
1749         (JSC::ARM64Assembler::patchableJumpSize):
1750         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
1751         * assembler/ARMv7Assembler.h:
1752         (JSC::ARMv7Assembler::patchableJumpSize):
1753         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
1754         * assembler/MacroAssemblerARM64.h:
1755         (JSC::MacroAssemblerARM64::patchableJumpSize):
1756         * assembler/MacroAssemblerARMv7.h:
1757         (JSC::MacroAssemblerARMv7::patchableJumpSize):
1758         * assembler/MacroAssemblerX86Common.h:
1759         (JSC::MacroAssemblerX86Common::patchableJumpSize):
1760         * assembler/X86Assembler.h:
1761         (JSC::X86Assembler::patchableJumpSize):
1762         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
1763         * jit/JITMathIC.h:
1764         (JSC::JITMathIC::generateInline):
1765
1766 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1767
1768         [JSC] Add initiator parameter to module pipeline
1769         https://bugs.webkit.org/show_bug.cgi?id=161470
1770
1771         Reviewed by Saam Barati.
1772
1773         The fetching semantics of the <script type="module"> tag has per module-tag context.
1774         For example, "nonce", "crossorigin" etc. attributes are shared in the fetching requests
1775         issued from the module-tag. To transfer this information, we add a new parameter "initiator"
1776         to the module loader pipeline. We are planning to transfer information by this parameter.
1777
1778         At the same time, we also perform some clean up.
1779
1780         - Use arrow function in ModuleLoaderPrototype.js.
1781         - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.
1782
1783         * builtins/ModuleLoaderPrototype.js:
1784         (newRegistryEntry):
1785         (commitInstantiated):
1786         (requestFetch):
1787         (requestTranslate):
1788         (requestInstantiate):
1789         (requestSatisfy):
1790         (requestInstantiateAll):
1791         (requestLink):
1792         (moduleEvaluation):
1793         (provide):
1794         (loadAndEvaluateModule):
1795         (requestResolveDependencies.): Deleted.
1796         (requestResolveDependencies): Deleted.
1797         (requestReady): Deleted.
1798         (link): Deleted.
1799         (loadModule): Deleted.
1800         (linkAndEvaluateModule): Deleted.
1801         * bytecode/BytecodeIntrinsicRegistry.cpp:
1802         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1803         * bytecode/BytecodeIntrinsicRegistry.h:
1804         * jsc.cpp:
1805         (GlobalObject::moduleLoaderResolve):
1806         (GlobalObject::moduleLoaderFetch):
1807         * runtime/Completion.cpp:
1808         (JSC::loadAndEvaluateModule):
1809         (JSC::loadModule):
1810         (JSC::linkAndEvaluateModule):
1811         * runtime/Completion.h:
1812         * runtime/JSGlobalObject.h:
1813         * runtime/JSModuleLoader.cpp:
1814         (JSC::JSModuleLoader::loadAndEvaluateModule):
1815         (JSC::JSModuleLoader::loadModule):
1816         (JSC::JSModuleLoader::linkAndEvaluateModule):
1817         (JSC::JSModuleLoader::resolve):
1818         (JSC::JSModuleLoader::fetch):
1819         (JSC::JSModuleLoader::translate):
1820         (JSC::JSModuleLoader::instantiate):
1821         (JSC::JSModuleLoader::evaluate):
1822         * runtime/JSModuleLoader.h:
1823         * runtime/ModuleLoaderPrototype.cpp:
1824         (JSC::moduleLoaderPrototypeResolve):
1825         (JSC::moduleLoaderPrototypeFetch):
1826         (JSC::moduleLoaderPrototypeTranslate):
1827         (JSC::moduleLoaderPrototypeInstantiate):
1828         (JSC::moduleLoaderPrototypeEvaluate):
1829
1830 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1831
1832         [JSC] linking and evaluating the modules are done in a sync manner
1833         https://bugs.webkit.org/show_bug.cgi?id=161467
1834
1835         Reviewed by Saam Barati.
1836
1837         While the fetching and the other stages are done in an asynchronous manner,
1838         linking and evaluating are done in a sync manner.
1839         Just return the result value and do not wrap them with the internal promise.
1840
1841         * builtins/ModuleLoaderPrototype.js:
1842         (linkAndEvaluateModule):
1843         * runtime/Completion.cpp:
1844         (JSC::linkAndEvaluateModule):
1845         * runtime/Completion.h:
1846         * runtime/JSModuleLoader.cpp:
1847         (JSC::JSModuleLoader::linkAndEvaluateModule):
1848         * runtime/JSModuleLoader.h:
1849
1850 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
1853         https://bugs.webkit.org/show_bug.cgi?id=161436
1854
1855         Reviewed by Filip Pizlo.
1856
1857         * jsc.cpp:
1858         (GlobalObject::finishCreation):
1859         (functionGetRandomSeed):
1860         (functionSetRandomSeed):
1861         * runtime/JSGlobalObject.h:
1862         (JSC::JSGlobalObject::weakRandom):
1863         (JSC::JSGlobalObject::weakRandomInteger): Deleted.
1864
1865 2016-08-31  Chris Dumez  <cdumez@apple.com>
1866
1867         Object.getPrototypeOf() should return null cross-origin
1868         https://bugs.webkit.org/show_bug.cgi?id=161393
1869
1870         Reviewed by Geoffrey Garen.
1871
1872         Object.getPrototypeOf() should return null cross-origin:
1873         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
1874         - https://html.spec.whatwg.org/#location-getprototypeof
1875
1876         Firefox and Chrome return null. However, WebKit was returning undefined.
1877
1878         * runtime/ObjectConstructor.cpp:
1879         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1880
1881 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1882
1883         [JSC] AbstractValue can contain padding which is not zero-filled
1884         https://bugs.webkit.org/show_bug.cgi?id=161427
1885
1886         Reviewed by Saam Barati.
1887
1888         We checked that AbstractValue is zero-filled when initializing it to ensure
1889         that zero-filled memory can be used as the initialized AbstractValue.
1890         However, since the size of SpeculatedType becomes 64bit, AbstractValue can have
1891         padding now. And this padding is not ensured that it is initialized with zeros.
1892         So debug assertion fails when building with GCC.
1893
1894         This patch changes the strategy. Instead of checking the initialized
1895         AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
1896         considered to be equal to the initialized AbstractValue.
1897
1898         * dfg/DFGAbstractValue.cpp:
1899         (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
1900         * dfg/DFGAbstractValue.h:
1901         (JSC::DFG::AbstractValue::AbstractValue):
1902
1903 2016-08-31  Brady Eidson  <beidson@apple.com>
1904
1905         WK2 Gamepad provider on iOS.
1906         https://bugs.webkit.org/show_bug.cgi?id=161412
1907
1908         Reviewed by Tim Horton.
1909
1910         * Configurations/FeatureDefines.xcconfig:
1911
1912 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
1913
1914         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
1915         https://bugs.webkit.org/show_bug.cgi?id=161410
1916
1917         Reviewed by Geoffrey Garen.
1918
1919         * dfg/DFGFixupPhase.cpp:
1920         (JSC::DFG::FixupPhase::fixupNode):
1921         DoubleRep is able to convert numbers, undefined, booleans and null.
1922         I was too pessimistic when I gated the double implementations
1923         on number-or-boolean speculation. We can just let DoubleRep convert
1924         the other cases as long as it is not a Cell.
1925
1926 2016-08-30  Chris Dumez  <cdumez@apple.com>
1927
1928         Unreviewed, fix build after r205205.
1929
1930         * runtime/ObjectConstructor.cpp:
1931         (JSC::objectConstructorSetPrototypeOf):
1932
1933 2016-08-30  Chris Dumez  <cdumez@apple.com>
1934
1935         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
1936         https://bugs.webkit.org/show_bug.cgi?id=161396
1937
1938         Reviewed by Ryosuke Niwa.
1939
1940         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
1941         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
1942         - https://html.spec.whatwg.org/#location-setprototypeof
1943         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
1944
1945         Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
1946
1947         Note that technically, we should also throw in the same origin case.
1948         However, not all browsers agree on this yet so I haven't not changed
1949         the behavior for the same origin case.
1950
1951         * runtime/ObjectConstructor.cpp:
1952         (JSC::objectConstructorSetPrototypeOf):
1953
1954 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
1955
1956         [JSC] Clean up the remaining compare nodes in FTLCapabilities
1957         https://bugs.webkit.org/show_bug.cgi?id=161400
1958
1959         Reviewed by Geoffrey Garen.
1960
1961         It looks like we implemented all the cases without realizing it.
1962
1963         * ftl/FTLCapabilities.cpp:
1964         (JSC::FTL::canCompile):
1965         * ftl/FTLLowerDFGToB3.cpp:
1966         (JSC::FTL::DFG::LowerDFGToB3::compare):
1967
1968 2016-08-30  Mark Lam  <mark.lam@apple.com>
1969
1970         Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
1971         https://bugs.webkit.org/show_bug.cgi?id=161171
1972
1973         Reviewed by Filip Pizlo and Geoffrey Garen.
1974
1975         This is the first step towards having a mechanism (using the ThrowScope) to
1976         verify that we're properly checking for exceptions in all the needed places.
1977         See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.
1978
1979         This patch only introduces the ThrowScope, and changes all throw sites to throw
1980         using a ThrowScope instance.  VM::throwException() functions are now private, and
1981         cannot be accessed directly.  All throws must now go through a ThrowScope.
1982
1983         Verification is disabled for the moment until we can fix all the verification
1984         failures that will show up.
1985
1986         I also did a smoke test of the ThrowScope mechanisms by running verification on
1987         the JSTests/stress/op-add-exceptions.js test with a local build with verification
1988         turned on.
1989
1990         Performance is neutral on aggregate with this patch.
1991
1992         Misc other changes:
1993         - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
1994         - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.
1995
1996         * API/APICallbackFunction.h:
1997         (JSC::APICallbackFunction::call):
1998         (JSC::APICallbackFunction::construct):
1999         * API/JSCallbackObjectFunctions.h:
2000         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2001         (JSC::JSCallbackObject<Parent>::defaultValue):
2002         (JSC::JSCallbackObject<Parent>::put):
2003         (JSC::JSCallbackObject<Parent>::putByIndex):
2004         (JSC::JSCallbackObject<Parent>::deleteProperty):
2005         (JSC::JSCallbackObject<Parent>::construct):
2006         (JSC::JSCallbackObject<Parent>::customHasInstance):
2007         (JSC::JSCallbackObject<Parent>::call):
2008         (JSC::JSCallbackObject<Parent>::getStaticValue):
2009         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2010         (JSC::JSCallbackObject<Parent>::callbackGetter):
2011         * API/JSTypedArray.cpp:
2012         (createTypedArray):
2013         * CMakeLists.txt:
2014         * JavaScriptCore.xcodeproj/project.pbxproj:
2015         * dfg/DFGOperations.cpp:
2016         (JSC::DFG::newTypedArrayWithSize):
2017         * inspector/JSInjectedScriptHost.cpp:
2018         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2019         * inspector/JSInjectedScriptHostPrototype.cpp:
2020         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
2021         (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
2022         (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
2023         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
2024         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
2025         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
2026         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
2027         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
2028         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
2029         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
2030         (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
2031         (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
2032         * inspector/JSJavaScriptCallFrame.cpp:
2033         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2034         * inspector/JSJavaScriptCallFramePrototype.cpp:
2035         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
2036         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2037         (Inspector::jsJavaScriptCallFrameAttributeCaller):
2038         (Inspector::jsJavaScriptCallFrameAttributeSourceID):
2039         (Inspector::jsJavaScriptCallFrameAttributeLine):
2040         (Inspector::jsJavaScriptCallFrameAttributeColumn):
2041         (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
2042         (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
2043         (Inspector::jsJavaScriptCallFrameAttributeThisObject):
2044         (Inspector::jsJavaScriptCallFrameAttributeType):
2045         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
2046         * interpreter/CachedCall.h:
2047         (JSC::CachedCall::CachedCall):
2048         * interpreter/Interpreter.cpp:
2049         (JSC::eval):
2050         (JSC::sizeOfVarargs):
2051         (JSC::sizeFrameForForwardArguments):
2052         (JSC::sizeFrameForVarargs):
2053         (JSC::Interpreter::execute):
2054         (JSC::Interpreter::executeCall):
2055         (JSC::Interpreter::executeConstruct):
2056         (JSC::Interpreter::prepareForRepeatCall):
2057         * jit/JITOperations.cpp:
2058         * jsc.cpp:
2059         (WTF::CustomGetter::customGetter):
2060         (WTF::RuntimeArray::lengthGetter):
2061         (functionCreateElement):
2062         (functionRun):
2063         (functionRunString):
2064         (functionLoad):
2065         (functionLoadString):
2066         (functionReadFile):
2067         (functionCheckSyntax):
2068         (functionTransferArrayBuffer):
2069         (functionLoadModule):
2070         (functionCheckModuleSyntax):
2071         (functionSamplingProfilerStackTraces):
2072         * llint/LLIntSlowPaths.cpp:
2073         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2074         (JSC::LLInt::getByVal):
2075         (JSC::LLInt::handleHostCall):
2076         (JSC::LLInt::setUpCall):
2077         (JSC::LLInt::llint_throw_stack_overflow_error):
2078         * runtime/ArrayConstructor.cpp:
2079         (JSC::constructArrayWithSizeQuirk):
2080         * runtime/ArrayConstructor.h:
2081         (JSC::isArray):
2082         * runtime/ArrayPrototype.cpp:
2083         (JSC::shift):
2084         (JSC::unshift):
2085         (JSC::arrayProtoFuncToString):
2086         (JSC::arrayProtoFuncPop):
2087         (JSC::arrayProtoFuncReverse):
2088         (JSC::arrayProtoFuncSplice):
2089         (JSC::concatAppendOne):
2090         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2091         * runtime/BooleanPrototype.cpp:
2092         (JSC::booleanProtoFuncToString):
2093         (JSC::booleanProtoFuncValueOf):
2094         * runtime/CommonSlowPaths.cpp:
2095         * runtime/CommonSlowPaths.h:
2096         (JSC::CommonSlowPaths::opIn):
2097         * runtime/CommonSlowPathsExceptions.cpp:
2098         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2099         * runtime/ConstructData.cpp:
2100         (JSC::construct):
2101         * runtime/DatePrototype.cpp:
2102         (JSC::formateDateInstance):
2103         (JSC::dateProtoFuncToISOString):
2104         (JSC::dateProtoFuncToLocaleString):
2105         (JSC::dateProtoFuncToLocaleDateString):
2106         (JSC::dateProtoFuncToLocaleTimeString):
2107         (JSC::dateProtoFuncToPrimitiveSymbol):
2108         (JSC::dateProtoFuncGetTime):
2109         (JSC::dateProtoFuncGetFullYear):
2110         (JSC::dateProtoFuncGetUTCFullYear):
2111         (JSC::dateProtoFuncGetMonth):
2112         (JSC::dateProtoFuncGetUTCMonth):
2113         (JSC::dateProtoFuncGetDate):
2114         (JSC::dateProtoFuncGetUTCDate):
2115         (JSC::dateProtoFuncGetDay):
2116         (JSC::dateProtoFuncGetUTCDay):
2117         (JSC::dateProtoFuncGetHours):
2118         (JSC::dateProtoFuncGetUTCHours):
2119         (JSC::dateProtoFuncGetMinutes):
2120         (JSC::dateProtoFuncGetUTCMinutes):
2121         (JSC::dateProtoFuncGetSeconds):
2122         (JSC::dateProtoFuncGetUTCSeconds):
2123         (JSC::dateProtoFuncGetMilliSeconds):
2124         (JSC::dateProtoFuncGetUTCMilliseconds):
2125         (JSC::dateProtoFuncGetTimezoneOffset):
2126         (JSC::dateProtoFuncSetTime):
2127         (JSC::setNewValueFromTimeArgs):
2128         (JSC::setNewValueFromDateArgs):
2129         (JSC::dateProtoFuncSetYear):
2130         (JSC::dateProtoFuncGetYear):
2131         (JSC::dateProtoFuncToJSON):
2132         * runtime/Error.cpp:
2133         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2134         (JSC::throwTypeError):
2135         (JSC::throwSyntaxError):
2136         * runtime/Error.h:
2137         (JSC::throwRangeError):
2138         (JSC::throwVMError):
2139         (JSC::throwVMTypeError):
2140         (JSC::throwVMRangeError):
2141         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2142         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2143         * runtime/ErrorPrototype.cpp:
2144         (JSC::errorProtoFuncToString):
2145         * runtime/ExceptionFuzz.cpp:
2146         (JSC::doExceptionFuzzing):
2147         * runtime/ExceptionHelpers.cpp:
2148         (JSC::throwOutOfMemoryError):
2149         (JSC::throwStackOverflowError):
2150         (JSC::throwTerminatedExecutionException):
2151         * runtime/ExceptionHelpers.h:
2152         * runtime/Executable.cpp:
2153         (JSC::ScriptExecutable::newCodeBlockFor):
2154         (JSC::EvalExecutable::create):
2155         * runtime/FunctionConstructor.cpp:
2156         (JSC::constructFunction):
2157         (JSC::constructFunctionSkippingEvalEnabledCheck):
2158         * runtime/FunctionPrototype.cpp:
2159         (JSC::functionProtoFuncToString):
2160         (JSC::functionProtoFuncBind):
2161         * runtime/GetterSetter.cpp:
2162         (JSC::callSetter):
2163         * runtime/IntlCollator.cpp:
2164         (JSC::IntlCollator::compareStrings):
2165         * runtime/IntlCollatorPrototype.cpp:
2166         (JSC::IntlCollatorPrototypeGetterCompare):
2167         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2168         * runtime/IntlDateTimeFormat.cpp:
2169         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2170         (JSC::IntlDateTimeFormat::format):
2171         * runtime/IntlDateTimeFormatPrototype.cpp:
2172         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2173         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2174         * runtime/IntlNumberFormat.cpp:
2175         (JSC::IntlNumberFormat::initializeNumberFormat):
2176         (JSC::IntlNumberFormat::formatNumber):
2177         * runtime/IntlNumberFormatPrototype.cpp:
2178         (JSC::IntlNumberFormatPrototypeGetterFormat):
2179         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2180         * runtime/IntlObject.cpp:
2181         (JSC::intlStringOption):
2182         (JSC::intlNumberOption):
2183         (JSC::canonicalizeLocaleList):
2184         (JSC::lookupSupportedLocales):
2185         * runtime/IteratorOperations.cpp:
2186         (JSC::iteratorNext):
2187         (JSC::iteratorClose):
2188         (JSC::createIteratorResultObject):
2189         (JSC::iteratorForIterable):
2190         * runtime/JSArray.cpp:
2191         (JSC::JSArray::defineOwnProperty):
2192         (JSC::JSArray::put):
2193         (JSC::JSArray::appendMemcpy):
2194         (JSC::JSArray::setLength):
2195         (JSC::JSArray::pop):
2196         (JSC::JSArray::push):
2197         (JSC::JSArray::unshiftCountWithArrayStorage):
2198         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2199         * runtime/JSArrayBufferConstructor.cpp:
2200         (JSC::constructArrayBuffer):
2201         (JSC::callArrayBuffer):
2202         * runtime/JSArrayBufferPrototype.cpp:
2203         (JSC::arrayBufferProtoFuncSlice):
2204         * runtime/JSCInlines.h:
2205         * runtime/JSCJSValue.cpp:
2206         (JSC::JSValue::toObjectSlowCase):
2207         (JSC::JSValue::synthesizePrototype):
2208         (JSC::JSValue::putToPrimitive):
2209         (JSC::JSValue::putToPrimitiveByIndex):
2210         (JSC::JSValue::toStringSlowCase):
2211         * runtime/JSCJSValueInlines.h:
2212         (JSC::toPreferredPrimitiveType):
2213         (JSC::JSValue::requireObjectCoercible):
2214         * runtime/JSDataView.cpp:
2215         (JSC::JSDataView::create):
2216         * runtime/JSDataViewPrototype.cpp:
2217         (JSC::getData):
2218         (JSC::setData):
2219         (JSC::dataViewProtoGetterBuffer):
2220         (JSC::dataViewProtoGetterByteLength):
2221         (JSC::dataViewProtoGetterByteOffset):
2222         * runtime/JSFunction.cpp:
2223         (JSC::callHostFunctionAsConstructor):
2224         (JSC::JSFunction::callerGetter):
2225         (JSC::JSFunction::put):
2226         (JSC::JSFunction::defineOwnProperty):
2227         * runtime/JSGenericTypedArrayView.h:
2228         (JSC::JSGenericTypedArrayView::setIndex):
2229         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2230         (JSC::constructGenericTypedArrayViewFromIterator):
2231         (JSC::constructGenericTypedArrayViewWithArguments):
2232         (JSC::constructGenericTypedArrayView):
2233         (JSC::callGenericTypedArrayView):
2234         * runtime/JSGenericTypedArrayViewInlines.h:
2235         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2236         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2237         (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
2238         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
2239         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2240         (JSC::speciesConstruct):
2241         (JSC::genericTypedArrayViewProtoFuncSet):
2242         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2243         (JSC::genericTypedArrayViewProtoFuncIncludes):
2244         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2245         (JSC::genericTypedArrayViewProtoFuncJoin):
2246         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2247         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
2248         (JSC::genericTypedArrayViewProtoGetterFuncLength):
2249         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
2250         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
2251         (JSC::genericTypedArrayViewProtoFuncReverse):
2252         (JSC::genericTypedArrayViewPrivateFuncSort):
2253         (JSC::genericTypedArrayViewProtoFuncSlice):
2254         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2255         * runtime/JSGlobalObject.cpp:
2256         (JSC::JSGlobalObject::createEvalCodeBlock):
2257         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2258         * runtime/JSGlobalObjectFunctions.cpp:
2259         (JSC::encode):
2260         (JSC::decode):
2261         (JSC::globalFuncEval):
2262         (JSC::globalFuncThrowTypeError):
2263         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
2264         (JSC::globalFuncProtoGetter):
2265         (JSC::globalFuncProtoSetter):
2266         * runtime/JSModuleEnvironment.cpp:
2267         (JSC::JSModuleEnvironment::put):
2268         * runtime/JSModuleNamespaceObject.cpp:
2269         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2270         (JSC::JSModuleNamespaceObject::put):
2271         (JSC::JSModuleNamespaceObject::putByIndex):
2272         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2273         (JSC::moduleNamespaceObjectSymbolIterator):
2274         * runtime/JSModuleRecord.cpp:
2275         (JSC::JSModuleRecord::getModuleNamespace):
2276         (JSC::JSModuleRecord::link):
2277         (JSC::JSModuleRecord::instantiateDeclarations):
2278         * runtime/JSONObject.cpp:
2279         (JSC::Stringifier::appendStringifiedValue):
2280         (JSC::Walker::walk):
2281         (JSC::JSONProtoFuncParse):
2282         (JSC::JSONProtoFuncStringify):
2283         * runtime/JSObject.cpp:
2284         (JSC::JSObject::setPrototypeWithCycleCheck):
2285         (JSC::callToPrimitiveFunction):
2286         (JSC::JSObject::ordinaryToPrimitive):
2287         (JSC::JSObject::hasInstance):
2288         (JSC::JSObject::defaultHasInstance):
2289         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2290         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2291         (JSC::validateAndApplyPropertyDescriptor):
2292         (JSC::JSObject::getMethod):
2293         * runtime/JSObject.h:
2294         (JSC::createListFromArrayLike): Deleted.
2295         * runtime/JSObjectInlines.h:
2296         (JSC::createListFromArrayLike):
2297         (JSC::JSObject::putInline):
2298         * runtime/JSPromiseConstructor.cpp:
2299         (JSC::constructPromise):
2300         (JSC::callPromise):
2301         * runtime/JSPropertyNameIterator.cpp:
2302         (JSC::propertyNameIteratorFuncNext):
2303         * runtime/JSString.cpp:
2304         (JSC::JSRopeString::outOfMemory):
2305         * runtime/JSStringBuilder.h:
2306         (JSC::JSStringBuilder::build):
2307         (JSC::jsMakeNontrivialString):
2308         * runtime/JSStringJoiner.cpp:
2309         (JSC::JSStringJoiner::joinedLength):
2310         (JSC::JSStringJoiner::join):
2311         * runtime/JSStringJoiner.h:
2312         (JSC::JSStringJoiner::JSStringJoiner):
2313         * runtime/JSSymbolTableObject.h:
2314         (JSC::symbolTablePut):
2315         * runtime/JSTypedArrayViewConstructor.cpp:
2316         (JSC::constructTypedArrayView):
2317         * runtime/JSTypedArrayViewPrototype.cpp:
2318         (JSC::typedArrayViewPrivateFuncLength):
2319         (JSC::typedArrayViewPrivateFuncSort):
2320         (JSC::typedArrayViewProtoFuncSet):
2321         (JSC::typedArrayViewProtoFuncCopyWithin):
2322         (JSC::typedArrayViewProtoFuncIncludes):
2323         (JSC::typedArrayViewProtoFuncLastIndexOf):
2324         (JSC::typedArrayViewProtoFuncIndexOf):
2325         (JSC::typedArrayViewProtoFuncJoin):
2326         (JSC::typedArrayViewProtoGetterFuncBuffer):
2327         (JSC::typedArrayViewProtoGetterFuncLength):
2328         (JSC::typedArrayViewProtoGetterFuncByteLength):
2329         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2330         (JSC::typedArrayViewProtoFuncReverse):
2331         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2332         (JSC::typedArrayViewProtoFuncSlice):
2333         * runtime/MapConstructor.cpp:
2334         (JSC::callMap):
2335         (JSC::constructMap):
2336         * runtime/MapDataInlines.h:
2337         (JSC::JSIterator>::ensureSpaceForAppend):
2338         * runtime/MapIteratorPrototype.cpp:
2339         (JSC::MapIteratorPrototypeFuncNext):
2340         * runtime/MapPrototype.cpp:
2341         (JSC::getMap):
2342         (JSC::mapProtoFuncValues):
2343         (JSC::mapProtoFuncEntries):
2344         (JSC::mapProtoFuncKeys):
2345         * runtime/ModuleLoaderPrototype.cpp:
2346         (JSC::moduleLoaderPrototypeParseModule):
2347         * runtime/NullSetterFunction.cpp:
2348         (JSC::callReturnUndefined):
2349         * runtime/NumberPrototype.cpp:
2350         (JSC::numberProtoFuncToExponential):
2351         (JSC::numberProtoFuncToFixed):
2352         (JSC::numberProtoFuncToPrecision):
2353         (JSC::numberProtoFuncToString):
2354         (JSC::numberProtoFuncToLocaleString):
2355         (JSC::numberProtoFuncValueOf):
2356         * runtime/ObjectConstructor.cpp:
2357         (JSC::objectConstructorSetPrototypeOf):
2358         (JSC::toPropertyDescriptor):
2359         (JSC::objectConstructorDefineProperty):
2360         (JSC::objectConstructorDefineProperties):
2361         (JSC::objectConstructorCreate):
2362         * runtime/ObjectPrototype.cpp:
2363         (JSC::objectProtoFuncDefineGetter):
2364         (JSC::objectProtoFuncDefineSetter):
2365         (JSC::objectProtoFuncToString):
2366         * runtime/Operations.h:
2367         (JSC::jsString):
2368         (JSC::jsStringFromRegisterArray):
2369         (JSC::jsStringFromArguments):
2370         * runtime/ProxyConstructor.cpp:
2371         (JSC::makeRevocableProxy):
2372         (JSC::proxyRevocableConstructorThrowError):
2373         (JSC::constructProxyObject):
2374         (JSC::callProxy):
2375         * runtime/ProxyObject.cpp:
2376         (JSC::ProxyObject::finishCreation):
2377         (JSC::performProxyGet):
2378         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2379         (JSC::ProxyObject::performHasProperty):
2380         (JSC::ProxyObject::getOwnPropertySlotCommon):
2381         (JSC::ProxyObject::performPut):
2382         (JSC::performProxyCall):
2383         (JSC::performProxyConstruct):
2384         (JSC::ProxyObject::performDelete):
2385         (JSC::ProxyObject::performPreventExtensions):
2386         (JSC::ProxyObject::performIsExtensible):
2387         (JSC::ProxyObject::performDefineOwnProperty):
2388         (JSC::ProxyObject::performGetOwnPropertyNames):
2389         (JSC::ProxyObject::performSetPrototype):
2390         (JSC::ProxyObject::performGetPrototype):
2391         * runtime/ReflectObject.cpp:
2392         (JSC::reflectObjectConstruct):
2393         (JSC::reflectObjectDefineProperty):
2394         (JSC::reflectObjectEnumerate):
2395         (JSC::reflectObjectGet):
2396         (JSC::reflectObjectGetOwnPropertyDescriptor):
2397         (JSC::reflectObjectGetPrototypeOf):
2398         (JSC::reflectObjectIsExtensible):
2399         (JSC::reflectObjectOwnKeys):
2400         (JSC::reflectObjectPreventExtensions):
2401         (JSC::reflectObjectSet):
2402         (JSC::reflectObjectSetPrototypeOf):
2403         * runtime/RegExpConstructor.cpp:
2404         (JSC::toFlags):
2405         (JSC::regExpCreate):
2406         * runtime/RegExpObject.cpp:
2407         (JSC::collectMatches):
2408         * runtime/RegExpObject.h:
2409         (JSC::RegExpObject::setLastIndex):
2410         * runtime/RegExpPrototype.cpp:
2411         (JSC::regExpProtoFuncTestFast):
2412         (JSC::regExpProtoFuncExec):
2413         (JSC::regExpProtoFuncMatchFast):
2414         (JSC::regExpProtoFuncCompile):
2415         (JSC::regExpProtoFuncToString):
2416         (JSC::regExpProtoGetterGlobal):
2417         (JSC::regExpProtoGetterIgnoreCase):
2418         (JSC::regExpProtoGetterMultiline):
2419         (JSC::regExpProtoGetterSticky):
2420         (JSC::regExpProtoGetterUnicode):
2421         (JSC::regExpProtoGetterFlags):
2422         (JSC::regExpProtoGetterSource):
2423         (JSC::regExpProtoFuncSplitFast):
2424         * runtime/Reject.h:
2425         (JSC::reject):
2426         * runtime/SetConstructor.cpp:
2427         (JSC::callSet):
2428         (JSC::constructSet):
2429         * runtime/SetIteratorPrototype.cpp:
2430         (JSC::SetIteratorPrototypeFuncNext):
2431         * runtime/SetPrototype.cpp:
2432         (JSC::getSet):
2433         (JSC::setProtoFuncValues):
2434         (JSC::setProtoFuncEntries):
2435         * runtime/SparseArrayValueMap.cpp:
2436         (JSC::SparseArrayValueMap::putEntry):
2437         (JSC::SparseArrayEntry::put):
2438         * runtime/StringConstructor.cpp:
2439         (JSC::stringFromCodePoint):
2440         * runtime/StringObject.cpp:
2441         (JSC::StringObject::put):
2442         (JSC::StringObject::putByIndex):
2443         * runtime/StringPrototype.cpp:
2444         (JSC::jsSpliceSubstrings):
2445         (JSC::jsSpliceSubstringsWithSeparators):
2446         (JSC::repeatCharacter):
2447         (JSC::replace):
2448         (JSC::stringProtoFuncToString):
2449         (JSC::stringProtoFuncCharAt):
2450         (JSC::stringProtoFuncCharCodeAt):
2451         (JSC::stringProtoFuncCodePointAt):
2452         (JSC::stringProtoFuncConcat):
2453         (JSC::stringProtoFuncIndexOf):
2454         (JSC::stringProtoFuncLastIndexOf):
2455         (JSC::stringProtoFuncSlice):
2456         (JSC::stringProtoFuncSubstr):
2457         (JSC::stringProtoFuncSubstring):
2458         (JSC::stringProtoFuncToLowerCase):
2459         (JSC::stringProtoFuncToUpperCase):
2460         (JSC::stringProtoFuncLocaleCompare):
2461         (JSC::toLocaleCase):
2462         (JSC::stringProtoFuncBig):
2463         (JSC::stringProtoFuncSmall):
2464         (JSC::stringProtoFuncBlink):
2465         (JSC::stringProtoFuncBold):
2466         (JSC::stringProtoFuncFixed):
2467         (JSC::stringProtoFuncItalics):
2468         (JSC::stringProtoFuncStrike):
2469         (JSC::stringProtoFuncSub):
2470         (JSC::stringProtoFuncSup):
2471         (JSC::stringProtoFuncFontcolor):
2472         (JSC::stringProtoFuncFontsize):
2473         (JSC::stringProtoFuncAnchor):
2474         (JSC::stringProtoFuncLink):
2475         (JSC::trimString):
2476         (JSC::stringProtoFuncStartsWith):
2477         (JSC::stringProtoFuncEndsWith):
2478         (JSC::stringProtoFuncIncludes):
2479         (JSC::stringProtoFuncIterator):
2480         (JSC::normalize):
2481         (JSC::stringProtoFuncNormalize):
2482         * runtime/StringRecursionChecker.cpp:
2483         (JSC::StringRecursionChecker::throwStackOverflowError):
2484         * runtime/Symbol.cpp:
2485         (JSC::Symbol::toNumber):
2486         * runtime/SymbolConstructor.cpp:
2487         (JSC::symbolConstructorKeyFor):
2488         * runtime/SymbolPrototype.cpp:
2489         (JSC::symbolProtoFuncToString):
2490         (JSC::symbolProtoFuncValueOf):
2491         * runtime/ThrowScope.cpp: Added.
2492         (JSC::ThrowScope::ThrowScope):
2493         (JSC::ThrowScope::~ThrowScope):
2494         (JSC::ThrowScope::throwException):
2495         (JSC::ThrowScope::printIfNeedCheck):
2496         (JSC::ThrowScope::simulateThrow):
2497         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
2498         * runtime/ThrowScope.h: Added.
2499         (JSC::ThrowScope::vm):
2500         (JSC::ThrowScope::exception):
2501         (JSC::ThrowScope::release):
2502         (JSC::ThrowScope::ThrowScope):
2503         (JSC::ThrowScope::throwException):
2504         (JSC::throwException):
2505         * runtime/ThrowScopeLocation.h: Added.
2506         (JSC::ThrowScopeLocation::ThrowScopeLocation):
2507         * runtime/VM.h:
2508         * runtime/VMEntryScope.h:
2509         (JSC::VMEntryScope::vm):
2510         * runtime/WeakMapConstructor.cpp:
2511         (JSC::callWeakMap):
2512         (JSC::constructWeakMap):
2513         * runtime/WeakMapPrototype.cpp:
2514         (JSC::getWeakMapData):
2515         (JSC::protoFuncWeakMapSet):
2516         * runtime/WeakSetConstructor.cpp:
2517         (JSC::callWeakSet):
2518         (JSC::constructWeakSet):
2519         * runtime/WeakSetPrototype.cpp:
2520         (JSC::getWeakMapData):
2521         (JSC::protoFuncWeakSetAdd):
2522
2523 2016-08-30  Alex Christensen  <achristensen@webkit.org>
2524
2525         Fix WebInspectorUI in internal Windows build
2526         https://bugs.webkit.org/show_bug.cgi?id=161221
2527         rdar://problem/28019023
2528
2529         Reviewed by Brent Fulgham and Joseph Pecoraro.
2530
2531         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2532
2533 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
2534
2535         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
2536         https://bugs.webkit.org/show_bug.cgi?id=161263
2537         <rdar://problem/28035849>
2538
2539         Reviewed by Matt Baker.
2540
2541         * inspector/InjectedScriptSource.js:
2542         (InjectedScript.prototype._propertyDescriptors):
2543         Previously we only took the "numeric index fast path" if an object was
2544         array like with length > 100. When we dropped the length check we
2545         ended up breaking our display of Array prototype, because [].__proto__
2546         is an array instance. Get it back by just doing a check of length > 0.
2547         We may want to address this differently in the future by knowing if
2548         we are getting properties for a prototype or not.
2549
2550 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2551
2552         [JSC] Clean up FTL Capabilities for CompareEq
2553         https://bugs.webkit.org/show_bug.cgi?id=161353
2554
2555         Reviewed by Geoffrey Garen.
2556
2557         It looks like we already have code for every case.
2558         This patch removes the tests from FTLCapabilities
2559         and move the generic case last as usual.
2560
2561         * ftl/FTLCapabilities.cpp:
2562         (JSC::FTL::canCompile):
2563         * ftl/FTLLowerDFGToB3.cpp:
2564         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
2565
2566 2016-08-29  Keith Miller  <keith_miller@apple.com>
2567
2568         Fix toStringName for Proxies and add support for normal instances
2569         https://bugs.webkit.org/show_bug.cgi?id=161275
2570
2571         Reviewed by Saam Barati.
2572
2573         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
2574         Additionally, there are a couple of other classes that need to return "Object" for their
2575         toStringName. Since this isn't tested by test262 I will propose a new test there.
2576
2577         * runtime/ClassInfo.h:
2578         * runtime/JSArrayBufferView.cpp:
2579         (JSC::JSArrayBufferView::toStringName):
2580         * runtime/JSArrayBufferView.h:
2581         * runtime/JSCell.cpp:
2582         (JSC::JSCell::toStringName):
2583         * runtime/JSCell.h:
2584         * runtime/JSMap.cpp:
2585         (JSC::JSMap::toStringName):
2586         * runtime/JSMap.h:
2587         * runtime/JSObject.cpp:
2588         (JSC::JSObject::toStringName):
2589         * runtime/JSObject.h:
2590         * runtime/JSSet.cpp:
2591         (JSC::JSSet::destroy):
2592         (JSC::JSSet::toStringName):
2593         * runtime/JSSet.h:
2594         * runtime/JSWeakMap.cpp:
2595         (JSC::JSWeakMap::toStringName):
2596         * runtime/JSWeakMap.h:
2597         * runtime/JSWeakSet.cpp:
2598         (JSC::JSWeakSet::toStringName):
2599         * runtime/JSWeakSet.h:
2600         * runtime/ObjectPrototype.cpp:
2601         (JSC::objectProtoFuncToString):
2602         * runtime/ProxyObject.cpp:
2603         (JSC::ProxyObject::toStringName):
2604         * runtime/ProxyObject.h:
2605         * runtime/SymbolObject.cpp:
2606         (JSC::SymbolObject::toStringName):
2607         * runtime/SymbolObject.h:
2608         (JSC::SymbolObject::internalValue):
2609
2610 2016-08-29  Youenn Fablet  <youenn@apple.com>
2611
2612         [Fetch API] Response cloning should structureClone when teeing Response stream
2613         https://bugs.webkit.org/show_bug.cgi?id=161147
2614
2615         Reviewed by Darin Adler.
2616
2617         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
2618         * runtime/JSArrayBufferConstructor.cpp:
2619         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
2620         * runtime/JSDataView.h: Exporting create method.
2621
2622 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2623
2624         [JSC] Improve ArithAbs with polymorphic input
2625         https://bugs.webkit.org/show_bug.cgi?id=161286
2626
2627         Reviewed by Saam Barati.
2628
2629         This is similar to the previous patches: if we have polymorphic
2630         input, do a function call.
2631
2632         I also discovered a few problems with the tests and fixed them:
2633         -I forgot to add NodeMustGenerate to the previous nodes I changed.
2634          They could have been eliminated by DCE.
2635         -ArithAbs was always exiting if the input types do not include numbers.
2636          The cause was the node was using isInt32OrBooleanSpeculationForArithmetic()
2637          instead of isInt32OrBooleanSpeculation(). The test of
2638          isInt32OrBooleanSpeculationForArithmetic() only verify the input does not
2639          contains double or int52. If we were in that case, we were always speculating
2640          Int32. That always fails and we were recompiling the same code over and over.
2641
2642         * dfg/DFGAbstractInterpreterInlines.h:
2643         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2644         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
2645
2646         * dfg/DFGClobberize.h:
2647         (JSC::DFG::clobberize):
2648         * dfg/DFGFixupPhase.cpp:
2649         (JSC::DFG::FixupPhase::fixupNode):
2650         * dfg/DFGNode.h:
2651         (JSC::DFG::Node::hasResult):
2652         (JSC::DFG::Node::hasHeapPrediction):
2653         (JSC::DFG::Node::hasInt32Result): Deleted.
2654         The accessor hasInt32Result() was unused.
2655
2656         * dfg/DFGNodeType.h:
2657         * dfg/DFGOperations.cpp:
2658         * dfg/DFGOperations.h:
2659         * dfg/DFGPredictionPropagationPhase.cpp:
2660         * dfg/DFGSpeculativeJIT.cpp:
2661         (JSC::DFG::SpeculativeJIT::compileArithAbs):
2662         * dfg/DFGSpeculativeJIT.h:
2663         * dfg/DFGSpeculativeJIT32_64.cpp:
2664         (JSC::DFG::SpeculativeJIT::compile):
2665         * dfg/DFGSpeculativeJIT64.cpp:
2666         (JSC::DFG::SpeculativeJIT::compile):
2667         * ftl/FTLLowerDFGToB3.cpp:
2668         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
2669
2670 2016-08-28  Saam Barati  <sbarati@apple.com>
2671
2672         Make SpeculatedType a 64-bit integer
2673         https://bugs.webkit.org/show_bug.cgi?id=161268
2674
2675         Reviewed by Filip Pizlo and Benjamin Poulain.
2676
2677         I'm going to introduce two new types into this and we only
2678         have room for one in 32-bits. So, this patch widens SpeculatedType
2679         to 64 bits. This also pulls this information through the DFG where
2680         we needed to change DFGNode to support this.
2681
2682         * bytecode/SpeculatedType.h:
2683         * dfg/DFGNode.cpp:
2684         (JSC::DFG::Node::convertToPutHint):
2685         (JSC::DFG::Node::promotedLocationDescriptor):
2686         * dfg/DFGNode.h:
2687         (JSC::DFG::Node::Node):
2688         (JSC::DFG::Node::convertToCheckStructure):
2689         (JSC::DFG::Node::constant):
2690         (JSC::DFG::Node::convertToConstant):
2691         (JSC::DFG::Node::convertToConstantStoragePointer):
2692         (JSC::DFG::Node::convertToPutStack):
2693         (JSC::DFG::Node::convertToGetStack):
2694         (JSC::DFG::Node::convertToGetByOffset):
2695         (JSC::DFG::Node::convertToMultiGetByOffset):
2696         (JSC::DFG::Node::convertToPutByOffset):
2697         (JSC::DFG::Node::convertToMultiPutByOffset):
2698         (JSC::DFG::Node::convertToPhantomNewObject):
2699         (JSC::DFG::Node::convertToPhantomNewFunction):
2700         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
2701         (JSC::DFG::Node::convertToPhantomCreateActivation):
2702         (JSC::DFG::Node::convertToGetLocal):
2703         (JSC::DFG::Node::lazyJSValue):
2704         (JSC::DFG::Node::initializationValueForActivation):
2705         (JSC::DFG::Node::tryGetVariableAccessData):
2706         (JSC::DFG::Node::variableAccessData):
2707         (JSC::DFG::Node::unlinkedLocal):
2708         (JSC::DFG::Node::unlinkedMachineLocal):
2709         (JSC::DFG::Node::stackAccessData):
2710         (JSC::DFG::Node::phi):
2711         (JSC::DFG::Node::identifierNumber):
2712         (JSC::DFG::Node::getPutInfo):
2713         (JSC::DFG::Node::accessorAttributes):
2714         (JSC::DFG::Node::newArrayBufferData):
2715         (JSC::DFG::Node::indexingType):
2716         (JSC::DFG::Node::typedArrayType):
2717         (JSC::DFG::Node::inlineCapacity):
2718         (JSC::DFG::Node::scopeOffset):
2719         (JSC::DFG::Node::capturedArgumentsOffset):
2720         (JSC::DFG::Node::variablePointer):
2721         (JSC::DFG::Node::callVarargsData):
2722         (JSC::DFG::Node::loadVarargsData):
2723         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
2724         (JSC::DFG::Node::targetBlock):
2725         (JSC::DFG::Node::branchData):
2726         (JSC::DFG::Node::switchData):
2727         (JSC::DFG::Node::getHeapPrediction):
2728         (JSC::DFG::Node::cellOperand):
2729         (JSC::DFG::Node::watchpointSet):
2730         (JSC::DFG::Node::storagePointer):
2731         (JSC::DFG::Node::uidOperand):
2732         (JSC::DFG::Node::typeInfoOperand):
2733         (JSC::DFG::Node::transition):
2734         (JSC::DFG::Node::structureSet):
2735         (JSC::DFG::Node::structure):
2736         (JSC::DFG::Node::storageAccessData):
2737         (JSC::DFG::Node::multiGetByOffsetData):
2738         (JSC::DFG::Node::multiPutByOffsetData):
2739         (JSC::DFG::Node::objectMaterializationData):
2740         (JSC::DFG::Node::arrayMode):
2741         (JSC::DFG::Node::arithMode):
2742         (JSC::DFG::Node::arithRoundingMode):
2743         (JSC::DFG::Node::setArithRoundingMode):
2744         (JSC::DFG::Node::executionCounter):
2745         (JSC::DFG::Node::typeLocation):
2746         (JSC::DFG::Node::basicBlockLocation):
2747         (JSC::DFG::Node::numberOfArgumentsToSkip):
2748         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
2749         (JSC::DFG::Node::OpInfoWrapper::operator=):
2750         * dfg/DFGOpInfo.h:
2751         (JSC::DFG::OpInfo::OpInfo):
2752         * dfg/DFGPromotedHeapLocation.h:
2753         (JSC::DFG::PromotedLocationDescriptor::imm1):
2754         (JSC::DFG::PromotedLocationDescriptor::imm2):
2755
2756 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
2757
2758         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
2759         https://bugs.webkit.org/show_bug.cgi?id=161120
2760
2761         Reviewed by Darin Adler.
2762
2763         * inspector/JSGlobalObjectInspectorController.cpp:
2764
2765 2016-08-26  Sam Weinig  <sam@webkit.org>
2766
2767         Remove support for ENABLE_LEGACY_WEB_AUDIO
2768         https://bugs.webkit.org/show_bug.cgi?id=161262
2769
2770         Reviewed by Anders Carlsson.
2771
2772         * Configurations/FeatureDefines.xcconfig:
2773         Remove ENABLE_LEGACY_WEB_AUDIO
2774
2775 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
2776
2777         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
2778         https://bugs.webkit.org/show_bug.cgi?id=161229
2779
2780         Reviewed by Geoffrey Garen.
2781
2782         Add (String, Untyped) uses to FTL CompareStrictEq.
2783         This was the last use type not implemented, the node is fully
2784         supported by FTL after this patch.
2785
2786         * ftl/FTLCapabilities.cpp:
2787         (JSC::FTL::canCompile):
2788         * ftl/FTLLowerDFGToB3.cpp:
2789         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2790         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
2791
2792         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
2793         Remove the type checks when possible.
2794
2795 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
2796
2797         Web Inspector: Frontend should have access to Resource Timing information
2798         https://bugs.webkit.org/show_bug.cgi?id=160095
2799
2800         Reviewed by Alex Christensen.
2801
2802         Rename ResourceTiming property.
2803
2804         * inspector/protocol/Network.json:
2805         Rename navigationStart to startTime so it's applicable
2806         for all resources and not just the main resource.
2807
2808 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
2809
2810         Web Inspector: Provide a way to clear an IndexedDB object store
2811         https://bugs.webkit.org/show_bug.cgi?id=161167
2812         <rdar://problem/27996932>
2813
2814         Reviewed by Brian Burg.
2815
2816         * inspector/protocol/IndexedDB.json:
2817         Cleanup the protocol file.
2818
2819 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
2820
2821         Web Inspector: Some CSS selectors in the UI aren't escaped
2822         https://bugs.webkit.org/show_bug.cgi?id=151378
2823
2824         Reviewed by Joseph Pecoraro.
2825
2826         Change ElementData from sending a className string to using an array of
2827         classes, allowing for proper escaping of each class value.
2828
2829         * inspector/protocol/OverlayTypes.json:
2830
2831 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
2832
2833         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
2834         https://bugs.webkit.org/show_bug.cgi?id=161213
2835         <rdar://problem/28017986>
2836
2837         Reviewed by Brian Burg.
2838
2839         * inspector/agents/InspectorHeapAgent.cpp:
2840         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
2841         Don't take a final snapshot when disconnecting.
2842
2843         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2844         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
2845         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
2846         * inspector/agents/InspectorScriptProfilerAgent.h:
2847         * runtime/SamplingProfiler.h:
2848         Don't process samples when disconnecting.
2849
2850 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
2851
2852         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
2853         https://bugs.webkit.org/show_bug.cgi?id=161027
2854         <rdar://problem/27871349>
2855
2856         Reviewed by Mark Lam.
2857
2858         For JSContext inspection, when a frontend connects keep the target alive.
2859         This means ref'ing the JSGlobalObject / VM when the first frontend
2860         connects and deref'ing when the last frontend disconnects.
2861
2862         * inspector/JSGlobalObjectInspectorController.h:
2863         * inspector/JSGlobalObjectInspectorController.cpp:
2864         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
2865         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
2866         Now that frontends keep the global object alive, when the global object
2867         is destroyed that must mean that no frontends exist. Remove the now
2868         stale code path.
2869
2870         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2871         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2872         Ref the target when the first frontend connects, deref when the last disconnects.
2873
2874 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2875
2876         [ES6] newPromiseCapabilities should check the given argument is constructor
2877         https://bugs.webkit.org/show_bug.cgi?id=161226
2878
2879         Reviewed by Mark Lam.
2880
2881         Use @isConstructor.
2882
2883         * builtins/PromiseOperations.js:
2884
2885 2016-08-25  Keith Miller  <keith_miller@apple.com>
2886
2887         toString called on proxies returns incorrect tag
2888         https://bugs.webkit.org/show_bug.cgi?id=161111
2889
2890         Reviewed by Benjamin Poulain.
2891
2892         This patch adds a new Method table function toStringName. This function
2893         is used by Object.prototype.toString to create the string tag that it
2894         inserts. Right now it only changes the stringification of proxy objects.
2895         In future patches I plan to make it work for other classes of objects as
2896         well.
2897
2898         * runtime/ClassInfo.h:
2899         * runtime/JSCell.cpp:
2900         (JSC::JSCell::toStringName):
2901         * runtime/JSCell.h:
2902         * runtime/JSObject.cpp:
2903         (JSC::JSObject::toStringName):
2904         * runtime/JSObject.h:
2905         * runtime/ObjectPrototype.cpp:
2906         (JSC::objectProtoFuncToString):
2907         * runtime/ProxyObject.cpp:
2908         (JSC::ProxyObject::toStringName):
2909         * runtime/ProxyObject.h:
2910
2911 2016-08-26  Csaba Osztrogon√°c  <ossy@webkit.org>
2912
2913         Fix the ENABLE(WEBASSEMBLY) build on Linux
2914         https://bugs.webkit.org/show_bug.cgi?id=161197
2915
2916         Reviewed by Mark Lam.
2917
2918         * CMakeLists.txt:
2919         * b3/B3Common.cpp:
2920         (JSC::B3::shouldDumpIR):
2921         * shell/CMakeLists.txt:
2922         * wasm/JSWASMModule.h:
2923         * wasm/WASMB3IRGenerator.cpp:
2924         (JSC::WASM::toB3Op):
2925         * wasm/WASMB3IRGenerator.h:
2926         * wasm/WASMFormat.h:
2927         * wasm/WASMFunctionParser.h:
2928         * wasm/WASMModuleParser.cpp:
2929         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
2930         * wasm/WASMModuleParser.h:
2931         * wasm/WASMParser.h:
2932         * wasm/WASMPlan.cpp:
2933         * wasm/WASMPlan.h:
2934         * wasm/WASMSections.cpp:
2935
2936 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
2937
2938         [Win] Compile fix.
2939         https://bugs.webkit.org/show_bug.cgi?id=161235
2940
2941         Reviewed by Brent Fulgham.
2942
2943         YarrPattern::errorMessage has inconsistent dll linkage.
2944
2945         * yarr/YarrPattern.h:
2946
2947 2016-08-25  Alex Christensen  <achristensen@webkit.org>
2948
2949         CMake build fix.
2950
2951         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
2952         This is needed for the internal Windows build.
2953
2954 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
2955
2956         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
2957         https://bugs.webkit.org/show_bug.cgi?id=161181
2958
2959         Reviewed by Geoffrey Garen.
2960
2961         All the nodes are doing the exact same thing with a single
2962         difference: how to process constants. I made that into a separate
2963         function called from each node.
2964
2965         I also generalized the constant-to-number code of DoubleRep
2966         to make it available for all those nodes.
2967
2968         * dfg/DFGAbstractInterpreter.h:
2969         * dfg/DFGAbstractInterpreterInlines.h:
2970         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2971         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2972         * runtime/JSCJSValue.cpp:
2973         (JSC::JSValue::toNumberFromPrimitive):
2974         * runtime/JSCJSValue.h:
2975
2976 2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2977
2978         [DFG][FTL] Implement ES6 Generators in DFG / FTL
2979         https://bugs.webkit.org/show_bug.cgi?id=152723
2980
2981         Reviewed by Filip Pizlo.
2982
2983         This patch introduces DFG and FTL support for ES6 generators.
2984         ES6 generator is compiled by the BytecodeGenerator. But at the last phase, BytecodeGenerator performs "generatorification" onto the unlinked code.
2985         In BytecodeGenerator phase, we just emit op_yield for each yield point. And we don't emit any generator related switch, save, and resume sequences
2986         here. Those are emitted by the generatorification phase.
2987
2988         So the graph is super simple! Before the generatorification, the graph looks like this.
2989
2990              op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...
2991
2992         Roughly speaking, in the generatorification phase, we turn out which variables should be saved and resumed at each op_yield.
2993         This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
2994         op_put_to_scope and op_get_from_scope sequences are corresponding to the save and resume sequences. We set up the scope for the generator frame and
2995         perform op_put_to_scope and op_get_from_scope onto it. The live registers are saved and resumed over the generator's next() calls by using this
2996         special generator frame scope. And we also set up the global switch for the generator.
2997
2998         In the generatorification phase,
2999
3000         1. We construct the BytecodeGraph from the unlinked instructions. This constructs the basic blocks, and it is used in the subsequent analysis.
3001         2. We perform the analysis onto the unlinked code. We extract the live variables at each op_yield.
3002         3. We insert the get_from_scope and put_to_scope at each op_yield. Which registers should be saved and resumed is offered by (2).
3003            Then, clip the op_yield themselves. And we also insert the switch_imm. The jump targets of this switch are just after this op_switch_imm and each op_yield point.
3004
3005         One interesting point is the try-range. We split the try-range at the op_yield point in BytecodeGenerator phase.
3006         This drops the hacky thing that is introduced in [1].
3007         If the try-range covers the resume sequences, the exception handler's use-registers are incorrectly transferred to the entry block.
3008         For example,
3009
3010             handler uses r2
3011                                                              try-range
3012             label:(entry block can jump here)                 ^
3013                 r1 = get_from_scope # resume sequence starts  | use r2 is transferred to the entry block!
3014                 r2 = get_from_scope                           |
3015                 starts usual sequences                        |
3016                 ...                                           |
3017
3018         Handler's r2 use should be considered at the `r1 = get_from_scope` point.
3019         Previously, we handle this edge case by treating op_resume specially in the liveness analysis[1].
3020         To drop this workaround, we split the try-range not to cover this resume sequence.
3021
3022             handler uses r2
3023                                                              try-range
3024             label:(entry block can jump here)
3025                 r1 = get_from_scope # resume sequence starts
3026                 r2 = get_from_scope
3027                 starts usual sequences                        ^ try-range should start from here.
3028                 ...                                           |
3029
3030         OK. Let's show the detailed example.
3031
3032             1. First, there is the normal bytecode sequence. Here, | represents the offsets, and [] represents the bytecodes.
3033
3034                 bytecodes   | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
3035                 try-range   <----------------------------------->
3036
3037             2. When we emit the op_yield in the bytecode generator, we carefully split the try-range.
3038
3039                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
3040                 try-range   <----------->            <----------------->
3041
3042             3. And in the generatorification phase, we insert the switch's jump target and save & resume sequences. And we also drop op_yield.
3043
3044                         Insert save seq  Insert resume seq
3045                         before op_yield. after op_yield's point.
3046                                        v v
3047                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
3048                 try-range   <----------->     ^      <----------------->
3049                                         ^     |
3050                              Jump to here.    Drop this op_yield.
3051
3052             4. The final layout is the following.
3053
3054                 bytecodes   | [ ] | [ ][save seq][op_ret] | [resume seq] | [ ] | [ ] | [ ] |
3055                 try-range   <----------------------------->               <---------------->
3056                                                           ^
3057                                               Jump to here.
3058
3059         The rewriting done by the BytecodeRewriter is executed in a batch manner. Since these modification changes the basic blocks and size of unlinked instructions,
3060         BytecodeRewriter also performs the offset adjustment for UnlinkedCodeBlock. So, this rewriting is performed onto the BytecodeGraph rather than BytecodeBasicBlock.
3061         The reason why we take this design is simple: we don't want to newly create the basic blocks and opcodes for this early phase like DFG. Instead, we perform the
3062         modification and adjustment to the unlinked instructions and UnlinkedCodeBlock in a in-place manner.
3063
3064         Bytecode rewriting functionality is offered by BytecodeRewriter. BytecodeRewriter allows us to insert any bytecodes to any places
3065         in a in-place manner. BytecodeRewriter handles the original bytecode offsets as labels. And you can insert bytecodes before and after
3066         these labels. You can also insert any jumps to any places. When you insert jumps, you need to specify jump target with this labels.
3067         These labels (original bytecode offsets) are automatically converted to the appropriate offsets by BytecodeRewriter.
3068
3069         After that phase, the data flow of the generator-saved-and-resumed-registers are explicitly represented by the get_from_scope and put_to_scope.
3070         And the switch is inserted to represent the actual control flow for the generator. And op_yield is removed. Since we use the existing bytecodes (op_switch_imm, op_put_to_scope
3071         op_ret, and op_get_from_scope), DFG and FTL changes are not necessary. This patch also drops data structures and implementations for the old generator,
3072         op_resume, op_save implementations and GeneratorFrame.
3073
3074         Note that this patch does not leverage the recent multi entrypoints support in B3. After this patch is introduced, we will submit a new patch that leverages the multi
3075         entrypoints for generator's resume and sees the performance gain.
3076
3077         Microbenchmarks related to generators show up to 2.9x improvements.
3078
3079                                                         Baseline                  Patched
3080
3081             generator-fib                          102.0116+-3.2880     ^     34.9670+-0.2221        ^ definitely 2.9174x faster
3082             generator-sunspider-access-nsieve        5.8596+-0.0371     ^      4.9051+-0.0720        ^ definitely 1.1946x faster
3083             generator-with-several-types           332.1478+-4.2425     ^    124.6642+-2.4826        ^ definitely 2.6643x faster
3084
3085             <geometric>                             58.2998+-0.7758     ^     27.7425+-0.2577        ^ definitely 2.1015x faster
3086
3087         In ES6SampleBench's Basic, we can observe 41% improvement (Macbook Pro).
3088
3089             Baseline:
3090                 Geometric Mean Result: 133.55 ms +- 4.49 ms
3091
3092                 Benchmark    First Iteration        Worst 2%               Steady State
3093                 Air          54.03 ms +- 7.51 ms    29.06 ms +- 3.13 ms    2276.59 ms +- 61.17 ms
3094                 Basic        30.18 ms +- 1.86 ms    18.85 ms +- 0.45 ms    2851.16 ms +- 41.87 ms
3095
3096             Patched:
3097                 Geometric Mean Result: 121.78 ms +- 3.96 ms
3098
3099                 Benchmark    First Iteration        Worst 2%               Steady State
3100                 Air          52.09 ms +- 6.89 ms    29.59 ms +- 3.16 ms    2239.90 ms +- 54.60 ms
3101                 Basic        29.28 ms +- 1.46 ms    16.26 ms +- 0.66 ms    2025.15 ms +- 38.56 ms
3102
3103         [1]: https://bugs.webkit.org/show_bug.cgi?id=159281
3104
3105         * CMakeLists.txt:
3106         * JavaScriptCore.xcodeproj/project.pbxproj:
3107         * builtins/GeneratorPrototype.js:
3108         (globalPrivate.generatorResume):
3109         * bytecode/BytecodeBasicBlock.cpp:
3110         (JSC::BytecodeBasicBlock::shrinkToFit):
3111         (JSC::BytecodeBasicBlock::computeImpl):
3112         (JSC::BytecodeBasicBlock::compute):
3113         (JSC::isBranch): Deleted.
3114         (JSC::isUnconditionalBranch): Deleted.
3115         (JSC::isTerminal): Deleted.
3116         (JSC::isThrow): Deleted.
3117         (JSC::linkBlocks): Deleted.
3118         (JSC::computeBytecodeBasicBlocks): Deleted.
3119         * bytecode/BytecodeBasicBlock.h:
3120         (JSC::BytecodeBasicBlock::isEntryBlock):
3121         (JSC::BytecodeBasicBlock::isExitBlock):
3122         (JSC::BytecodeBasicBlock::leaderOffset):
3123         (JSC::BytecodeBasicBlock::totalLength):
3124         (JSC::BytecodeBasicBlock::offsets):
3125         (JSC::BytecodeBasicBlock::successors):
3126         (JSC::BytecodeBasicBlock::index):
3127         (JSC::BytecodeBasicBlock::addSuccessor):
3128         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
3129         (JSC::BytecodeBasicBlock::addLength):
3130         (JSC::BytecodeBasicBlock::leaderBytecodeOffset): Deleted.
3131         (JSC::BytecodeBasicBlock::totalBytecodeLength): Deleted.
3132         (JSC::BytecodeBasicBlock::bytecodeOffsets): Deleted.
3133         (JSC::BytecodeBasicBlock::addBytecodeLength): Deleted.
3134         * bytecode/BytecodeGeneratorification.cpp: Added.
3135         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3136         (JSC::BytecodeGeneratorification::graph):
3137         (JSC::BytecodeGeneratorification::yields):
3138         (JSC::BytecodeGeneratorification::enterPoint):
3139         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3140         (JSC::GeneratorLivenessAnalysis::GeneratorLivenessAnalysis):
3141         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset):
3142         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset):
3143         (JSC::GeneratorLivenessAnalysis::run):
3144         (JSC::BytecodeGeneratorification::run):
3145         (JSC::performGeneratorification):
3146         * bytecode/BytecodeGeneratorification.h: Copied from Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysisInlines.h.
3147         * bytecode/BytecodeGraph.h: Added.
3148         (JSC::BytecodeGraph::codeBlock):
3149         (JSC::BytecodeGraph::instructions):
3150         (JSC::BytecodeGraph::basicBlocksInReverseOrder):
3151         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
3152         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
3153         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
3154         (JSC::BytecodeGraph::size):
3155         (JSC::BytecodeGraph::at):
3156         (JSC::BytecodeGraph::operator[]):
3157         (JSC::BytecodeGraph::begin):
3158         (JSC::BytecodeGraph::end):
3159         (JSC::BytecodeGraph::first):
3160         (JSC::BytecodeGraph::last):
3161         (JSC::BytecodeGraph<Block>::BytecodeGraph):
3162         * bytecode/BytecodeList.json:
3163         * bytecode/BytecodeLivenessAnalysis.cpp:
3164         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
3165         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset):
3166         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset):
3167         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3168         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3169         (JSC::BytecodeLivenessAnalysis::computeKills):
3170         (JSC::BytecodeLivenessAnalysis::dumpResults):
3171         (JSC::BytecodeLivenessAnalysis::compute):
3172         (JSC::isValidRegisterForLiveness): Deleted.
3173         (JSC::getLeaderOffsetForBasicBlock): Deleted.
3174         (JSC::findBasicBlockWithLeaderOffset): Deleted.
3175         (JSC::blockContainsBytecodeOffset): Deleted.
3176         (JSC::findBasicBlockForBytecodeOffset): Deleted.
3177         (JSC::stepOverInstruction): Deleted.
3178         (JSC::computeLocalLivenessForBytecodeOffset): Deleted.
3179         (JSC::computeLocalLivenessForBlock): Deleted.
3180         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Deleted.
3181         * bytecode/BytecodeLivenessAnalysis.h:
3182         * bytecode/BytecodeLivenessAnalysisInlines.h:
3183         (JSC::isValidRegisterForLiveness):
3184         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3185         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset):
3186         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock):
3187         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset):
3188         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
3189         * bytecode/BytecodeRewriter.cpp: Added.
3190         (JSC::BytecodeRewriter::applyModification):
3191         (JSC::BytecodeRewriter::execute):
3192         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3193         (JSC::BytecodeRewriter::insertImpl):
3194         (JSC::BytecodeRewriter::adjustJumpTarget):
3195         * bytecode/BytecodeRewriter.h: Added.
3196         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
3197         (JSC::BytecodeRewriter::InsertionPoint::operator<):
3198         (JSC::BytecodeRewriter::InsertionPoint::operator==):
3199         (JSC::BytecodeRewriter::Insertion::length):
3200         (JSC::BytecodeRewriter::Fragment::Fragment):
3201         (JSC::BytecodeRewriter::Fragment::appendInstruction):
3202         (JSC::BytecodeRewriter::BytecodeRewriter):
3203         (JSC::BytecodeRewriter::insertFragmentBefore):
3204         (JSC::BytecodeRewriter::insertFragmentAfter):
3205         (JSC::BytecodeRewriter::removeBytecode):
3206         (JSC::BytecodeRewriter::graph):
3207         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
3208         (JSC::BytecodeRewriter::adjustJumpTarget):
3209         (JSC::BytecodeRewriter::calculateDifference):
3210         * bytecode/BytecodeUseDef.h:
3211         (JSC::computeUsesForBytecodeOffset):
3212         (JSC::computeDefsForBytecodeOffset):
3213         * bytecode/CodeBlock.cpp:
3214         (JSC::CodeBlock::dumpBytecode):
3215         (JSC::CodeBlock::finishCreation):
3216         (JSC::CodeBlock::handlerForIndex):
3217         (JSC::CodeBlock::shrinkToFit):
3218         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3219         (JSC::CodeBlock::livenessAnalysisSlow):
3220         * bytecode/CodeBlock.h:
3221         (JSC::CodeBlock::isConstantRegisterIndex):
3222         (JSC::CodeBlock::livenessAnalysis):
3223         (JSC::CodeBlock::liveCalleeLocalsAtYield): Deleted.
3224         * bytecode/HandlerInfo.h:
3225         (JSC::HandlerInfoBase::handlerForIndex):
3226         * bytecode/Opcode.h:
3227         (JSC::isBranch):
3228         (JSC::isUnconditionalBranch):
3229         (JSC::isTerminal):
3230         (JSC::isThrow):
3231         * bytecode/PreciseJumpTargets.cpp:
3232         (JSC::getJumpTargetsForBytecodeOffset):
3233         (JSC::computePreciseJumpTargetsInternal):
3234         (JSC::computePreciseJumpTargets):
3235         (JSC::recomputePreciseJumpTargets):
3236         (JSC::findJumpTargetsForBytecodeOffset):
3237         * bytecode/PreciseJumpTargets.h:
3238         * bytecode/PreciseJumpTargetsInlines.h: Added.
3239         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3240         * bytecode/UnlinkedCodeBlock.cpp:
3241         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset):
3242         (JSC::UnlinkedCodeBlock::handlerForIndex):
3243         (JSC::UnlinkedCodeBlock::applyModification):
3244         * bytecode/UnlinkedCodeBlock.h:
3245         (JSC::UnlinkedStringJumpTable::offsetForValue):
3246         (JSC::UnlinkedCodeBlock::numCalleeLocals):
3247         * bytecode/VirtualRegister.h:
3248         * bytecompiler/BytecodeGenerator.cpp:
3249         (JSC::BytecodeGenerator::generate):
3250         (JSC::BytecodeGenerator::BytecodeGenerator):
3251         (JSC::BytecodeGenerator::emitComplexPopScopes):
3252         (JSC::prepareJumpTableForStringSwitch):
3253         (JSC::BytecodeGenerator::emitYieldPoint):
3254         (JSC::BytecodeGenerator::emitSave): Deleted.
3255         (JSC::BytecodeGenerator::emitResume): Deleted.
3256         (JSC::BytecodeGenerator::emitGeneratorStateLabel): Deleted.
3257         (JSC::BytecodeGenerator::beginGenerator): Deleted.
3258         (JSC::BytecodeGenerator::endGenerator): Deleted.
3259         * bytecompiler/BytecodeGenerator.h:
3260         (JSC::BytecodeGenerator::generatorStateRegister):
3261         (JSC::BytecodeGenerator::generatorValueRegister):
3262         (JSC::BytecodeGenerator::generatorResumeModeRegister):
3263         (JSC::BytecodeGenerator::generatorFrameRegister):
3264         * bytecompiler/NodesCodegen.cpp:
3265         (JSC::FunctionNode::emitBytecode):
3266         * dfg/DFGOperations.cpp:
3267         * interpreter/Interpreter.cpp:
3268         (JSC::findExceptionHandler):
3269         (JSC::GetCatchHandlerFunctor::operator()):
3270         (JSC::UnwindFunctor::operator()):
3271         * interpreter/Interpreter.h:
3272         * interpreter/InterpreterInlines.h: Copied from Source/JavaScriptCore/bytecode/PreciseJumpTargets.h.
3273         (JSC::Interpreter::getOpcodeID):
3274         * jit/JIT.cpp:
3275         (JSC::JIT::privateCompileMainPass):
3276         * jit/JIT.h:
3277         * jit/JITOpcodes.cpp:
3278         (JSC::JIT::emit_op_save): Deleted.
3279         (JSC::JIT::emit_op_resume): Deleted.
3280         * llint/LowLevelInterpreter.asm:
3281         * parser/Parser.cpp:
3282         (JSC::Parser<LexerType>::parseInner):
3283         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
3284         (JSC::Parser<LexerType>::createGeneratorParameters):
3285         * parser/Parser.h:
3286         * runtime/CommonSlowPaths.cpp:
3287         (JSC::SLOW_PATH_DECL): Deleted.
3288         * runtime/CommonSlowPaths.h:
3289         * runtime/GeneratorFrame.cpp: Removed.
3290         (JSC::GeneratorFrame::GeneratorFrame): Deleted.
3291         (JSC::GeneratorFrame::finishCreation): Deleted.
3292         (JSC::GeneratorFrame::createStructure): Deleted.
3293         (JSC::GeneratorFrame::create): Deleted.