35ffe4a0cd1ec8644e6e8d8d91d1b3b0bc050b95
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-09-20  Filip Pizlo  <fpizlo@apple.com>

        Make MarkedBlock state tracking support overlapped allocation and marking state
        https://bugs.webkit.org/show_bug.cgi?id=161581

        Reviewed by Geoffrey Garen.

        Concurrent GCs must allow for mutation and allocation during collection. We already know
        how to mutate during collection. We have a write barrier for that. Allocation during
        collection is more involved: the collector modifies the mark bits, as well as other
        kinds of MarkedBlock state, in-place during a collection. The allocator uses that same
        MarkedBlock state to decide which regions of memory are free. This works if the allocator
        never runs while the collector is running, but if we want to allow them to run at the same
        time, then we need to have two versions of the state: one version built up by the
        collector and another consumed by the allocator. We clear the collector state at the
        beginning of collection, and splat the collector state onto the allocator state after
        collection.

        This could be super expensive, but we can make it cheap with some cleverness. The biggest
        observation is just that most of the state is a handful of bits per block: is the block
        free-listed? is it completely full? completely empty? in the incremental sweeper's
        snapshot? is it retired? is it in eden? There is also state inside blocks, like the mark
        bits, but I have a solid plan there and I'll save it for another patch. Once we view the
        state of blocks as bits, we can put that state into bitvectors, so that if the collector
        needs to transform the state of some blocks, it can do it with a single operation over
        bitvectors. I like to think of this as 32-way parallelizing block operations, since
        doing one operation on a 32-bit word in one of those bitvectors instantly affects 32
        blocks.

        This change converts all previous collections of MarkedBlocks, along with the MarkedBlock
        state, into 8 bitvectors (live, empty, allocated, canAllocateButNotEmpty, eden, unswept,
        markingNotEmpty, and markingRetired). The bitvectors separate allocator state (empty,
        allocated, canAllocateButNotEmpty) from marking state (markingNotEmpty, markingRetired).

        As a nice side-effect of switching to bitvectors, we get size class rebalancing for free.
        It used to be that if a MarkedAllocator had an empty block, we would only allow that
        memory to be reused by a different MarkedAllocator if we did an incremental sweep or a
        full eager sweep. Now we hunt down all destructorless empty blocks before allocating new
        MarkedBlocks. It would be relatively easy to also hunt down destructor empty blocks, but
        the theory is that those might be expensive to sweep, so it might still be better to leave
        those to the incremental sweeper.

        This change is perf-neutral all around. I did some tests with two different kinds of
        allocation strategies - something that is somewhat easier to do now that you can look for
        blocks that are candidates for allocation by just scanning some bitvectors. I tried two
        variants:

        - Allocate out of non-empty blocks first, leaving empty blocks for last in case a
          different allocator needed them. This is sort of a best-fit strategy. I tried this
          first, and it can be expressed as:

          m_allocationCursor = m_canAllocateButNotEmpty.findBit(m_allocationCursor, true)

        - Allocate out of lower-indexed blocks first, treating empty and canAllocateButNotEmpty
          blocks equally. This is sort of a first-fit strategy. This is what I ended up settling
          on, and it can be expressed as:

          m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(m_allocationCursor, true)

        The best-fit strategy meant 1% regressions in LongSpider and Octane overall, and an 11%
        regression on Octane/earley. First-fit means perf-neutrality. Most great allocators skew
        towards first-fit because it's empirically better, so this result is not surprising.

        Overall, the performance of this patch on my machine is as follows, where "neutral" means
        less than 1% and not statistically significant.

        run-jsc-benchmarks:
            SunSpider: neutral
            LongSpider: 0.6% slower
            V8Spider: neutral
            Octane: neutral
            Kraken: neutral
            Microbenchmarks: 0.37% slower
            AsmBench: neutral
            CompressionBench: maybe 1% faster

        For browser benchmarks, I report the ratio of means (bigger / smaller) along with a T-test
        from Mathematica reported as % chance of not [sic] the null hypothesis. Note that we
        normally consider anything less than 95% confidence to be inconclusive.

        Browser benchmarks:
            PLT3: 0.3% faster with 67% confidence
            membuster:
                Snap2FinishedLoadingPost: 0.68% more memory with 50% confidence
                Snap3EndPost: 2.4% more memory with 61% confidence
            JetStream: 0.2% slower with 32% confidence
            Speedometer: 0.7% faster with 82% confidence

        Additionally, Octane/splay's heap capacity goes down to ~180KB from ~200KB, so about a 10%
        progression. This is due to the allocator rebalancing feature.

        Finally, this breaks --useImmortalObjects. It was already broken as far as I can tell. I
        filed a bug to reimplement it (bug 162296). Unless someone urgently needs this internal
        tool, it's probably best to reimplement it after I'm done refactoring MarkedSpace.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        * heap/CellContainer.h:
        * heap/CellContainerInlines.h:
        (JSC::CellContainer::vm):
        (JSC::CellContainer::heap):
        (JSC::CellContainer::isMarkedOrNewlyAllocated):
        (JSC::CellContainer::aboutToMark):
        (JSC::CellContainer::isMarked): Deleted.
        (JSC::CellContainer::flipIfNecessary): Deleted.
        * heap/ConservativeRoots.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::beginMarking):
        (JSC::Heap::endMarking):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collectImpl):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::prepareForAllocation):
        (JSC::Heap::zombifyDeadObjects):
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor): Deleted.
        (JSC::MarkedBlockSnapshotFunctor::operator()): Deleted.
        (JSC::Heap::resetAllocators): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::isMarked):
        (JSC::Heap::isMarkedConcurrently):
        (JSC::Heap::testAndSetMarked):
        * heap/HeapStatistics.cpp:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        (JSC::HeapUtil::isPointerGCObjectJSCell):
        * heap/HeapVerifier.cpp:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::startSweeping):
        (JSC::IncrementalSweeper::willFinishSweeping):
        * heap/IncrementalSweeper.h:
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedConcurrently):
        (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
        (JSC::LargeAllocation::aboutToMark):
        (JSC::LargeAllocation::isMarkedDuringWeakVisiting): Deleted.
        (JSC::LargeAllocation::flipIfNecessary): Deleted.
        (JSC::LargeAllocation::flipIfNecessaryDuringMarking): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::findEmptyBlock):
        (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
        (JSC::MarkedAllocator::allocateIn):
        (JSC::MarkedAllocator::tryAllocateIn):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::MarkedAllocator::tryAllocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::stopAllocating):
        (JSC::MarkedAllocator::prepareForAllocation):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        (JSC::MarkedAllocator::resumeAllocating):
        (JSC::MarkedAllocator::beginMarkingForFullCollection):
        (JSC::MarkedAllocator::endMarking):
        (JSC::MarkedAllocator::snapshotForEdenCollection):
        (JSC::MarkedAllocator::snapshotForFullCollection):
        (JSC::MarkedAllocator::findBlockToSweep):
        (JSC::MarkedAllocator::sweep):
        (JSC::MarkedAllocator::shrink):
        (JSC::MarkedAllocator::assertSnapshotEmpty):
        (JSC::MarkedAllocator::dump):
        (JSC::MarkedAllocator::dumpBits):
        (JSC::MarkedAllocator::retire): Deleted.
        (JSC::MarkedAllocator::filterNextBlock): Deleted.
        (JSC::MarkedAllocator::setNextBlockToSweep): Deleted.
        (JSC::MarkedAllocator::reset): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::forEachBitVector):
        (JSC::MarkedAllocator::forEachBitVectorWithName):
        (JSC::MarkedAllocator::nextAllocator):
        (JSC::MarkedAllocator::setNextAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        (JSC::MarkedAllocator::resumeAllocating): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::Handle::specializedSweep):
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
        (JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode):
        (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated):
        (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode):
        (JSC::MarkedBlock::Handle::sweepHelperSelectFlipMode):
        (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
        (JSC::MarkedBlock::Handle::setIsFreeListed):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
        (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
        (JSC::MarkedBlock::Handle::didConsumeFreeList):
        (JSC::MarkedBlock::markCount):
        (JSC::MarkedBlock::Handle::isEmpty):
        (JSC::MarkedBlock::noteMarkedSlow):
        (JSC::MarkedBlock::Handle::removeFromAllocator):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::isLiveCell):
        (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode): Deleted.
        (JSC::MarkedBlock::flipIfNecessary): Deleted.
        (JSC::MarkedBlock::Handle::flipIfNecessary): Deleted.
        (JSC::MarkedBlock::flipIfNecessarySlow): Deleted.
        (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow): Deleted.
        (JSC::MarkedBlock::Handle::willRemoveBlock): Deleted.
        (WTF::printInternal): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::isFreeListed):
        (JSC::MarkedBlock::Handle::index):
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::isMarkedConcurrently):
        (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
        (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
        (JSC::MarkedBlock::Handle::isOnBlocksToSweep): Deleted.
        (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep): Deleted.
        (JSC::MarkedBlock::Handle::state): Deleted.
        (JSC::MarkedBlock::flipIfNecessary): Deleted.
        (JSC::MarkedBlock::flipIfNecessaryDuringMarking): Deleted.
        (JSC::MarkedBlock::Handle::flipIfNecessary): Deleted.
        (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking): Deleted.
        (JSC::MarkedBlock::Handle::flipForEdenCollection): Deleted.
        (JSC::MarkedBlock::isMarkedDuringWeakVisiting): Deleted.
        (JSC::MarkedBlock::Handle::isLive): Deleted.
        (JSC::MarkedBlock::Handle::isLiveCell): Deleted.
        (JSC::MarkedBlock::Handle::forEachLiveCell): Deleted.
        (JSC::MarkedBlock::Handle::forEachDeadCell): Deleted.
        (JSC::MarkedBlock::Handle::needsSweeping): Deleted.
        (JSC::MarkedBlock::Handle::isAllocated): Deleted.
        (JSC::MarkedBlock::Handle::isMarked): Deleted.
        * heap/MarkedBlockInlines.h: Added.
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::isLiveCell):
        (JSC::MarkedBlock::Handle::forEachLiveCell):
        (JSC::MarkedBlock::Handle::forEachDeadCell):
        (JSC::MarkedBlock::resetVersion):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::tryAllocate):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::prepareForAllocation):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::beginMarking):
        (JSC::MarkedSpace::endMarking):
        (JSC::MarkedSpace::didAllocateInBlock):
        (JSC::MarkedSpace::findEmptyBlock):
        (JSC::MarkedSpace::snapshot):
        (JSC::MarkedSpace::assertSnapshotEmpty):
        (JSC::MarkedSpace::dumpBits):
        (JSC::MarkedSpace::zombifySweep): Deleted.
        (JSC::MarkedSpace::resetAllocators): Deleted.
        (JSC::VerifyMarked::operator()): Deleted.
        (JSC::MarkedSpace::flip): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::nextVersion):
        (JSC::MarkedSpace::firstAllocator):
        (JSC::MarkedSpace::allocatorForEmptyAllocation):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::blocksWithNewObjects): Deleted.
        (JSC::MarkedSpace::setIsMarking): Deleted.
        (JSC::MarkedSpace::forEachLiveCell): Deleted.
        (JSC::MarkedSpace::forEachDeadCell): Deleted.
        * heap/MarkedSpaceInlines.h: Added.
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::markAuxiliary):
        (JSC::SlotVisitor::visitChildren):
        * heap/Weak.h:
        (WTF::HashTraits<JSC::Weak<T>>::emptyValue):
        (WTF::HashTraits<JSC::Weak<T>>::peek):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        (JSC::WeakBlock::reap):
        * heap/WeakInlines.h:
        (WTF::HashTraits<JSC::Weak<T>>::emptyValue): Deleted.
        (WTF::HashTraits<JSC::Weak<T>>::peek): Deleted.
        * jit/JITThunks.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/PrototypeMap.h:
        * runtime/SamplingProfiler.cpp:
        * runtime/WeakGCMap.h:
        * tools/JSDollarVMPrototype.cpp:

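The two cursor expressions in Filip Pizlo's entry above, worked through as an added example that is not WebKit code: a toy bit vector with a word-at-a-time findBit, and an allocator model that drains the same constructed 40-block state under each strategy. BlockBits, AllocatorModel, Strategy, takeBlock and allocationOrder are assumed names, not JavaScriptCore's; the best-fit fallback that rewinds to index 0 once partially full blocks run out is my reading of "leaving empty blocks for last", not something the entry states. The sample state spans two 32-bit words so the scan crosses a word boundary, which the entry does not illustrate.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <optional>
#include <vector>

// Toy bit vector over 32-bit words. Hypothetical stand-in for WTF::BitVector,
// limited to what the allocator cursor needs: set, union, findBit.
class BlockBits {
public:
    explicit BlockBits(size_t numBlocks) : m_words((numBlocks + 31) / 32, 0), m_size(numBlocks) { }

    size_t size() const { return m_size; }

    void set(size_t index, bool value)
    {
        uint32_t mask = uint32_t(1) << (index % 32);
        if (value)
            m_words[index / 32] |= mask;
        else
            m_words[index / 32] &= ~mask;
    }

    // Union one word at a time: each word operation covers 32 blocks.
    BlockBits operator|(const BlockBits& other) const
    {
        BlockBits result(m_size);
        for (size_t w = 0; w < m_words.size(); ++w)
            result.m_words[w] = m_words[w] | other.m_words[w];
        return result;
    }

    // Index of the first bit at or after `start` equal to `value`, or size() if none.
    // Words that cannot match are skipped without looking at individual bits.
    size_t findBit(size_t start, bool value) const
    {
        for (size_t w = start / 32; w < m_words.size(); ++w) {
            uint32_t word = value ? m_words[w] : ~m_words[w];
            if (w == start / 32)
                word &= ~uint32_t(0) << (start % 32); // drop bits below `start`
            if (!word)
                continue;
            size_t index = w * 32 + lowestSetBit(word);
            return index < m_size ? index : m_size; // padding bits past size() never count
        }
        return m_size;
    }

private:
    static unsigned lowestSetBit(uint32_t word) // word must be non-zero
    {
        unsigned n = 0;
        for (; !(word & 1u); word >>= 1)
            ++n;
        return n;
    }

    std::vector<uint32_t> m_words;
    size_t m_size;
};

enum class Strategy { BestFit, FirstFit };

// Model of one allocator's candidate sets and cursor (hypothetical names).
struct AllocatorModel {
    BlockBits empty;                  // block holds no live cells
    BlockBits canAllocateButNotEmpty; // block has both free cells and live cells
    size_t allocationCursor = 0;

    explicit AllocatorModel(size_t numBlocks) : empty(numBlocks), canAllocateButNotEmpty(numBlocks) { }

    // Picks the next block to free-list, or nullopt when a fresh block would be needed.
    // Taking a block removes it from both candidate sets, as free-listing it would.
    std::optional<size_t> takeBlock(Strategy strategy)
    {
        size_t index;
        if (strategy == Strategy::FirstFit) {
            // Lowest index first, empty and partially full blocks treated alike.
            index = (canAllocateButNotEmpty | empty).findBit(allocationCursor, true);
        } else {
            // Partially full blocks first; empty ones are kept for last so another
            // allocator could still claim them. The fallback rewinds to index 0 (assumption).
            index = canAllocateButNotEmpty.findBit(allocationCursor, true);
            if (index == empty.size())
                index = empty.findBit(0, true);
        }
        if (index == empty.size())
            return std::nullopt;
        allocationCursor = index;
        empty.set(index, false);
        canAllocateButNotEmpty.set(index, false);
        return index;
    }
};

// Drains one strategy over a constructed 40-block state and returns the order
// in which blocks are consumed.
std::vector<size_t> allocationOrder(Strategy strategy)
{
    AllocatorModel allocator(40);
    for (size_t i : { 0u, 5u, 37u })
        allocator.empty.set(i, true);
    for (size_t i : { 2u, 6u, 33u })
        allocator.canAllocateButNotEmpty.set(i, true);

    std::vector<size_t> order;
    while (std::optional<size_t> block = allocator.takeBlock(strategy))
        order.push_back(*block);
    return order;
}
```

With that state, first-fit consumes blocks 0, 2, 5, 6, 33, 37 in index order after one OR and one forward scan; the best-fit variant as modelled consumes 2, 6, 33 first and only then 0, 5, 37, and needs a second scan to get there.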
2016-09-20  Jonathan Bedard  <jbedard@apple.com>

        Undefined behavior: Left shift negative number
        https://bugs.webkit.org/show_bug.cgi?id=161866

        Reviewed by Keith Miller.

        Left shifting a negative number is undefined behavior in C/C++, although most
        implementations do define it. This explicitly clarifies the intended behavior when
        shifting a negative number in some cases.

        * dfg/DFGAbstractHeap.h:
        (JSC::DFG::AbstractHeap::encode): Explicitly cast signed integer for left shift.

2016-09-20  Saam Barati  <sbarati@apple.com>

        Unreviewed fix for 32-bit DFG x86 implementation of HasOwnProperty.

        Fixup phase is always setting ObjectUse on child1() of HasOwnProperty.
        However, on x86 32-bit, I omitted a call to speculateObject() on child1().

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-09-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add `typeof value === "symbol"` handling to bytecode compiler
        https://bugs.webkit.org/show_bug.cgi?id=162253

        Reviewed by Sam Weinig.

        Add `typeof value === "symbol"` handling to the bytecode compiler.
        The effect is tiny, but it keeps consistency since the bytecode compiler
        already has a similar optimization for the "string" case.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromJSType):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):

2016-09-19  Saam Barati  <sbarati@apple.com>

        Make HasOwnProperty faster
        https://bugs.webkit.org/show_bug.cgi?id=161708

        Reviewed by Geoffrey Garen.

        This patch adds a cache for HasOwnProperty. The cache holds tuples
        of {StructureID, UniquedStringImpl*, boolean} where the boolean indicates
        the result of performing hasOwnProperty on an object with StructureID and
        UniquedStringImpl*. If the cache contains an item, we can be guaranteed
        that it contains the same result as performing hasOwnProperty on an
        object O with a given structure and key. To guarantee this, we only add
        items into the cache when the Structure of the given item is cacheable.

        The caching strategy is simple: when adding new items into the cache,
        we will evict any item that was in the location that the new item
        is hashed into. We also clear the cache on every GC. This strategy
        proves to be successful on speedometer, which sees a cache hit rate
        over 90%. This caching strategy is now inlined into the DFG/FTL JITs
        by now recognizing hasOwnProperty as an intrinsic with the corresponding
        HasOwnProperty node. The goal of the node is to emit inlined code for
        the cache lookup to prevent the overhead of the call for the common
        case where we get a cache hit.

        I'm seeing around a 1% to 1.5% improvement on Speedometer on
        my machine. Hopefully the perf bots agree with my machine.

        This patch also speeds up the microbenchmark I added by 2.5x.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
        * heap/Heap.cpp:
        (JSC::Heap::collectImpl):
        * jit/JITOperations.h:
        * runtime/HasOwnPropertyCache.h: Added.
        (JSC::HasOwnPropertyCache::Entry::offsetOfStructureID):
        (JSC::HasOwnPropertyCache::Entry::offsetOfImpl):
        (JSC::HasOwnPropertyCache::Entry::offsetOfResult):
        (JSC::HasOwnPropertyCache::operator delete):
        (JSC::HasOwnPropertyCache::create):
        (JSC::HasOwnPropertyCache::hash):
        (JSC::HasOwnPropertyCache::get):
        (JSC::HasOwnPropertyCache::tryAdd):
        (JSC::HasOwnPropertyCache::clear):
        (JSC::VM::ensureHasOwnPropertyCache):
        * runtime/Intrinsic.h:
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::hasOwnProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncHasOwnProperty):
        * runtime/Symbol.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        (JSC::VM::hasOwnPropertyCache):

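The cache described in Saam Barati's entry above, modelled as an added example that is not WebKit code and does not show the real runtime/HasOwnPropertyCache.h: a direct-mapped table of {StructureID, string pointer, result} with overwrite-on-collision, insertion only for cacheable structures, and a clear that stands in for the one the GC performs. UniquedString, Structure, Stats, runScenario, the 64-entry capacity and the hash mix are all assumptions. The GC-time clear is the part a reviewer would look at: the table holds a raw structure id and a raw string address, and if either could be handed to a new owner after its old owner dies, a stale entry would answer for an object the cache never saw; clearing at every collection is what rules that out.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

using StructureID = uint32_t;

// Stand-in for UniquedStringImpl: uniqued strings are identified by address,
// so the cache keys on the pointer, not on the characters.
struct UniquedString { std::string characters; };

// Direct-mapped cache of {StructureID, UniquedStringImpl*, result}. Hypothetical layout.
struct HasOwnPropertyCache {
    struct Entry {
        StructureID structureID = 0;
        const UniquedString* impl = nullptr; // nullptr marks an unused slot
        bool result = false;
    };
    static constexpr size_t capacity = 64; // power of two, so `& (capacity - 1)` is the modulus

    static size_t hash(StructureID structureID, const UniquedString* impl)
    {
        uintptr_t address = reinterpret_cast<uintptr_t>(impl) >> 4; // drop alignment zeros
        return (static_cast<size_t>(structureID) * 0x9E3779B1u ^ address) & (capacity - 1);
    }

    std::optional<bool> get(StructureID structureID, const UniquedString* impl) const
    {
        const Entry& entry = entries[hash(structureID, impl)];
        if (entry.impl == impl && entry.structureID == structureID)
            return entry.result;
        return std::nullopt;
    }

    // No probing: whatever occupied the slot is evicted. Only cacheable structures
    // are inserted, which is what makes a hit equivalent to the real lookup.
    void tryAdd(StructureID structureID, const UniquedString* impl, bool result, bool structureIsCacheable)
    {
        if (!structureIsCacheable)
            return;
        entries[hash(structureID, impl)] = Entry { structureID, impl, result };
    }

    void clear() { entries.fill(Entry {}); } // stands in for the clear on every GC

    std::array<Entry, capacity> entries {};
};

// Minimal object shape: an id, its own property keys, and the cacheability flag.
struct Structure {
    StructureID id;
    std::vector<const UniquedString*> ownProperties;
    bool cacheable;
};

struct Stats { size_t hits = 0; size_t misses = 0; };

// The fast path the intrinsic would inline: cache probe first, structure walk on a miss.
bool hasOwnProperty(HasOwnPropertyCache& cache, Stats& stats, const Structure& structure, const UniquedString* key)
{
    if (std::optional<bool> cached = cache.get(structure.id, key)) {
        ++stats.hits;
        return *cached;
    }
    ++stats.misses;
    bool found = std::find(structure.ownProperties.begin(), structure.ownProperties.end(), key)
        != structure.ownProperties.end();
    cache.tryAdd(structure.id, key, found, structure.cacheable);
    return found;
}

// Constructed scenario: repeated lookups, a negative result, then a GC-style clear.
Stats runScenario(bool structureIsCacheable)
{
    static const UniquedString x { "x" }, y { "y" };
    Structure structure { 7, { &x }, structureIsCacheable };
    HasOwnPropertyCache cache;
    Stats stats;
    for (int i = 0; i < 10; ++i)
        hasOwnProperty(cache, stats, structure, &x); // 1 miss, then 9 hits when cacheable
    hasOwnProperty(cache, stats, structure, &y);     // miss; the negative result is cached too
    hasOwnProperty(cache, stats, structure, &y);     // hit
    cache.clear();                                   // what a GC would do
    hasOwnProperty(cache, stats, structure, &x);     // miss again after the clear
    return stats;
}
```

For a cacheable structure the scenario yields 10 hits and 3 misses; for a non-cacheable one every lookup misses, since tryAdd refuses to insert. Whether (7, &x) and (7, &y) collide in the 64-slot table does not change those counts, because all lookups of x precede the first lookup of y.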
2016-09-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make the rounding-related nodes support any type
        https://bugs.webkit.org/show_bug.cgi?id=161895

        Reviewed by Geoffrey Garen.

        This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
        to support polymorphic input without exiting on entry.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        The 4 functions ignore any input past the first argument. It is okay
        to use the nodes with the first argument and let the Phantoms keep
        the remaining arguments live.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
        prevents us from picking a good type if we do not see any double.

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        Prediction propagation of those nodes is fully determined
        from their flags and result's prediction. They are moved
        to the invariant processing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):

2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for Win64
        https://bugs.webkit.org/show_bug.cgi?id=162132

        On Windows 64-bit, the t3 register in LLInt is not r[a-d]x.
        This means that it cannot be used for byte operations.

        * llint/LowLevelInterpreter64.asm:

2016-09-19  Daniel Bates  <dabates@apple.com>

        Remove ENABLE(TEXT_AUTOSIZING) automatic text size adjustment code
        https://bugs.webkit.org/show_bug.cgi?id=162167

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2016-09-19  Keith Miller  <keith_miller@apple.com>

        Update WASM towards 0xc
        https://bugs.webkit.org/show_bug.cgi?id=162067

        Reviewed by Geoffrey Garen.

        This patch updates some of the core parts of the WASM frontend to the 0xc standard.
        First, it changes the section names from strings to bytecodes. It also adds support
        for inline block signatures. This is a change from the old version that used to have
        each branch indicate the arity. Finally, this patch updates all the tests and deletes
        a duplicate test.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (runWASMTests):
        * wasm/WASMB3IRGenerator.cpp:
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::FunctionParser<Context>::FunctionParser):
        (JSC::WASM::FunctionParser<Context>::parseBlock):
        (JSC::WASM::FunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASM::ModuleParser::parse):
        * wasm/WASMSections.cpp: Removed.
        (JSC::WASM::Sections::lookup): Deleted.
        * wasm/WASMSections.h:
        (JSC::WASM::Sections::validateOrder):

2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use is_cell_with_type for @isRegExpObject, @isMap, and @isSet
        https://bugs.webkit.org/show_bug.cgi?id=162142

        Reviewed by Michael Saboff.

        Use is_cell_with_type for @isRegExpObject, @isMap and @isSet.
        Previously, they were implemented as functions and only @isRegExpObject was handled in
        the DFG and FTL. The recently added op_is_cell_with_type bytecode and DFG IsCellWithType
        node allow us to simplify the above checks in all JIT tiers.
        Changed these checks to bytecode intrinsics using op_is_cell_with_type.

        * builtins/BuiltinNames.h:
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromJSType):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitIsRegExpObject):
        (JSC::BytecodeGenerator::emitIsMap):
        (JSC::BytecodeGenerator::emitIsSet):
        (JSC::BytecodeGenerator::emitIsProxyObject): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsRegExpObject): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/MapPrototype.cpp:
        (JSC::privateFuncIsMap): Deleted.
        * runtime/MapPrototype.h:
        * runtime/SetPrototype.cpp:
        (JSC::privateFuncIsSet): Deleted.
        * runtime/SetPrototype.h:

2016-09-19  Brian Burg  <bburg@apple.com>

        Web Replay: teach the replay inputs generator to encode and decode OptionSet<T>
        https://bugs.webkit.org/show_bug.cgi?id=162107

        Reviewed by Anders Carlsson.

        Add a new type flag OPTION_SET. This means that the type is a typechecked enum class
        declaration, but it's stored in an OptionSet object and can contain multiple
        distinct enumeration values like an untyped enum declaration.

        Do some cleanup since the generator now supports three different enumerable types:
        'enum', 'enum class', and 'OptionSet<T>' where T is an enum class.

        Also clean up some sloppy variable names. Using an 'enum_' prefix is really confusing now.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.is_enum_declaration):
        (Type.is_enum_class_declaration):
        (Type.is_option_set):
        (Type):
        (Type.is_enumerable):
        When we want all enumerable types, this property includes all three variants.

        (Type.declaration_kind): Forward-declare OptionSet's type parameter as an enum class.
        (VectorType.is_enum_declaration): Renamed from is_enum().
        (VectorType.is_enum_class_declaration): Renamed from is_enum_class().
        (VectorType.is_option_set): Added.
        (InputsModel.enumerable_types): Added.
        (InputsModel.parse_type_with_framework):
        (Generator.generate_header):
        (Generator.generate_implementation):
        (Generator.generate_includes):
        (Generator.generate_type_forward_declarations):
        (Generator.generate_enumerable_type_trait_declaration):
        (Generator.generate_enum_trait_declaration): Renamed.
        (Generator.generate_enum_trait_implementation): Renamed.

        * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
        Add new templates for OptionSet types. Clean up parameter names and simplify the
        enumerable type declaration template, which is the same for all enumerable type variants.

        * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
        (JSC::EncodingTraits<Test::PlatformEvent::OtherType>::encodeValue):
        (JSC::EncodingTraits<Test::PlatformEvent::OtherType>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        Rebaseline test results.

        * replay/scripts/tests/generate-enum-encoding-helpers.json:
        Add a new type for OptionSet<PlatformEvent::Modifier> to capture generated encode/decode methods.

606 2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
607
608         [JSC][LLInt] Introduce is_cell_with_type
609         https://bugs.webkit.org/show_bug.cgi?id=162132
610
611         Reviewed by Sam Weinig.
612
613         In this patch, we introduce the is_cell_with_type bytecode. This bytecode can unify the following predicates:
614         op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
615         And we now drop the DFG node IsString since we can use IsCellWithType instead.
616         This automatically offers an optimization over the previous IsString node: dropping the cell check by using the CellUse edge filter.
617
618         Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].
619
620         The performance results are neutral.
621
622         [1]: https://bugs.webkit.org/show_bug.cgi?id=162142
623
624         * bytecode/BytecodeList.json:
625         * bytecode/BytecodeUseDef.h:
626         (JSC::computeUsesForBytecodeOffset):
627         (JSC::computeDefsForBytecodeOffset):
628         * bytecode/CodeBlock.cpp:
629         (JSC::CodeBlock::dumpBytecode):
630         * bytecode/SpeculatedType.cpp:
631         (JSC::speculationFromJSType):
632         * bytecode/SpeculatedType.h:
633         * bytecompiler/BytecodeGenerator.cpp:
634         (JSC::BytecodeGenerator::emitEqualityOp):
635         (JSC::BytecodeGenerator::emitIsCellWithType):
636         * bytecompiler/BytecodeGenerator.h:
637         (JSC::BytecodeGenerator::emitIsJSArray):
638         (JSC::BytecodeGenerator::emitIsProxyObject):
639         (JSC::BytecodeGenerator::emitIsDerivedArray):
640         * dfg/DFGAbstractInterpreterInlines.h:
641         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
642         * dfg/DFGByteCodeParser.cpp:
643         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
644         (JSC::DFG::ByteCodeParser::parseBlock):
645         * dfg/DFGCapabilities.cpp:
646         (JSC::DFG::capabilityLevel):
647         * dfg/DFGClobberize.h:
648         (JSC::DFG::clobberize):
649         * dfg/DFGDoesGC.cpp:
650         (JSC::DFG::doesGC):
651         * dfg/DFGFixupPhase.cpp:
652         (JSC::DFG::FixupPhase::fixupNode):
653         (JSC::DFG::FixupPhase::fixupIsCellWithType):
654         * dfg/DFGNode.h:
655         (JSC::DFG::Node::speculatedTypeForQuery):
656         * dfg/DFGNodeType.h:
657         * dfg/DFGPredictionPropagationPhase.cpp:
658         * dfg/DFGSafeToExecute.h:
659         (JSC::DFG::safeToExecute):
660         * dfg/DFGSpeculativeJIT32_64.cpp:
661         (JSC::DFG::SpeculativeJIT::compile):
662         * dfg/DFGSpeculativeJIT64.cpp:
663         (JSC::DFG::SpeculativeJIT::compile):
664         * ftl/FTLCapabilities.cpp:
665         (JSC::FTL::canCompile):
666         * ftl/FTLLowerDFGToB3.cpp:
667         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
668         (JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.
669         * jit/JIT.cpp:
670         (JSC::JIT::privateCompileMainPass):
671         * jit/JIT.h:
672         * jit/JITOpcodes.cpp:
673         (JSC::JIT::emit_op_is_cell_with_type):
674         (JSC::JIT::emitIsCellWithType): Deleted.
675         (JSC::JIT::emit_op_is_string): Deleted.
676         (JSC::JIT::emit_op_is_jsarray): Deleted.
677         (JSC::JIT::emit_op_is_proxy_object): Deleted.
678         (JSC::JIT::emit_op_is_derived_array): Deleted.
679         * jit/JITOpcodes32_64.cpp:
680         (JSC::JIT::emit_op_is_cell_with_type):
681         (JSC::JIT::emitIsCellWithType): Deleted.
682         (JSC::JIT::emit_op_is_string): Deleted.
683         (JSC::JIT::emit_op_is_jsarray): Deleted.
684         (JSC::JIT::emit_op_is_proxy_object): Deleted.
685         (JSC::JIT::emit_op_is_derived_array): Deleted.
686         * llint/LLIntData.cpp:
687         (JSC::LLInt::Data::performAssertions):
688         * llint/LowLevelInterpreter32_64.asm:
689         * llint/LowLevelInterpreter64.asm:
690
691 2016-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         [JSC] Assert length of LLInt opcodes using isCellWithType is 3
694         https://bugs.webkit.org/show_bug.cgi?id=162134
695
696         Reviewed by Saam Barati.
697
698         * llint/LLIntData.cpp:
699         (JSC::LLInt::Data::performAssertions):
700
701 2016-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         [JSC] Do not need to use defineProperty to define methods for object literals
704         https://bugs.webkit.org/show_bug.cgi?id=162111
705
706         Reviewed by Saam Barati.
707
708         When we receive the following code,
709
710             var object = { method() { } };
711
712         currently, we use defineProperty to define "method" function for "object".
713         This patch replaces it with the ordinary put_by_id_direct / put_by_val_direct
714         because the following 2 conditions are met.
715
716         1. While methods in classes have special attributes ({configurable: true, writable: true, enumerable: false}),
717            the attributes of methods in object literals are just the same as those of other normal properties ({configurable: true, writable: true, enumerable: true}).
718            This means that we can use the usual put_by_id_direct / put_by_val_direct to define method properties for object literals.
719
720         2. Furthermore, all the own properties that can reside in objects created by object literals have {configurable: true}.
721            So there is no need to check for conflicts with defineProperty. Always overwriting is OK.
722
723                 let name = 'method';
724                 var object = { get [name]() { }, method() { } };
725                 // Latter method wins.
726
727             On the other hand, in class syntax, a conflict check is necessary since the "prototype" own property is defined as {configurable: false}.
728
729                 class Hello { static prototype() { } }  // Should throw an error by defineProperty's check.
730
731             This means that the conflict check done in defineProperty is not necessary for object literals' properties.
732
733         * bytecompiler/NodesCodegen.cpp:
734         (JSC::PropertyListNode::emitPutConstantProperty):
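
The property attributes that the entry above relies on can be observed directly from script. The following is an added example written for this page, not code from the WebKit change: it reads back the descriptor of a method defined in an object literal versus one defined in a class body, shows the "latter wins" replacement of an accessor by a duplicate-keyed method, and shows the one class-syntax case that must fail, a static method whose key is "prototype". The helper names (describeMethod, latterWins, staticPrototypeThrows) are this example's own; the computed key form static ['prototype'] is used so that the conflict is caught at definition time rather than rejected by the parser as an early error.

```javascript
// Added example (not WebKit code): observable property attributes of methods
// defined in object literals versus class bodies.

// Summarize an own property's descriptor as a small plain object.
function describeMethod(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  return {
    kind: ('get' in d || 'set' in d) ? 'accessor' : 'data',
    writable: d.writable === true,
    enumerable: d.enumerable,
    configurable: d.configurable,
  };
}

// Object literal: a method is an ordinary enumerable data property.
function objectLiteralMethod() {
  const obj = { method() {} };
  return describeMethod(obj, 'method');
}

// Class body: a method is a non-enumerable data property on the prototype.
function classMethod() {
  class C { method() {} }
  return describeMethod(C.prototype, 'method');
}

// Duplicate keys in a literal: every own property is configurable, so the
// later definition silently replaces the earlier accessor, no check needed.
function latterWins() {
  const name = 'method';
  const obj = { get [name]() { return 'getter'; }, method() { return 'method'; } };
  return { kind: describeMethod(obj, name).kind, result: obj.method() };
}

// Class syntax: the constructor's own "prototype" property is non-writable
// and non-configurable, so defining a static method with that key must
// throw. Returns the name of the error class that was thrown.
function staticPrototypeThrows() {
  try {
    class Hello { static ['prototype']() {} }
    return null; // not reached
  } catch (e) {
    return e.constructor.name;
  }
}
```

Because object-literal properties are always configurable, a put-direct is behaviourally identical to defineProperty there; the class case is where the definition-time check still matters.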
735
736 2016-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
737
738         [DFG] Introduce IsCellWithType node and unify IsJSArray, IsRegExpObject and newly added IsProxyObject
739         https://bugs.webkit.org/show_bug.cgi?id=162000
740
741         Reviewed by Filip Pizlo.
742
743         The sampling profiler tells us that ES6SampleBench/Basic frequently calls Array.isArray(). This function was introduced in
744         ES5 and it is widely used to distinguish Arrays from other objects. Moreover, this function is used in Array.prototype.xxx
745         methods as @isArray. So it's worth optimizing.
746
747         The difference between Array.isArray and @isJSArray is that Array.isArray needs to consider ProxyObject while
748         the @isJSArray builtin intrinsic does not. So in this patch, we leverage the existing @isJSArray to implement Array.isArray.
749         Array.isArray is written in builtin JS code using @isJSArray and the newly added @isProxyObject(). That allows us to inline
750         the Array.isArray() code, and the inlined code uses existing DFG nodes well.
751
752         Another problem is RuntimeArray and ArrayPrototype. They inherit JSArray and their JSType is ObjectType. But Array.isArray needs
753         to return true for those types. While optimizing type checking in a generic way by type display is nice, RuntimeArray and
754         ArrayPrototype are a bit tricky and it is super rare that these functions are passed to Array.isArray(). So instead of introducing
755         type display in this patch, we just introduce a new JSType, DerivedArrayType, and use it in the above 2 classes. Since
756         Array.isArray is specially handled in the spec (while we don't have any Date.isDate() like functions, only Array.isArray
757         is specified in the spec because we frequently want to distinguish Arrays from other Objects), optimizing Array.isArray specially
758         by introducing the special DerivedArrayType is reasonable.
759
760         At the LLInt level, we add new opcodes, op_is_proxy_object and op_is_derived_array. These work similarly to op_is_jsarray.
761         And we also perform LLInt code cleanup by introducing a macro isCellWithType.
762
763         In the baseline JIT, we perform some cleanup for op_is_proxy_object etc. Now duplicate code is reduced.
764
765         In the DFG, we unify IsJSArray, IsRegExpObject, IsProxyObject, and IsDerivedArray into one IsCellWithType node. And we clean up
766         some AI code related to IsJSArray and IsRegExpObject since SpeculatedType now recognizes ProxyObject. IsJSArray and IsRegExpObject
767         do not do anything special for proxy objects.
768
769         The above change simplifies creating new IsXXX DFG handling and paves the way for optimizing @isMap & @isSet in the DFG.
770         Furthermore, introducing @isProxyObject() is a nice first step toward optimizing ProxyObject handling.
771
772         Here is the microbenchmark result. We can see a stable performance improvement (even if we use Proxies!).
773
774                                                     baseline                  patched
775
776             is-array-for-array                   2.5156+-0.0288     ^      2.0668+-0.0285        ^ definitely 1.2171x faster
777             is-array-for-mixed-case              4.7787+-0.0755     ^      4.4722+-0.0789        ^ definitely 1.0686x faster
778             is-array-for-non-array-object        2.3596+-0.0368     ^      1.8178+-0.0262        ^ definitely 1.2980x faster
779             is-array-for-proxy                   4.0469+-0.0437     ^      3.3845+-0.0404        ^ definitely 1.1957x faster
780
781         And ES6SampleBench/Basic reports a 5.2% perf improvement. And now the sampling result in ES6SampleBench/Basic does not show Array.isArray.
782
783             Benchmark             First Iteration        Worst 2%               Steady State
784             baseline:Basic        28.59 ms +- 1.03 ms    15.08 ms +- 0.28 ms    1656.96 ms +- 18.02 ms
785             patched:Basic         27.82 ms +- 0.44 ms    14.59 ms +- 0.16 ms    1574.65 ms +- 8.44 ms
786
787         * builtins/ArrayConstructor.js:
788         (isArray):
789         (from): Deleted.
790         * builtins/BuiltinNames.h:
791         * bytecode/BytecodeIntrinsicRegistry.h:
792         * bytecode/BytecodeList.json:
793         * bytecode/BytecodeUseDef.h:
794         (JSC::computeUsesForBytecodeOffset):
795         (JSC::computeDefsForBytecodeOffset):
796         * bytecode/CodeBlock.cpp:
797         (JSC::CodeBlock::dumpBytecode):
798         * bytecode/SpeculatedType.cpp:
799         (JSC::dumpSpeculation):
800         (JSC::speculationFromClassInfo):
801         (JSC::speculationFromStructure):
802         * bytecode/SpeculatedType.h:
803         (JSC::isProxyObjectSpeculation):
804         (JSC::isDerivedArraySpeculation):
805         * bytecompiler/BytecodeGenerator.h:
806         (JSC::BytecodeGenerator::emitIsProxyObject):
807         (JSC::BytecodeGenerator::emitIsDerivedArray):
808         (JSC::BytecodeGenerator::emitIsJSArray): Deleted.
809         * bytecompiler/NodesCodegen.cpp:
810         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
811         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
812         * dfg/DFGAbstractInterpreterInlines.h:
813         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
814         * dfg/DFGByteCodeParser.cpp:
815         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
816         (JSC::DFG::ByteCodeParser::parseBlock):
817         * dfg/DFGCapabilities.cpp:
818         (JSC::DFG::capabilityLevel):
819         * dfg/DFGClobberize.h:
820         (JSC::DFG::clobberize):
821         * dfg/DFGDoesGC.cpp:
822         (JSC::DFG::doesGC):
823         * dfg/DFGFixupPhase.cpp:
824         (JSC::DFG::FixupPhase::fixupNode):
825         (JSC::DFG::FixupPhase::fixupIsCellWithType):
826         * dfg/DFGGraph.cpp:
827         (JSC::DFG::Graph::dump):
828         * dfg/DFGNode.h:
829         (JSC::DFG::Node::hasQueriedType):
830         (JSC::DFG::Node::queriedType):
831         (JSC::DFG::Node::hasSpeculatedTypeForQuery):
832         (JSC::DFG::Node::speculatedTypeForQuery):
833         (JSC::DFG::Node::shouldSpeculateProxyObject):
834         (JSC::DFG::Node::shouldSpeculateDerivedArray):
835         (JSC::DFG::Node::loadVarargsData): Deleted.
836         (JSC::DFG::Node::shouldSpeculateArray): Deleted.
837         * dfg/DFGNodeType.h:
838         * dfg/DFGPredictionPropagationPhase.cpp:
839         * dfg/DFGSafeToExecute.h:
840         (JSC::DFG::SafeToExecuteEdge::operator()):
841         (JSC::DFG::safeToExecute):
842         * dfg/DFGSpeculativeJIT.cpp:
843         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
844         (JSC::DFG::SpeculativeJIT::speculateProxyObject):
845         (JSC::DFG::SpeculativeJIT::speculateDerivedArray):
846         (JSC::DFG::SpeculativeJIT::speculate):
847         (JSC::DFG::SpeculativeJIT::compileIsJSArray): Deleted.
848         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject): Deleted.
849         * dfg/DFGSpeculativeJIT.h:
850         * dfg/DFGSpeculativeJIT32_64.cpp:
851         (JSC::DFG::SpeculativeJIT::compile):
852         * dfg/DFGSpeculativeJIT64.cpp:
853         (JSC::DFG::SpeculativeJIT::compile):
854         * dfg/DFGUseKind.cpp:
855         (WTF::printInternal):
856         * dfg/DFGUseKind.h:
857         (JSC::DFG::typeFilterFor):
858         (JSC::DFG::isCell):
859         * ftl/FTLCapabilities.cpp:
860         (JSC::FTL::canCompile):
861         * ftl/FTLLowerDFGToB3.cpp:
862         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
863         (JSC::FTL::DFG::LowerDFGToB3::compileIsCellWithType):
864         (JSC::FTL::DFG::LowerDFGToB3::speculate):
865         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
866         (JSC::FTL::DFG::LowerDFGToB3::speculateProxyObject):
867         (JSC::FTL::DFG::LowerDFGToB3::speculateDerivedArray):
868         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray): Deleted.
869         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject): Deleted.
870         (JSC::FTL::DFG::LowerDFGToB3::isArray): Deleted.
871         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject): Deleted.
872         * jit/JIT.cpp:
873         (JSC::JIT::privateCompileMainPass):
874         * jit/JIT.h:
875         * jit/JITOpcodes.cpp:
876         (JSC::JIT::emitIsCellWithType):
877         (JSC::JIT::emit_op_is_string):
878         (JSC::JIT::emit_op_is_jsarray):
879         (JSC::JIT::emit_op_is_proxy_object):
880         (JSC::JIT::emit_op_is_derived_array):
881         * jit/JITOpcodes32_64.cpp:
882         (JSC::JIT::emitIsCellWithType):
883         (JSC::JIT::emit_op_is_string):
884         (JSC::JIT::emit_op_is_jsarray):
885         (JSC::JIT::emit_op_is_proxy_object):
886         (JSC::JIT::emit_op_is_derived_array):
887         * jsc.cpp:
888         (WTF::RuntimeArray::createStructure):
889         * llint/LLIntData.cpp:
890         (JSC::LLInt::Data::performAssertions):
891         * llint/LowLevelInterpreter.asm:
892         * llint/LowLevelInterpreter32_64.asm:
893         * llint/LowLevelInterpreter64.asm:
894         * runtime/ArrayConstructor.cpp:
895         (JSC::ArrayConstructor::finishCreation):
896         (JSC::isArraySlowInline):
897         (JSC::isArraySlow):
898         (JSC::arrayConstructorPrivateFuncIsArraySlow):
899         (JSC::arrayConstructorIsArray): Deleted.
900         * runtime/ArrayConstructor.h:
901         (JSC::isArray):
902         * runtime/ArrayPrototype.h:
903         (JSC::ArrayPrototype::createStructure):
904         * runtime/JSArray.h:
905         (JSC::JSArray::finishCreation):
906         * runtime/JSGlobalObject.cpp:
907         (JSC::JSGlobalObject::init):
908         * runtime/JSType.h:
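
The entry above is an engine-side optimization of Array.isArray, but the behaviour it must preserve is visible from script and is easy to get wrong with an ad-hoc instanceof check. The following is an added example written for this page, not code from the WebKit change: it runs a set of constructed values (a plain array, an Array subclass, Proxy wrappers around an array and a non-array, objects that merely inherit from Array.prototype, an array with a null prototype, and a revoked proxy) through both Array.isArray and instanceof Array and records what each reports. The helper names (classify, buildCases, isArrayReport) are this example's own. The revoked-proxy case is the failure mode a caller must handle: the spec's IsArray operation throws a TypeError rather than answering, and so does instanceof.

```javascript
// Added example (not WebKit code): how Array.isArray classifies values that an
// `instanceof Array` check gets wrong. Every input below is constructed inline.

// Run one value through both checks, capturing a throw instead of crashing.
function classify(value) {
  try {
    return {
      isArray: Array.isArray(value),
      instanceofArray: value instanceof Array,
    };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Constructed inputs; each exercises a distinct rule of the spec's IsArray.
function buildCases() {
  class Derived extends Array {}            // still an Array exotic object
  const revocable = Proxy.revocable([], {});
  revocable.revoke();                       // [[ProxyHandler]] becomes null
  const nullProto = [];
  Object.setPrototypeOf(nullProto, null);   // prototype chain no longer reaches Array.prototype

  return {
    plainArray: [],
    arrayLike: { length: 0 },
    derivedArray: new Derived(),
    proxyOfArray: new Proxy([], {}),        // IsArray looks through to the target
    proxyOfObject: new Proxy({}, {}),
    inheritsArrayPrototype: Object.create(Array.prototype),
    arrayWithNullPrototype: nullProto,
    revokedProxyOfArray: revocable.proxy,   // IsArray must throw here
  };
}

// Classify every case. Returns { caseName: { isArray, instanceofArray } | { error } }.
function isArrayReport() {
  const cases = buildCases();
  const report = {};
  for (const name of Object.keys(cases)) {
    report[name] = classify(cases[name]);
  }
  return report;
}
```

Two rows are the ones worth remembering: an object that only inherits from Array.prototype passes instanceof but not Array.isArray, and a genuine array with its prototype replaced passes Array.isArray but not instanceof. Code that gates on "is this an array" for safety should use Array.isArray and be prepared for it to throw on a revoked proxy.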
909
910 2016-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
911
912         [DFG] Introduce ArrayUse
913         https://bugs.webkit.org/show_bug.cgi?id=162063
914
915         Reviewed by Keith Miller.
916
917         ArrayUse is particularly useful for IsJSArray.
918         We can drop IsJSArray in fixup phase by setting ArrayUse edge filter.
919
920         Since @isJSArray's users are limited (Array.prototype.concat), the effect of this patch is small.
921         But later, I'll update {@isArray, Array.isArray} to use @isJSArray[1]. In that patch, we are planning
922         to implement more aggressive optimizations, like setting the CellUse edge filter to avoid the cell check in
923         SpeculativeJIT::compileIsJSArray.
924
925         In the benchmark using Array.prototype.concat, we can see perf improvement since we can drop IsJSArray in fixup phase.
926
927                                                      baseline                  patched
928
929             lazy-array-species-watchpoints       25.0911+-0.0516     ^     24.7687+-0.0767        ^ definitely 1.0130x faster
930
931         [1]: https://bugs.webkit.org/show_bug.cgi?id=162000
932
933         * dfg/DFGFixupPhase.cpp:
934         (JSC::DFG::FixupPhase::fixupNode):
935         * dfg/DFGSafeToExecute.h:
936         (JSC::DFG::SafeToExecuteEdge::operator()):
937         * dfg/DFGSpeculativeJIT.cpp:
938         (JSC::DFG::SpeculativeJIT::speculateArray):
939         (JSC::DFG::SpeculativeJIT::speculate):
940         * dfg/DFGSpeculativeJIT.h:
941         * dfg/DFGUseKind.cpp:
942         (WTF::printInternal):
943         * dfg/DFGUseKind.h:
944         (JSC::DFG::typeFilterFor):
945         (JSC::DFG::isCell):
946         * ftl/FTLCapabilities.cpp:
947         (JSC::FTL::canCompile):
948         * ftl/FTLLowerDFGToB3.cpp:
949         (JSC::FTL::DFG::LowerDFGToB3::speculate):
950         (JSC::FTL::DFG::LowerDFGToB3::speculateArray):
951         (JSC::FTL::DFG::LowerDFGToB3::speculateObject): Deleted.
952
953 2016-09-16  Joseph Pecoraro  <pecoraro@apple.com>
954
955         test262: Various Constructors length properties should be configurable
956         https://bugs.webkit.org/show_bug.cgi?id=161998
957
958         Reviewed by Saam Barati.
959
960         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
961         Unless otherwise specified, the length property of a built-in Function
962         object has the attributes:
963         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
964
965         * runtime/ErrorConstructor.cpp:
966         (JSC::ErrorConstructor::finishCreation):
967         * runtime/JSPromiseConstructor.cpp:
968         (JSC::JSPromiseConstructor::finishCreation):
969         * runtime/MapConstructor.cpp:
970         (JSC::MapConstructor::finishCreation):
971         * runtime/NativeErrorConstructor.cpp:
972         (JSC::NativeErrorConstructor::finishCreation):
973         * runtime/ProxyConstructor.cpp:
974         (JSC::ProxyConstructor::finishCreation):
975         * runtime/SetConstructor.cpp:
976         (JSC::SetConstructor::finishCreation):
977         * runtime/WeakMapConstructor.cpp:
978         (JSC::WeakMapConstructor::finishCreation):
979         * runtime/WeakSetConstructor.cpp:
980         (JSC::WeakSetConstructor::finishCreation):
981
982 2016-09-16  Youenn Fablet  <youenn@apple.com>
983
984         Custom promise-returning functions should not throw if the callee does not have the expected type
985         https://bugs.webkit.org/show_bug.cgi?id=162011
986
987         Reviewed by Sam Weinig.
988
989         * JavaScriptCore.xcodeproj/project.pbxproj: Making JSPromiseConstructor.h private
990
991 2016-09-15  Filip Pizlo  <fpizlo@apple.com>
992
993         REGRESSION (r205462): Lot of leaks
994         https://bugs.webkit.org/show_bug.cgi?id=161946
995
996         Reviewed by Saam Barati.
997         
998         We were forgetting to delete LargeAllocations on VM exit!
999
1000         * heap/MarkedSpace.cpp:
1001         (JSC::MarkedSpace::~MarkedSpace):
1002
1003 2016-09-15  Keith Miller  <keith_miller@apple.com>
1004
1006         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
1007         https://bugs.webkit.org/show_bug.cgi?id=161985
1008
1009         Reviewed by Alex Christensen.
1010
1011         I started a true fix for this in
1012         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
1013         for this issue is not sustainable. Since the scope of this issue
1014         is just limited to the static const ClassInfo member it is
1015         simpler to just pragma out this warning. This works because
1016         COMDAT will, AFAIK, pick the actual specialization.  If, in the
1017         future, we want to expose these classes to WebCore we will need to
1018         do what we do for JSGenericTypedArrayViews and create a custom
1019         info() function with a switch.
1020
1021         This patch also fixes a bunch of weak external symbols due to one of:
1022         1) out-of-line template member function definitions not being marked inline.
1023         2) inline member function definitions being marked as exported.
1024         3) missing header file includes for forward function declarations.
1025
1026         * API/JSCallbackObject.h:
1027         * b3/B3ValueInlines.h:
1028         (JSC::B3::Value::as):
1029         * runtime/HashMapImpl.cpp:
1030         (JSC::getHashMapBucketKeyClassInfo):
1031         (JSC::getHashMapBucketKeyValueClassInfo):
1032         (JSC::getHashMapImplKeyClassInfo):
1033         (JSC::getHashMapImplKeyValueClassInfo):
1034         * runtime/HashMapImpl.h:
1035         (JSC::HashMapBucket::info):
1036         (JSC::HashMapImpl::info):
1037         * runtime/JSCJSValue.h:
1038         (JSC::toUInt32): Deleted.
1039         * runtime/JSGenericTypedArrayView.h:
1040         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1041         * runtime/JSGenericTypedArrayViewConstructor.h:
1042         * runtime/JSGenericTypedArrayViewPrototype.h:
1043         * runtime/MathCommon.h:
1044         (JSC::toUInt32):
1045         * runtime/TypedArrayAdaptors.h:
1046         * runtime/VM.h:
1047         (JSC::VM::watchdog):
1048         (JSC::VM::heapProfiler):
1049         (JSC::VM::samplingProfiler):
1050
1051 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
1052
1053         There is no good reason for WeakBlock to care about newly allocated objects
1054         https://bugs.webkit.org/show_bug.cgi?id=162006
1055
1056         Reviewed by Geoffrey Garen.
1057
1058         WeakBlock scans itself in two modes:
1059
1060         visit: if a Weak in the block belongs to an unmarked object, ask the Weak to consider whether
1061             it should do things.
1062         
1063         reap: if a Weak in a block belongs to an unmarked object, delete the Weak.
1064
1065         Except that "unmarked" has a peculiar meaning: WeakBlock defines it as
1066         !markedOrNewlyAllocated. So, a newly allocated object will never be consulted about anything. 
1067         That sounds scary until you realize that newlyAllocated must have been cleared before we even
1068         got here.
1069
1070         So, we were paying the price of checking newlyAllocated for no reason. This switches the code
1071         to using isMarked(). I don't know why the code previously checked newlyAllocated, but I do
1072         trust my reasoning.
1073
1074         * heap/LargeAllocation.h:
1075         (JSC::LargeAllocation::isMarkedDuringWeakVisiting):
1076         (JSC::LargeAllocation::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
1077         * heap/MarkedBlock.h:
1078         (JSC::MarkedBlock::isMarkedDuringWeakVisiting):
1079         (JSC::MarkedBlock::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
1080         * heap/WeakBlock.cpp:
1081         (JSC::WeakBlock::specializedVisit):
1082         (JSC::WeakBlock::reap):
1083
1084 2016-09-15  Commit Queue  <commit-queue@webkit.org>
1085
1086         Unreviewed, rolling out r205931.
1087         https://bugs.webkit.org/show_bug.cgi?id=162021
1088
1089         Tests for this change fail on 32-bit JSC bots (Requested by
1090         ryanhaddad on #webkit).
1091
1092         Reverted changeset:
1093
1094         "[JSC] Make the rounding-related nodes support any type"
1095         https://bugs.webkit.org/show_bug.cgi?id=161895
1096         http://trac.webkit.org/changeset/205931
1097
1098 2016-09-15  Joseph Pecoraro  <pecoraro@apple.com>
1099
1100         test262: Should be a SyntaxError for duplicate parameter names in function with default parameters
1101         https://bugs.webkit.org/show_bug.cgi?id=162013
1102
1103         Reviewed by Saam Barati.
1104
1105         https://tc39.github.io/ecma262/#sec-function-definitions-static-semantics-early-errors
1106         It is a Syntax Error if IsSimpleParameterList of FormalParameterList is
1107         false and BoundNames of FormalParameterList contains any duplicate elements.
1108
1109         Non-simple parameter lists include rest parameters, destructuring,
1110         and default parameters.
1111
1112         * parser/Parser.cpp:
1113         (JSC::Parser<LexerType>::parseFormalParameters):
1114         Previously, we were not failing if there were default parameters
1115         early in the parameter list that were not yet identified as duplicates
1116         and simple parameters later were duplicates. Now, we fail if there
1117         are default parameters anywhere in the parameter list with a duplicate.
1118
1119 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1120
1121         ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply
1122         https://bugs.webkit.org/show_bug.cgi?id=162003
1123
1124         Reviewed by Saam Barati.
1125
1126         * bytecompiler/NodesCodegen.cpp:
1127         (JSC::ArrayNode::isSimpleArray):
1128         Don't treat an Array that has a spread expression inside it as simple.
1129         This avoids a fast path for f.apply(x, simpleArray) that was not handling
1130         spread expressions within arrays, and instead taking a path that can
1131         handle the spreading.
1132
1133 2016-09-14  Commit Queue  <commit-queue@webkit.org>
1134
1135         Unreviewed, rolling out r205933 and r205936.
1136         https://bugs.webkit.org/show_bug.cgi?id=162002
1137
1138         broke the build (Requested by keith_miller on #webkit).
1139
1140         Reverted changesets:
1141
1142         "Pragma out undefined-var-template warnings in JSC for
1143         JSObjects that are templatized"
1144         https://bugs.webkit.org/show_bug.cgi?id=161985
1145         http://trac.webkit.org/changeset/205933
1146
1147         "Unreviewed, fix the Windows build."
1148         http://trac.webkit.org/changeset/205936
1149
1150 2016-09-14  Chris Dumez  <cdumez@apple.com>
1151
1152         REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
1153         https://bugs.webkit.org/show_bug.cgi?id=161982
1154
1155         Reviewed by Saam Barati.
1156
1157         Update JSProxy::setPrototype() to return false unconditionally instead
1158         of forwarding the call to its target. We used to forward to the target
1159         and then the JSDOMWindow's [[SetPrototypeOf]] would return false.
1160         However, the JSC tests use a different GlobalObject and forwarding
1161         the setPrototypeOf() call to the GlobalObject led to hitting an
1162         assertion. This patch aligns the behavior of the GlobalObject used by
1163         the JSC tests with JSDOMWindow.
1164
1165         * runtime/JSProxy.cpp:
1166         (JSC::JSProxy::setPrototype):
1167
1168 2016-09-14  Michael Saboff  <msaboff@apple.com>
1169
1170         YARR doesn't check for invalid flags for literal regular expressions
1171         https://bugs.webkit.org/show_bug.cgi?id=161995
1172
1173         Reviewed by Mark Lam.
1174
1175         Added a new error and a check that the flags are valid when we create a
1176         literal regular expression.
1177
1178         * runtime/RegExp.cpp:
1179         (JSC::RegExp::finishCreation):
1180         * yarr/YarrPattern.cpp:
1181         (JSC::Yarr::YarrPattern::errorMessage):
1182         (JSC::Yarr::YarrPattern::compile):
1183         * yarr/YarrPattern.h:
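
Both parser entries above, the SyntaxError for duplicate parameter names in a non-simple parameter list and the check that a regular-expression literal's flags are valid, are early errors: the engine must reject the source before any of it runs. The following is an added example written for this page, not code from either WebKit change, that probes the parser for exactly these rules by compiling constructed source strings with new Function and recording whether each one is accepted. The helper names (parseResult, duplicateParameterReport, regExpFlagReport) are this example's own; new Function compiles its body as sloppy-mode code unless the body opts in with "use strict", which is what makes the first two duplicate-parameter rows differ.

```javascript
// Added example (not WebKit code): probing which parameter lists and
// regular-expression literals the parser rejects as early errors.
// Each source string below is constructed for this example.

// Compile (without running) a function body; report 'ok' or the error class.
function parseResult(source) {
  try {
    new Function(source);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

// Duplicate parameter names are allowed only for a simple parameter list in
// sloppy code. A rest, destructuring or default parameter anywhere in the
// list makes it non-simple, and the duplicate becomes an early SyntaxError.
function duplicateParameterReport() {
  return {
    simpleSloppy:  parseResult('function f(a, a) {}'),
    simpleStrict:  parseResult('"use strict"; function f(a, a) {}'),
    defaultFirst:  parseResult('function f(a = 1, a) {}'),
    defaultLater:  parseResult('function f(a, a, b = 1) {}'),
    restParameter: parseResult('function f(a, ...a) {}'),
    destructuring: parseResult('function f([a], a) {}'),
    arrowDefault:  parseResult('(a = 1, a) => {}'),
  };
}

// Regular-expression literal flags are validated at parse time, so an
// unknown, repeated or wrong-case flag is a SyntaxError before any code runs.
function regExpFlagReport() {
  return {
    validFlags:   parseResult('/a/gi'),
    repeatedFlag: parseResult('/a/gg'),
    unknownFlag:  parseResult('/a/x'),
    upperCase:    parseResult('/a/G'),
  };
}
```

The defaultLater row is the case the duplicate-parameter fix describes: the default parameter sits after the duplicated simple parameters, and the list must still be rejected as a whole.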
1184
1185 2016-09-14  Keith Miller  <keith_miller@apple.com>
1186
1187         Unreviewed, fix the Windows build.
1188
1189         * runtime/HashMapImpl.cpp:
1190
1191 2016-09-14  Keith Miller  <keith_miller@apple.com>
1192
1193         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
1194         https://bugs.webkit.org/show_bug.cgi?id=161985
1195
1196         Reviewed by Geoffrey Garen.
1197
1198         I started a true fix for this in
1199         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
1200         for this issue is not sustainable. Since the scope of this issue
1201         is just limited to the static const ClassInfo member it is
1202         simpler to just pragma out this warning. This works because
1203         COMDAT will, AFAIK, pick the actual specialization.  If, in the
1204         future, we want to expose these classes to WebCore we will need to
1205         do what we do for JSGenericTypedArrayViews and create a custom
1206         info() function with a switch.
1207
1208         This patch also fixes a bunch of weak external symbols due to one of:
1209         1) out-of-line template member function definitions not being marked inline.
1210         2) inline member function definitions being marked as exported.
1211         3) missing header file includes for forward function declarations.
1212
1213         * API/JSCallbackObject.h:
1214         * b3/B3ValueInlines.h:
1215         (JSC::B3::Value::as):
1216         * runtime/HashMapImpl.h:
1217         * runtime/JSCJSValue.h:
1218         (JSC::toUInt32): Deleted.
1219         * runtime/JSGenericTypedArrayView.h:
1220         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1221         * runtime/JSGenericTypedArrayViewConstructor.h:
1222         * runtime/JSGenericTypedArrayViewPrototype.h:
1223         * runtime/MathCommon.h:
1224         (JSC::toUInt32):
1225         * runtime/TypedArrayAdaptors.h:
1226         * runtime/VM.h:
1227         (JSC::VM::watchdog):
1228         (JSC::VM::heapProfiler):
1229         (JSC::VM::samplingProfiler):
1230
1231 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1232
1233         test262: TypedArray constructors length should be 3 and configurable
1234         https://bugs.webkit.org/show_bug.cgi?id=161955
1235
1236         Reviewed by Mark Lam.
1237
1238         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
1239         Unless otherwise specified, the length property of a built-in Function
1240         object has the attributes:
1241         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
1242
1243         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1244         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1245
1246 2016-09-14  Benjamin Poulain  <bpoulain@apple.com>
1247
1248         [JSC] Make the rounding-related nodes support any type
1249         https://bugs.webkit.org/show_bug.cgi?id=161895
1250
1251         Reviewed by Geoffrey Garen.
1252
1253         This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
1254         to support polymorphic input without exiting on entry.
1255
1256         * dfg/DFGAbstractInterpreterInlines.h:
1257         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1258         * dfg/DFGByteCodeParser.cpp:
1259         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1260         The 4 functions ignore any input past the first argument. It is okay
1261         to use the nodes with the first argument and let the Phantoms keep
1262         the remaining arguments live.
1263
1264         * dfg/DFGClobberize.h:
1265         (JSC::DFG::clobberize):
1266         * dfg/DFGFixupPhase.cpp:
1267         (JSC::DFG::FixupPhase::fixupNode):
1268         Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
1269         prevents us from picking a good type if we do not see any double.
1270
1271         * dfg/DFGNodeType.h:
1272         * dfg/DFGOperations.cpp:
1273         * dfg/DFGOperations.h:
1274         * dfg/DFGPredictionPropagationPhase.cpp:
1275         Prediction propagation of those nodes is fully determined
1276         from their flags and result's prediction. They are moved
1277         to the invariant processing.
1278
1279         * dfg/DFGSpeculativeJIT.cpp:
1280         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1281         * ftl/FTLLowerDFGToB3.cpp:
1282         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1283         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
1284         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
1285         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
1286
1287 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
1288
1289         Remove Heap::setMarked()
1290
1291         Rubber stamped by Keith Miller.
1292         
1293         Nobody uses this function.
1294
1295         * heap/Heap.h:
1296         * heap/HeapInlines.h:
1297         (JSC::Heap::setMarked): Deleted.
1298         * heap/LargeAllocation.h:
1299         (JSC::LargeAllocation::testAndSetMarked):
1300         (JSC::LargeAllocation::setMarked): Deleted.
1301         * heap/MarkedBlock.h:
1302
1303 2016-09-14  Mark Lam  <mark.lam@apple.com>
1304
1305         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
1306         https://bugs.webkit.org/show_bug.cgi?id=161975
1307
1308         Reviewed by Keith Miller.
1309
1310         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
1311         incremental work towards enabling checks all the time.
1312
1313         * runtime/Options.h:
1314         * runtime/VM.cpp:
1315         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1316         * runtime/VM.h:
1317
1318 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1319
1320         TaggedTemplateString function calls should emit tail position calls
1321         https://bugs.webkit.org/show_bug.cgi?id=161948
1322
1323         Reviewed by Yusuke Suzuki.
1324
1325         * bytecompiler/NodesCodegen.cpp:
1326         (JSC::TaggedTemplateNode::emitBytecode):
1327         The tagged template string function call can be a tail call:
1328         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
1329
1330 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1331
1332         test262: Array.prototype.slice should always set length
1333         https://bugs.webkit.org/show_bug.cgi?id=161953
1334
1335         Reviewed by Mark Lam.
1336
1337         * runtime/ArrayPrototype.cpp:
1338         (JSC::arrayProtoFuncSplice):
1339
1340 2016-09-13  Michael Saboff  <msaboff@apple.com>
1341
1342         Promises aren't resolved properly when making an ObjC API callback
1343         https://bugs.webkit.org/show_bug.cgi?id=161929
1344
1345         Reviewed by Geoffrey Garen.
1346
1347         When we go to call out to an Objective C function registered via the API,
1348         we first drop all JSC locks to make the call.  As part of dropping the locks,
1349         we drain the microtask queue that is used among other things for handling deferred
1350         promise resolution.  The DropAllLocks scope class that drops the locks while in
1351         scope, resets the current thread's AtomicStringTable to the default table.  This
1352         is wrong for two reasons, first it happens before we drain the microtask queue and
1353         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
1354         AtomicStringTable to the table before the lock was acquired.
1355
1356         In fact, the manipulation of the current thread's AtomicStringTable is already 
1357         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
1358         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
1359         and destructor should be removed.
1360
1361         * API/tests/testapi.mm:
1362         (testObjectiveCAPIMain): Added a new test.
1363         * runtime/JSLock.cpp:
1364         (JSC::JSLock::DropAllLocks::DropAllLocks):
1365         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1366
1367 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
1368
1369         Remove Heap::isLive()
1370         https://bugs.webkit.org/show_bug.cgi?id=161933
1371
1372         Reviewed by Mark Lam.
1373         
1374         Before I put any more effort into maintaining this weird function, I decided to check how it
1375         was used. It turns out it's not.
1376
1377         * heap/Heap.h:
1378         * heap/HeapInlines.h:
1379         (JSC::Heap::isLive): Deleted.
1380
1381 2016-09-13  Mark Lam  <mark.lam@apple.com>
1382
1383         DFG NewArrayBuffer node should watch for "have a bad time" state change.
1384         https://bugs.webkit.org/show_bug.cgi?id=161927
1385         <rdar://problem/27995222>
1386
1387         Reviewed by Geoffrey Garen.
1388
1389         * dfg/DFGFixupPhase.cpp:
1390         (JSC::DFG::FixupPhase::fixupNode):
1391
1392 2016-09-13  JF Bastien  <jfbastien@apple.com>
1393
1394         Support jsc shell builtin `read`
1395         https://bugs.webkit.org/show_bug.cgi?id=161662
1396
1397         Reviewed by Keith Miller.
1398
1399         The jsc shell currently supports a `readFile` method which returns
1400         a string. SpiderMonkey's js shell and V8's d8 shell both support
1401         similar file-to-string functions, as well as a
1402         binary-file-to-Uint8Array function. jsc should support a similar
1403         binary file method to simplify testing, including testing of
1404         WebAssembly blobs.
1405
1406         Emscripten's shell.js (which is also used for some WebAssembly
1407         things) has a polyfill [1] for a builtin called `read`. jsc should
1408         therefore have a builtin with the same name if we want things to
1409         "Just Work".
1410
1411           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
1412
1413         * jsc.cpp:
1414         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
1415         (functionReadFile): support binary files, as per SpiderMonkey.
1416         * runtime/Error.h:
1417         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
1418         * runtime/JSTypedArrays.cpp:
1419         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
1420         * runtime/JSTypedArrays.h: expose private export.
1421
1422 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
1423
1424         ES6: Classes: Should be allowed to create a static method with name "arguments"
1425         https://bugs.webkit.org/show_bug.cgi?id=152985
1426
1427         Reviewed by Keith Miller.
1428
1429         This patch covers 16.2 Forbidden Extensions, first topic
1430         (https://tc39.github.io/ecma262/#sec-forbidden-extensions): ECMAScript functions
1431         should not have own properties named "caller" or "arguments".
1432         Also added the possibility to declare static methods and getters with
1433         the names 'arguments' and 'caller' for classes, i.e.:
1434         class A { static arguments() { return 'value'; } }
1435         A.arguments() === 'value';
1436         To implement this patch, 'caller' and 'arguments' were put on the FunctionPrototype
1437         object. The approach to initializing the throwTypeErrorArgumentsCalleeAndCallerGetterSetter
1438         property was also changed from Lazy to common because it is necessary to use execState
1439         during init of the accessor properties.
1440
1441         * runtime/Executable.h:
1442         * runtime/FunctionPrototype.cpp:
1443         (JSC::FunctionPrototype::initRestrictedProperties):
1444         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
1445         * runtime/FunctionPrototype.h:
1446         * runtime/JSFunction.cpp:
1447         (JSC::JSFunction::getOwnPropertySlot):
1448         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1449         (JSC::JSFunction::put):
1450         (JSC::JSFunction::deleteProperty):
1451         (JSC::JSFunction::defineOwnProperty):
1452         * runtime/JSGlobalObject.cpp:
1453         (JSC::JSGlobalObject::init):
1454         (JSC::JSGlobalObject::visitChildren):
1455         * runtime/JSGlobalObject.h:
1456         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
1457
1458 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
1459
1460         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
1461         https://bugs.webkit.org/show_bug.cgi?id=161869
1462
1463         Reviewed by Saam Barati.
1464         
1465         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
1466         empty" hook, which will set a bit in the markingNotEmpty bitvector.
1467         
1468         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
1469         If anyone else does it but they aren't marking new objects, then this prevents
1470         flipIfNecessary() from triggering when the first object is marked, which means we won't
1471         always detect when a block became non-empty.
1472         
1473         I addressed this by adding an isMarking flag, and asserting in flipIfNecessary() that the flag
1474         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
1475         knows that it can trigger something like noteMarked(). The only places that were using
1476         flipIfNecessary() should have been using needsFlip() anyway.
1477
1478         * heap/CellContainer.h:
1479         * heap/CellContainerInlines.h:
1480         (JSC::CellContainer::needsFlip):
1481         * heap/Heap.cpp:
1482         (JSC::Heap::markRoots):
1483         (JSC::Heap::beginMarking):
1484         (JSC::Heap::endMarking):
1485         (JSC::Heap::clearLivenessData): Deleted.
1486         (JSC::Heap::converge): Deleted.
1487         (JSC::Heap::resetVisitors): Deleted.
1488         * heap/Heap.h:
1489         * heap/HeapInlines.h:
1490         (JSC::Heap::testAndSetMarked):
1491         * heap/LargeAllocation.h:
1492         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
1493         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
1494         * heap/MarkedBlock.cpp:
1495         (JSC::MarkedBlock::flipIfNecessarySlow):
1496         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
1497         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
1498         * heap/MarkedBlock.h:
1499         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
1500         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
1501         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
1502         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
1503         * heap/MarkedSpace.h:
1504         (JSC::MarkedSpace::isMarking):
1505         (JSC::MarkedSpace::setIsMarking):
1506         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
1507         * heap/SlotVisitor.cpp:
1508         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1509         * heap/WeakBlock.cpp:
1510         (JSC::WeakBlock::visit):
1511
1512 2016-09-12  Saam Barati  <sbarati@apple.com>
1513
1514         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
1515         https://bugs.webkit.org/show_bug.cgi?id=161640
1516
1517         Reviewed by Geoffrey Garen.
1518
1519         HashMapImpl now takes into account m_deleteCount in its load factor.
1520         It now knows how to rehash to either decrease its capacity, stay at
1521         the same capacity, or increase its capacity. The reason we can sometimes
1522         stay at the same capacity is that we can reduce the load factor enough
1523         by rehashing that growing isn't warranted. The reason for this is that
1524         anytime we rehash, we remove all deleted sentinels from the buffer.
1525         Therefore, staying at the same capacity, when there are deleted entries,
1526         can still reduce the load factor because it removes all deleted sentinels.
1527
1528         * runtime/HashMapImpl.h:
1529         (JSC::HashMapBuffer::create):
1530         (JSC::HashMapBuffer::reset):
1531         (JSC::HashMapImpl::HashMapImpl):
1532         (JSC::HashMapImpl::add):
1533         (JSC::HashMapImpl::remove):
1534         (JSC::HashMapImpl::size):
1535         (JSC::HashMapImpl::clear):
1536         (JSC::HashMapImpl::approximateSize):
1537         (JSC::HashMapImpl::shouldRehashAfterAdd):
1538         (JSC::HashMapImpl::shouldShrink):
1539         (JSC::HashMapImpl::rehash):
1540         (JSC::HashMapImpl::checkConsistency):
1541         (JSC::HashMapImpl::makeAndSetNewBuffer):
1542         (JSC::HashMapImpl::assertBufferIsEmpty):
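
        An added example, not JSC's HashMapImpl, that models the policy described in this entry: an open-addressing table whose load factor counts deleted sentinels, and whose rehash may shrink, keep, or grow the capacity. The thresholds, the class name and the identity hash (JSC mixes keys with wangsInt64Hash()) are this example's own assumptions, chosen so probes are easy to trace.

```cpp
// Added example, not JSC's HashMapImpl: an open-addressing table whose load
// factor counts deleted sentinels and whose rehash may shrink, keep, or grow
// the capacity. Thresholds and the masked identity hash are assumptions.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

class TombstoneMap {
public:
    static constexpr size_t minCapacity = 8;   // capacities stay powers of two

    explicit TombstoneMap(size_t capacity = minCapacity) { makeNewBuffer(capacity); }

    size_t capacity() const { return m_capacity; }
    size_t keyCount() const { return m_keyCount; }
    size_t deleteCount() const { return m_deleteCount; }

    // A probe sequence must step over sentinels just as it steps over live
    // entries, so the load factor counts both.
    bool shouldRehashAfterAdd() const { return 2 * (m_keyCount + m_deleteCount) >= m_capacity; }
    bool shouldShrink() const { return m_capacity > minCapacity && 8 * m_keyCount <= m_capacity; }

    bool contains(int64_t key) const {
        for (size_t i = slotFor(key);; i = next(i)) {
            if (m_slots[i].state == Empty) return false;
            if (m_slots[i].state == Live && m_slots[i].key == key) return true;
        }
    }

    void add(int64_t key) {
        size_t firstDeleted = m_capacity;          // "no sentinel seen yet"
        size_t i = slotFor(key);
        for (;; i = next(i)) {
            if (m_slots[i].state == Empty) break;
            if (m_slots[i].state == Live && m_slots[i].key == key) return;   // already present
            if (m_slots[i].state == Deleted && firstDeleted == m_capacity) firstDeleted = i;
        }
        if (firstDeleted != m_capacity) {          // reuse the first sentinel on the probe path
            i = firstDeleted;
            --m_deleteCount;
        }
        m_slots[i] = { Live, key };
        ++m_keyCount;
        // Rehashing removes every sentinel, so when live keys alone would fill at
        // most a quarter of the table, the same capacity is enough; otherwise grow.
        if (shouldRehashAfterAdd())
            rehash(4 * m_keyCount <= m_capacity ? m_capacity : 2 * m_capacity);
    }

    bool remove(int64_t key) {
        for (size_t i = slotFor(key);; i = next(i)) {
            if (m_slots[i].state == Empty) return false;
            if (m_slots[i].state == Live && m_slots[i].key == key) {
                m_slots[i].state = Deleted;        // sentinel keeps later probes walking past
                --m_keyCount;
                ++m_deleteCount;
                if (shouldShrink()) rehash(m_capacity / 2);
                return true;
            }
        }
    }

private:
    enum State : uint8_t { Empty, Deleted, Live };
    struct Slot { State state = Empty; int64_t key = 0; };

    size_t slotFor(int64_t key) const { return static_cast<size_t>(key) & (m_capacity - 1); }
    size_t next(size_t i) const { return (i + 1) & (m_capacity - 1); }

    void makeNewBuffer(size_t capacity) {
        m_slots.assign(capacity, Slot{});
        m_capacity = capacity;
        m_keyCount = 0;
        m_deleteCount = 0;
    }

    // Rebuild from live entries only: sentinels never survive a rehash, which is
    // why rehashing at the same capacity can still lower the load factor.
    void rehash(size_t newCapacity) {
        std::vector<Slot> old = std::move(m_slots);
        makeNewBuffer(newCapacity);
        for (const Slot& slot : old) {
            if (slot.state != Live) continue;
            size_t i = slotFor(slot.key);
            while (m_slots[i].state != Empty) i = next(i);
            m_slots[i] = { Live, slot.key };
            ++m_keyCount;
        }
    }

    std::vector<Slot> m_slots;
    size_t m_capacity = 0;
    size_t m_keyCount = 0;
    size_t m_deleteCount = 0;
};
```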
1543
1544 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
1545
1546         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
1547         https://bugs.webkit.org/show_bug.cgi?id=161671
1548
1549         Reviewed by Geoffrey Garen.
1550
1551         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
1552         it gets a butterfly with its length.
1553         When we were querying that length, we were generating a generic GetById with inline cache.
1554
1555         This patch adds the missing bits to treat Undecided like the other types with storage.
1556
1557         * dfg/DFGArrayMode.cpp:
1558         (JSC::DFG::canBecomeGetArrayLength):
1559         (JSC::DFG::ArrayMode::refine):
1560         * dfg/DFGArrayMode.h:
1561         (JSC::DFG::ArrayMode::usesButterfly):
1562         (JSC::DFG::ArrayMode::lengthNeedsStorage):
1563         * dfg/DFGClobberize.h:
1564         (JSC::DFG::clobberize):
1565         * dfg/DFGFixupPhase.cpp:
1566         (JSC::DFG::FixupPhase::checkArray):
1567         * dfg/DFGSpeculativeJIT.cpp:
1568         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1569         * ftl/FTLCapabilities.cpp:
1570         (JSC::FTL::canCompile):
1571         * ftl/FTLLowerDFGToB3.cpp:
1572         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1573
1574 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1575
1576         [DFG][FTL] Add ArithTan
1577         https://bugs.webkit.org/show_bug.cgi?id=161857
1578
1579         Reviewed by Filip Pizlo.
1580
1581         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
1582         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
1583
1584         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
1585         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
1586         The microbenchmark shows a 9% perf improvement.
1587
1588             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
1589
1590         * dfg/DFGAbstractInterpreterInlines.h:
1591         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1592         * dfg/DFGByteCodeParser.cpp:
1593         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1594         * dfg/DFGClobberize.h:
1595         (JSC::DFG::clobberize):
1596         * dfg/DFGDoesGC.cpp:
1597         (JSC::DFG::doesGC):
1598         * dfg/DFGFixupPhase.cpp:
1599         (JSC::DFG::FixupPhase::fixupNode):
1600         * dfg/DFGNodeType.h:
1601         * dfg/DFGOperations.cpp:
1602         * dfg/DFGOperations.h:
1603         * dfg/DFGPredictionPropagationPhase.cpp:
1604         * dfg/DFGSafeToExecute.h:
1605         (JSC::DFG::safeToExecute):
1606         * dfg/DFGSpeculativeJIT.cpp:
1607         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
1608         (JSC::DFG::SpeculativeJIT::compileArithCos):
1609         (JSC::DFG::SpeculativeJIT::compileArithTan):
1610         (JSC::DFG::SpeculativeJIT::compileArithSin):
1611         (JSC::DFG::SpeculativeJIT::compileArithLog):
1612         * dfg/DFGSpeculativeJIT.h:
1613         * dfg/DFGSpeculativeJIT32_64.cpp:
1614         (JSC::DFG::SpeculativeJIT::compile):
1615         * dfg/DFGSpeculativeJIT64.cpp:
1616         (JSC::DFG::SpeculativeJIT::compile):
1617         * ftl/FTLCapabilities.cpp:
1618         (JSC::FTL::canCompile):
1619         * ftl/FTLLowerDFGToB3.cpp:
1620         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1621         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
1622         * ftl/FTLOutput.cpp:
1623         (JSC::FTL::Output::doubleTan):
1624         * ftl/FTLOutput.h:
1625         * runtime/Intrinsic.h:
1626         * runtime/MathObject.cpp:
1627         (JSC::MathObject::finishCreation):
1628
1629 2016-09-12  Saam Barati  <sbarati@apple.com>
1630
1631         MapHash should do constant folding when it has a constant argument and it's legal to hash that value
1632         https://bugs.webkit.org/show_bug.cgi?id=161639
1633
1634         Reviewed by Filip Pizlo.
1635
1636         We now constant fold the MapHash node. We're careful to not resolve
1637         ropes from the compiler thread, and to only hash strings if they're
1638         not too large. The microbenchmark I added runs about 12% faster with
1639         this patch.
1640
1641         * dfg/DFGAbstractInterpreterInlines.h:
1642         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1643         * runtime/HashMapImpl.h:
1644         (JSC::wangsInt64Hash):
1645         (JSC::jsMapHash):
1646         (JSC::concurrentJSMapHash):
1647
1648 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
1649
1650         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
1651         https://bugs.webkit.org/show_bug.cgi?id=161849
1652
1653         Reviewed by Saam Barati.
1654         
1655         This is a fairly obvious change. This turns a loop that would query each bit individually
1656         into a loop that will process a word at a time. I would expect a very tiny progression in
1657         DFG compile times.
1658         
1659         This also gave me an opportunity to test and fix the new FastBitVector functionality.
1660
1661         * dfg/DFGForAllKills.h:
1662         (JSC::DFG::forAllKilledOperands):
1663
1664 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
1665
1666         FastBitVector should have efficient and easy-to-use vector-vector operations
1667         https://bugs.webkit.org/show_bug.cgi?id=161847
1668
1669         Reviewed by Saam Barati.
1670         
1671         Adapt existing users of FastBitVector to the new API.
1672
1673         * bytecode/BytecodeLivenessAnalysis.cpp:
1674         (JSC::BytecodeLivenessAnalysis::computeKills):
1675         (JSC::BytecodeLivenessAnalysis::dumpResults):
1676         * bytecode/BytecodeLivenessAnalysisInlines.h:
1677         (JSC::operandThatIsNotAlwaysLiveIsLive):
1678         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1679         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
1680         * bytecode/CodeBlock.cpp:
1681         (JSC::CodeBlock::validate):
1682         * dfg/DFGByteCodeParser.cpp:
1683         (JSC::DFG::ByteCodeParser::flushForTerminal):
1684         * dfg/DFGForAllKills.h:
1685         (JSC::DFG::forAllKilledOperands):
1686         * dfg/DFGGraph.h:
1687         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1688         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1689         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
1690         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
1691         * dfg/DFGNaturalLoops.cpp:
1692         (JSC::DFG::NaturalLoops::NaturalLoops):
1693         * dfg/DFGPlan.cpp:
1694         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1695
1696 2016-09-10  Chris Dumez  <cdumez@apple.com>
1697
1698         parseHTMLInteger() should take a StringView in parameter
1699         https://bugs.webkit.org/show_bug.cgi?id=161669
1700
1701         Reviewed by Ryosuke Niwa.
1702
1703         * runtime/DateConversion.cpp:
1704         (JSC::formatDateTime):
1705         Explicitly construct a String from the const WCHAR* on Windows because
1706         it is ambiguous otherwise now that there is a StringBuilder::append()
1707         overload taking an AtomicString in.
1708
1709 2016-09-08  Keith Miller  <keith_miller@apple.com>
1710
1711         WASM should support if-then-else
1712         https://bugs.webkit.org/show_bug.cgi?id=161778
1713
1714         Reviewed by Michael Saboff.
1715
1716         This patch makes some major changes to the way that the WASM
1717         function parser works. First, the control stack has been moved
1718         from the parser's context to the parser itself. This simplifies
1719         the way that the parser works and allows us to make the decoder
1720         iterative rather than recursive. Since the control stack has been
1721         moved to the parser, any context operation that refers to some
1722         block now receives that block by reference.
1723
1724         For any if block, regardless of whether or not it is an
1725         if-then-else, we will allocate the entire control flow
1726         diamond. This is not a major issue in the if-then case since B3
1727         will immediately cleanup these blocks. In order to support if-then
1728         and if-then-else we needed to be able to distinguish what the type
1729         of the top block on the control stack is. This will be necessary
1730         when validating the else opcode in the future. In the B3 IR
1731         generator we decide the type of the block strictly by the
1732         shape.
1733
1734         Currently, if blocks don't handle passed and returned stack values
1735         correctly. I plan to fix this when I add support for the block
1736         signatures. See: https://github.com/WebAssembly/design/pull/765
1737
1738         * testWASM.cpp:
1739         (runWASMTests):
1740         * wasm/WASMB3IRGenerator.cpp:
1741         (dumpProcedure):
1742         (JSC::WASM::parseAndCompile):
1743         * wasm/WASMB3IRGenerator.h:
1744         * wasm/WASMFunctionParser.h:
1745         (JSC::WASM::FunctionParser<Context>::parseBlock):
1746         (JSC::WASM::FunctionParser<Context>::parseExpression):
1747         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
1748         * wasm/WASMOps.h:
1749
1750 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
1751
1752         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
1753         https://bugs.webkit.org/show_bug.cgi?id=161801
1754
1755         Reviewed by Keith Miller.
1756         
1757         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
1758         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
1759         that is to call initializeMainThread().
1760
1761         * jsc.cpp:
1762         (jscmain):
1763
1764 2016-09-09  Saam Barati  <sbarati@apple.com>
1765
1766         Make hasOwnProperty ALWAYS_INLINE
1767         https://bugs.webkit.org/show_bug.cgi?id=161775
1768
1769         Reviewed by Ryosuke Niwa.
1770
1771         Speedometer spends around 2.5% of its time in hasOwnProperty.
1772         Let's reduce the overhead of calling that function by marking
1773         it as inline. Also, it's likely that the function will call into
1774         JSObject::getOwnPropertySlot. I added a check to see if that's
1775         the function we're calling; if it is, we do a direct call instead
1776         of an indirect call.
1777
1778         * runtime/JSObject.cpp:
1779         (JSC::JSObject::hasOwnProperty): Deleted.
1780         * runtime/JSObjectInlines.h:
1781         (JSC::JSObject::hasOwnProperty):
1782
1783 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
1784
1785         HashMapImpl needs to m_buffer.clear() in its constructor
1786         https://bugs.webkit.org/show_bug.cgi?id=161796
1787
1788         Reviewed by Keith Miller.
1789         
1790         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
1791         itself. That seemed like a good idea because maybe sometimes the user knows better how to
1792         initialize it. But, it's not worth it if it's a constant source of bugs.
1793         
1794         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
1795         m_value.
1796
1797         * runtime/AuxiliaryBarrier.h:
1798         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
1799         * runtime/DirectArguments.cpp:
1800         (JSC::DirectArguments::DirectArguments):
1801
1802 2016-09-09  Youenn Fablet  <youenn@apple.com>
1803
1804         ASSERTION FAILED: promise.inherits(JSPromise::info())
1805         https://bugs.webkit.org/show_bug.cgi?id=161632
1806         <rdar://problem/28184743>
1807
1808         Reviewed by Mark Lam.
1809
1810         * runtime/JSPromiseDeferred.cpp:
1811         (JSC::JSPromiseDeferred::create): Returning null if the promise object is not created.
1812
1813 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1814
1815         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
1816         https://bugs.webkit.org/show_bug.cgi?id=161760
1817
1818         Reviewed by Mark Lam.
1819         
1820         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
1821         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
1822         
1823         This introduces three unnecessary overheads:
1824         
1825         - isLive() is not called by marking, so that change was not necessary.
1826         
1827         - isMarked() gets called many times outside of marking, so it shouldn't always do the
1828           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
1829           isMarked().
1830         
1831         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
1832           return false if the flip is necessary.
1833         
1834         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
1835         during marking.
1836         
1837         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
1838         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
1839         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
1840         could probably arrange for CodeBlock to only do fixpoint iterating during the weak reference
1841         thing.
1842
1843         * bytecode/CodeBlock.cpp:
1844         (JSC::CodeBlock::visitWeakly):
1845         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1846         (JSC::shouldMarkTransition):
1847         (JSC::CodeBlock::propagateTransitions):
1848         (JSC::CodeBlock::determineLiveness):
1849         * bytecode/PolymorphicAccess.cpp:
1850         (JSC::AccessCase::propagateTransitions):
1851         * heap/Heap.h:
1852         * heap/HeapInlines.h:
1853         (JSC::Heap::isLive):
1854         (JSC::Heap::isMarked):
1855         (JSC::Heap::isMarkedConcurrently):
1856         * heap/MarkedBlock.cpp:
1857         (JSC::MarkedBlock::flipIfNecessarySlow):
1858         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
1859         (JSC::MarkedBlock::needsFlip):
1860         * heap/MarkedBlock.h:
1861         (JSC::MarkedBlock::needsFlip):
1862         (JSC::MarkedBlock::flipIfNecessary):
1863         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
1864         * heap/SlotVisitor.cpp:
1865         (JSC::SlotVisitor::appendToMarkStack):
1866         (JSC::SlotVisitor::markAuxiliary):
1867         (JSC::SlotVisitor::visitChildren):
1868         * runtime/Structure.cpp:
1869         (JSC::Structure::isCheapDuringGC):
1870         (JSC::Structure::markIfCheap):
1871
1872 2016-09-08  Saam Barati  <sbarati@apple.com>
1873
1874         We should inline operationConvertJSValueToBoolean into JIT code
1875         https://bugs.webkit.org/show_bug.cgi?id=161729
1876
1877         Reviewed by Filip Pizlo.
1878
1879         This patch introduces an AssemblyHelpers emitter function
1880         that replaces operationConvertJSValueToBoolean. This operation
1881         was showing up when I was doing performance analysis for the
1882         speedometer benchmark. I saw that it was spending about 1% of
1883         its time in this function. Hopefully this patch can help us speed
1884         up Speedometer by a little bit.
1885
1886         * dfg/DFGSpeculativeJIT32_64.cpp:
1887         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1888         (JSC::DFG::SpeculativeJIT::emitBranch):
1889         * dfg/DFGSpeculativeJIT64.cpp:
1890         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1891         (JSC::DFG::SpeculativeJIT::emitBranch):
1892         * jit/AssemblyHelpers.cpp:
1893         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
1894         * jit/AssemblyHelpers.h:
1895         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1896         * jit/JIT.cpp:
1897         (JSC::JIT::privateCompileSlowCases):
1898         * jit/JIT.h:
1899         * jit/JITOpcodes.cpp:
1900         (JSC::JIT::emit_op_jfalse):
1901         (JSC::JIT::emit_op_jtrue):
1902         (JSC::JIT::emitSlow_op_jfalse): Deleted.
1903         (JSC::JIT::emitSlow_op_jtrue): Deleted.
1904         * jit/JITOpcodes32_64.cpp:
1905         (JSC::JIT::emit_op_jfalse):
1906         (JSC::JIT::emit_op_jtrue):
1907         (JSC::JIT::emitSlow_op_jfalse): Deleted.
1908         (JSC::JIT::emitSlow_op_jtrue): Deleted.
1909         * jit/JITOperations.cpp:
1910         * jit/JITOperations.h:
1911
1912 2016-09-08  Chris Dumez  <cdumez@apple.com>
1913
1914         Align proto getter / setter behavior with other browsers
1915         https://bugs.webkit.org/show_bug.cgi?id=161455
1916
1917         Reviewed by Saam Barati.
1918
1919         Drop allowsAccessFrom from the methodTable and delegate cross-origin
1920         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
1921         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
1922
1923         * jsc.cpp:
1924         * runtime/JSGlobalObject.cpp:
1925         * runtime/JSGlobalObject.h:
1926         * runtime/JSGlobalObjectFunctions.cpp:
1927         (JSC::globalFuncProtoGetter):
1928         (JSC::globalFuncProtoSetter):
1929         (JSC::globalFuncBuiltinLog): Deleted.
1930         * runtime/JSGlobalObjectFunctions.h:
1931         * runtime/JSObject.cpp:
1932         (JSC::JSObject::setPrototypeWithCycleCheck):
1933         Remove check added in r197648. This check was added to match
1934         the latest EcmaScript spec:
1935         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
1936         This check allowed for [[Prototype]] chain cycles if the prototype
1937         chain includes objects that do not use the ordinary object definitions
1938         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
1939         The issue is that the rest of our code base does not properly handle
1940         such cycles and we can end up in infinite loops. This became obvious
1941         because this patch updates Window / Location so that they no longer
1942         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
1943         remove this check, I get an infinite loop in
1944         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
1945         called from JSObject::setPrototypeDirect(), when running the following
1946         layout test:
1947         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
1948         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
1949         issue.
1950
1951         * runtime/JSObject.h:
1952         (JSC::JSObject::getArrayLength): Deleted.
1953         * runtime/JSProxy.cpp:
1954         (JSC::JSProxy::setPrototype):
1955         (JSC::JSProxy::getPrototype):
1956         * runtime/JSProxy.h:
1957         * runtime/ObjectConstructor.cpp:
1958         (JSC::objectConstructorGetPrototypeOf):
1959         (JSC::objectConstructorSetPrototypeOf):
1960         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
1961         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
1962         * runtime/ObjectConstructor.h:
1963         * runtime/ReflectObject.cpp:
1964         (JSC::reflectObjectGetPrototypeOf):
1965         (JSC::reflectObjectSetPrototypeOf):
1966
1967 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1968
1969         Remove CopiedSpace and use MarkedSpace instead
1970         https://bugs.webkit.org/show_bug.cgi?id=159658
1971
1972         Reviewed by Keith Miller.
1973         
1974         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
1975         is a simple change.
1976         
1977         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
1978         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
1979         
1980         The rest of this patch is deleting CopiedSpace.
1981
1982         * API/JSObjectRef.cpp:
1983         * CMakeLists.txt:
1984         * JavaScriptCore.xcodeproj/project.pbxproj:
1985         * dfg/DFGOperations.cpp:
1986         * heap/ConservativeRoots.cpp:
1987         (JSC::ConservativeRoots::genericAddPointer):
1988         * heap/CopiedAllocator.h: Removed.
1989         * heap/CopiedBlock.cpp: Removed.
1990         * heap/CopiedBlock.h: Removed.
1991         * heap/CopiedBlockInlines.h: Removed.
1992         * heap/CopiedSpace.cpp: Removed.
1993         * heap/CopiedSpace.h: Removed.
1994         * heap/CopiedSpaceInlines.h: Removed.
1995         * heap/CopyBarrier.h: Removed.
1996         * heap/CopyToken.h: Removed.
1997         * heap/CopyVisitor.cpp: Removed.
1998         * heap/CopyVisitor.h: Removed.
1999         * heap/CopyVisitorInlines.h: Removed.
2000         * heap/CopyWorkList.h: Removed.
2001         * heap/Heap.cpp:
2002         (JSC::Heap::Heap):
2003         (JSC::Heap::isPagedOut):
2004         (JSC::Heap::updateObjectCounts):
2005         (JSC::Heap::size):
2006         (JSC::Heap::capacity):
2007         (JSC::Heap::collectImpl):
2008         (JSC::Heap::stopAllocation):
2009         (JSC::Heap::updateAllocationLimits):
2010         (JSC::Heap::copyBackingStores): Deleted.
2011         (JSC::Heap::threadBytesCopied): Deleted.
2012         * heap/Heap.h:
2013         (JSC::Heap::objectSpace):
2014         (JSC::Heap::allocatorForAuxiliaryData):
2015         (JSC::Heap::storageSpace): Deleted.
2016         (JSC::Heap::storageAllocator): Deleted.
2017         * heap/HeapCellInlines.h:
2018         * heap/HeapInlines.h:
2019         (JSC::Heap::tryAllocateStorage): Deleted.
2020         (JSC::Heap::tryReallocateStorage): Deleted.
2021         * heap/HeapVerifier.cpp:
2022         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
2023         (JSC::HeapVerifier::reportObject):
2024         (JSC::getButterflyDetails): Deleted.
2025         * heap/SlotVisitor.cpp:
2026         (JSC::SlotVisitor::copyLater): Deleted.
2027         * heap/SlotVisitor.h:
2028         * jit/AssemblyHelpers.h:
2029         * jit/JITOpcodes.cpp:
2030         * jsc.cpp:
2031         * runtime/ArrayConstructor.cpp:
2032         * runtime/ArrayPrototype.cpp:
2033         * runtime/Butterfly.h:
2034         * runtime/ButterflyInlines.h:
2035         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
2036         * runtime/ClassInfo.h:
2037         * runtime/DirectArguments.cpp:
2038         (JSC::DirectArguments::visitChildren):
2039         (JSC::DirectArguments::overrideThings):
2040         (JSC::DirectArguments::copyBackingStore): Deleted.
2041         * runtime/DirectArguments.h:
2042         * runtime/JSArray.cpp:
2043         * runtime/JSCell.cpp:
2044         (JSC::JSCell::copyBackingStore): Deleted.
2045         * runtime/JSCell.h:
2046         * runtime/JSLexicalEnvironment.h:
2047         * runtime/JSObject.cpp:
2048         * runtime/JSTypedArrays.cpp:
2049         * runtime/LiteralParser.cpp:
2050         * runtime/ObjectConstructor.cpp:
2051         * runtime/RegExpObject.cpp:
2052         * runtime/StringPrototype.cpp:
2053         * runtime/WeakMapData.cpp:
2054         * tools/JSDollarVMPrototype.cpp:
2055         (JSC::JSDollarVMPrototype::isInStorageSpace):
2056
2057 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2058
2059         Heap version should be 32-bit
2060         https://bugs.webkit.org/show_bug.cgi?id=161751
2061
2062         Reviewed by Mark Lam.
2063         
2064         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
2065         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
2066         easy to handle.
2067
2068         * heap/CellContainer.h:
2069         * heap/CellContainerInlines.h:
2070         (JSC::CellContainer::flipIfNecessary):
2071         * heap/ConservativeRoots.cpp:
2072         (JSC::ConservativeRoots::genericAddPointer):
2073         (JSC::ConservativeRoots::genericAddSpan):
2074         * heap/ConservativeRoots.h:
2075         * heap/Heap.h:
2076         * heap/HeapInlines.h:
2077         (JSC::Heap::testAndSetMarked):
2078         * heap/HeapUtil.h:
2079         (JSC::HeapUtil::findGCObjectPointersForMarking):
2080         * heap/MarkedBlock.cpp:
2081         (JSC::MarkedBlock::MarkedBlock):
2082         * heap/MarkedBlock.h:
2083         (JSC::MarkedBlock::flipIfNecessary):
2084         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2085         (JSC::MarkedBlock::Handle::flipIfNecessary):
2086         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2087         * heap/MarkedSpace.cpp:
2088         (JSC::MarkedSpace::flip):
2089         * heap/MarkedSpace.h:
2090         (JSC::MarkedSpace::version):
2091         * heap/SlotVisitor.cpp:
2092         (JSC::SlotVisitor::SlotVisitor):
2093         * heap/SlotVisitor.h:
2094
2095 2016-09-08  Mark Lam  <mark.lam@apple.com>
2096
2097         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
2098         https://bugs.webkit.org/show_bug.cgi?id=161724
2099
2100         Reviewed by Filip Pizlo.
2101
2102         ARM architectures support ternary sub instructions.  We should make use of them
2103         in emitAllocateWithNonNullAllocator().
2104
2105         * assembler/MacroAssemblerARM.h:
2106         (JSC::MacroAssemblerARM::sub32):
2107         * assembler/MacroAssemblerARM64.h:
2108         (JSC::MacroAssemblerARM64::sub32):
2109         * assembler/MacroAssemblerARMv7.h:
2110         (JSC::MacroAssemblerARMv7::sub32):
2111         * assembler/MacroAssemblerSH4.h:
2112         (JSC::MacroAssemblerSH4::sub32):
2113         * assembler/MacroAssemblerX86Common.h:
2114         (JSC::MacroAssemblerX86Common::sub32):
2115         * b3/air/AirOpcode.opcodes:
2116         * b3/testb3.cpp:
2117         (JSC::B3::testTernarySubInstructionSelection):
2118         (JSC::B3::run):
2119         * jit/AssemblyHelpers.h:
2120         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2121
2122 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2123
2124         Move JSMap/JSSet over to Auxiliary MarkedSpace
2125         https://bugs.webkit.org/show_bug.cgi?id=161744
2126
2127         Reviewed by Saam Barati.
2128         
2129         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
2130         
2131         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
2132         speak of CopiedSpace.
2133         
2134         This is a purely mechanical change.
2135
2136         * JavaScriptCore.xcodeproj/project.pbxproj:
2137         * heap/CopyToken.h:
2138         * runtime/HashMapImpl.cpp:
2139         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2140         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
2141         * runtime/HashMapImpl.h:
2142         (JSC::HashMapBuffer::create):
2143         * runtime/JSMapIterator.cpp:
2144         * runtime/JSMapIterator.h:
2145         * runtime/JSSetIterator.cpp:
2146         * runtime/JSSetIterator.h:
2147         * runtime/MapBase.cpp:
2148         * runtime/MapData.h: Removed.
2149         * runtime/MapDataInlines.h: Removed.
2150         * runtime/MapPrototype.cpp:
2151         * runtime/SetConstructor.cpp:
2152         * runtime/SetPrototype.cpp:
2153         * runtime/VM.cpp:
2154
2155 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2156
2157         Typed arrays should use MarkedSpace instead of CopiedSpace
2158         https://bugs.webkit.org/show_bug.cgi?id=161100
2159
2160         Reviewed by Geoffrey Garen.
2161         
2162         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2163         
2164         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2165         everything that typed arrays want.
2166
2167         * dfg/DFGOperations.cpp:
2168         (JSC::DFG::newTypedArrayWithSize):
2169         * dfg/DFGOperations.h:
2170         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2171         * dfg/DFGSpeculativeJIT.cpp:
2172         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2173         * dfg/DFGSpeculativeJIT.h:
2174         (JSC::DFG::SpeculativeJIT::callOperation):
2175         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2176         * ftl/FTLLowerDFGToB3.cpp:
2177         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2178         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2179         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2180         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2181         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2182         * heap/CopyToken.h:
2183         * heap/SlotVisitor.cpp:
2184         (JSC::SlotVisitor::markAuxiliary):
2185         * jit/JITOperations.h:
2186         * runtime/JSArrayBufferView.cpp:
2187         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2188         (JSC::JSArrayBufferView::JSArrayBufferView):
2189         * runtime/JSArrayBufferView.h:
2190         * runtime/JSGenericTypedArrayView.h:
2191         * runtime/JSGenericTypedArrayViewInlines.h:
2192         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2193         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2194         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2195         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2196
2197 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
2198
2199         [Win64] Compile fixes.
2200         https://bugs.webkit.org/show_bug.cgi?id=161682
2201
2202         Reviewed by Brent Fulgham.
2203
2204         * dfg/DFGSpeculativeJIT64.cpp:
2205         (JSC::DFG::SpeculativeJIT::emitCall):
2206         * jit/JITCall.cpp:
2207         (JSC::JIT::compileOpCall):
2208         * runtime/ArrayConventions.cpp:
2209         (JSC::clearArrayMemset):
2210
2211 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
2212
2213         [Win] Exception fuzz tests fail
2214         https://bugs.webkit.org/show_bug.cgi?id=140928
2215
2216         Reviewed by Mark Lam.
2217
2218         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
2219         The tests depend on the output to stdout being written in the correct order.
2220
2221         * runtime/ExceptionFuzz.cpp:
2222         (JSC::doExceptionFuzzing):
2223
2224 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
2225
2226         Enable the <meter> element on iOS
2227         https://bugs.webkit.org/show_bug.cgi?id=161714
2228         rdar://problem/8978410
2229
2230         Reviewed by Tim Horton.
2231
2232         Define ENABLE_METER_ELEMENT unconditionally now.
2233
2234         * Configurations/FeatureDefines.xcconfig:
2235
2236 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2237
2238         Modernize Debugger to use nullptr
2239         https://bugs.webkit.org/show_bug.cgi?id=161718
2240
2241         Reviewed by Mark Lam.
2242
2243         * debugger/Debugger.cpp:
2244         (JSC::Debugger::Debugger):
2245         (JSC::Debugger::~Debugger):
2246         (JSC::Debugger::detach):
2247         (JSC::Debugger::stepOutOfFunction):
2248         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
2249         * debugger/Debugger.h:
2250
2251 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2252
2253         Web Inspector: Remove always false case in Debugger
2254         https://bugs.webkit.org/show_bug.cgi?id=161717
2255
2256         Reviewed by Brian Burg.
2257
2258         * debugger/Debugger.cpp:
2259         (JSC::Debugger::didExecuteProgram):
2260         We would have earlier returned a few statements ago if this case was true.
2261         And we would have crashed in the previous statement if this case was true.
2262
2263 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2264
2265         Unreviewed, build fix after r205569
2266
2267         Tweak CMakeLists.txt
2268
2269         * CMakeLists.txt:
2270
2271 2016-09-07  Mark Lam  <mark.lam@apple.com>
2272
2273         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
2274         https://bugs.webkit.org/show_bug.cgi?id=161498
2275
2276         Reviewed by Geoffrey Garen.
2277
2278         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
2279         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
2280         introduced.
2281
2282         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
2283         which is a more suitable name now.
2284
2285         Note: exception scope verification is still disabled by default.  There are still
2286         many places that need to be fixed up or re-expressed in a way that is friendly
2287         to the verification.  I'll address those in subsequent patches.
2288
2289         After this patch, the code will statically enforce that:
2290         1. all calls to throwException() go through a ThrowScope.
2291         2. all calls to clearException() go through a CatchScope.
2292         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
2293            or CatchScope.
2294
2295         A Summary of how to use ExceptionScopes
2296         =======================================
2297         1. If a function can throw a JS exception, it should declare a ThrowScope at the
2298            top of the function (as early as possible).
2299
2300         2. If a function can clear JS exceptions, it should declare a CatchScope at the
2301            top of the function (as early as possible).
2302
2303         Declaring a ThrowScope in a function means that the function may throw an exception
2304         that its caller will have to handle.  Declaring a CatchScope in a function means
2305         that the function intends to clear pending exceptions before returning to its
2306         caller. 
2307
2308         For more details, see the notes below.
2309         
2310         Everything you may want to know about ExceptionScopes
2311         =====================================================
2312         ExceptionScope verification works to simulate exception throws and detect cases
2313         where exception checks are missing.  The notes below will cover:
2314
2315             1. The VM::m_needExceptionCheck bit
2316             2. ThrowScopes and CatchScopes
2317             3. Verification of needed exception checks
2319             4. Simulating throws
2320             5. Using ThrowScope::release()
2321             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
2322             7. Checking exceptions by checking callee results
2323             8. Debugging verification errors
2324
2325         1. The VM::m_needExceptionCheck bit
2326
2327            The VM has a m_needExceptionCheck bit that indicates when an exception may be
2328            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
2329            throw.
2330
2331         2. ThrowScopes and CatchScopes
2332
2333            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
2334
2335            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
2336            at the top of its function (as early as possible) e.g.
2337  
2338                 void foo(...)
2339                 {
2340                     auto scope = DECLARE_THROW_SCOPE(vm);
2341                     ...
2342                     throwException(exec, scope, ...);
2343                 }
2344
2345            Note: by convention, every throw helper function must take a ThrowScope argument
2346            instead of instantiating its own ThrowScope.  This allows the throw to be
2347            attributed to the client code rather than the throw helper itself.
2348
2349            Every catch site (i.e. a site that calls clearException()) must declare a
2350            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
2351
2352            If a function can both throw and clear exceptions, then the ThrowScope should
2353            be declared first so that it can simulate a throw to the function's caller.
2354
2355            Note: ThrowScope and CatchScope both extend ExceptionScope so that a ThrowScope
2356            can be aware of whether there's an enclosing CatchScope between it and the point
2357            where C++ code returns to JS code.  This is needed to determine if the ThrowScope
2358            should simulate a re-throw or not.  See (4) below for more details on returning
2359            to JS code.
2360
2361         3. Verification of needed exception checks
2362
2363            a. On construction, each ThrowScope and CatchScope will verify that
2364               VM::m_needExceptionCheck is not set.
2365  
2366               This ensures that the caller of the current function has checked for exceptions
2367               where needed before doing more work which led to calling the current function.
2368
2369            b. On destruction, each ThrowScope and CatchScope will verify that
2370               VM::m_needExceptionCheck is not set. This verification will be skipped if
2371               the ThrowScope has been released (see (5) below).
2372
2373               This ensures that the function that owns this exception scope is not missing
2374               any exception checks before returning.
2375
2376            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
2377               is not already set, unless it's been asked to rethrow the same Exception object.
2378
2379         4. Simulating throws
2380
2381            Throws are simulated by setting the m_needExceptionCheck bit.
2382
2383            The bit will only be set in the ThrowScope destructor except when the ThrowScope
2384            detects the caller is an LLInt or JIT function.  LLInt or JIT functions will always
2385            check for exceptions after a host C++ function returns to it.  However, they will
2386            not clear the m_needExceptionCheck bit.
2387
2388            Hence, if the ThrowScope destructor detects the caller is an LLInt or JIT function,
2389            it will just skip the setting of the bit.
2390
2391            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
2392            throwException methods.  This is because, in practice, we always return
2393            immediately after throwing an exception.  It doesn't make sense to set the bit in
2394            the throw just to have to clear it immediately after before we do verification in
2395            the ThrowScope destructor.
2396
2397         5. Using ThrowScope::release()
2398
2399            Calling release() means that the scope is released from its obligation to
2400            verify the VM::m_needExceptionCheck bit on destruction.
2401
2402            release() should only be used at the bottom of a function if:
2403
2404            a. This function is going to let its caller check and handle the exception, e.g.
2405
2406                 void foo(...)
2407                 {
2408                     auto scope = DECLARE_THROW_SCOPE(vm);
2409                     auto result = goo(); // may throw.
2410
2411                     ... // Code that is not affected by a pending exception.
2412
2413                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
2414                     return result;
2415                 }
2416
2417            b. This function is going to do a tail call that may throw.
2418
2419                 void foo(...)
2420                 {
2421                     auto scope = DECLARE_THROW_SCOPE(vm);
2422                     ...
2423                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
2424                     return goo(); // may throw.
2425                 }
2426
2427               release() should not be used in code paths that branch. For example:
2428
2429                 void foo(...)
2430                 {
2431                     auto scope = DECLARE_THROW_SCOPE(vm);
2432
2433                     auto result = goo1(); // may throw.
2434                     scope.release(); // WRONG !!! Don't do this.
2435                     if (result)
2436                         return;
2437
2438                     result = goo2(); // may throw.
2439                     ...
2440                     return result;
2441                 }
2442
2443             The above will result in a verification error in goo2()'s ThrowScope.  The
2444             proper way to fix this verification is to do either (6) or (7) below.
2445
2446          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
2447
2448             ThrowScope/CatchScope::exception() returns the thrown Exception object if
2449             there is one pending.  Else, it returns nullptr.
2450
2451             It also clears the m_needExceptionCheck bit thereby indicating that we've
2452             satisfied the needed exception check.  For example,
2453
2454                 void foo(...)
2455                 {
2456                     auto scope = DECLARE_THROW_SCOPE(vm);
2457
2458                     auto result = goo1(); // may throw.
2459                     if (scope.exception())
2460                         return;
2461
2462                     result = goo2(); // may throw.
2463                     ...
2464                     return result;
2465                 }
2466
2467             But sometimes, for optimization reasons, we may choose to test the result of
2468             the callee function instead of doing a load of the VM exception value.  See (7)
2469             below.
2470
2471          7. Checking exceptions by checking callee results
2472
2473             This approach should only be applied when it makes a difference to performance.
2474             If we need to do this, we should add an ASSERT() that invokes the scope's
2475             exception() method to verify the result.  Since exception scope verification
2476             is only done on DEBUG builds, this ASSERT will satisfy the verification
2477             requirements without impacting performance.  For example,
2478
2479                 void foo(...)
2480                 {
2481                     auto scope = DECLARE_THROW_SCOPE(vm);
2482
2483                     bool failed = goo1(); // may throw.
2484                     ASSERT(!!scope.exception() == failed);
2485                     if (failed)
2486                         return;
2487
2488                     auto result = goo2(); // may throw.
2489                     ...
2490                     return result;
2491                 }
2492
2493          8. Debugging verification errors
2494
2495             a. When verification fails, you will see a message followed by an assertion
2496                failure.  For example:
2497
2498             ERROR: Unchecked JS exception:
2499                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
2500                     (ExceptionScope::m_recursionDepth was ...)
2501                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
2502                     (ExceptionScope::m_recursionDepth was ...)
2503                 [ backtrace here ]
2504
2505                The message tells you that failure was detected in varargsSetup() at
2506                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
2507                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
2508                line 1245 and it.
2509
2510                If that is insufficient information, you can ...
2511
2512             b. Dump simulated throws
2513
2514                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
2515                back traces at each simulated throw.
2516
2517             c. Narrowing down the source of a simulated throw
2518
2519                Another technique for narrowing down the source of simulated throws is by
2520                further dividing a function into smaller regions by separating each region
2521                with additional local throw scopes.  For example,
2522
2523                 ... // Region 1
2524                 { auto scope = DECLARE_THROW_SCOPE(vm); }
2525                 ... // Region 2
2526                 { auto scope = DECLARE_THROW_SCOPE(vm); }
2527                 ... // Region 3
2528
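An added, self-contained C++ model of the verification rules in notes (1) to (6) above, written for this page and not taken from this ChangeLog entry or from JSC: ModelVM, ModelThrowScope and ModelCatchScope are assumed stand-ins for VM, ThrowScope and CatchScope, and goo1()/goo2() stand in for the callees named in the notes. It records verification errors in a vector instead of asserting, so the release()-before-branch mistake from (5) runs next to the checked pattern from (6).

```cpp
#include <string>
#include <vector>

// Models VM: the m_needExceptionCheck bit, the pending Exception and the scope chain.
struct ModelVM {
    bool needExceptionCheck = false;             // models VM::m_needExceptionCheck
    std::string pendingException;                // pending Exception ("" means none)
    int scopeDepth = 0;                          // models the ExceptionScope chain
    std::vector<std::string> verificationErrors; // where JSC would ASSERT, the model records
};

// Base of both scopes: on construction, verify that the caller checked exceptions (3a).
struct ModelExceptionScope {
    ModelVM& vm;
    const char* site;
    ModelExceptionScope(ModelVM& v, const char* s) : vm(v), site(s) {
        if (vm.needExceptionCheck) {
            vm.verificationErrors.push_back(std::string("unchecked exception entering ") + site);
            vm.needExceptionCheck = false; // JSC would assert here; the model reports once and goes on
        }
        vm.scopeDepth++;
    }
    // exception(): return the pending Exception (or nullptr) and satisfy the check (6).
    const std::string* exception() {
        vm.needExceptionCheck = false;
        return vm.pendingException.empty() ? nullptr : &vm.pendingException;
    }
protected:
    void verifyOnExit() { // (3b): leaving with the bit set means a check is missing
        if (vm.needExceptionCheck)
            vm.verificationErrors.push_back(std::string("missing exception check before leaving ") + site);
    }
};

struct ModelThrowScope : ModelExceptionScope {
    bool released = false;
    using ModelExceptionScope::ModelExceptionScope;
    void throwException(const std::string& e) {
        // (3c): throwing while the bit is set means a check was skipped, unless rethrowing.
        if (vm.needExceptionCheck && vm.pendingException != e)
            vm.verificationErrors.push_back(std::string("throw with unchecked exception at ") + site);
        vm.pendingException = e;
    }
    void release() { released = true; } // (5): the caller takes over the check
    ~ModelThrowScope() {
        if (!released)
            verifyOnExit();
        vm.scopeDepth--;
        // (4): simulate a throw to the caller by setting the bit, whether or not an Exception is
        // pending. Model assumption: the outermost scope returns to LLInt/JIT, which always checks.
        vm.needExceptionCheck = vm.scopeDepth > 0;
    }
};

struct ModelCatchScope : ModelExceptionScope {
    using ModelExceptionScope::ModelExceptionScope;
    void clearException() { vm.pendingException.clear(); vm.needExceptionCheck = false; }
    ~ModelCatchScope() { verifyOnExit(); vm.scopeDepth--; }
};

// Callees standing in for the notes' goo1()/goo2(): each declares a ThrowScope, so each "may throw".
static bool goo1(ModelVM& vm, bool doThrow) {
    ModelThrowScope scope(vm, "goo1");
    if (doThrow)
        scope.throwException("TypeError"); // constructed sample exception
    return doThrow;
}
static int goo2(ModelVM& vm) { ModelThrowScope scope(vm, "goo2"); return 42; }

// Correct: check with scope.exception() after goo1() (6), then release() for the tail call (5b).
static int checkedCaller(ModelVM& vm, bool doThrow) {
    ModelThrowScope scope(vm, "checkedCaller");
    goo1(vm, doThrow);
    if (scope.exception())
        return -1;
    scope.release();
    return goo2(vm);
}

// The "WRONG !!!" pattern from (5): release() before a branch, then another call that may throw.
static int releaseThenBranchCaller(ModelVM& vm, bool doThrow) {
    ModelThrowScope scope(vm, "releaseThenBranchCaller");
    bool failed = goo1(vm, doThrow);
    scope.release();
    if (failed)
        return -1;
    return goo2(vm);
}

// Host entry point with a CatchScope (2): runs one caller, clears whatever it left pending and
// returns the caller's result. Verification errors accumulate in vm.verificationErrors.
static int runUnderCatchScope(ModelVM& vm, int (*caller)(ModelVM&, bool), bool doThrow) {
    ModelCatchScope scope(vm, "entry");
    int result = caller(vm, doThrow);
    if (scope.exception())
        scope.clearException();
    return result;
}
```

Running releaseThenBranchCaller with doThrow=false reports "unchecked exception entering goo2" even though no exception was ever pending, which is the point of simulated throws: the missing check is found without a real throw.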
2529         * API/APIUtils.h:
2530         (handleExceptionIfNeeded):
2531         * CMakeLists.txt:
2532         * JavaScriptCore.xcodeproj/project.pbxproj:
2533         * bindings/ScriptFunctionCall.cpp:
2534         (Deprecated::ScriptFunctionCall::call):
2535         * bindings/ScriptValue.cpp:
2536         (Deprecated::ScriptValue::toString):
2537         * debugger/Debugger.cpp:
2538         (JSC::Debugger::pauseIfNeeded):
2539         * debugger/DebuggerCallFrame.cpp:
2540         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2541         * dfg/DFGOSRExitCompiler.cpp:
2542         * dfg/DFGOperations.cpp:
2543         (JSC::DFG::operationPutByValInternal):
2544         * inspector/InjectedScriptManager.cpp:
2545         (Inspector::InjectedScriptManager::createInjectedScript):
2546         * inspector/JSGlobalObjectInspectorController.cpp:
2547         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2548         * inspector/JSInjectedScriptHost.cpp:
2549         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2550         (Inspector::JSInjectedScriptHost::getInternalProperties):
2551         (Inspector::JSInjectedScriptHost::weakMapEntries):
2552         (Inspector::JSInjectedScriptHost::weakSetEntries):
2553         (Inspector::JSInjectedScriptHost::iteratorEntries):
2554         * inspector/JSJavaScriptCallFrame.cpp:
2555         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2556         * inspector/ScriptCallStackFactory.cpp:
2557         (Inspector::extractSourceInformationFromException):
2558         * interpreter/CachedCall.h:
2559         (JSC::CachedCall::CachedCall):
2560         * interpreter/CallFrame.h:
2561         (JSC::ExecState::clearException): Deleted.
2562         (JSC::ExecState::exception): Deleted.
2563         (JSC::ExecState::hadException): Deleted.
2564         (JSC::ExecState::lastException): Deleted.
2565         (JSC::ExecState::clearLastException): Deleted.
2566         * interpreter/Interpreter.cpp:
2567         (JSC::eval):
2568         (JSC::sizeOfVarargs):
2569         (JSC::notifyDebuggerOfUnwinding):
2570         (JSC::Interpreter::unwind):
2571         (JSC::Interpreter::execute):
2572         (JSC::Interpreter::executeCall):
2573         (JSC::Interpreter::executeConstruct):
2574         (JSC::Interpreter::prepareForRepeatCall):
2575         (JSC::Interpreter::debug):
2576         * interpreter/Interpreter.h:
2577         (JSC::SuspendExceptionScope::SuspendExceptionScope):
2578         * interpreter/ShadowChicken.cpp:
2579         (JSC::ShadowChicken::functionsOnStack):
2580         * jit/JITCode.cpp:
2581         (JSC::JITCode::execute):
2582         * jit/JITExceptions.cpp:
2583         (JSC::genericUnwind):
2584         * jit/JITOperations.cpp:
2585         (JSC::getByVal):
2586         * jsc.cpp:
2587         (WTF::ImpureGetter::getOwnPropertySlot):
2588         (GlobalObject::moduleLoaderResolve):
2589         (GlobalObject::moduleLoaderFetch):
2590         (functionCreateElement):
2591         (functionRun):
2592         (functionRunString):
2593         (functionLoad):
2594         (functionLoadString):
2595         (functionReadFile):
2596         (functionCheckSyntax):
2597         (functionSetRandomSeed):
2598         (functionLoadModule):
2599         (functionCreateBuiltin):
2600         (functionCheckModuleSyntax):
2601         (functionGenerateHeapSnapshot):
2602         (functionSamplingProfilerStackTraces):
2603         (dumpException):
2604         (checkUncaughtException):
2605         (runWithScripts):
2606         (runInteractive):
2607         * llint/LLIntExceptions.cpp:
2608         (JSC::LLInt::returnToThrow):
2609         (JSC::LLInt::callToThrow):
2610         * llint/LLIntSlowPaths.cpp:
2611         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2612         * profiler/ProfilerBytecodeSequence.cpp:
2613         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
2614         * profiler/ProfilerCompilation.cpp:
2615         (JSC::Profiler::Compilation::toJS):
2616         * profiler/ProfilerDatabase.cpp:
2617         (JSC::Profiler::Database::toJS):
2618         * profiler/ProfilerOSRExitSite.cpp:
2619         (JSC::Profiler::OSRExitSite::toJS):
2620         * profiler/ProfilerOriginStack.cpp:
2621         (JSC::Profiler::OriginStack::toJS):
2622         * runtime/ArrayPrototype.cpp:
2623         (JSC::speciesConstructArray):
2624         (JSC::shift):
2625         (JSC::unshift):
2626         (JSC::arrayProtoFuncToString):
2627         (JSC::arrayProtoFuncToLocaleString):
2628         (JSC::slowJoin):
2629         (JSC::fastJoin):
2630         (JSC::arrayProtoFuncJoin):
2631         (JSC::arrayProtoFuncPop):
2632         (JSC::arrayProtoFuncPush):
2633         (JSC::arrayProtoFuncReverse):
2634         (JSC::arrayProtoFuncShift):
2635         (JSC::arrayProtoFuncSlice):
2636         (JSC::arrayProtoFuncSplice):
2637         (JSC::arrayProtoFuncUnShift):
2638         (JSC::arrayProtoFuncIndexOf):
2639         (JSC::arrayProtoFuncLastIndexOf):
2640         (JSC::moveElements):
2641         (JSC::concatAppendOne):
2642         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2643         * runtime/BooleanConstructor.cpp:
2644         (JSC::constructWithBooleanConstructor):
2645         * runtime/CallData.cpp:
2646         (JSC::call):
2647         * runtime/CatchScope.cpp: Added.
2648         (JSC::CatchScope::CatchScope):
2649         (JSC::CatchScope::~CatchScope):
2650         * runtime/CatchScope.h: Added.
2651         (JSC::CatchScope::clearException):
2652         (JSC::CatchScope::CatchScope):
2653         * runtime/CommonSlowPaths.cpp:
2654         (JSC::SLOW_PATH_DECL):
2655         * runtime/CommonSlowPaths.h:
2656         (JSC::CommonSlowPaths::opIn):
2657         * runtime/CommonSlowPathsExceptions.cpp:
2658         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2659         * runtime/Completion.cpp:
2660         (JSC::evaluate):
2661         (JSC::rejectPromise):
2662         (JSC::loadAndEvaluateModule):
2663         (JSC::loadModule):
2664         * runtime/ConsoleObject.cpp:
2665         (JSC::consoleProtoFuncAssert):
2666         (JSC::consoleProtoFuncProfile):
2667         (JSC::consoleProtoFuncProfileEnd):
2668         (JSC::consoleProtoFuncTakeHeapSnapshot):
2669         (JSC::consoleProtoFuncTime):
2670         (JSC::consoleProtoFuncTimeEnd):
2671         * runtime/DateConstructor.cpp:
2672         (JSC::constructDate):
2673         (JSC::dateParse):
2674         * runtime/DatePrototype.cpp:
2675         (JSC::dateProtoFuncToPrimitiveSymbol):
2676         (JSC::dateProtoFuncToJSON):
2677         * runtime/ErrorConstructor.cpp:
2678         (JSC::Interpreter::constructWithErrorConstructor):
2679         * runtime/ErrorInstance.cpp:
2680         (JSC::ErrorInstance::sanitizedToString):
2681         * runtime/ErrorPrototype.cpp:
2682         (JSC::errorProtoFuncToString):
2683         * runtime/ExceptionEventLocation.cpp: Added.
2684         (WTF::printInternal):
2685         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
2686         (JSC::ExceptionEventLocation::ExceptionEventLocation):
2687         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
2688         * runtime/ExceptionHelpers.h:
2689         * runtime/ExceptionScope.cpp: Added.
2690         (JSC::ExceptionScope::ExceptionScope):
2691         (JSC::ExceptionScope::~ExceptionScope):
2692         * runtime/ExceptionScope.h: Added.
2693         (JSC::ExceptionScope::vm):
2694         (JSC::ExceptionScope::recursionDepth):
2695         (JSC::ExceptionScope::exception):
2696         (JSC::ExceptionScope::ExceptionScope):
2697         * runtime/FunctionConstructor.cpp:
2698         (JSC::constructFunctionSkippingEvalEnabledCheck):
2699         * runtime/FunctionPrototype.cpp:
2700         (JSC::functionProtoFuncBind):
2701         * runtime/GenericArgumentsInlines.h:
2702         (JSC::GenericArguments<Type>::copyToArguments):
2703         * runtime/GetterSetter.cpp:
2704         (JSC::callGetter):
2705         * runtime/InspectorInstrumentationObject.cpp:
2706         (JSC::inspectorInstrumentationObjectLog):
2707         * runtime/InternalFunction.cpp:
2708         (JSC::InternalFunction::createSubclassStructure):
2709         * runtime/IntlCollator.cpp:
2710         (JSC::IntlCollator::initializeCollator):
2711         (JSC::IntlCollator::createCollator):
2712         (JSC::IntlCollator::resolvedOptions):
2713         * runtime/IntlCollatorConstructor.cpp:
2714         (JSC::constructIntlCollator):
2715         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2716         * runtime/IntlCollatorPrototype.cpp:
2717         (JSC::IntlCollatorFuncCompare):
2718         (JSC::IntlCollatorPrototypeGetterCompare):
2719         * runtime/IntlDateTimeFormat.cpp:
2720         (JSC::toDateTimeOptionsAnyDate):
2721         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2722         (JSC::IntlDateTimeFormat::resolvedOptions):
2723         (JSC::IntlDateTimeFormat::format):
2724         * runtime/IntlDateTimeFormatConstructor.cpp:
2725         (JSC::constructIntlDateTimeFormat):
2726         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2727         * runtime/IntlDateTimeFormatPrototype.cpp:
2728         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2729         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2730         * runtime/IntlNumberFormat.cpp:
2731         (JSC::IntlNumberFormat::initializeNumberFormat):
2732         (JSC::IntlNumberFormat::createNumberFormat):
2733         (JSC::IntlNumberFormat::resolvedOptions):
2734         * runtime/IntlNumberFormatConstructor.cpp:
2735         (JSC::constructIntlNumberFormat):
2736         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
2737         * runtime/IntlNumberFormatPrototype.cpp:
2738         (JSC::IntlNumberFormatFuncFormatNumber):
2739         (JSC::IntlNumberFormatPrototypeGetterFormat):
2740         * runtime/IntlObject.cpp:
2741         (JSC::intlBooleanOption):
2742         (JSC::intlStringOption):
2743         (JSC::intlNumberOption):
2744         (JSC::canonicalizeLocaleList):
2745         (JSC::supportedLocales):
2746         * runtime/IntlObjectInlines.h:
2747         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2748         * runtime/IteratorOperations.cpp:
2749         (JSC::iteratorNext):
2750         (JSC::iteratorStep):
2751         (JSC::iteratorClose):
2752         (JSC::iteratorForIterable):
2753         * runtime/IteratorOperations.h:
2754         (JSC::forEachInIterable):
2755         * runtime/JSArray.cpp:
2756         (JSC::JSArray::pop):
2757         (JSC::JSArray::push):
2758         (JSC::JSArray::copyToArguments):
2759         * runtime/JSArrayBufferConstructor.cpp:
2760         (JSC::constructArrayBuffer):
2761         * runtime/JSArrayBufferPrototype.cpp:
2762         (JSC::arrayBufferProtoFuncSlice):
2763         * runtime/JSArrayInlines.h:
2764         (JSC::getLength):
2765         (JSC::toLength):
2766         * runtime/JSBoundFunction.cpp:
2767         (JSC::getBoundFunctionStructure):
2768         (JSC::JSBoundFunction::create):
2769         * runtime/JSCJSValue.cpp:
2770         (JSC::JSValue::putToPrimitive):
2771         (JSC::JSValue::putToPrimitiveByIndex):
2772         (JSC::JSValue::toStringSlowCase):
2773         * runtime/JSCJSValueInlines.h:
2774         (JSC::toPreferredPrimitiveType):
2775         (JSC::JSValue::getPropertySlot):
2776         (JSC::JSValue::equalSlowCaseInline):
2777         * runtime/JSDataViewPrototype.cpp:
2778         (JSC::getData):
2779         (JSC::setData):
2780         * runtime/JSFunction.cpp:
2781         (JSC::JSFunction::setFunctionName):
2782         * runtime/JSGenericTypedArrayView.h:
2783         (JSC::JSGenericTypedArrayView::setIndex):
2784         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2785         (JSC::constructGenericTypedArrayViewFromIterator):
2786         (JSC::constructGenericTypedArrayViewWithArguments):
2787         (JSC::constructGenericTypedArrayView):
2788         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2789         (JSC::speciesConstruct):
2790         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2791         (JSC::genericTypedArrayViewProtoFuncIncludes):
2792         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2793         (JSC::genericTypedArrayViewProtoFuncJoin):
2794         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2795         (JSC::genericTypedArrayViewProtoFuncSlice):
2796         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2797         * runtime/JSGlobalObject.h:
2798         (JSC::constructEmptyArray):
2799         (JSC::constructArray):
2800         (JSC::constructArrayNegativeIndexed):
2801         * runtime/JSGlobalObjectFunctions.cpp:
2802         (JSC::globalFuncEval):
2803         * runtime/JSJob.cpp:
2804         (JSC::JSJobMicrotask::run):
2805         * runtime/JSModuleEnvironment.cpp:
2806         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2807         * runtime/JSModuleLoader.cpp:
2808         (JSC::JSModuleLoader::fetch):
2809         * runtime/JSModuleNamespaceObject.cpp:
2810         (JSC::JSModuleNamespaceObject::finishCreation):
2811         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2812         * runtime/JSModuleRecord.cpp:
2813         (JSC::JSModuleRecord::instantiateDeclarations):
2814         * runtime/JSONObject.cpp:
2815         (JSC::Stringifier::Stringifier):
2816         (JSC::Stringifier::stringify):
2817         (JSC::Stringifier::toJSON):
2818         (JSC::Stringifier::appendStringifiedValue):
2819         (JSC::Stringifier::Holder::appendNextProperty):
2820         (JSC::Walker::walk):
2821         (JSC::JSONProtoFuncParse):
2822         * runtime/JSObject.cpp:
2823         (JSC::ordinarySetSlow):
2824         (JSC::JSObject::setPrototypeWithCycleCheck):
2825         (JSC::callToPrimitiveFunction):
2826         (JSC::JSObject::ordinaryToPrimitive):
2827         (JSC::JSObject::defaultHasInstance):
2828         (JSC::JSObject::getPropertyNames):
2829         (JSC::JSObject::toNumber):
2830         (JSC::JSObject::toString):
2831         (JSC::JSObject::defineOwnNonIndexProperty):
2832         (JSC::JSObject::getGenericPropertyNames):
2833         (JSC::JSObject::getMethod):
2834         * runtime/JSObjectInlines.h:
2835         (JSC::createListFromArrayLike):
2836         (JSC::JSObject::getPropertySlot):
2837         (JSC::JSObject::getNonIndexPropertySlot):
2838         * runtime/JSPromiseConstructor.cpp:
2839         (JSC::constructPromise):
2840         * runtime/JSPropertyNameEnumerator.h:
2841         (JSC::propertyNameEnumerator):
2842         * runtime/JSPropertyNameIterator.cpp:
2843         (JSC::JSPropertyNameIterator::create):
2844         * runtime/JSScope.cpp:
2845         (JSC::isUnscopable):
2846         (JSC::JSScope::resolve):
2847         * runtime/JSString.cpp:
2848         (JSC::JSString::equalSlowCase):
2849         * runtime/JSStringJoiner.cpp:
2850         (JSC::JSStringJoiner::join):
2851         * runtime/LiteralParser.cpp:
2852         (JSC::LiteralParser<CharType>::parse):
2853         * runtime/MapConstructor.cpp:
2854         (JSC::constructMap):
2855         * runtime/MathObject.cpp:
2856         (JSC::mathProtoFuncClz32):
2857         (JSC::mathProtoFuncHypot):
2858         (JSC::mathProtoFuncIMul):
2859         * runtime/ModuleLoaderPrototype.cpp:
2860         (JSC::moduleLoaderPrototypeParseModule):
2861         (JSC::moduleLoaderPrototypeRequestedModules):
2862         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2863         * runtime/NativeErrorConstructor.cpp:
2864         (JSC::Interpreter::constructWithNativeErrorConstructor):
2865         * runtime/NumberConstructor.cpp:
2866         (JSC::constructWithNumberConstructor):
2867         * runtime/ObjectConstructor.cpp:
2868         (JSC::constructObject):
2869         (JSC::objectConstructorGetPrototypeOf):
2870         (JSC::objectConstructorSetPrototypeOf):
2871         (JSC::objectConstructorGetOwnPropertyDescriptor):
2872         (JSC::objectConstructorGetOwnPropertyDescriptors):
2873         (JSC::objectConstructorGetOwnPropertyNames):
2874         (JSC::objectConstructorGetOwnPropertySymbols):
2875         (JSC::objectConstructorKeys):
2876         (JSC::ownEnumerablePropertyKeys):
2877         (JSC::toPropertyDescriptor):
2878         (JSC::objectConstructorDefineProperty):
2879         (JSC::defineProperties):
2880         (JSC::objectConstructorSeal):
2881         (JSC::objectConstructorFreeze):
2882         (JSC::objectConstructorIsSealed):
2883         (JSC::objectConstructorIsFrozen):
2884         (JSC::objectConstructorIsExtensible):
2885         (JSC::ownPropertyKeys):
2886         * runtime/ObjectConstructor.h:
2887         (JSC::constructObjectFromPropertyDescriptor):
2888         * runtime/ObjectPrototype.cpp:
2889         (JSC::objectProtoFuncHasOwnProperty):
2890         (JSC::objectProtoFuncIsPrototypeOf):
2891         (JSC::objectProtoFuncDefineGetter):
2892         (JSC::objectProtoFuncDefineSetter):
2893         (JSC::objectProtoFuncLookupGetter):
2894         (JSC::objectProtoFuncLookupSetter):
2895         (JSC::objectProtoFuncPropertyIsEnumerable):
2896         (JSC::objectProtoFuncToLocaleString):
2897         (JSC::objectProtoFuncToString):
2898         * runtime/Operations.cpp:
2899         (JSC::jsAddSlowCase):
2900         * runtime/Options.h:
2901         * runtime/PropertyDescriptor.cpp:
2902         (JSC::PropertyDescriptor::slowGetterSetter):
2903         * runtime/ProxyConstructor.cpp:
2904         (JSC::makeRevocableProxy):
2905         * runtime/ProxyObject.cpp:
2906         (JSC::ProxyObject::toStringName):
2907         (JSC::performProxyGet):
2908         (JSC::ProxyObject::performGet):
2909         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2910         (JSC::ProxyObject::performHasProperty):
2911         (JSC::ProxyObject::performPut):
2912         (JSC::ProxyObject::putByIndexCommon):
2913         (JSC::performProxyCall):
2914         (JSC::performProxyConstruct):
2915         (JSC::ProxyObject::performDelete):
2916         (JSC::ProxyObject::performPreventExtensions):
2917         (JSC::ProxyObject::performIsExtensible):
2918         (JSC::ProxyObject::performDefineOwnProperty):
2919         (JSC::ProxyObject::performGetOwnPropertyNames):
2920         (JSC::ProxyObject::performSetPrototype):
2921         (JSC::ProxyObject::performGetPrototype):
2922         * runtime/ReflectObject.cpp:
2923         (JSC::reflectObjectConstruct):
2924         (JSC::reflectObjectDefineProperty):
2925         (JSC::reflectObjectGet):
2926         (JSC::reflectObjectGetOwnPropertyDescriptor):
2927         (JSC::reflectObjectIsExtensible):
2928         (JSC::reflectObjectPreventExtensions):
2929         (JSC::reflectObjectSet):
2930         (JSC::reflectObjectSetPrototypeOf):
2931         * runtime/RegExpConstructor.cpp:
2932         (JSC::toFlags):
2933         (JSC::regExpCreate):
2934         (JSC::constructRegExp):
2935         * runtime/RegExpConstructor.h:
2936         (JSC::isRegExp):
2937         * runtime/RegExpObject.cpp:
2938         (JSC::collectMatches):
2939         (JSC::RegExpObject::matchGlobal):
2940         * runtime/RegExpPrototype.cpp:
2941         (JSC::regExpProtoFuncCompile):
2942         (JSC::flagsString):
2943         (JSC::regExpProtoFuncToString):
2944         (JSC::regExpProtoGetterFlags):
2945         (JSC::regExpProtoFuncSearchFast):
2946         (JSC::regExpProtoFuncSplitFast):
2947         * runtime/SetConstructor.cpp:
2948         (JSC::constructSet):
2949         * runtime/StringConstructor.cpp:
2950         (JSC::stringFromCodePoint):
2951         (JSC::constructWithStringConstructor):
2952         * runtime/StringObject.cpp:
2953         (JSC::StringObject::defineOwnProperty):
2954         * runtime/StringPrototype.cpp:
2955         (JSC::replaceUsingRegExpSearch):
2956         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2957         (JSC::replaceUsingStringSearch):
2958         (JSC::replace):
2959         (JSC::stringProtoFuncReplaceUsingRegExp):
2960         (JSC::stringProtoFuncReplaceUsingStringSearch):
2961         (JSC::stringProtoFuncCodePointAt):
2962         (JSC::stringProtoFuncSlice):
2963         (JSC::stringProtoFuncSplitFast):
2964         (JSC::stringProtoFuncSubstr):
2965         (JSC::stringProtoFuncSubstring):
2966         (JSC::stringProtoFuncLocaleCompare):
2967         (JSC::toLocaleCase):
2968         (JSC::stringProtoFuncBig):
2969         (JSC::stringProtoFuncSmall):
2970         (JSC::stringProtoFuncBlink):
2971         (JSC::stringProtoFuncBold):
2972         (JSC::stringProtoFuncFixed):
2973         (JSC::stringProtoFuncItalics):
2974         (JSC::stringProtoFuncStrike):
2975         (JSC::stringProtoFuncSub):
2976         (JSC::stringProtoFuncSup):
2977         (JSC::stringProtoFuncFontcolor):
2978         (JSC::stringProtoFuncFontsize):
2979         (JSC::stringProtoFuncAnchor):
2980         (JSC::stringProtoFuncLink):
2981         (JSC::trimString):
2982         (JSC::stringProtoFuncStartsWith):
2983         (JSC::stringProtoFuncEndsWith):
2984         (JSC::stringIncludesImpl):
2985         (JSC::stringProtoFuncIncludes):
2986         (JSC::builtinStringIncludesInternal):
2987         (JSC::stringProtoFuncNormalize):
2988         * runtime/SymbolConstructor.cpp:
2989         (JSC::symbolConstructorFor):
2990         * runtime/TemplateRegistry.cpp:
2991         (JSC::TemplateRegistry::getTemplateObject):
2992         * runtime/ThrowScope.cpp:
2993         (JSC::ThrowScope::ThrowScope):
2994         (JSC::ThrowScope::~ThrowScope):
2995         (JSC::ThrowScope::throwException):
2996         (JSC::ThrowScope::simulateThrow):
2997         (JSC::ThrowScope::printIfNeedCheck): Deleted.
2998         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
2999         * runtime/ThrowScope.h:
3000         (JSC::ThrowScope::release):
3001         (JSC::ThrowScope::ThrowScope):
3002         (JSC::ThrowScope::throwException):
3003         (JSC::ThrowScope::vm): Deleted.
3004         (JSC::ThrowScope::exception): Deleted.
3005         * runtime/ThrowScopeLocation.h: Removed.
3006         * runtime/VM.cpp:
3007         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
3008         * runtime/VM.h:
3009         (JSC::VM::exception):
3010         (JSC::VM::clearException):
3011         (JSC::VM::setException): Deleted.
3012         * runtime/WeakMapConstructor.cpp:
3013         (JSC::constructWeakMap):
3014         * runtime/WeakSetConstructor.cpp:
3015         (JSC::constructWeakSet):
3016         * tools/JSDollarVMPrototype.cpp:
3017         (JSC::functionPrint):
3018
3019 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
3020
3021         [INTL] some valid language tags cause errors in Intl constructors
3022         https://bugs.webkit.org/show_bug.cgi?id=161672
3023
3024         Reviewed by Mark Lam.
3025
3026         Fix private use tag parsing to match spec, allowing single character parts.
3027         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
3028
3029         ```
3030         privateuse    = "x" 1*("-" (1*8alphanum))
3031         ```
3032
3033         * runtime/IntlObject.cpp:
3034         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
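
        The privateuse production above, as an added example (not JSC's own privateUseLangTag):
        a stand-alone C++ check for a privateuse sequence that accepts single-character parts;
        the names isPrivateUseLangTag and isAlphanum are assumed here.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// BCP 47 alphanum = ALPHA / DIGIT, ASCII only (locale-independent on purpose).
static bool isAlphanum(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

// Matches   privateuse = "x" 1*("-" (1*8alphanum))   on its own, i.e. the tail of a
// tag such as "x-a-1". A one-character part is valid; rejecting it was the bug fixed
// above. The singleton is case-insensitive. If `parts` is given, the parts are appended.
// Hypothetical name for this example, not JSC's privateUseLangTag.
bool isPrivateUseLangTag(const std::string& tag, std::vector<std::string>* parts = nullptr) {
    if (tag.size() < 3 || (tag[0] != 'x' && tag[0] != 'X'))
        return false;  // needs at least "x-" plus one alphanum
    size_t pos = 1;
    size_t count = 0;
    while (pos < tag.size()) {
        if (tag[pos] != '-')
            return false;  // parts are separated by exactly one hyphen
        size_t start = ++pos;
        while (pos < tag.size() && isAlphanum(tag[pos]))
            ++pos;
        size_t len = pos - start;
        if (len < 1 || len > 8)  // 1*8alphanum: "x--a" and "x-abcdefghi" fail here
            return false;
        if (parts)
            parts->push_back(tag.substr(start, len));
        ++count;
    }
    return count >= 1;
}
```

A full tag parser would run this on the remainder after the language, script, region, variant and extension subtags, or on the whole tag when it begins with "x-".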
3035
3036 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
3037
3038         [JSC] Remove a couple of useless forward declaration
3039         https://bugs.webkit.org/show_bug.cgi?id=161676
3040
3041         Reviewed by Mark Lam.
3042
3043         JITMathICForwards.h should take care of declaring the Math ICs.
3044
3045         * bytecode/CodeBlock.h:
3046         * jit/JITOperations.h:
3047
3048 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
3049
3050         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
3051         https://bugs.webkit.org/show_bug.cgi?id=161706
3052
3053         Reviewed by Geoffrey Garen.
3054         
3055         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
3056         have to do something different.
3057
3058         * jit/AssemblyHelpers.h:
3059         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3060
3061 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
3062
3063         Unreviewed CMake build fix after r205552
3064
3065         * CMakeLists.txt:
3066
3067 2016-09-03  Keith Miller  <keith_miller@apple.com>
3068
3069         Add support for WASM Loops and Branches
3070         https://bugs.webkit.org/show_bug.cgi?id=161569
3071
3072         Reviewed by Benjamin Poulain.
3073
3074         This patch adds support for loops and branches to WASM. In order
3075         to support loops, we needed to change the way the B3IRGenerator
3076         tracked control information. Now, the control data holds three
3077         pieces of information: The continuation block, the loop branch
3078         target, and variables exiting the block. Whenever we branch to
3079         some control point we first check if it is a loop by checking that
3080         the loop branch target is non-null. If the branch is not targeting
3081         a loop, we map the stack values to the associated B3 variables for
3082         that stack slot.
3083
3084         Another interesting thing of note is that we now only allocate the
3085         continuation basic block lazily. This is beneficial when the
3086         continuation would just fall through to another block anyway. For
3087         example, in code like: (block ... (block (add 1 2) end) end) the
3088         continuation for the inner block just falls through to the outer
3089         block's continuation so we don't need an extra block.
3090
3091         * B3CallingConventions.cpp:
3092         (JSC::B3::jscCallingConvention): Deleted.
3093         * B3CallingConventions.h:
3094         (JSC::B3::CallingConvention::CallingConvention): Deleted.
3095         (JSC::B3::CallingConvention::iterate): Deleted.
3096         (JSC::B3::nextJSCOffset): Deleted.
3097         * JavaScriptCore.xcodeproj/project.pbxproj:
3098         * b3/B3Type.h:
3099         * testWASM.cpp:
3100         (runWASMTests):
3101         * wasm/WASMB3IRGenerator.cpp:
3102         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
3103         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
3104         (JSC::WASM::B3IRGenerator::LazyBlock::get):
3105         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
3106         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
3107         (JSC::WASM::B3IRGenerator::ControlData::dump):
3108         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
3109         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
3110         (JSC::WASM::B3IRGenerator::addLocal):
3111         (JSC::WASM::B3IRGenerator::addArguments):
3112         (JSC::WASM::B3IRGenerator::setLocal):
3113         (JSC::WASM::B3IRGenerator::addBlock):
3114         (JSC::WASM::B3IRGenerator::addLoop):
3115         (JSC::WASM::B3IRGenerator::endBlock):
3116         (JSC::WASM::B3IRGenerator::addReturn):
3117         (JSC::WASM::B3IRGenerator::addBranch):
3118         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
3119         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
3120         (JSC::WASM::B3IRGenerator::controlDataForLevel):
3121         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
3122         (JSC::WASM::parseAndCompile):
3123         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
3124         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
3125         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
3126         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
3127         (JSC::WASM::jscCallingConvention):
3128         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
3129         (JSC::WASM::CallingConvention::CallingConvention):
3130         (JSC::WASM::CallingConvention::iterate):
3131         (JSC::WASM::nextJSCOffset):
3132         * wasm/WASMFormat.h:
3133         (JSC::WASM::toB3Type):
3134         (JSC::WASM::isValueType):
3135         * wasm/WASMFunctionParser.h:
3136         (JSC::WASM::FunctionParser<Context>::parse):
3137         (JSC::WASM::FunctionParser<Context>::parseExpression):
3138         * wasm/WASMModuleParser.cpp:
3139         (JSC::WASM::ModuleParser::parseFunctionTypes):
3140         * wasm/WASMOps.h:
3141
3142 2016-09-07  Youenn Fablet  <youenn@apple.com>
3143
3144         [Streams API] Separate compile flag for ReadableStream and WritableStream
3145         https://bugs.webkit.org/show_bug.cgi?id=161044
3146
3147         Reviewed by Alex Christensen.
3148
3149         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
3150         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
3151
3152         * Configurations/FeatureDefines.xcconfig:
3153         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
3154         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3155         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
3156
3157 2016-09-07  Csaba Osztrogonác  <ossy@webkit.org>
3158
3159         Fix the ENABLE(WEBASSEMBLY) build on Linux
3160         https://bugs.webkit.org/show_bug.cgi?id=161685
3161
3162         Unreviewed buildfix.
3163
3164         * wasm/JSWASMModule.cpp:
3165
3166 2016-09-06  Saam Barati  <sbarati@apple.com>
3167
3168         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
3169         https://bugs.webkit.org/show_bug.cgi?id=161558
3170
3171         Reviewed by Benjamin Poulain.
3172
3173         ProxyObject had ObjectPrototype as its direct prototype.
3174         This could lead to infinite loops when doing a getDirectPrototype()
3175         loop.
3176
3177         Fixing this bug revealed another bug, which I made when implementing Proxy.
3178         We should not special case "__proto__" in get and set for Proxy Object's
3179         hooks. "__proto__" should just go through the normal set and get path.
3180
3181         * runtime/JSGlobalObject.cpp:
3182         (JSC::JSGlobalObject::init):
3183         * runtime/ProxyObject.cpp:
3184         (JSC::performProxyGet):
3185         (JSC::ProxyObject::put):
3186
3187 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3188
3189         Make JSC::PrivateName copyable
3190         https://bugs.webkit.org/show_bug.cgi?id=161666
3191
3192         Reviewed by Ryosuke Niwa.
3193
3194         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
3195         And since the custom copy constructor deletes the default move constructor, we explicitly define
3196         it by `= default;`.
3197
3198         * runtime/PrivateName.h:
3199         (JSC::PrivateName::PrivateName):
3200
3201 2016-09-06  Daniel Bates  <dabates@apple.com>
3202
3203         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
3204         https://bugs.webkit.org/show_bug.cgi?id=161296
3205
3206         Reviewed by Dan Bernstein.
3207
3208         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
3209         with the iOS 10 beta SDK.
3210
3211         * Configurations/Base.xcconfig:
3212
3213 2016-09-06  Saam Barati  <sbarati@apple.com>
3214
3215         Unreviewed build fix for 32-bit platforms after r205520.
3216
3217         * dfg/DFGSpeculativeJIT.h:
3218         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
3219
3220 2016-09-06  Saam Barati  <sbarati@apple.com>
3221
3222         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
3223         https://bugs.webkit.org/show_bug.cgi?id=160870
3224
3225         Reviewed by Darin Adler.
3226
3227         Credit goes to Jonathan Bedard for finding this bug using the undefined
3228         behavior sanitizer.
3229
3230         The rule for MaterializeNewObject inside AI was assuming that the graph
3231         is in SSA form. This used to be true when MaterializeNewObject was only
3232         inserted by the allocation sinking phase. However, Filip added more uses
3233         of MaterializeNewObject in his RegExp constant folding patch. This fixes
3234         the bug by using the structure set inside the Node's OpInfo rather than
3235         generating it from m_phiChildren inside AI.
3236
3237         * dfg/DFGAbstractInterpreterInlines.h:
3238         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3239
3240 2016-09-06  Saam Barati  <sbarati@apple.com>
3241
3242         Make JSMap and JSSet faster
3243         https://bugs.webkit.org/show_bug.cgi?id=160989
3244
3245         Reviewed by Filip Pizlo.
3246
3247         This patch revamps how we implement Map and Set. It uses
3248         a new hash map implementation. The hash map uses linear
3249         probing and it uses Wang's 64 bit hash function for JSValues
3250         that aren't strings. Strings use StringImpl's hash function.
3251         The reason I wanted to roll our own HashTable is twofold:
3252         I didn't want to inline WTF::HashMap's implementation into our
3253         JIT, since that seems error prone and unmaintainable. Also, I wanted
3254         a different structure for hash map buckets where buckets also exist in
3255         a linked list.
3256
3257         The reason for making buckets part of a linked list is that iteration
3258         is now simple. Iteration works by just traversing a linked list.
3259         This design also allows for a simple implementation when doing iteration
3260         while the hash table is mutating. Whenever we remove a bucket from
3261         the hash table, it is removed from the list, meaning items in the
3262         list don't point to it. However, the removed bucket will still point
3263         to things that are either in the list, or have also been removed.
3264         e.g., from a removed bucket, you can always follow pointers until you
3265         either find an item in the list, or you find the tail of the list.
3266         This is a really nice property because it means that a Map or Set
3267         does not need to reason about all the iterators that point
3268         into its list. Also, whenever we add items to the Map or Set, we
3269         hijack the tail as the new item, and make the new item point to a newly
3270         created tail. This means that any iterator that pointed to the "tail" now
3271         points to non-tail items. This makes the implementation of adding things
3272         to the Map/Set while iterating easy.
3273
3274         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
3275         into intrinsics in the DFG. The IR can now reason about hash map
3276         operations and can even do CSE over Wang's hash function, hash map
3277         bucket lookups, hash map bucket loads, and testing if a key is in
3278         the hash table. This makes code patterns for Map like so, super fast
3279         in the FTL, since we will only be doing a single hash and hash bucket lookup:
3280
3281         ```
3282         function getKeyIfPresent(map, key) {
3283             if (map.has(key))
3284                 return map.get(key);
3285         }
3286         ```
3287
3288         This patch is roughly an 8% speedup on ES6SampleBench.
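
        The bucket-in-a-linked-list scheme described above, as an added example that is not
        JSC's HashMapImpl: a small C++ linear-probing table whose buckets form an
        insertion-ordered list, so removal unlinks a bucket without clearing its pointers and
        insertion hijacks the tail. It uses the textbook Wang 64-bit mix (not JSC's exact
        variant), a fixed capacity with no rehash, and the names LinkedHashMap, Bucket and
        nextLive, all assumed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// A table entry that is also a node of an insertion-ordered doubly linked list.
struct Bucket {
    int64_t key = 0, value = 0;
    bool deleted = false;    // unlinked from the list; left in the slot array as a tombstone
    Bucket* prev = nullptr;
    Bucket* next = nullptr;  // nullptr only for the tail sentinel
};

// Thomas Wang's 64-bit integer mix (textbook version, not JSC's exact variant).
inline uint64_t wangsInt64Hash(uint64_t key) {
    key = ~key + (key << 21);
    key ^= key >> 24;
    key = (key + (key << 3)) + (key << 8);
    key ^= key >> 14;
    key = (key + (key << 2)) + (key << 4);
    key ^= key >> 28;
    return key + (key << 31);
}

// Fixed-capacity linear-probing table (no rehash, to keep the example short). Load is
// capped at 1/2 counting tombstones, so every probe sequence reaches an empty slot.
class LinkedHashMap {
public:
    explicit LinkedHashMap(size_t capacity = 64) : m_slots(capacity, nullptr) {
        m_head = newBucket();
        m_tail = newBucket();
        m_head->next = m_tail;
        m_tail->prev = m_head;
    }
    Bucket* find(int64_t key) {
        size_t mask = m_slots.size() - 1;
        for (size_t i = wangsInt64Hash(key) & mask; m_slots[i]; i = (i + 1) & mask) {
            if (!m_slots[i]->deleted && m_slots[i]->key == key) return m_slots[i];
        }
        return nullptr;
    }
    bool set(int64_t key, int64_t value) {
        if (Bucket* b = find(key)) { b->value = value; return true; }
        if ((m_used + 1) * 2 > m_slots.size()) return false;  // table full
        // Hijack the tail as the new entry and link a fresh tail after it: a cursor
        // parked on the old tail now points at a real item instead of the end.
        Bucket* b = m_tail;
        b->key = key; b->value = value;
        m_tail = newBucket();
        m_tail->prev = b; b->next = m_tail;
        size_t mask = m_slots.size() - 1;
        size_t i = wangsInt64Hash(key) & mask;
        while (m_slots[i]) i = (i + 1) & mask;
        m_slots[i] = b;
        ++m_used;
        return true;
    }
    bool remove(int64_t key) {
        Bucket* b = find(key);
        if (!b) return false;
        b->deleted = true;  // stays in m_slots so probes that pass it still work
        // Unlink so live neighbours skip b, but leave b's own pointers intact: following
        // next from a removed bucket always reaches a live bucket or the tail.
        b->prev->next = b->next;
        b->next->prev = b->prev;
        return true;
    }
    // Cursor protocol: start from head() and call nextLive() until it returns nullptr.
    Bucket* head() const { return m_head; }
    static Bucket* nextLive(Bucket* pos) {
        if (!pos->next) return nullptr;  // pos is the tail
        Bucket* b = pos->next;
        while (b->deleted) b = b->next;  // removed buckets still point onward
        return b->next ? b : nullptr;    // reaching the tail ends the walk
    }
private:
    Bucket* newBucket() {
        m_owned.push_back(std::make_unique<Bucket>());
        return m_owned.back().get();
    }
    std::vector<Bucket*> m_slots;
    std::vector<std::unique_ptr<Bucket>> m_owned;  // removed buckets stay alive for cursors
    Bucket* m_head = nullptr;
    Bucket* m_tail = nullptr;
    size_t m_used = 0;  // live entries plus tombstones
};

// Constructed scenario: remove the current and the following entry, then append, all
// mid-iteration; returns the keys the cursor observed.
std::vector<int64_t> iterateWhileMutating() {
    LinkedHashMap map;
    for (int64_t k = 1; k <= 4; ++k) map.set(k, k * 10);
    std::vector<int64_t> seen;
    for (Bucket* pos = LinkedHashMap::nextLive(map.head()); pos; pos = LinkedHashMap::nextLive(pos)) {
        seen.push_back(pos->key);
        if (pos->key == 2) { map.remove(2); map.remove(3); }  // cursor sits on a removed bucket
        if (pos->key == 4) map.set(5, 50);                    // hijacks the tail the cursor is heading to
    }
    return seen;  // {1, 2, 4, 5}
}
```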
3289
3290
3291         * CMakeLists.txt:
3292         * JavaScriptCore.xcodeproj/project.pbxproj:
3293         * assembler/MacroAssemblerARM64.h:
3294         (JSC::MacroAssemblerARM64::not64):
3295         * bytecode/SpeculatedType.cpp:
3296         (JSC::speculationFromClassInfo):
3297         * bytecode/SpeculatedType.h:
3298         * dfg/DFGAbstractInterpreterInlines.h:
3299         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3300         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
3301         * dfg/DFGByteCodeParser.cpp:
3302         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3303         * dfg/DFGClobberize.h:
3304         (JSC::DFG::clobberize):
3305         * dfg/DFGDoesGC.cpp:
3306         (JSC::DFG::doesGC):
3307         * dfg/DFGEdge.h:
3308         (JSC::DFG::Edge::shift):
3309         (JSC::DFG::Edge::makeWord):
3310         * dfg/DFGFixupPhase.cpp:
3311         (JSC::DFG::FixupPhase::fixupNode):
3312         * dfg/DFGHeapLocation.cpp:
3313         (WTF::printInternal):
3314         * dfg/DFGHeapLocation.h:
3315         * dfg/DFGNode.h:
3316         (JSC::DFG::Node::hasHeapPrediction):
3317         * dfg/DFGNodeType.h:
3318         * dfg/DFGOperations.cpp:
3319         * dfg/DFGOperations.h:
3320         * dfg/DFGPredictionPropagationPhase.cpp:
3321         * dfg/DFGSafeToExecute.h:
3322         (JSC::DFG::SafeToExecuteEdge::operator()):
3323         (JSC::DFG::safeToExecute):
3324         * dfg/DFGSpeculativeJIT.cpp:
3325         (JSC::DFG::SpeculativeJIT::speculateMapObject):
3326         (JSC::DFG::SpeculativeJIT::speculateSetObject):
3327         (JSC::DFG::SpeculativeJIT::speculate):
3328         * dfg/DFGSpeculativeJIT.h:
3329         (JSC::DFG::SpeculativeJIT::callOperation):
3330         * dfg/DFGSpeculativeJIT32_64.cpp:
3331         (JSC::DFG::SpeculativeJIT::compile):
3332         * dfg/DFGSpeculativeJIT64.cpp:
3333         (JSC::DFG::SpeculativeJIT::compile):
3334         * dfg/DFGUseKind.cpp:
3335         (WTF::printInternal):
3336         * dfg/DFGUseKind.h:
3337         (JSC::DFG::typeFilterFor):
3338         (JSC::DFG::isCell):
3339         * ftl/FTLAbstractHeapRepository.h:
3340         * ftl/FTLCapabilities.cpp:
3341         (JSC::FTL::canCompile):
3342         * ftl/FTLLowerDFGToB3.cpp:
3343         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3344         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3345         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3346         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
3347         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
3348         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
3349         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
3350         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
3351         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3352         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
3353         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
3354         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
3355         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
3356         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
3357         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
3358         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
3359         * jit/AssemblyHelpers.cpp:
3360         (JSC::AssemblyHelpers::wangsInt64Hash):
3361         * jit/AssemblyHelpers.h:
3362         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
3363         * jit/JITOperations.h:
3364         * parser/ModuleAnalyzer.cpp:
3365         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3366         * runtime/HashMapImpl.cpp: Added.
3367         (JSC::HashMapBucket<Data>::visitChildren):
3368         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3369         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
3370         * runtime/HashMapImpl.h: Added.
3371         (JSC::HashMapBucket::selectStructure):
3372         (JSC::HashMapBucket::createStructure):
3373         (JSC::HashMapBucket::create):
3374         (JSC::HashMapBucket::HashMapBucket):
3375         (JSC::HashMapBucket::setNext):
3376         (JSC::HashMapBucket::setPrev):
3377         (JSC::HashMapBucket::setKey):
3378         (JSC::HashMapBucket::setValue):
3379         (JSC::HashMapBucket::key):
3380         (JSC::HashMapBucket::value):
3381         (JSC::HashMapBucket::next):
3382         (JSC::HashMapBucket::prev):
3383         (JSC::HashMapBucket::deleted):
3384         (JSC::HashMapBucket::setDeleted):
3385         (JSC::HashMapBucket::offsetOfKey):
3386         (JSC::HashMapBucket::offsetOfValue):
3387         (JSC::HashMapBuffer::allocationSize):
3388         (JSC::HashMapBuffer::buffer):
3389         (JSC::HashMapBuffer::create):
3390         (JSC::areKeysEqual):
3391         (JSC::normalizeMapKey):
3392         (JSC::jsMapHash):
3393         (JSC::HashMapImpl::selectStructure):
3394         (JSC::HashMapImpl::createStructure):
3395         (JSC::HashMapImpl::create):
3396         (JSC::HashMapImpl::HashMapImpl):
3397         (JSC::HashMapImpl::buffer):
3398         (JSC::HashMapImpl::finishCreation):
3399         (JSC::HashMapImpl::emptyValue):
3400         (JSC::HashMapImpl::isEmpty):
3401         (JSC::HashMapImpl::deletedValue):
3402         (JSC::HashMapImpl::isDeleted):
3403         (JSC::HashMapImpl::findBucket):
3404         (JSC::HashMapImpl::get):
3405         (JSC::HashMapImpl::has):
3406         (JSC::HashMapImpl::add):
3407         (JSC::HashMapImpl::remove):
3408         (JSC::HashMapImpl::size):
3409         (JSC::HashMapImpl::clear):
3410         (JSC::HashMapImpl::bufferSizeInBytes):
3411         (JSC::HashMapImpl::offsetOfBuffer):
3412         (JSC::HashMapImpl::offsetOfCapacity):
3413         (JSC::HashMapImpl::head):
3414         (JSC::HashMapImpl::tail):
3415         (JSC::HashMapImpl::approximateSize):
3416         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
3417         (JSC::HashMapImpl::rehash):
3418         (JSC::HashMapImpl::makeAndSetNewBuffer):
3419         * runtime/Intrinsic.h:
3420         * runtime/JSCJSValue.h:
3421         * runtime/JSCJSValueInlines.h:
3422         (JSC::sameValue):
3423         * runtime/JSGlobalObject.cpp:
3424         (JSC::JSGlobalObject::init):
3425         * runtime/JSMap.cpp:
3426         (JSC::JSMap::destroy): Deleted.
3427         (JSC::JSMap::estimatedSize): Deleted.
3428         (JSC::JSMap::visitChildren): Deleted.
3429         (JSC::JSMap::copyBackingStore): Deleted.
3430         (JSC::JSMap::has): Deleted.
3431         (JSC::JSMap::size): Deleted.
3432         (JSC::JSMap::get): Deleted.
3433         (JSC::JSMap::set): Deleted.
3434         (JSC::JSMap::clear): Deleted.
3435         (JSC::JSMap::remove): Deleted.
3436         * runtime/JSMap.h:
3437         (JSC::JSMap::createStructure):
3438         (JSC::JSMap::create):
3439         (JSC::JSMap::get):
3440         (JSC::JSMap::set):
3441         (JSC::JSMap::JSMap):
3442         (JSC::JSMap::Entry::key): Deleted.
3443         (JSC::JSMap::Entry::value): Deleted.
3444         (JSC::JSMap::Entry::visitChildren): Deleted.
3445         (JSC::JSMap::Entry::setKey): Deleted.
3446         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
3447         (JSC::JSMap::Entry::setValue): Deleted.
3448         (JSC::JSMap::Entry::clear): Deleted.
3449         * runtime/JSMapIterator.cpp:
3450         (JSC::JSMapIterator::finishCreation):
3451         (JSC::JSMapIterator::visitChildren):
3452         (JSC::JSMapIterator::clone):
3453         * runtime/JSMapIterator.h:
3454         (JSC::JSMapIterator::advanceIter):
3455         (JSC::JSMapIterator::next):
3456         (JSC::JSMapIterator::nextKeyValue):
3457         (JSC::JSMapIterator::JSMapIterator):
3458         (JSC::JSMapIterator::setIterator):
3459         (JSC::JSMapIterator::finish): Deleted.
3460         (JSC::JSMapIterator::iteratorData): Deleted.
3461         * runtime/JSModuleLoader.cpp:
3462         (JSC::JSModuleLoader::finishCreation):
3463         * runtime/JSModuleLoader.h:
3464         (JSC::JSModuleLoader::create):
3465         * runtime/JSModuleRecord.cpp:
3466         (JSC::JSModuleRecord::finishCreation):
3467         * runtime/JSModuleRecord.h:
3468         (JSC::JSModuleRecord::create):
3469         * runtime/JSSet.cpp:
3470         (JSC::JSSet::destroy): Deleted.
3471         (JSC::JSSet::estimatedSize): Deleted.
3472         (JSC::JSSet::visitChildren): Deleted.
3473         (JSC::JSSet::copyBackingStore): Deleted.
3474         (JSC::JSSet::has): Deleted.
3475         (JSC::JSSet::size): Deleted.
3476         (JSC::JSSet::add): Deleted.
3477         (JSC::JSSet::clear): Deleted.
3478         (JSC::JSSet::remove): Deleted.
3479         * runtime/JSSet.h:
3480         (JSC::JSSet::createStructure):
3481         (JSC::JSSet::create):
3482         (JSC::JSSet::add):
3483         (JSC::JSSet::JSSet):
3484         (JSC::JSSet::Entry::key): Deleted.
3485         (JSC::JSSet::Entry::value): Deleted.
3486         (JSC::JSSet::Entry::visitChildren): Deleted.
3487         (JSC::JSSet::Entry::setKey): Deleted.
3488         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
3489         (JSC::JSSet::Entry::setValue): Deleted.
3490         (JSC::JSSet::Entry::clear): Deleted.
3491         * runtime/JSSetIterator.cpp:
3492         (JSC::JSSetIterator::finishCreation):
3493         (JSC::JSSetIterator::visitChildren):
3494         (JSC::JSSetIterator::clone):
3495         * runtime/JSSetIterator.h:
3496         (JSC::JSSetIterator::advanceIter):
3497         (JSC::JSSetIterator::next):
3498         (JSC::JSSetIterator::JSSetIterator):
3499         (JSC::JSSetIterator::setIterator):
3500         (JSC::JSSetIterator::finish): Deleted.
3501         (JSC::JSSetIterator::iteratorData): Deleted.
3502         * runtime/JSType.h:
3503         * runtime/MapBase.cpp: Added.
3504         (JSC::MapBase<HashMapBucketType>::visitChildren):
3505         (JSC::MapBase<HashMapBucketType>::estimatedSize):
3506         * runtime/MapBase.h: Added.
3507         (JSC::MapBase::size):
3508         (JSC::MapBase::has):
3509         (JSC::MapBase::clear):
3510         (JSC::MapBase::remove):
3511         (JSC::MapBase::findBucket):
3512         (JSC::MapBase::offsetOfHashMapImpl):
3513         (JSC::MapBase::impl):
3514         (JSC::MapBase::finishCreation):
3515         (JSC::MapBase::MapBase):
3516         * runtime/MapConstructor.cpp:
3517         (JSC::constructMap):
3518         * runtime/MapIteratorPrototype.cpp:
3519         (JSC::MapIteratorPrototypeFuncNext):
3520         * runtime/MapPrototype.cpp:
3521         (JSC::MapPrototype::finishCreation):
3522         (JSC::getMap):
3523         (JSC::privateFuncIsMap):
3524         (JSC::privateFuncMapIteratorNext):
3525         * runtime/PropertyDescriptor.cpp:
3526         (JSC::sameValue): Deleted.
3527         * runtime/PropertyDescriptor.h:
3528         * runtime/SetConstructor.cpp:
3529         (JSC::constructSet):
3530         * runtime/SetIteratorPrototype.cpp:
3531         (JSC::SetIteratorPrototypeFuncNext):
3532         * runtime/SetPrototype.cpp:
3533         (JSC::SetPrototype::finishCreation):
3534         (JSC::getSet):
3535         (JSC::privateFuncSetIteratorNext):
3536         * runtime/VM.cpp:
3537         (JSC::VM::VM):
3538         * runtime/VM.h:
3539
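The bucket-linked-list design this entry describes (and that the original landing of the same patch below explains in full), as an added JavaScript model that is not JSC's code: linear probing over a buffer of buckets, Wang's 64-bit hash for integer keys, removed buckets that are unlinked but keep their own next pointer, and a tail sentinel that is hijacked on insert so a live iterator survives mutation. The string hash, the load-factor rule, and the restriction to integer and string keys are assumptions of this model, not details taken from the patch.

```javascript
const EMPTY = Symbol("empty"), DELETED = Symbol("deleted"), MASK64 = (1n << 64n) - 1n;
// Thomas Wang's 64-bit integer hash, done in BigInt so the shifts are 64 bits wide.
function wangsInt64Hash(n) {
  let k = BigInt.asUintN(64, n);
  k = (~k + (k << 21n)) & MASK64; k ^= k >> 24n;
  k = (k + (k << 3n) + (k << 8n)) & MASK64; k ^= k >> 14n;   // k * 265
  k = (k + (k << 2n) + (k << 4n)) & MASK64; k ^= k >> 28n;   // k * 21
  return Number((k + (k << 31n)) & 0x7fffffffn);
}
// Stand-in string hash (assumption, not StringImpl's); -0 normalizes to +0 (SameValueZero).
const hashString = (s) => [...s].reduce((h, c) => (Math.imul(h, 31) + c.codePointAt(0)) | 0, 0) >>> 0;
const normalizeMapKey = (key) => (key === 0 ? 0 : key);
const jsMapHash = (key) => (typeof key === "string" ? hashString(key) : wangsInt64Hash(BigInt(key)));
const makeBucket = (prev) => ({ key: undefined, value: undefined, next: null, prev, deleted: false });

class HashMapImpl {
  constructor(capacity = 8) {
    this.buffer = new Array(capacity).fill(EMPTY); this.capacity = capacity; this.keyCount = this.deleteCount = 0;
    this.head = makeBucket(null);          // sentinels bracketing the live buckets
    this.tail = makeBucket(this.head); this.head.next = this.tail;
  }
  findSlot(key) {                          // linear probing; returns the slot index or -1
    for (let i = jsMapHash(key) % this.capacity; ; i = (i + 1) % this.capacity) {
      const b = this.buffer[i];
      if (b === EMPTY) return -1;          // load is kept <= 1/2, so an EMPTY slot is always reached
      if (b !== DELETED && b.key === key) return i;
    }
  }
  findBucket(key) { const i = this.findSlot(normalizeMapKey(key)); return i < 0 ? null : this.buffer[i]; }
  has(key) { return this.findBucket(key) !== null; }
  get(key) { const b = this.findBucket(key); return b ? b.value : undefined; }
  add(key, value) {
    key = normalizeMapKey(key);
    const existing = this.findBucket(key);
    if (existing) { existing.value = value; return this; }
    if ((this.keyCount + this.deleteCount + 1) * 2 > this.capacity) this.rehash(this.capacity * 2);
    // Hijack the tail sentinel as the new entry and append a fresh tail, so an iterator
    // parked on the old tail now sees a real entry rather than the end of the list.
    const bucket = this.tail; bucket.key = key; bucket.value = value;
    this.tail = makeBucket(bucket); bucket.next = this.tail;
    this.insertIntoBuffer(bucket); this.keyCount++;
    return this;
  }
  insertIntoBuffer(bucket) {
    let i = jsMapHash(bucket.key) % this.capacity;
    while (this.buffer[i] !== EMPTY && this.buffer[i] !== DELETED) i = (i + 1) % this.capacity;
    if (this.buffer[i] === DELETED) this.deleteCount--;
    this.buffer[i] = bucket;
  }
  remove(key) {
    const i = this.findSlot(normalizeMapKey(key));
    if (i < 0) return false;
    const bucket = this.buffer[i]; this.buffer[i] = DELETED;
    // Unlink from the list but leave the bucket's own next pointer alone: an iterator
    // parked on it can still follow next until it reaches a live bucket or the tail.
    bucket.deleted = true; bucket.prev.next = bucket.next; bucket.next.prev = bucket.prev;
    this.keyCount--; this.deleteCount++;
    return true;
  }
  rehash(newCapacity) {                    // rebuild from the list; removed buckets are no longer on it
    this.buffer = new Array(newCapacity).fill(EMPTY); this.capacity = newCapacity; this.deleteCount = 0;
    for (let b = this.head.next; b !== this.tail; b = b.next) this.insertIntoBuffer(b);
  }
  *entries() {                             // modelled on JSMapIterator::advanceIter
    for (let iter = this.head.next; ; ) {
      while (iter.deleted) iter = iter.next;   // hop over removed buckets
      if (iter === this.tail) return;
      const b = iter; iter = b.next;       // advance before handing the entry out
      yield [b.key, b.value];
    }
  }
}

// Constructed demo: mutate the map while an iterator is live.
function demoIterateWhileMutating() {
  const map = new HashMapImpl();
  for (let i = 0; i < 20; i++) map.add(i, `v${i}`);   // grows through several rehashes
  map.add("str", 1).add(-0, "zero");                 // -0 lands on key 0
  const it = map.entries(), seen = [it.next().value[0]];   // iterator is now parked on bucket 1
  map.remove(1); map.remove(2); map.remove(3);        // bucket 1 is unlinked but still points onward
  seen.push(it.next().value[0]);                     // follows 1 -> 2 -> 3 -> 4
  map.add("late", true);                             // hijacks the tail; the iterator will reach it
  for (const [k] of it) seen.push(k);
  return { seen, size: map.keyCount, zero: map.get(0), hasNeg0: map.has(-0) };
}
```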
3540 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
3541
3542         [JSC] Make ArithClz32 work with Cell arguments
3543         https://bugs.webkit.org/show_bug.cgi?id=161369
3544
3545         Reviewed by Geoffrey Garen.
3546
3547         ArithClz32 was already working with all primitive types
3548         thanks to the magic of ValueToInt32.
3549         This patch adds support for cell arguments through a function
3550         call.
3551
3552         * dfg/DFGAbstractInterpreterInlines.h:
3553         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3554         * dfg/DFGClobberize.h:
3555         (JSC::DFG::clobberize):
3556         * dfg/DFGFixupPhase.cpp:
3557         (JSC::DFG::FixupPhase::fixupNode):
3558         * dfg/DFGNodeType.h:
3559         * dfg/DFGOperations.cpp:
3560         * dfg/DFGOperations.h:
3561         * dfg/DFGSpeculativeJIT.cpp:
3562         (JSC::DFG::SpeculativeJIT::compileArithClz32):
3563         * dfg/DFGSpeculativeJIT.h:
3564         (JSC::DFG::SpeculativeJIT::callOperation):
3565         * ftl/FTLLowerDFGToB3.cpp:
3566         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
3567
3568 2016-09-06  Mark Lam  <mark.lam@apple.com>
3569
3570         Gardening: change to use old header guard to appease Win EWS.
3571
3572         Not reviewed.
3573
3574         * runtime/AuxiliaryBarrier.h:
3575
3576 2016-09-06  Commit Queue  <commit-queue@webkit.org>
3577
3578         Unreviewed, rolling out r205494.
3579         https://bugs.webkit.org/show_bug.cgi?id=161646
3580
3581         This change broke the Windows build (Requested by ryanhaddad
3582         on #webkit).
3583
3584         Reverted changeset:
3585
3586         "Typed arrays should use MarkedSpace instead of CopiedSpace"
3587         https://bugs.webkit.org/show_bug.cgi?id=161100
3588         http://trac.webkit.org/changeset/205494
3589
3590 2016-09-06  Commit Queue  <commit-queue@webkit.org>
3591
3592         Unreviewed, rolling out r205504.
3593         https://bugs.webkit.org/show_bug.cgi?id=161645
3594
3595         Broke the iOS device build (Requested by ryanhaddad on
3596         #webkit).
3597
3598         Reverted changeset:
3599
3600         "Make JSMap and JSSet faster"
3601         https://bugs.webkit.org/show_bug.cgi?id=160989
3602         http://trac.webkit.org/changeset/205504
3603
3604 2016-09-06  Saam Barati  <sbarati@apple.com>
3605
3606         Make JSMap and JSSet faster
3607         https://bugs.webkit.org/show_bug.cgi?id=160989
3608
3609         Reviewed by Filip Pizlo.
3610
3611         This patch revamps how we implement Map and Set. It uses
3612         a new hash map implementation. The hash map uses linear
3613         probing and it uses Wang's 64 bit hash function for JSValues
3614         that aren't strings. Strings use StringImpl's hash function.
3615         The reason I wanted to roll our own HashTable is twofold:
3616         I didn't want to inline WTF::HashMap's implementation into our
3617         JIT, since that seems error prone and unmaintainable. Also, I wanted
3618         a different structure for hash map buckets where buckets also exist in
3619         a linked list.
3620
3621         The reason for making buckets part of a linked list is that iteration
3622         is now simple. Iteration works by just traversing a linked list.
3623         This design also allows for a simple implementation when doing iteration
3624         while the hash table is mutating. Whenever we remove a bucket from
3625         the hash table, it is removed from the list, meaning items in the
3626         list don't point to it. However, the removed bucket will still point
3627         to things that are either in the list, or have also been removed.
3628         e.g., from a removed bucket, you can always follow pointers until you
3629         either find an item in the list, or you find the tail of the list.
3630         This is a really nice property because it means that a Map or Set
3631         does not need to reason about all the iterators that point
3632         into its list. Also, whenever we add items to the Map or Set, we
3633         hijack the tail as the new item, and make the new item point to a newly
3634         created tail. This means that any iterator that pointed to the "tail" now
3635         points to non-tail items. This makes the implementation of adding things
3636         to the Map/Set while iterating easy.
3637
3638         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
3639         into intrinsics in the DFG. The IR can now reason about hash map
3640         operations and can even do CSE over Wang's hash function, hash map
3641         bucket lookups, hash map bucket loads, and testing if a key is in
3642         the hash table. This makes code patterns for Map like the following super fast
3643         in the FTL, since we will only be doing a single hash and hash bucket lookup:
3644
3645         ```
3646         function getKeyIfPresent(map, key) {
3647             if (map.has(key))
3648                 return map.get(key);
3649         }
3650         ```
3651
3652         This patch is roughly an 8% speedup on ES6SampleBench.
3653
3654         * CMakeLists.txt:
3655         * JavaScriptCore.xcodeproj/project.pbxproj:
3656         * bytecode/SpeculatedType.cpp:
3657         (JSC::speculationFromClassInfo):
3658         * bytecode/SpeculatedType.h:
3659         * dfg/DFGAbstractInterpreterInlines.h:
3660         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3661         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
3662         * dfg/DFGByteCodeParser.cpp:
3663         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3664         * dfg/DFGClobberize.h:
3665         (JSC::DFG::clobberize):
3666         * dfg/DFGDoesGC.cpp:
3667         (JSC::DFG::doesGC):
3668         * dfg/DFGEdge.h:
3669         (JSC::DFG::Edge::shift):
3670         (JSC::DFG::Edge::makeWord):
3671         * dfg/DFGFixupPhase.cpp:
3672         (JSC::DFG::FixupPhase::fixupNode):
3673         * dfg/DFGHeapLocation.cpp:
3674         (WTF::printInternal):
3675         * dfg/DFGHeapLocation.h:
3676         * dfg/DFGNode.h:
3677         (JSC::DFG::Node::hasHeapPrediction):
3678         * dfg/DFGNodeType.h:
3679         * dfg/DFGOperations.cpp:
3680         * dfg/DFGOperations.h:
3681         * dfg/DFGPredictionPropagationPhase.cpp:
3682         * dfg/DFGSafeToExecute.h:
3683         (JSC::DFG::SafeToExecuteEdge::operator()):
3684         (JSC::DFG::safeToExecute):
3685         * dfg/DFGSpeculativeJIT.cpp:
3686         (JSC::DFG::SpeculativeJIT::speculateMapObject):
3687         (JSC::DFG::SpeculativeJIT::speculateSetObject):
3688         (JSC::DFG::SpeculativeJIT::speculate):
3689         * dfg/DFGSpeculativeJIT.h:
3690         (JSC::DFG::SpeculativeJIT::callOperation):
3691         * dfg/DFGSpeculativeJIT32_64.cpp:
3692         (JSC::DFG::SpeculativeJIT::compile):
3693         * dfg/DFGSpeculativeJIT64.cpp:
3694         (JSC::DFG::SpeculativeJIT::compile):
3695         * dfg/DFGUseKind.cpp:
3696         (WTF::printInternal):
3697         * dfg/DFGUseKind.h:
3698         (JSC::DFG::typeFilterFor):
3699         (JSC::DFG::isCell):
3700         * ftl/FTLAbstractHeapRepository.h:
3701         * ftl/FTLCapabilities.cpp:
3702         (JSC::FTL::canCompile):
3703         * ftl/FTLLowerDFGToB3.cpp:
3704         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3705         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3706         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3707         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
3708         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
3709         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
3710         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
3711         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
3712         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3713         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
3714         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
3715         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
3716         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
3717         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
3718         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
3719         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
3720         * jit/AssemblyHelpers.cpp:
3721         (JSC::AssemblyHelpers::wangsInt64Hash):
3722         * jit/AssemblyHelpers.h:
3723         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
3724         * jit/JITOperations.h:
3725         * parser/ModuleAnalyzer.cpp:
3726         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3727         * runtime/HashMapImpl.cpp: Added.
3728         (JSC::HashMapBucket<Data>::visitChildren):
3729         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3730         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
3731         * runtime/HashMapImpl.h: Added.
3732         (JSC::HashMapBucket::selectStructure):
3733         (JSC::HashMapBucket::createStructure):
3734         (JSC::HashMapBucket::create):
3735         (JSC::HashMapBucket::HashMapBucket):
3736         (JSC::HashMapBucket::setNext):
3737         (JSC::HashMapBucket::setPrev):
3738         (JSC::HashMapBucket::setKey):
3739         (JSC::HashMapBucket::setValue):
3740         (JSC::HashMapBucket::key):
3741         (JSC::HashMapBucket::value):
3742         (JSC::HashMapBucket::next):
3743         (JSC::HashMapBucket::prev):
3744         (JSC::HashMapBucket::deleted):
3745         (JSC::HashMapBucket::setDeleted):
3746         (JSC::HashMapBucket::offsetOfKey):
3747         (JSC::HashMapBucket::offsetOfValue):
3748         (JSC::HashMapBuffer::allocationSize):
3749         (JSC::HashMapBuffer::buffer):
3750         (JSC::HashMapBuffer::create):
3751         (JSC::areKeysEqual):
3752         (JSC::normalizeMapKey):
3753         (JSC::jsMapHash):
3754         (JSC::HashMapImpl::selectStructure):
3755         (JSC::HashMapImpl::createStructure):
3756         (JSC::HashMapImpl::create):
3757         (JSC::HashMapImpl::HashMapImpl):
3758         (JSC::HashMapImpl::buffer):
3759         (JSC::HashMapImpl::finishCreation):
3760         (JSC::HashMapImpl::emptyValue):
3761         (JSC::HashMapImpl::isEmpty):
3762         (JSC::HashMapImpl::deletedValue):
3763         (JSC::HashMapImpl::isDeleted):
3764         (JSC::HashMapImpl::findBucket):
3765         (JSC::HashMapImpl::get):
3766         (JSC::HashMapImpl::has):
3767         (JSC::HashMapImpl::add):
3768         (JSC::HashMapImpl::remove):
3769         (JSC::HashMapImpl::size):
3770         (JSC::HashMapImpl::clear):
3771         (JSC::HashMapImpl::bufferSizeInBytes):
3772         (JSC::HashMapImpl::offsetOfBuffer):
3773         (JSC::HashMapImpl::offsetOfCapacity):
3774         (JSC::HashMapImpl::head):
3775         (JSC::HashMapImpl::tail):
3776         (JSC::HashMapImpl::approximateSize):
3777         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
3778         (JSC::HashMapImpl::rehash):
3779         (JSC::HashMapImpl::makeAndSetNewBuffer):
3780         * runtime/Intrinsic.h:
3781         * runtime/JSCJSValue.h:
3782         * runtime/JSCJSValueInlines.h:
3783         (JSC::sameValue):
3784         * runtime/JSGlobalObject.cpp:
3785         (JSC::JSGlobalObject::init):
3786         * runtime/JSMap.cpp:
3787         (JSC::JSMap::destroy): Deleted.
3788         (JSC::JSMap::estimatedSize): Deleted.
3789         (JSC::JSMap::visitChildren): Deleted.
3790         (JSC::JSMap::copyBackingStore): Deleted.
3791         (JSC::JSMap::has): Deleted.
3792         (JSC::JSMap::size): Deleted.
3793         (JSC::JSMap::get): Deleted.
3794         (JSC::JSMap::set): Deleted.
3795         (JSC::JSMap::clear): Deleted.
3796         (JSC::JSMap::remove): Deleted.
3797         * runtime/JSMap.h:
3798         (JSC::JSMap::createStructure):
3799         (JSC::JSMap::create):
3800         (JSC::JSMap::get):
3801         (JSC::JSMap::set):
3802         (JSC::JSMap::JSMap):
3803         (JSC::JSMap::Entry::key): Deleted.
3804         (JSC::JSMap::Entry::value): Deleted.
3805         (JSC::JSMap::Entry::visitChildren): Deleted.
3806         (JSC::JSMap::Entry::setKey): Deleted.
3807         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
3808         (JSC::JSMap::Entry::setValue): Deleted.
3809         (JSC::JSMap::Entry::clear): Deleted.
3810         * runtime/JSMapIterator.cpp:
3811         (JSC::JSMapIterator::finishCreation):
3812         (JSC::JSMapIterator::visitChildren):
3813         (JSC::JSMapIterator::clone):
3814         * runtime/JSMapIterator.h:
3815         (JSC::JSMapIterator::advanceIter):
3816         (JSC::JSMapIterator::next):
3817         (JSC::JSMapIterator::nextKeyValue):
3818         (JSC::JSMapIterator::JSMapIterator):
3819         (JSC::JSMapIterator::setIterator):
3820         (JSC::JSMapIterator::finish): Deleted.
3821         (JSC::JSMapIterator::iteratorData): Deleted.
3822         * runtime/JSModuleLoader.cpp:
3823         (JSC::JSModuleLoader::finishCreation):
3824         * runtime/JSModuleLoader.h:
3825         (JSC::JSModuleLoader::create):
3826         * runtime/JSModuleRecord.cpp:
3827         (JSC::JSModuleRecord::finishCreation):
3828         * runtime/JSModuleRecord.h:
3829         (JSC::JSModuleRecord::create):
3830         * runtime/JSSet.cpp:
3831         (JSC::JSSet::destroy): Deleted.
3832         (JSC::JSSet::estimatedSize): Deleted.
3833         (JSC::JSSet::visitChildren): Deleted.
3834         (JSC::JSSet::copyBackingStore): Deleted.
3835         (JSC::JSSet::has): Deleted.
3836         (JSC::JSSet::size): Deleted.
3837         (JSC::JSSet::add): Deleted.
3838         (JSC::JSSet::clear): Deleted.
3839         (JSC::JSSet::remove): Deleted.
3840         * runtime/JSSet.h:
3841         (JSC::JSSet::createStructure):
3842         (JSC::JSSet::create):
3843         (JSC::JSSet::add):
3844         (JSC::JSSet::JSSet):
3845         (JSC::JSSet::Entry::key): Deleted.
3846         (JSC::JSSet::Entry::value): Deleted.
3847         (JSC::JSSet::Entry::visitChildren): Deleted.
3848         (JSC::JSSet::Entry::setKey): Deleted.
3849         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
3850         (JSC::JSSet::Entry::setValue): Deleted.
3851         (JSC::JSSet::Entry::clear): Deleted.
3852         * runtime/JSSetIterator.cpp:
3853         (JSC::JSSetIterator::finishCreation):
3854         (JSC::JSSetIterator::visitChildren):
3855         (JSC::JSSetIterator::clone):
3856         * runtime/JSSetIterator.h:
3857         (JSC::JSSetIterator::advanceIter):
3858         (JSC::JSSetIterator::next):
3859         (JSC::JSSetIterator::JSSetIterator):
3860         (JSC::JSSetIterator::setIterator):
3861         (JSC::JSSetIterator::finish): Deleted.
3862         (JSC::JSSetIterator::iteratorData): Deleted.
3863         * runtime/JSType.h:
3864         * runtime/MapBase.cpp: Added.
3865         (JSC::MapBase<HashMapBucketType>::visitChildren):
3866         (JSC::MapBase<HashMapBucketType>::estimatedSize):
3867         * runtime/MapBase.h: Added.
3868         (JSC::MapBase::size):
3869         (JSC::MapBase::has):
3870         (JSC::MapBase::clear):
3871         (JSC::MapBase::remove):
3872         (JSC::MapBase::findBucket):
3873         (JSC::MapBase::offsetOfHashMapImpl):
3874         (JSC::MapBase::impl):
3875         (JSC::MapBase::finishCreation):
3876         (JSC::MapBase::MapBase):
3877         * runtime/MapConstructor.cpp:
3878         (JSC::constructMap):
3879         * runtime/MapIteratorPrototype.cpp:
3880         (JSC::MapIteratorPrototypeFuncNext):
3881         * runtime/MapPrototype.cpp:
3882         (JSC::MapPrototype::finishCreation):
3883         (JSC::getMap):