3905b5321e69cbf0b8e67356e2ad785e546c0786
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
2
3         Enable the <meter> element on iOS
4         https://bugs.webkit.org/show_bug.cgi?id=161714
5         rdar://problem/8978410
6
7         Reviewed by Tim Horton.
8
9         Define ENABLE_METER_ELEMENT unconditionally now.
10
11         * Configurations/FeatureDefines.xcconfig:
12
13 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
14
15         Modernize Debugger to use nullptr
16         https://bugs.webkit.org/show_bug.cgi?id=161718
17
18         Reviewed by Mark Lam.
19
20         * debugger/Debugger.cpp:
21         (JSC::Debugger::Debugger):
22         (JSC::Debugger::~Debugger):
23         (JSC::Debugger::detach):
24         (JSC::Debugger::stepOutOfFunction):
25         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
26         * debugger/Debugger.h:
27
28 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
29
30         Web Inspector: Remove always false case in Debugger
31         https://bugs.webkit.org/show_bug.cgi?id=161717
32
33         Reviewed by Brian Burg.
34
35         * debugger/Debugger.cpp:
36         (JSC::Debugger::didExecuteProgram):
37         We would have earlier returned a few statements ago if this case was true.
38         And we would have crashed in the previous statement if this case was true.
39
40 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
41
42         Unreviewed, build fix after r205569
43
44         Tweak CMakeLists.txt
45
46         * CMakeLists.txt:
47
48 2016-09-07  Mark Lam  <mark.lam@apple.com>
49
50         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
51         https://bugs.webkit.org/show_bug.cgi?id=161498
52
53         Reviewed by Geoffrey Garen.
54
55         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
56         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
57         introduced.
58
59         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
60         which is a more suitable name now.
61
62         Note: exception scope verification is still disabled by default.  There are still
63         many places that need to be fixed up or re-expressed in a way that is friendly
64         to the verification.  I'll address those in subsequent patches.
65
66         After this patch, the code will statically enforce that:
67         1. all calls to throwException() go through a ThrowScope.
68         2. all calls to clearException() go through a CatchScope.
69         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
70            or CatchScope.
71
72         A Summary of how to use ExceptionScopes
73         =======================================
74         1. If a function can throw a JS exception, it should declare a ThrowScope at the
75            top of the function (as early as possible).
76
77         2. If a function can clear JS exceptions, it should declare a CatchScope at the
78            top of the function (as early as possible).
79
80         Declaring a ThrowScope in a function means that the function may throw an exception
81         that its caller will have to handle.  Declaring a CatchScope in a function means
82         that the function intends to clear pending exceptions before returning to its
83         caller. 
84
85         For more details, see the notes below.
86         
87         Everything you may want to know about ExceptionScopes
88         =====================================================
89         ExceptionScope verification works to simulate exception throws and detect cases
90         where exception checks are missing.  The notes below will cover:
91
92             1. The VM::m_needExceptionCheck bit
93             2. ThrowScopes and CatchScopes
94             3. Verification of needed exception checks
95             3. Checking Exceptions
96             4. Simulating throws
97             5. Using ThrowScope::release()
98             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
99             7. Checking exceptions by checking callee results
100             8. Debugging verification errors
101
102         1. The VM::m_needExceptionCheck bit
103
104            The VM has a m_needExceptionCheck bit that indicates when an exception may be
105            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
106            throw.
107
108         2. ThrowScopes and CatchScopes
109
110            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
111
112            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
113            at the top of its function (as early as possible) e.g.
114  
115                 void foo(...)
116                 {
117                     auto scope = DECLARE_THROW_SCOPE(vm);
118                     ...
119                     throwException(exec, scope, ...);
120                 }
121
122            Note: by convention, every throw helper function must take a ThrowScope argument
123            instead of instantiating its own ThrowScope.  This allows the throw to be
124            attributed to the client code rather than the throw helper itself.
125
126            Every catch site (i.e. a site that calls clearException()) must declare a
127            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
128
129            If a function can both throw or clear exceptions, then the ThrowScope should
130            be declared first so that it can simulate a throw to the function's caller.
131
132            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
133            can be aware if there's an enclosing CatchScope between it and the point where
134            C++ code returns to JS code.  This is needed to determine if the ThrowScope
135            should simulate a re-throw or not.  See (4) below for more details on returning
136            to JS code.
137
138         3. Verification of needed exception checks
139
140            a. On construction, each ThrowScope and CatchScope will verify that
141               VM::m_needExceptionCheck is not set.
142  
143               This ensures that the caller of the current function has checked for exceptions
144               where needed before doing more work which lead to calling the current function.
145
146            b. On destruction, each ThrowScope and CatchScope will verify that
147               VM::m_needExceptionCheck is not set. This verification will be skipped if
148               the ThrowScope has been released (see (5) below).
149
150               This ensures that the function that owns this exception scope is not missing
151               any exception checks before returning.
152
153            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
154               is not already set, unless it's been ask to rethrow the same Exception object.
155
156         4. Simulating throws
157
158            Throws are simulated by setting the m_needExceptionCheck bit.
159
160            The bit will only be set in the ThrowScope destructor except when the ThrowScope
161            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
162            check for exceptions after a host C++ function returns to it.  However, they will
163            not clear the m_needExceptionCheck bit.
164
165            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
166            it will just skip the setting of the bit.
167
168            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
169            throwException methods.  This is because, in practice, we always return
170            immediately after throwing an exception.  It doesn't make sense to set the bit in
171            the throw just to have to clear it immediately after before we do verification in
172            the ThrowScope destructor.
173
174         5. Using ThrowScope::release()
175
176            Calling release() means that the scope is released from its obligation to
177            verify the VM::m_needExceptionCheck bit on destruction.
178
179            release() should only be used at the bottom of a function if:
180
181            a. This function is going to let its caller check and handle the exception, e.g.
182
183                 void foo(...)
184                 {
185                     auto scope = DECLARE_THROW_SCOPE(vm);
186                     auto result = goo(); // may throw.
187
188                     ... // Code that will are not affected by a pending exceptions.
189
190                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
191                     return result;
192                 }
193
194            b. This function is going to do a tail call that may throw.
195
196                 void foo(...)
197                 {
198                     auto scope = DECLARE_THROW_SCOPE(vm);
199                     ...
200                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
201                     return goo(); // may throw.
202                 }
203
204               release() should not be used in code paths that branch. For example:
205
206                 void foo(...)
207                 {
208                     auto scope = DECLARE_THROW_SCOPE(vm);
209
210                     auto result = goo1(); // may throw.
211                     scope.release(); // WRONG !!! Don't do this.
212                     if (result)
213                         return;
214
215                     result = goo2(); // may throw.
216                     ...
217                     return result;
218                 }
219
220             The above will result in a verification error in goo2()'s ThrowScope.  The
221             proper way to fix this verification is to do either (6) or (7) below.
222
223          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
224
225             ThrowScope/CatchScope::exception() returns the thrown Exception object if
226             there is one pending.  Else, it returns nullptr.
227
228             It also clears the m_needExceptionCheck bit thereby indicating that we've
229             satisfied the needed exception check.  For example,
230
231                 void foo(...)
232                 {
233                     auto scope = DECLARE_THROW_SCOPE(vm);
234
235                     auto result = goo1(); // may throw.
236                     if (scope.exception())
237                         return;
238
239                     result = goo2(); // may throw.
240                     ...
241                     return result;
242                 }
243
244             But sometimes, for optimization reasons, we may choose to test the result of
245             the callee function instead doing a load of the VM exception value.  See (7)
246             below.
247
248          7. Checking exceptions by checking callee results
249
250             This approach should only be applied when it makes a difference to performance.
251             If we need to do this, we should add an ASSERT() that invokes the scope's
252             exception() method to verify the result.  Since exception scope verification
253             is only done on DEBUG builds, this ASSERT will satisfy the verification
254             requirements without impacting performance.  For example,
255
256                 void foo(...)
257                 {
258                     auto scope = DECLARE_THROW_SCOPE(vm);
259
260                     bool failed = goo1(); // may throw.
261                     ASSERT(!!scope.exception() == failed)
262                     if (failed)
263                         return;
264
265                     result = goo2(); // may throw.
266                     ...
267                     return result;
268                 }
269
270          8. Debugging verification errors
271
272             a. When verification fails, you will see a message followed by an assertion
273                failure.  For example:
274
275             ERROR: Unchecked JS exception:
276                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
277                     (ExceptionScope::m_recursionDepth was ...)
278                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
279                     (ExceptionScope::m_recursionDepth was ...)
280                 [ backtrace here ]
281
282                The message tells you that failure was detected at in varargsSetup() at
283                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
284                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
285                line 1245 and it.
286
287                If that is insufficient information, you can ...
288
289             b. Dump simulated throws
290
291                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
292                back traces at each simulated throw.
293
294             c. Narrowing down the source of a simulated throw
295
296                Another technique for narrowing down the source of simulated throws is by
297                further dividing a function to smaller regions by separating each region
298                with additional local throw scopes.  For example,
299
300                 ... // Region 1
301                 { auto scope = DECLARE_THROW_SCOPE(vm); }
302                 ... // Region 2
303                 { auto scope = DECLARE_THROW_SCOPE(vm); }
304                 ... // Region 3
305
306         * API/APIUtils.h:
307         (handleExceptionIfNeeded):
308         * CMakeLists.txt:
309         * JavaScriptCore.xcodeproj/project.pbxproj:
310         * bindings/ScriptFunctionCall.cpp:
311         (Deprecated::ScriptFunctionCall::call):
312         * bindings/ScriptValue.cpp:
313         (Deprecated::ScriptValue::toString):
314         * debugger/Debugger.cpp:
315         (JSC::Debugger::pauseIfNeeded):
316         * debugger/DebuggerCallFrame.cpp:
317         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
318         * dfg/DFGOSRExitCompiler.cpp:
319         * dfg/DFGOperations.cpp:
320         (JSC::DFG::operationPutByValInternal):
321         * inspector/InjectedScriptManager.cpp:
322         (Inspector::InjectedScriptManager::createInjectedScript):
323         * inspector/JSGlobalObjectInspectorController.cpp:
324         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
325         * inspector/JSInjectedScriptHost.cpp:
326         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
327         (Inspector::JSInjectedScriptHost::getInternalProperties):
328         (Inspector::JSInjectedScriptHost::weakMapEntries):
329         (Inspector::JSInjectedScriptHost::weakSetEntries):
330         (Inspector::JSInjectedScriptHost::iteratorEntries):
331         * inspector/JSJavaScriptCallFrame.cpp:
332         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
333         * inspector/ScriptCallStackFactory.cpp:
334         (Inspector::extractSourceInformationFromException):
335         * interpreter/CachedCall.h:
336         (JSC::CachedCall::CachedCall):
337         * interpreter/CallFrame.h:
338         (JSC::ExecState::clearException): Deleted.
339         (JSC::ExecState::exception): Deleted.
340         (JSC::ExecState::hadException): Deleted.
341         (JSC::ExecState::lastException): Deleted.
342         (JSC::ExecState::clearLastException): Deleted.
343         * interpreter/Interpreter.cpp:
344         (JSC::eval):
345         (JSC::sizeOfVarargs):
346         (JSC::notifyDebuggerOfUnwinding):
347         (JSC::Interpreter::unwind):
348         (JSC::Interpreter::execute):
349         (JSC::Interpreter::executeCall):
350         (JSC::Interpreter::executeConstruct):
351         (JSC::Interpreter::prepareForRepeatCall):
352         (JSC::Interpreter::debug):
353         * interpreter/Interpreter.h:
354         (JSC::SuspendExceptionScope::SuspendExceptionScope):
355         * interpreter/ShadowChicken.cpp:
356         (JSC::ShadowChicken::functionsOnStack):
357         * jit/JITCode.cpp:
358         (JSC::JITCode::execute):
359         * jit/JITExceptions.cpp:
360         (JSC::genericUnwind):
361         * jit/JITOperations.cpp:
362         (JSC::getByVal):
363         * jsc.cpp:
364         (WTF::ImpureGetter::getOwnPropertySlot):
365         (GlobalObject::moduleLoaderResolve):
366         (GlobalObject::moduleLoaderFetch):
367         (functionCreateElement):
368         (functionRun):
369         (functionRunString):
370         (functionLoad):
371         (functionLoadString):
372         (functionReadFile):
373         (functionCheckSyntax):
374         (functionSetRandomSeed):
375         (functionLoadModule):
376         (functionCreateBuiltin):
377         (functionCheckModuleSyntax):
378         (functionGenerateHeapSnapshot):
379         (functionSamplingProfilerStackTraces):
380         (dumpException):
381         (checkUncaughtException):
382         (runWithScripts):
383         (runInteractive):
384         * llint/LLIntExceptions.cpp:
385         (JSC::LLInt::returnToThrow):
386         (JSC::LLInt::callToThrow):
387         * llint/LLIntSlowPaths.cpp:
388         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
389         * profiler/ProfilerBytecodeSequence.cpp:
390         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
391         * profiler/ProfilerCompilation.cpp:
392         (JSC::Profiler::Compilation::toJS):
393         * profiler/ProfilerDatabase.cpp:
394         (JSC::Profiler::Database::toJS):
395         * profiler/ProfilerOSRExitSite.cpp:
396         (JSC::Profiler::OSRExitSite::toJS):
397         * profiler/ProfilerOriginStack.cpp:
398         (JSC::Profiler::OriginStack::toJS):
399         * runtime/ArrayPrototype.cpp:
400         (JSC::speciesConstructArray):
401         (JSC::shift):
402         (JSC::unshift):
403         (JSC::arrayProtoFuncToString):
404         (JSC::arrayProtoFuncToLocaleString):
405         (JSC::slowJoin):
406         (JSC::fastJoin):
407         (JSC::arrayProtoFuncJoin):
408         (JSC::arrayProtoFuncPop):
409         (JSC::arrayProtoFuncPush):
410         (JSC::arrayProtoFuncReverse):
411         (JSC::arrayProtoFuncShift):
412         (JSC::arrayProtoFuncSlice):
413         (JSC::arrayProtoFuncSplice):
414         (JSC::arrayProtoFuncUnShift):
415         (JSC::arrayProtoFuncIndexOf):
416         (JSC::arrayProtoFuncLastIndexOf):
417         (JSC::moveElements):
418         (JSC::concatAppendOne):
419         (JSC::arrayProtoPrivateFuncConcatMemcpy):
420         * runtime/BooleanConstructor.cpp:
421         (JSC::constructWithBooleanConstructor):
422         * runtime/CallData.cpp:
423         (JSC::call):
424         * runtime/CatchScope.cpp: Added.
425         (JSC::CatchScope::CatchScope):
426         (JSC::CatchScope::~CatchScope):
427         * runtime/CatchScope.h: Added.
428         (JSC::CatchScope::clearException):
429         (JSC::CatchScope::CatchScope):
430         * runtime/CommonSlowPaths.cpp:
431         (JSC::SLOW_PATH_DECL):
432         * runtime/CommonSlowPaths.h:
433         (JSC::CommonSlowPaths::opIn):
434         * runtime/CommonSlowPathsExceptions.cpp:
435         (JSC::CommonSlowPaths::interpreterThrowInCaller):
436         * runtime/Completion.cpp:
437         (JSC::evaluate):
438         (JSC::rejectPromise):
439         (JSC::loadAndEvaluateModule):
440         (JSC::loadModule):
441         * runtime/ConsoleObject.cpp:
442         (JSC::consoleProtoFuncAssert):
443         (JSC::consoleProtoFuncProfile):
444         (JSC::consoleProtoFuncProfileEnd):
445         (JSC::consoleProtoFuncTakeHeapSnapshot):
446         (JSC::consoleProtoFuncTime):
447         (JSC::consoleProtoFuncTimeEnd):
448         * runtime/DateConstructor.cpp:
449         (JSC::constructDate):
450         (JSC::dateParse):
451         * runtime/DatePrototype.cpp:
452         (JSC::dateProtoFuncToPrimitiveSymbol):
453         (JSC::dateProtoFuncToJSON):
454         * runtime/ErrorConstructor.cpp:
455         (JSC::Interpreter::constructWithErrorConstructor):
456         * runtime/ErrorInstance.cpp:
457         (JSC::ErrorInstance::sanitizedToString):
458         * runtime/ErrorPrototype.cpp:
459         (JSC::errorProtoFuncToString):
460         * runtime/ExceptionEventLocation.cpp: Added.
461         (WTF::printInternal):
462         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
463         (JSC::ExceptionEventLocation::ExceptionEventLocation):
464         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
465         * runtime/ExceptionHelpers.h:
466         * runtime/ExceptionScope.cpp: Added.
467         (JSC::ExceptionScope::ExceptionScope):
468         (JSC::ExceptionScope::~ExceptionScope):
469         * runtime/ExceptionScope.h: Added.
470         (JSC::ExceptionScope::vm):
471         (JSC::ExceptionScope::recursionDepth):
472         (JSC::ExceptionScope::exception):
473         (JSC::ExceptionScope::ExceptionScope):
474         * runtime/FunctionConstructor.cpp:
475         (JSC::constructFunctionSkippingEvalEnabledCheck):
476         * runtime/FunctionPrototype.cpp:
477         (JSC::functionProtoFuncBind):
478         * runtime/GenericArgumentsInlines.h:
479         (JSC::GenericArguments<Type>::copyToArguments):
480         * runtime/GetterSetter.cpp:
481         (JSC::callGetter):
482         * runtime/InspectorInstrumentationObject.cpp:
483         (JSC::inspectorInstrumentationObjectLog):
484         * runtime/InternalFunction.cpp:
485         (JSC::InternalFunction::createSubclassStructure):
486         * runtime/IntlCollator.cpp:
487         (JSC::IntlCollator::initializeCollator):
488         (JSC::IntlCollator::createCollator):
489         (JSC::IntlCollator::resolvedOptions):
490         * runtime/IntlCollatorConstructor.cpp:
491         (JSC::constructIntlCollator):
492         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
493         * runtime/IntlCollatorPrototype.cpp:
494         (JSC::IntlCollatorFuncCompare):
495         (JSC::IntlCollatorPrototypeGetterCompare):
496         * runtime/IntlDateTimeFormat.cpp:
497         (JSC::toDateTimeOptionsAnyDate):
498         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
499         (JSC::IntlDateTimeFormat::resolvedOptions):
500         (JSC::IntlDateTimeFormat::format):
501         * runtime/IntlDateTimeFormatConstructor.cpp:
502         (JSC::constructIntlDateTimeFormat):
503         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
504         * runtime/IntlDateTimeFormatPrototype.cpp:
505         (JSC::IntlDateTimeFormatFuncFormatDateTime):
506         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
507         * runtime/IntlNumberFormat.cpp:
508         (JSC::IntlNumberFormat::initializeNumberFormat):
509         (JSC::IntlNumberFormat::createNumberFormat):
510         (JSC::IntlNumberFormat::resolvedOptions):
511         * runtime/IntlNumberFormatConstructor.cpp:
512         (JSC::constructIntlNumberFormat):
513         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
514         * runtime/IntlNumberFormatPrototype.cpp:
515         (JSC::IntlNumberFormatFuncFormatNumber):
516         (JSC::IntlNumberFormatPrototypeGetterFormat):
517         * runtime/IntlObject.cpp:
518         (JSC::intlBooleanOption):
519         (JSC::intlStringOption):
520         (JSC::intlNumberOption):
521         (JSC::canonicalizeLocaleList):
522         (JSC::supportedLocales):
523         * runtime/IntlObjectInlines.h:
524         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
525         * runtime/IteratorOperations.cpp:
526         (JSC::iteratorNext):
527         (JSC::iteratorStep):
528         (JSC::iteratorClose):
529         (JSC::iteratorForIterable):
530         * runtime/IteratorOperations.h:
531         (JSC::forEachInIterable):
532         * runtime/JSArray.cpp:
533         (JSC::JSArray::pop):
534         (JSC::JSArray::push):
535         (JSC::JSArray::copyToArguments):
536         * runtime/JSArrayBufferConstructor.cpp:
537         (JSC::constructArrayBuffer):
538         * runtime/JSArrayBufferPrototype.cpp:
539         (JSC::arrayBufferProtoFuncSlice):
540         * runtime/JSArrayInlines.h:
541         (JSC::getLength):
542         (JSC::toLength):
543         * runtime/JSBoundFunction.cpp:
544         (JSC::getBoundFunctionStructure):
545         (JSC::JSBoundFunction::create):
546         * runtime/JSCJSValue.cpp:
547         (JSC::JSValue::putToPrimitive):
548         (JSC::JSValue::putToPrimitiveByIndex):
549         (JSC::JSValue::toStringSlowCase):
550         * runtime/JSCJSValueInlines.h:
551         (JSC::toPreferredPrimitiveType):
552         (JSC::JSValue::getPropertySlot):
553         (JSC::JSValue::equalSlowCaseInline):
554         * runtime/JSDataViewPrototype.cpp:
555         (JSC::getData):
556         (JSC::setData):
557         * runtime/JSFunction.cpp:
558         (JSC::JSFunction::setFunctionName):
559         * runtime/JSGenericTypedArrayView.h:
560         (JSC::JSGenericTypedArrayView::setIndex):
561         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
562         (JSC::constructGenericTypedArrayViewFromIterator):
563         (JSC::constructGenericTypedArrayViewWithArguments):
564         (JSC::constructGenericTypedArrayView):
565         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
566         (JSC::speciesConstruct):
567         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
568         (JSC::genericTypedArrayViewProtoFuncIncludes):
569         (JSC::genericTypedArrayViewProtoFuncIndexOf):
570         (JSC::genericTypedArrayViewProtoFuncJoin):
571         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
572         (JSC::genericTypedArrayViewProtoFuncSlice):
573         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
574         * runtime/JSGlobalObject.h:
575         (JSC::constructEmptyArray):
576         (JSC::constructArray):
577         (JSC::constructArrayNegativeIndexed):
578         * runtime/JSGlobalObjectFunctions.cpp:
579         (JSC::globalFuncEval):
580         * runtime/JSJob.cpp:
581         (JSC::JSJobMicrotask::run):
582         * runtime/JSModuleEnvironment.cpp:
583         (JSC::JSModuleEnvironment::getOwnPropertySlot):
584         * runtime/JSModuleLoader.cpp:
585         (JSC::JSModuleLoader::fetch):
586         * runtime/JSModuleNamespaceObject.cpp:
587         (JSC::JSModuleNamespaceObject::finishCreation):
588         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
589         * runtime/JSModuleRecord.cpp:
590         (JSC::JSModuleRecord::instantiateDeclarations):
591         * runtime/JSONObject.cpp:
592         (JSC::Stringifier::Stringifier):
593         (JSC::Stringifier::stringify):
594         (JSC::Stringifier::toJSON):
595         (JSC::Stringifier::appendStringifiedValue):
596         (JSC::Stringifier::Holder::appendNextProperty):
597         (JSC::Walker::walk):
598         (JSC::JSONProtoFuncParse):
599         * runtime/JSObject.cpp:
600         (JSC::ordinarySetSlow):
601         (JSC::JSObject::setPrototypeWithCycleCheck):
602         (JSC::callToPrimitiveFunction):
603         (JSC::JSObject::ordinaryToPrimitive):
604         (JSC::JSObject::defaultHasInstance):
605         (JSC::JSObject::getPropertyNames):
606         (JSC::JSObject::toNumber):
607         (JSC::JSObject::toString):
608         (JSC::JSObject::defineOwnNonIndexProperty):
609         (JSC::JSObject::getGenericPropertyNames):
610         (JSC::JSObject::getMethod):
611         * runtime/JSObjectInlines.h:
612         (JSC::createListFromArrayLike):
613         (JSC::JSObject::getPropertySlot):
614         (JSC::JSObject::getNonIndexPropertySlot):
615         * runtime/JSPromiseConstructor.cpp:
616         (JSC::constructPromise):
617         * runtime/JSPropertyNameEnumerator.h:
618         (JSC::propertyNameEnumerator):
619         * runtime/JSPropertyNameIterator.cpp:
620         (JSC::JSPropertyNameIterator::create):
621         * runtime/JSScope.cpp:
622         (JSC::isUnscopable):
623         (JSC::JSScope::resolve):
624         * runtime/JSString.cpp:
625         (JSC::JSString::equalSlowCase):
626         * runtime/JSStringJoiner.cpp:
627         (JSC::JSStringJoiner::join):
628         * runtime/LiteralParser.cpp:
629         (JSC::LiteralParser<CharType>::parse):
630         * runtime/MapConstructor.cpp:
631         (JSC::constructMap):
632         * runtime/MathObject.cpp:
633         (JSC::mathProtoFuncClz32):
634         (JSC::mathProtoFuncHypot):
635         (JSC::mathProtoFuncIMul):
636         * runtime/ModuleLoaderPrototype.cpp:
637         (JSC::moduleLoaderPrototypeParseModule):
638         (JSC::moduleLoaderPrototypeRequestedModules):
639         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
640         * runtime/NativeErrorConstructor.cpp:
641         (JSC::Interpreter::constructWithNativeErrorConstructor):
642         * runtime/NumberConstructor.cpp:
643         (JSC::constructWithNumberConstructor):
644         * runtime/ObjectConstructor.cpp:
645         (JSC::constructObject):
646         (JSC::objectConstructorGetPrototypeOf):
647         (JSC::objectConstructorSetPrototypeOf):
648         (JSC::objectConstructorGetOwnPropertyDescriptor):
649         (JSC::objectConstructorGetOwnPropertyDescriptors):
650         (JSC::objectConstructorGetOwnPropertyNames):
651         (JSC::objectConstructorGetOwnPropertySymbols):
652         (JSC::objectConstructorKeys):
653         (JSC::ownEnumerablePropertyKeys):
654         (JSC::toPropertyDescriptor):
655         (JSC::objectConstructorDefineProperty):
656         (JSC::defineProperties):
657         (JSC::objectConstructorSeal):
658         (JSC::objectConstructorFreeze):
659         (JSC::objectConstructorIsSealed):
660         (JSC::objectConstructorIsFrozen):
661         (JSC::objectConstructorIsExtensible):
662         (JSC::ownPropertyKeys):
663         * runtime/ObjectConstructor.h:
664         (JSC::constructObjectFromPropertyDescriptor):
665         * runtime/ObjectPrototype.cpp:
666         (JSC::objectProtoFuncHasOwnProperty):
667         (JSC::objectProtoFuncIsPrototypeOf):
668         (JSC::objectProtoFuncDefineGetter):
669         (JSC::objectProtoFuncDefineSetter):
670         (JSC::objectProtoFuncLookupGetter):
671         (JSC::objectProtoFuncLookupSetter):
672         (JSC::objectProtoFuncPropertyIsEnumerable):
673         (JSC::objectProtoFuncToLocaleString):
674         (JSC::objectProtoFuncToString):
675         * runtime/Operations.cpp:
676         (JSC::jsAddSlowCase):
677         * runtime/Options.h:
678         * runtime/PropertyDescriptor.cpp:
679         (JSC::PropertyDescriptor::slowGetterSetter):
680         * runtime/ProxyConstructor.cpp:
681         (JSC::makeRevocableProxy):
682         * runtime/ProxyObject.cpp:
683         (JSC::ProxyObject::toStringName):
684         (JSC::performProxyGet):
685         (JSC::ProxyObject::performGet):
686         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
687         (JSC::ProxyObject::performHasProperty):
688         (JSC::ProxyObject::performPut):
689         (JSC::ProxyObject::putByIndexCommon):
690         (JSC::performProxyCall):
691         (JSC::performProxyConstruct):
692         (JSC::ProxyObject::performDelete):
693         (JSC::ProxyObject::performPreventExtensions):
694         (JSC::ProxyObject::performIsExtensible):
695         (JSC::ProxyObject::performDefineOwnProperty):
696         (JSC::ProxyObject::performGetOwnPropertyNames):
697         (JSC::ProxyObject::performSetPrototype):
698         (JSC::ProxyObject::performGetPrototype):
699         * runtime/ReflectObject.cpp:
700         (JSC::reflectObjectConstruct):
701         (JSC::reflectObjectDefineProperty):
702         (JSC::reflectObjectGet):
703         (JSC::reflectObjectGetOwnPropertyDescriptor):
704         (JSC::reflectObjectIsExtensible):
705         (JSC::reflectObjectPreventExtensions):
706         (JSC::reflectObjectSet):
707         (JSC::reflectObjectSetPrototypeOf):
708         * runtime/RegExpConstructor.cpp:
709         (JSC::toFlags):
710         (JSC::regExpCreate):
711         (JSC::constructRegExp):
712         * runtime/RegExpConstructor.h:
713         (JSC::isRegExp):
714         * runtime/RegExpObject.cpp:
715         (JSC::collectMatches):
716         (JSC::RegExpObject::matchGlobal):
717         * runtime/RegExpPrototype.cpp:
718         (JSC::regExpProtoFuncCompile):
719         (JSC::flagsString):
720         (JSC::regExpProtoFuncToString):
721         (JSC::regExpProtoGetterFlags):
722         (JSC::regExpProtoFuncSearchFast):
723         (JSC::regExpProtoFuncSplitFast):
724         * runtime/SetConstructor.cpp:
725         (JSC::constructSet):
726         * runtime/StringConstructor.cpp:
727         (JSC::stringFromCodePoint):
728         (JSC::constructWithStringConstructor):
729         * runtime/StringObject.cpp:
730         (JSC::StringObject::defineOwnProperty):
731         * runtime/StringPrototype.cpp:
732         (JSC::replaceUsingRegExpSearch):
733         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
734         (JSC::replaceUsingStringSearch):
735         (JSC::replace):
736         (JSC::stringProtoFuncReplaceUsingRegExp):
737         (JSC::stringProtoFuncReplaceUsingStringSearch):
738         (JSC::stringProtoFuncCodePointAt):
739         (JSC::stringProtoFuncSlice):
740         (JSC::stringProtoFuncSplitFast):
741         (JSC::stringProtoFuncSubstr):
742         (JSC::stringProtoFuncSubstring):
743         (JSC::stringProtoFuncLocaleCompare):
744         (JSC::toLocaleCase):
745         (JSC::stringProtoFuncBig):
746         (JSC::stringProtoFuncSmall):
747         (JSC::stringProtoFuncBlink):
748         (JSC::stringProtoFuncBold):
749         (JSC::stringProtoFuncFixed):
750         (JSC::stringProtoFuncItalics):
751         (JSC::stringProtoFuncStrike):
752         (JSC::stringProtoFuncSub):
753         (JSC::stringProtoFuncSup):
754         (JSC::stringProtoFuncFontcolor):
755         (JSC::stringProtoFuncFontsize):
756         (JSC::stringProtoFuncAnchor):
757         (JSC::stringProtoFuncLink):
758         (JSC::trimString):
759         (JSC::stringProtoFuncStartsWith):
760         (JSC::stringProtoFuncEndsWith):
761         (JSC::stringIncludesImpl):
762         (JSC::stringProtoFuncIncludes):
763         (JSC::builtinStringIncludesInternal):
764         (JSC::stringProtoFuncNormalize):
765         * runtime/SymbolConstructor.cpp:
766         (JSC::symbolConstructorFor):
767         * runtime/TemplateRegistry.cpp:
768         (JSC::TemplateRegistry::getTemplateObject):
769         * runtime/ThrowScope.cpp:
770         (JSC::ThrowScope::ThrowScope):
771         (JSC::ThrowScope::~ThrowScope):
772         (JSC::ThrowScope::throwException):
773         (JSC::ThrowScope::simulateThrow):
774         (JSC::ThrowScope::printIfNeedCheck): Deleted.
775         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
776         * runtime/ThrowScope.h:
777         (JSC::ThrowScope::release):
778         (JSC::ThrowScope::ThrowScope):
779         (JSC::ThrowScope::throwException):
780         (JSC::ThrowScope::vm): Deleted.
781         (JSC::ThrowScope::exception): Deleted.
782         * runtime/ThrowScopeLocation.h: Removed.
783         * runtime/VM.cpp:
784         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
785         * runtime/VM.h:
786         (JSC::VM::exception):
787         (JSC::VM::clearException):
788         (JSC::VM::setException): Deleted.
789         * runtime/WeakMapConstructor.cpp:
790         (JSC::constructWeakMap):
791         * runtime/WeakSetConstructor.cpp:
792         (JSC::constructWeakSet):
793         * tools/JSDollarVMPrototype.cpp:
794         (JSC::functionPrint):
795
796 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
797
798         [INTL] some valid language tags cause errors in Intl constructors
799         https://bugs.webkit.org/show_bug.cgi?id=161672
800
801         Reviewed by Mark Lam.
802
803         Fix private use tag parsing to match spec, allowing single character parts.
804         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
805
806         ```
807         privateuse    = "x" 1*("-" (1*8alphanum))
808         ```
809
810         * runtime/IntlObject.cpp:
811         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
812
813 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
814
815         [JSC] Remove a couple of useless forward declaration
816         https://bugs.webkit.org/show_bug.cgi?id=161676
817
818         Reviewed by Mark Lam.
819
820         JITMathICForwards.h should take care of declarating the Math ICs.
821
822         * bytecode/CodeBlock.h:
823         * jit/JITOperations.h:
824
825 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
826
827         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
828         https://bugs.webkit.org/show_bug.cgi?id=161706
829
830         Reviewed by Geoffrey Garen.
831         
832         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
833         have to do something different.
834
835         * jit/AssemblyHelpers.h:
836         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
837
838 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
839
840         Unreviewed CMake build fix after r205552
841
842         * CMakeLists.txt:
843
844 2016-09-03  Keith Miller  <keith_miller@apple.com>
845
846         Add support for WASM Loops and Branches
847         https://bugs.webkit.org/show_bug.cgi?id=161569
848
849         Reviewed by Benjamin Poulain.
850
851         This patch adds support for loops and branches to WASM. In order
852         to support loops, we needed to change the way the B3IRGenerator
853         tracked control information. Now, the control data holds three
854         pieces of information: The continuation block, the loop branch
855         target, and variables exiting the block. Whenever we branch to
856         some control point we first check if it is a loop by checking that
857         the loop branch target is non-null. If the branch is not targeting
858         a loop, we map the stack values to the associated B3 variables for
859         that stack slot.
860
861         Another interesting thing of note is that we now only allocate the
862         continuation basic block lazily. This is beneficial when the
863         continuation would just fall through to another block anyway. For
864         example, in code like: (block ... (block (add 1 2) end) end) the
865         continuation for the inner block just falls through to the outer
866         block's continuation so we don't need an extra block.
867
868         * B3CallingConventions.cpp:
869         (JSC::B3::jscCallingConvention): Deleted.
870         * B3CallingConventions.h:
871         (JSC::B3::CallingConvention::CallingConvention): Deleted.
872         (JSC::B3::CallingConvention::iterate): Deleted.
873         (JSC::B3::nextJSCOffset): Deleted.
874         * JavaScriptCore.xcodeproj/project.pbxproj:
875         * b3/B3Type.h:
876         * testWASM.cpp:
877         (runWASMTests):
878         * wasm/WASMB3IRGenerator.cpp:
879         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
880         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
881         (JSC::WASM::B3IRGenerator::LazyBlock::get):
882         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
883         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
884         (JSC::WASM::B3IRGenerator::ControlData::dump):
885         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
886         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
887         (JSC::WASM::B3IRGenerator::addLocal):
888         (JSC::WASM::B3IRGenerator::addArguments):
889         (JSC::WASM::B3IRGenerator::setLocal):
890         (JSC::WASM::B3IRGenerator::addBlock):
891         (JSC::WASM::B3IRGenerator::addLoop):
892         (JSC::WASM::B3IRGenerator::endBlock):
893         (JSC::WASM::B3IRGenerator::addReturn):
894         (JSC::WASM::B3IRGenerator::addBranch):
895         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
896         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
897         (JSC::WASM::B3IRGenerator::controlDataForLevel):
898         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
899         (JSC::WASM::parseAndCompile):
900         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
901         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
902         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
903         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
904         (JSC::WASM::jscCallingConvention):
905         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
906         (JSC::WASM::CallingConvention::CallingConvention):
907         (JSC::WASM::CallingConvention::iterate):
908         (JSC::WASM::nextJSCOffset):
909         * wasm/WASMFormat.h:
910         (JSC::WASM::toB3Type):
911         (JSC::WASM::isValueType):
912         * wasm/WASMFunctionParser.h:
913         (JSC::WASM::FunctionParser<Context>::parse):
914         (JSC::WASM::FunctionParser<Context>::parseExpression):
915         * wasm/WASMModuleParser.cpp:
916         (JSC::WASM::ModuleParser::parseFunctionTypes):
917         * wasm/WASMOps.h:
918
919 2016-09-07  Youenn Fablet  <youenn@apple.com>
920
921         [Streams API] Separate compile flag for ReadableStream and WritableStream
922         https://bugs.webkit.org/show_bug.cgi?id=161044
923
924         Reviewed by Alex Christensen.
925
926         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
927         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
928
929         * Configurations/FeatureDefines.xcconfig:
930         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
931         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
932         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
933
934 2016-09-07  Csaba Osztrogonác  <ossy@webkit.org>
935
936         Fix the ENABLE(WEBASSEMBLY) build on Linux
937         https://bugs.webkit.org/show_bug.cgi?id=161685
938
939         Unreviewed buildfix.
940
941         * wasm/JSWASMModule.cpp:
942
943 2016-09-06  Saam Barati  <sbarati@apple.com>
944
945         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
946         https://bugs.webkit.org/show_bug.cgi?id=161558
947
948         Reviewed by Benjamin Poulain.
949
950         ProxyObject had ObjectPrototype as its direct prototype.
951         This could lead to infinite loops when doing a getDirectPrototype()
952         loop.
953
954         Fixing this bug revealed another bug, which I made when implementing Proxy.
955         We should not special case "__proto__" in get and set for Proxy Object's
956         hooks. "__proto__" should just go through the normal set and get path.
957
958         * runtime/JSGlobalObject.cpp:
959         (JSC::JSGlobalObject::init):
960         * runtime/ProxyObject.cpp:
961         (JSC::performProxyGet):
962         (JSC::ProxyObject::put):
963
964 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
965
966         Make JSC::PrivateName copyable
967         https://bugs.webkit.org/show_bug.cgi?id=161666
968
969         Reviewed by Ryosuke Niwa.
970
971         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
972         And since the custom copy constructor deletes the default move constructor, we explcitly define
973         it by `= default;`.
974
975         * runtime/PrivateName.h:
976         (JSC::PrivateName::PrivateName):
977
978 2016-09-06  Daniel Bates  <dabates@apple.com>
979
980         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
981         https://bugs.webkit.org/show_bug.cgi?id=161296
982
983         Reviewed by Dan Bernstein.
984
985         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
986         with the iOS 10 beta SDK.
987
988         * Configurations/Base.xcconfig:
989
990 2016-09-06  Saam Barati  <sbarati@apple.com>
991
992         Unreviewed build fix for 32-bit platforms after r205520.
993
994         * dfg/DFGSpeculativeJIT.h:
995         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
996
997 2016-09-06  Saam Barati  <sbarati@apple.com>
998
999         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1000         https://bugs.webkit.org/show_bug.cgi?id=160870
1001
1002         Reviewed by Darin Adler.
1003
1004         Credit goes to Jonathan Bedard for finding this bug using the undefined
1005         behavior sanitizer.
1006
1007         The rule for MaterializeNewObject inside AI was assuming that the graph
1008         is in SSA form. This used to be true when MaterializeNewObject was only
1009         inserted by the allocation sinking phase. However, Filip added more uses
1010         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1011         the bug by using the structure set inside the Node's OpInfo rather than
1012         generating it from m_phiChildren inside AI.
1013
1014         * dfg/DFGAbstractInterpreterInlines.h:
1015         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1016
1017 2016-09-06  Saam Barati  <sbarati@apple.com>
1018
1019         Make JSMap and JSSet faster
1020         https://bugs.webkit.org/show_bug.cgi?id=160989
1021
1022         Reviewed by Filip Pizlo.
1023
1024         This patch revamps how we implement Map and Set. It uses
1025         a new hash map implementation. The hash map uses linear
1026         probing and it uses Wang's 64 bit hash function for JSValues
1027         that aren't strings. Strings use StringImpl's hash function.
1028         The reason I wanted to roll our own HashTable is twofold:
1029         I didn't want to inline WTF::HashMap's implementation into our
1030         JIT, since that seems error prone and unmaintainable. Also, I wanted
1031         a different structure for hash map buckets where buckets also exist in
1032         a linked list.
1033
1034         The reason for making buckets part of a linked list is that iteration
1035         is now simple. Iteration works by just traversing a linked list.
1036         This design also allows for a simple implementation when doing iteration
1037         while the hash table is mutating. Whenever we remove a bucket from
1038         the hash table, it is removed from the list, meaning items in the
1039         list don't point to it. However, the removed bucket will still point
1040         to things that are either in the list, or have also been removed.
1041         e.g, from a removed bucket, you can always follow pointers until you
1042         either find an item in the list, or you find the tail of the list.
1043         This is a really nice property because it means that a Map or Set
1044         does not need to reason about the all the iterators that point
1045         into its list. Also, whenever we add items to the Map or Set, we
1046         hijack the tail as the new item, and make the new item point to a newly
1047         created tail. This means that any iterator that pointed to the "tail" now
1048         points to non-tail items. This makes the implementation of adding things
1049         to the Map/Set while iterating easy.
1050
1051         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1052         into intrinsics in the DFG. The IR can now reason about hash map
1053         operations and can even do CSE over Wang's hash function, hash map
1054         bucket lookups, hash map bucket loads, and testing if a key is in
1055         the hash table. This makes code patterns for Map like so, super fast
1056         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1057
1058         ```
1059         function getKeyIfPresent(map, key) {
1060             if (map.has(key))
1061                 return map.get(key);
1062         }
1063         ```
1064
1065         This patch is roughly an 8% speedup on ES6SampleBench.
1066
1067
1068         * CMakeLists.txt:
1069         * JavaScriptCore.xcodeproj/project.pbxproj:
1070         * assembler/MacroAssemblerARM64.h:
1071         (JSC::MacroAssemblerARM64::not64):
1072         * bytecode/SpeculatedType.cpp:
1073         (JSC::speculationFromClassInfo):
1074         * bytecode/SpeculatedType.h:
1075         * dfg/DFGAbstractInterpreterInlines.h:
1076         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1077         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1078         * dfg/DFGByteCodeParser.cpp:
1079         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1080         * dfg/DFGClobberize.h:
1081         (JSC::DFG::clobberize):
1082         * dfg/DFGDoesGC.cpp:
1083         (JSC::DFG::doesGC):
1084         * dfg/DFGEdge.h:
1085         (JSC::DFG::Edge::shift):
1086         (JSC::DFG::Edge::makeWord):
1087         * dfg/DFGFixupPhase.cpp:
1088         (JSC::DFG::FixupPhase::fixupNode):
1089         * dfg/DFGHeapLocation.cpp:
1090         (WTF::printInternal):
1091         * dfg/DFGHeapLocation.h:
1092         * dfg/DFGNode.h:
1093         (JSC::DFG::Node::hasHeapPrediction):
1094         * dfg/DFGNodeType.h:
1095         * dfg/DFGOperations.cpp:
1096         * dfg/DFGOperations.h:
1097         * dfg/DFGPredictionPropagationPhase.cpp:
1098         * dfg/DFGSafeToExecute.h:
1099         (JSC::DFG::SafeToExecuteEdge::operator()):
1100         (JSC::DFG::safeToExecute):
1101         * dfg/DFGSpeculativeJIT.cpp:
1102         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1103         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1104         (JSC::DFG::SpeculativeJIT::speculate):
1105         * dfg/DFGSpeculativeJIT.h:
1106         (JSC::DFG::SpeculativeJIT::callOperation):
1107         * dfg/DFGSpeculativeJIT32_64.cpp:
1108         (JSC::DFG::SpeculativeJIT::compile):
1109         * dfg/DFGSpeculativeJIT64.cpp:
1110         (JSC::DFG::SpeculativeJIT::compile):
1111         * dfg/DFGUseKind.cpp:
1112         (WTF::printInternal):
1113         * dfg/DFGUseKind.h:
1114         (JSC::DFG::typeFilterFor):
1115         (JSC::DFG::isCell):
1116         * ftl/FTLAbstractHeapRepository.h:
1117         * ftl/FTLCapabilities.cpp:
1118         (JSC::FTL::canCompile):
1119         * ftl/FTLLowerDFGToB3.cpp:
1120         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1121         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1122         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1123         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1124         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1125         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1126         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1127         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1128         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1129         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1130         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1131         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1132         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1133         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1134         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1135         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1136         * jit/AssemblyHelpers.cpp:
1137         (JSC::AssemblyHelpers::wangsInt64Hash):
1138         * jit/AssemblyHelpers.h:
1139         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1140         * jit/JITOperations.h:
1141         * parser/ModuleAnalyzer.cpp:
1142         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1143         * runtime/HashMapImpl.cpp: Added.
1144         (JSC::HashMapBucket<Data>::visitChildren):
1145         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1146         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1147         * runtime/HashMapImpl.h: Added.
1148         (JSC::HashMapBucket::selectStructure):
1149         (JSC::HashMapBucket::createStructure):
1150         (JSC::HashMapBucket::create):
1151         (JSC::HashMapBucket::HashMapBucket):
1152         (JSC::HashMapBucket::setNext):
1153         (JSC::HashMapBucket::setPrev):
1154         (JSC::HashMapBucket::setKey):
1155         (JSC::HashMapBucket::setValue):
1156         (JSC::HashMapBucket::key):
1157         (JSC::HashMapBucket::value):
1158         (JSC::HashMapBucket::next):
1159         (JSC::HashMapBucket::prev):
1160         (JSC::HashMapBucket::deleted):
1161         (JSC::HashMapBucket::setDeleted):
1162         (JSC::HashMapBucket::offsetOfKey):
1163         (JSC::HashMapBucket::offsetOfValue):
1164         (JSC::HashMapBuffer::allocationSize):
1165         (JSC::HashMapBuffer::buffer):
1166         (JSC::HashMapBuffer::create):
1167         (JSC::areKeysEqual):
1168         (JSC::normalizeMapKey):
1169         (JSC::jsMapHash):
1170         (JSC::HashMapImpl::selectStructure):
1171         (JSC::HashMapImpl::createStructure):
1172         (JSC::HashMapImpl::create):
1173         (JSC::HashMapImpl::HashMapImpl):
1174         (JSC::HashMapImpl::buffer):
1175         (JSC::HashMapImpl::finishCreation):
1176         (JSC::HashMapImpl::emptyValue):
1177         (JSC::HashMapImpl::isEmpty):
1178         (JSC::HashMapImpl::deletedValue):
1179         (JSC::HashMapImpl::isDeleted):
1180         (JSC::HashMapImpl::findBucket):
1181         (JSC::HashMapImpl::get):
1182         (JSC::HashMapImpl::has):
1183         (JSC::HashMapImpl::add):
1184         (JSC::HashMapImpl::remove):
1185         (JSC::HashMapImpl::size):
1186         (JSC::HashMapImpl::clear):
1187         (JSC::HashMapImpl::bufferSizeInBytes):
1188         (JSC::HashMapImpl::offsetOfBuffer):
1189         (JSC::HashMapImpl::offsetOfCapacity):
1190         (JSC::HashMapImpl::head):
1191         (JSC::HashMapImpl::tail):
1192         (JSC::HashMapImpl::approximateSize):
1193         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1194         (JSC::HashMapImpl::rehash):
1195         (JSC::HashMapImpl::makeAndSetNewBuffer):
1196         * runtime/Intrinsic.h:
1197         * runtime/JSCJSValue.h:
1198         * runtime/JSCJSValueInlines.h:
1199         (JSC::sameValue):
1200         * runtime/JSGlobalObject.cpp:
1201         (JSC::JSGlobalObject::init):
1202         * runtime/JSMap.cpp:
1203         (JSC::JSMap::destroy): Deleted.
1204         (JSC::JSMap::estimatedSize): Deleted.
1205         (JSC::JSMap::visitChildren): Deleted.
1206         (JSC::JSMap::copyBackingStore): Deleted.
1207         (JSC::JSMap::has): Deleted.
1208         (JSC::JSMap::size): Deleted.
1209         (JSC::JSMap::get): Deleted.
1210         (JSC::JSMap::set): Deleted.
1211         (JSC::JSMap::clear): Deleted.
1212         (JSC::JSMap::remove): Deleted.
1213         * runtime/JSMap.h:
1214         (JSC::JSMap::createStructure):
1215         (JSC::JSMap::create):
1216         (JSC::JSMap::get):
1217         (JSC::JSMap::set):
1218         (JSC::JSMap::JSMap):
1219         (JSC::JSMap::Entry::key): Deleted.
1220         (JSC::JSMap::Entry::value): Deleted.
1221         (JSC::JSMap::Entry::visitChildren): Deleted.
1222         (JSC::JSMap::Entry::setKey): Deleted.
1223         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1224         (JSC::JSMap::Entry::setValue): Deleted.
1225         (JSC::JSMap::Entry::clear): Deleted.
1226         * runtime/JSMapIterator.cpp:
1227         (JSC::JSMapIterator::finishCreation):
1228         (JSC::JSMapIterator::visitChildren):
1229         (JSC::JSMapIterator::clone):
1230         * runtime/JSMapIterator.h:
1231         (JSC::JSMapIterator::advanceIter):
1232         (JSC::JSMapIterator::next):
1233         (JSC::JSMapIterator::nextKeyValue):
1234         (JSC::JSMapIterator::JSMapIterator):
1235         (JSC::JSMapIterator::setIterator):
1236         (JSC::JSMapIterator::finish): Deleted.
1237         (JSC::JSMapIterator::iteratorData): Deleted.
1238         * runtime/JSModuleLoader.cpp:
1239         (JSC::JSModuleLoader::finishCreation):
1240         * runtime/JSModuleLoader.h:
1241         (JSC::JSModuleLoader::create):
1242         * runtime/JSModuleRecord.cpp:
1243         (JSC::JSModuleRecord::finishCreation):
1244         * runtime/JSModuleRecord.h:
1245         (JSC::JSModuleRecord::create):
1246         * runtime/JSSet.cpp:
1247         (JSC::JSSet::destroy): Deleted.
1248         (JSC::JSSet::estimatedSize): Deleted.
1249         (JSC::JSSet::visitChildren): Deleted.
1250         (JSC::JSSet::copyBackingStore): Deleted.
1251         (JSC::JSSet::has): Deleted.
1252         (JSC::JSSet::size): Deleted.
1253         (JSC::JSSet::add): Deleted.
1254         (JSC::JSSet::clear): Deleted.
1255         (JSC::JSSet::remove): Deleted.
1256         * runtime/JSSet.h:
1257         (JSC::JSSet::createStructure):
1258         (JSC::JSSet::create):
1259         (JSC::JSSet::add):
1260         (JSC::JSSet::JSSet):
1261         (JSC::JSSet::Entry::key): Deleted.
1262         (JSC::JSSet::Entry::value): Deleted.
1263         (JSC::JSSet::Entry::visitChildren): Deleted.
1264         (JSC::JSSet::Entry::setKey): Deleted.
1265         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1266         (JSC::JSSet::Entry::setValue): Deleted.
1267         (JSC::JSSet::Entry::clear): Deleted.
1268         * runtime/JSSetIterator.cpp:
1269         (JSC::JSSetIterator::finishCreation):
1270         (JSC::JSSetIterator::visitChildren):
1271         (JSC::JSSetIterator::clone):
1272         * runtime/JSSetIterator.h:
1273         (JSC::JSSetIterator::advanceIter):
1274         (JSC::JSSetIterator::next):
1275         (JSC::JSSetIterator::JSSetIterator):
1276         (JSC::JSSetIterator::setIterator):
1277         (JSC::JSSetIterator::finish): Deleted.
1278         (JSC::JSSetIterator::iteratorData): Deleted.
1279         * runtime/JSType.h:
1280         * runtime/MapBase.cpp: Added.
1281         (JSC::MapBase<HashMapBucketType>::visitChildren):
1282         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1283         * runtime/MapBase.h: Added.
1284         (JSC::MapBase::size):
1285         (JSC::MapBase::has):
1286         (JSC::MapBase::clear):
1287         (JSC::MapBase::remove):
1288         (JSC::MapBase::findBucket):
1289         (JSC::MapBase::offsetOfHashMapImpl):
1290         (JSC::MapBase::impl):
1291         (JSC::MapBase::finishCreation):
1292         (JSC::MapBase::MapBase):
1293         * runtime/MapConstructor.cpp:
1294         (JSC::constructMap):
1295         * runtime/MapIteratorPrototype.cpp:
1296         (JSC::MapIteratorPrototypeFuncNext):
1297         * runtime/MapPrototype.cpp:
1298         (JSC::MapPrototype::finishCreation):
1299         (JSC::getMap):
1300         (JSC::privateFuncIsMap):
1301         (JSC::privateFuncMapIteratorNext):
1302         * runtime/PropertyDescriptor.cpp:
1303         (JSC::sameValue): Deleted.
1304         * runtime/PropertyDescriptor.h:
1305         * runtime/SetConstructor.cpp:
1306         (JSC::constructSet):
1307         * runtime/SetIteratorPrototype.cpp:
1308         (JSC::SetIteratorPrototypeFuncNext):
1309         * runtime/SetPrototype.cpp:
1310         (JSC::SetPrototype::finishCreation):
1311         (JSC::getSet):
1312         (JSC::privateFuncSetIteratorNext):
1313         * runtime/VM.cpp:
1314         (JSC::VM::VM):
1315         * runtime/VM.h:
1316
1317 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1318
1319         [JSC] Make ArithClz32 work with Cell arguments
1320         https://bugs.webkit.org/show_bug.cgi?id=161369
1321
1322         Reviewed by Geoffrey Garen.
1323
1324         ArithClz32 was already working with all primitive types
1325         thanks to the magic of ValueToInt32.
1326         This patch adds support for cell arguments through a function
1327         call.
1328
1329         * dfg/DFGAbstractInterpreterInlines.h:
1330         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1331         * dfg/DFGClobberize.h:
1332         (JSC::DFG::clobberize):
1333         * dfg/DFGFixupPhase.cpp:
1334         (JSC::DFG::FixupPhase::fixupNode):
1335         * dfg/DFGNodeType.h:
1336         * dfg/DFGOperations.cpp:
1337         * dfg/DFGOperations.h:
1338         * dfg/DFGSpeculativeJIT.cpp:
1339         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1340         * dfg/DFGSpeculativeJIT.h:
1341         (JSC::DFG::SpeculativeJIT::callOperation):
1342         * ftl/FTLLowerDFGToB3.cpp:
1343         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1344
1345 2016-09-06  Mark Lam  <mark.lam@apple.com>
1346
1347         Gardening: change to use old header guard to appease Win EWS.
1348
1349         Not reviewed.
1350
1351         * runtime/AuxiliaryBarrier.h:
1352
1353 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1354
1355         Unreviewed, rolling out r205494.
1356         https://bugs.webkit.org/show_bug.cgi?id=161646
1357
1358         This change broke the Windows build (Requested by ryanhaddad
1359         on #webkit).
1360
1361         Reverted changeset:
1362
1363         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1364         https://bugs.webkit.org/show_bug.cgi?id=161100
1365         http://trac.webkit.org/changeset/205494
1366
1367 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1368
1369         Unreviewed, rolling out r205504.
1370         https://bugs.webkit.org/show_bug.cgi?id=161645
1371
1372         Broke the iOS device build (Requested by ryanhaddad on
1373         #webkit).
1374
1375         Reverted changeset:
1376
1377         "Make JSMap and JSSet faster"
1378         https://bugs.webkit.org/show_bug.cgi?id=160989
1379         http://trac.webkit.org/changeset/205504
1380
1381 2016-09-06  Saam Barati  <sbarati@apple.com>
1382
1383         Make JSMap and JSSet faster
1384         https://bugs.webkit.org/show_bug.cgi?id=160989
1385
1386         Reviewed by Filip Pizlo.
1387
1388         This patch revamps how we implement Map and Set. It uses
1389         a new hash map implementation. The hash map uses linear
1390         probing and it uses Wang's 64 bit hash function for JSValues
1391         that aren't strings. Strings use StringImpl's hash function.
1392         The reason I wanted to roll our own HashTable is twofold:
1393         I didn't want to inline WTF::HashMap's implementation into our
1394         JIT, since that seems error prone and unmaintainable. Also, I wanted
1395         a different structure for hash map buckets where buckets also exist in
1396         a linked list.
1397
1398         The reason for making buckets part of a linked list is that iteration
1399         is now simple. Iteration works by just traversing a linked list.
1400         This design also allows for a simple implementation when doing iteration
1401         while the hash table is mutating. Whenever we remove a bucket from
1402         the hash table, it is removed from the list, meaning items in the
1403         list don't point to it. However, the removed bucket will still point
1404         to things that are either in the list, or have also been removed.
1405         e.g, from a removed bucket, you can always follow pointers until you
1406         either find an item in the list, or you find the tail of the list.
1407         This is a really nice property because it means that a Map or Set
1408         does not need to reason about the all the iterators that point
1409         into its list. Also, whenever we add items to the Map or Set, we
1410         hijack the tail as the new item, and make the new item point to a newly
1411         created tail. This means that any iterator that pointed to the "tail" now
1412         points to non-tail items. This makes the implementation of adding things
1413         to the Map/Set while iterating easy.
1414
1415         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1416         into intrinsics in the DFG. The IR can now reason about hash map
1417         operations and can even do CSE over Wang's hash function, hash map
1418         bucket lookups, hash map bucket loads, and testing if a key is in
1419         the hash table. This makes code patterns for Map like so, super fast
1420         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1421
1422         ```
1423         function getKeyIfPresent(map, key) {
1424             if (map.has(key))
1425                 return map.get(key);
1426         }
1427         ```
1428
1429         This patch is roughly an 8% speedup on ES6SampleBench.
1430
1431         * CMakeLists.txt:
1432         * JavaScriptCore.xcodeproj/project.pbxproj:
1433         * bytecode/SpeculatedType.cpp:
1434         (JSC::speculationFromClassInfo):
1435         * bytecode/SpeculatedType.h:
1436         * dfg/DFGAbstractInterpreterInlines.h:
1437         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1438         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1439         * dfg/DFGByteCodeParser.cpp:
1440         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1441         * dfg/DFGClobberize.h:
1442         (JSC::DFG::clobberize):
1443         * dfg/DFGDoesGC.cpp:
1444         (JSC::DFG::doesGC):
1445         * dfg/DFGEdge.h:
1446         (JSC::DFG::Edge::shift):
1447         (JSC::DFG::Edge::makeWord):
1448         * dfg/DFGFixupPhase.cpp:
1449         (JSC::DFG::FixupPhase::fixupNode):
1450         * dfg/DFGHeapLocation.cpp:
1451         (WTF::printInternal):
1452         * dfg/DFGHeapLocation.h:
1453         * dfg/DFGNode.h:
1454         (JSC::DFG::Node::hasHeapPrediction):
1455         * dfg/DFGNodeType.h:
1456         * dfg/DFGOperations.cpp:
1457         * dfg/DFGOperations.h:
1458         * dfg/DFGPredictionPropagationPhase.cpp:
1459         * dfg/DFGSafeToExecute.h:
1460         (JSC::DFG::SafeToExecuteEdge::operator()):
1461         (JSC::DFG::safeToExecute):
1462         * dfg/DFGSpeculativeJIT.cpp:
1463         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1464         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1465         (JSC::DFG::SpeculativeJIT::speculate):
1466         * dfg/DFGSpeculativeJIT.h:
1467         (JSC::DFG::SpeculativeJIT::callOperation):
1468         * dfg/DFGSpeculativeJIT32_64.cpp:
1469         (JSC::DFG::SpeculativeJIT::compile):
1470         * dfg/DFGSpeculativeJIT64.cpp:
1471         (JSC::DFG::SpeculativeJIT::compile):
1472         * dfg/DFGUseKind.cpp:
1473         (WTF::printInternal):
1474         * dfg/DFGUseKind.h:
1475         (JSC::DFG::typeFilterFor):
1476         (JSC::DFG::isCell):
1477         * ftl/FTLAbstractHeapRepository.h:
1478         * ftl/FTLCapabilities.cpp:
1479         (JSC::FTL::canCompile):
1480         * ftl/FTLLowerDFGToB3.cpp:
1481         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1482         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1483         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1484         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1485         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1486         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1487         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1488         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1489         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1490         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1491         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1492         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1493         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1494         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1495         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1496         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1497         * jit/AssemblyHelpers.cpp:
1498         (JSC::AssemblyHelpers::wangsInt64Hash):
1499         * jit/AssemblyHelpers.h:
1500         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1501         * jit/JITOperations.h:
1502         * parser/ModuleAnalyzer.cpp:
1503         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1504         * runtime/HashMapImpl.cpp: Added.
1505         (JSC::HashMapBucket<Data>::visitChildren):
1506         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1507         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1508         * runtime/HashMapImpl.h: Added.
1509         (JSC::HashMapBucket::selectStructure):
1510         (JSC::HashMapBucket::createStructure):
1511         (JSC::HashMapBucket::create):
1512         (JSC::HashMapBucket::HashMapBucket):
1513         (JSC::HashMapBucket::setNext):
1514         (JSC::HashMapBucket::setPrev):
1515         (JSC::HashMapBucket::setKey):
1516         (JSC::HashMapBucket::setValue):
1517         (JSC::HashMapBucket::key):
1518         (JSC::HashMapBucket::value):
1519         (JSC::HashMapBucket::next):
1520         (JSC::HashMapBucket::prev):
1521         (JSC::HashMapBucket::deleted):
1522         (JSC::HashMapBucket::setDeleted):
1523         (JSC::HashMapBucket::offsetOfKey):
1524         (JSC::HashMapBucket::offsetOfValue):
1525         (JSC::HashMapBuffer::allocationSize):
1526         (JSC::HashMapBuffer::buffer):
1527         (JSC::HashMapBuffer::create):
1528         (JSC::areKeysEqual):
1529         (JSC::normalizeMapKey):
1530         (JSC::jsMapHash):
1531         (JSC::HashMapImpl::selectStructure):
1532         (JSC::HashMapImpl::createStructure):
1533         (JSC::HashMapImpl::create):
1534         (JSC::HashMapImpl::HashMapImpl):
1535         (JSC::HashMapImpl::buffer):
1536         (JSC::HashMapImpl::finishCreation):
1537         (JSC::HashMapImpl::emptyValue):
1538         (JSC::HashMapImpl::isEmpty):
1539         (JSC::HashMapImpl::deletedValue):
1540         (JSC::HashMapImpl::isDeleted):
1541         (JSC::HashMapImpl::findBucket):
1542         (JSC::HashMapImpl::get):
1543         (JSC::HashMapImpl::has):
1544         (JSC::HashMapImpl::add):
1545         (JSC::HashMapImpl::remove):
1546         (JSC::HashMapImpl::size):
1547         (JSC::HashMapImpl::clear):
1548         (JSC::HashMapImpl::bufferSizeInBytes):
1549         (JSC::HashMapImpl::offsetOfBuffer):
1550         (JSC::HashMapImpl::offsetOfCapacity):
1551         (JSC::HashMapImpl::head):
1552         (JSC::HashMapImpl::tail):
1553         (JSC::HashMapImpl::approximateSize):
1554         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1555         (JSC::HashMapImpl::rehash):
1556         (JSC::HashMapImpl::makeAndSetNewBuffer):
1557         * runtime/Intrinsic.h:
1558         * runtime/JSCJSValue.h:
1559         * runtime/JSCJSValueInlines.h:
1560         (JSC::sameValue):
1561         * runtime/JSGlobalObject.cpp:
1562         (JSC::JSGlobalObject::init):
1563         * runtime/JSMap.cpp:
1564         (JSC::JSMap::destroy): Deleted.
1565         (JSC::JSMap::estimatedSize): Deleted.
1566         (JSC::JSMap::visitChildren): Deleted.
1567         (JSC::JSMap::copyBackingStore): Deleted.
1568         (JSC::JSMap::has): Deleted.
1569         (JSC::JSMap::size): Deleted.
1570         (JSC::JSMap::get): Deleted.
1571         (JSC::JSMap::set): Deleted.
1572         (JSC::JSMap::clear): Deleted.
1573         (JSC::JSMap::remove): Deleted.
1574         * runtime/JSMap.h:
1575         (JSC::JSMap::createStructure):
1576         (JSC::JSMap::create):
1577         (JSC::JSMap::get):
1578         (JSC::JSMap::set):
1579         (JSC::JSMap::JSMap):
1580         (JSC::JSMap::Entry::key): Deleted.
1581         (JSC::JSMap::Entry::value): Deleted.
1582         (JSC::JSMap::Entry::visitChildren): Deleted.
1583         (JSC::JSMap::Entry::setKey): Deleted.
1584         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1585         (JSC::JSMap::Entry::setValue): Deleted.
1586         (JSC::JSMap::Entry::clear): Deleted.
1587         * runtime/JSMapIterator.cpp:
1588         (JSC::JSMapIterator::finishCreation):
1589         (JSC::JSMapIterator::visitChildren):
1590         (JSC::JSMapIterator::clone):
1591         * runtime/JSMapIterator.h:
1592         (JSC::JSMapIterator::advanceIter):
1593         (JSC::JSMapIterator::next):
1594         (JSC::JSMapIterator::nextKeyValue):
1595         (JSC::JSMapIterator::JSMapIterator):
1596         (JSC::JSMapIterator::setIterator):
1597         (JSC::JSMapIterator::finish): Deleted.
1598         (JSC::JSMapIterator::iteratorData): Deleted.
1599         * runtime/JSModuleLoader.cpp:
1600         (JSC::JSModuleLoader::finishCreation):
1601         * runtime/JSModuleLoader.h:
1602         (JSC::JSModuleLoader::create):
1603         * runtime/JSModuleRecord.cpp:
1604         (JSC::JSModuleRecord::finishCreation):
1605         * runtime/JSModuleRecord.h:
1606         (JSC::JSModuleRecord::create):
1607         * runtime/JSSet.cpp:
1608         (JSC::JSSet::destroy): Deleted.
1609         (JSC::JSSet::estimatedSize): Deleted.
1610         (JSC::JSSet::visitChildren): Deleted.
1611         (JSC::JSSet::copyBackingStore): Deleted.
1612         (JSC::JSSet::has): Deleted.
1613         (JSC::JSSet::size): Deleted.
1614         (JSC::JSSet::add): Deleted.
1615         (JSC::JSSet::clear): Deleted.
1616         (JSC::JSSet::remove): Deleted.
1617         * runtime/JSSet.h:
1618         (JSC::JSSet::createStructure):
1619         (JSC::JSSet::create):
1620         (JSC::JSSet::add):
1621         (JSC::JSSet::JSSet):
1622         (JSC::JSSet::Entry::key): Deleted.
1623         (JSC::JSSet::Entry::value): Deleted.
1624         (JSC::JSSet::Entry::visitChildren): Deleted.
1625         (JSC::JSSet::Entry::setKey): Deleted.
1626         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1627         (JSC::JSSet::Entry::setValue): Deleted.
1628         (JSC::JSSet::Entry::clear): Deleted.
1629         * runtime/JSSetIterator.cpp:
1630         (JSC::JSSetIterator::finishCreation):
1631         (JSC::JSSetIterator::visitChildren):
1632         (JSC::JSSetIterator::clone):
1633         * runtime/JSSetIterator.h:
1634         (JSC::JSSetIterator::advanceIter):
1635         (JSC::JSSetIterator::next):
1636         (JSC::JSSetIterator::JSSetIterator):
1637         (JSC::JSSetIterator::setIterator):
1638         (JSC::JSSetIterator::finish): Deleted.
1639         (JSC::JSSetIterator::iteratorData): Deleted.
1640         * runtime/JSType.h:
1641         * runtime/MapBase.cpp: Added.
1642         (JSC::MapBase<HashMapBucketType>::visitChildren):
1643         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1644         * runtime/MapBase.h: Added.
1645         (JSC::MapBase::size):
1646         (JSC::MapBase::has):
1647         (JSC::MapBase::clear):
1648         (JSC::MapBase::remove):
1649         (JSC::MapBase::findBucket):
1650         (JSC::MapBase::offsetOfHashMapImpl):
1651         (JSC::MapBase::impl):
1652         (JSC::MapBase::finishCreation):
1653         (JSC::MapBase::MapBase):
1654         * runtime/MapConstructor.cpp:
1655         (JSC::constructMap):
1656         * runtime/MapIteratorPrototype.cpp:
1657         (JSC::MapIteratorPrototypeFuncNext):
1658         * runtime/MapPrototype.cpp:
1659         (JSC::MapPrototype::finishCreation):
1660         (JSC::getMap):
1661         (JSC::privateFuncIsMap):
1662         (JSC::privateFuncMapIteratorNext):
1663         * runtime/PropertyDescriptor.cpp:
1664         (JSC::sameValue): Deleted.
1665         * runtime/PropertyDescriptor.h:
1666         * runtime/SetConstructor.cpp:
1667         (JSC::constructSet):
1668         * runtime/SetIteratorPrototype.cpp:
1669         (JSC::SetIteratorPrototypeFuncNext):
1670         * runtime/SetPrototype.cpp:
1671         (JSC::SetPrototype::finishCreation):
1672         (JSC::getSet):
1673         (JSC::privateFuncSetIteratorNext):
1674         * runtime/VM.cpp:
1675         (JSC::VM::VM):
1676         * runtime/VM.h:
1677
1678 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
1679
1680         Typed arrays should use MarkedSpace instead of CopiedSpace
1681         https://bugs.webkit.org/show_bug.cgi?id=161100
1682
1683         Reviewed by Geoffrey Garen.
1684         
1685         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
1686         
1687         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
1688         everything that typed arrays want.
1689
1690         * dfg/DFGOperations.cpp:
1691         (JSC::DFG::newTypedArrayWithSize):
1692         * dfg/DFGOperations.h:
1693         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1694         * dfg/DFGSpeculativeJIT.cpp:
1695         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1696         * dfg/DFGSpeculativeJIT.h:
1697         (JSC::DFG::SpeculativeJIT::callOperation):
1698         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
1699         * ftl/FTLLowerDFGToB3.cpp:
1700         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1701         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1702         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
1703         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
1704         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
1705         * heap/CopyToken.h:
1706         * heap/SlotVisitor.cpp:
1707         (JSC::SlotVisitor::markAuxiliary):
1708         * jit/JITOperations.h:
1709         * runtime/JSArrayBufferView.cpp:
1710         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1711         (JSC::JSArrayBufferView::JSArrayBufferView):
1712         * runtime/JSArrayBufferView.h:
1713         * runtime/JSGenericTypedArrayView.h:
1714         * runtime/JSGenericTypedArrayViewInlines.h:
1715         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
1716         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1717         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1718         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
1719
1720 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
1721
1722         Silence GCC warning spam introduced in r205462
1723
1724         Rubber-stamped by Filip Pizlo.
1725
1726         * bytecode/Opcode.h:
1727         (JSC::padOpcodeName):
1728
1729 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1730
1731         Heap::isMarked() should use concurrent lazy flipping
1732         https://bugs.webkit.org/show_bug.cgi?id=161613
1733
1734         Reviewed by Michael Catanzaro.
1735         
1736         I found out about this race condition via
1737         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
1738         
1739         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
1740         phase. So, they need to lazy-flip in a non-racy way.
1741
1742         * heap/HeapInlines.h:
1743         (JSC::Heap::isLive):
1744         (JSC::Heap::isMarked):
1745
1746 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1747
1748         Unreviewed, reset generator test results after the butterflies.
1749
1750         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1751         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1752         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1753         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1754         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1755         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1756         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1757         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1758         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1759         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1760         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1761         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1762         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1763         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1764
1765 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1766
1767         Unreviewed, fix cloop build.
1768
1769         * bytecode/SuperSampler.cpp:
1770
1771 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
1772
1773         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
1774         https://bugs.webkit.org/show_bug.cgi?id=160125
1775
1776         Reviewed by Geoffrey Garen and Keith Miller.
1777
1778         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
1779         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
1780         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
1781         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
1782         to get rid of copied space. This change moves copied space's biggest client over to marked
1783         space.
1784         
1785         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
1786         allocation path. This is a fairly mechanical change, but it caused performance regressions
1787         everywhere, so this change also fixes MarkedSpace's performance issues.
1788         
1789         At a high level the mechanical changes are:
1790         
1791         - We use AuxiliaryBarrier instead of CopyBarrier.
1792         
1793         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
1794           CheckedBoolean stuff, since it's so much more trouble than it's worth.
1795         
1796         - The JITs have to emit inlined marked space allocations instead of inline copy space
1797           allocations.
1798         
1799         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
1800           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
1801           space doesn't.
1802         
1803         That's about 1/3 of this change. But this led to performance problems, which I fixed with
1804         optimizations that amounted to a major MarkedSpace rewrite:
1805         
1806         - MarkedSpace always causes internal fragmentation for array allocations because the vector
1807           length we choose when we resize usually leads to a cell size that doesn't correspond to any
1808           size class. I got around this by making array allocations usually round up vectorLength to
1809           the maximum allowed by the size class that we would have allocated in. Also,
1810           ensureLengthSlow() and friends first make sure that the requested length can't just be
1811           fulfilled with the current allocation size. This safeguard means that not every array
1812           allocation has to do size class queries. For example, the fast path of new Array(length)
1813           never does any size class queries, under the assumption that (1) the speed gained from
1814           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
1815           size class query, is too small to offset the speed lost by doing the query on every
1816           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
1817           likely.
1818         
1819         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
1820           changes MarkedSpace size classes to use a linear progression for very small sizes followed
1821           by a geometric progression that naturally transitions to a hyperbolic progression. We want
1822           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
1823           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
1824           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
1825           size (80 bytes), we proceed using a geometric progression, but round up each size to
1826           minimize slop at the end of the block. This naturally causes the geometric progression to
1827           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
1828           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
1829         
1830         - Large allocations caused massive internal fragmentation, since the smallest large
1831           allocation had to use exactly blockSize, and the largest small allocation used
1832           blockSize / 2. The next size up - the first large allocation size to require two blocks -
1833           also had 50% internal fragmentation. This is because we required large allocations to be
1834           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
1835           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
1836           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
1837           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
1838           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
1839           out great since (1) typed arrays won't use large allocations anyway since they have their
1840           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
1841           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
1842           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
1843           rare as possible; for example, ExecState::vm() skips the check because we know that callees
1844           must be small allocations. It's also possible to use template tricks to do one check for
1845           cell container kind, and then invoke a function specialized for MarkedBlock or a function
1846           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
1847           that get used from functions that are template-specialized like this. That's mostly to
1848           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
1849           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
1850           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
1851           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
1852           cutoff for large allocations is runtime-configurable, so long as you don't choose something
1853           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
1854           that the MarkedBlock size classes end up being:
1855           
1856           16, 32, 48, 64, 80, 112, 160, 224, 320
1857           
1858           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
1859           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
1860           size classes you end up with by doing --dumpSizeClasses=true.
1861         
1862         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
1863           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
1864           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
1865           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
1866           side, for better locality during a sequential walk. It's no longer necessary to scan
1867           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
1868           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
1869           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
1870           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
1871           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
1872           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
1873           together, these optimizations allowed me to reduce block size to 16KB without losing much
1874           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
1875           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
1876           progression on membuster. That's not possible yet, since there is still enough per-block
1877           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
1878           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
1879         
1880         - Even after all of that, copying butterflies was still faster because it allowed us to skip
1881           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
1882           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
1883           larger than O(live), especially in an eden collection. Copying satisfies this premise while
1884           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
1885           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
1886           that we walk the block to build a free list. This means walking dead space. The new
1887           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
1888           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
1889           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
1890           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
1891           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
1892           is completely empty, which is the common case because of the generational hypothesis: the
1893           number of objects that survive an eden collection is a tiny fraction of the number of
1894           objects that had been allocated, and this fraction is so small that there are typically
1895           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
1896           win over tip-of-tree.
1897         
1898         - FTL now shares the same allocation fast paths as everything else, which is great, because
1899           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
1900           control flow, since it won't be able to improve the machine code we write ourselves. GC
1901           fast paths are best written in assembly. So, I've empowered B3 to have even better support
1902           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
1903           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
1904           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
1905           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
1906           ability to constant-fold some allocator logic (in case we first assume that we're doing a
1907           variable-length allocation but then realize that the length is known). I think it makes
1908           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
1909           since this makes lowering easier (you can constant fold during lowering more easily) and it
1910           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
1911           constant-fold this code. That would require allowing loads to be constant-folded, which is
1912           doable but hella tricky.
1913         
1914         - It used to be that if a logical object allocation required two physical allocations (first
1915           the butterfly and then the cell), then the JIT would emit the code in such a way that a
1916           failure in the second fast path would cause us to forget the successful first physical
1917           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
1918           register to storing either the butterfly or null, because the butterfly register is anyway
1919           going to be free inside the first allocation. The only overhead here is zeroing the
1920           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
1921           path, which can then either allocate a butterfly or not. So now we never waste a successful
1922           allocation. This patch implements such a solution both in DFG (where it's easy to do this
1923           since we control registers already) and in FTL (where it's annoying, because mutable
1924           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
1925           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
1926           one version of this patch, this wastage would resonate with some Kraken benchmark: the
1927           benchmark would always allocate N small things followed by one bigger thing. The problem
1928           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
1929           the JSObject size class, which both the small and big thing shared for their cell, could
1930           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
1931           it allocated the big thing. So, it would end up having to allocate the big thing's large
1932           butterfly twice, every single time! Ouch!
1933         
1934         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
1935           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
1936           of the allocator to initialize the object to whatever state they need. It used to be that
1937           we would just use a dumb loop. I initially changed this so that we would end up in memset
1938           for large allocations, but this didn't actually help performance that much. I got a much
1939           better result by playing with different memsets written in assembly. First I wrote one
1940           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
1941           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
1942           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
1943           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
1944           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
1945           of stores (if the size is known), but those paths in the JIT won't trigger for
1946           NewArrayWithSize() if the size is large, since that takes us to the
1947           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
1948           optimizations here are all in JSArray::create() - that's the hot place for large arrays
1949           that need to be filled with holes.
1950         
1951         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
1952         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
1953         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
1954         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
1955         difference, but take the hit for now because it's a crazy corner case. By comparison, the
1956         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
1957         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
1958         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
1959         marking barrier and we simply won't need a copying barrier. This change gets us there for
1960         the purposes of our benchmarks, since the remaining clients of copied space are not very
1961         important. On the other hand, if we keep copying, then getting barrier-ready would mean
1962         adding back the copy barrier, which costs more perf.
1963         
1964         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
1965         typed arrays and a few other weird things over to Aux MarkedSpace.
1966         
1967         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
1968         and CellContainer meant that I had to include those files from everywhere. Fortunately,
1969         just including JSCInlines.h (instead of manually including the files that includes) is
1970         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
1971         that we were already basically doing. In places where JSCInlines.h would be too much, I just
1972         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
1973         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
1974         meant having to manually include HeapInlines.h from the places that previously got it
1975         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
1976         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
1977         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
1978         made it impossible to include it from outside JSC. This was a lot of work, but it was
1979         necessary to get the patch to build on all ports. It's also a net win. There were many places
1980         in WebCore that were transitively including a *ton* of JSC headers just because of the
1981         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
1982         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
1983
1984         * API/JSManagedValue.mm:
1985         (-[JSManagedValue initWithValue:]):
1986         * API/JSTypedArray.cpp:
1987         * API/ObjCCallbackFunction.mm:
1988         * API/tests/testapi.mm:
1989         (testObjectiveCAPI):
1990         (testWeakValue): Deleted.
1991         * CMakeLists.txt:
1992         * JavaScriptCore.xcodeproj/project.pbxproj:
1993         * Scripts/builtins/builtins_generate_combined_implementation.py:
1994         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
1995         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1996         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
1997         * Scripts/builtins/builtins_generate_separate_implementation.py:
1998         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
1999         * assembler/AbstractMacroAssembler.h:
2000         (JSC::AbstractMacroAssembler::JumpList::link):
2001         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2002         * assembler/MacroAssembler.h:
2003         * assembler/MacroAssemblerARM64.h:
2004         (JSC::MacroAssemblerARM64::add32):
2005         * assembler/MacroAssemblerCodeRef.cpp: Added.
2006         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2007         (JSC::MacroAssemblerCodePtr::dumpWithName):
2008         (JSC::MacroAssemblerCodePtr::dump):
2009         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2010         (JSC::MacroAssemblerCodeRef::dump):
2011         * assembler/MacroAssemblerCodeRef.h:
2012         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2013         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2014         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2015         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2016         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2017         * b3/B3BasicBlock.cpp:
2018         (JSC::B3::BasicBlock::appendBoolConstant):
2019         * b3/B3BasicBlock.h:
2020         * b3/B3DuplicateTails.cpp:
2021         * b3/B3StackmapGenerationParams.h:
2022         * b3/testb3.cpp:
2023         (JSC::B3::testPatchpointTerminalReturnValue):
2024         (JSC::B3::run):
2025         * bindings/ScriptValue.cpp:
2026         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2027         * bytecode/BytecodeBasicBlock.cpp:
2028         * bytecode/BytecodeLivenessAnalysis.cpp:
2029         * bytecode/BytecodeUseDef.h:
2030         * bytecode/CallLinkInfo.cpp:
2031         (JSC::CallLinkInfo::callTypeFor):
2032         * bytecode/CallLinkInfo.h:
2033         (JSC::CallLinkInfo::callTypeFor): Deleted.
2034         * bytecode/CallLinkStatus.cpp:
2035         * bytecode/CodeBlock.cpp:
2036         (JSC::CodeBlock::finishCreation):
2037         (JSC::CodeBlock::clearLLIntGetByIdCache):
2038         (JSC::CodeBlock::predictedMachineCodeSize):
2039         * bytecode/CodeBlock.h:
2040         (JSC::CodeBlock::jitCodeMap): Deleted.
2041         (JSC::clearLLIntGetByIdCache): Deleted.
2042         * bytecode/ExecutionCounter.h:
2043         * bytecode/Instruction.h:
2044         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2045         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2046         * bytecode/ObjectAllocationProfile.h:
2047         (JSC::ObjectAllocationProfile::isNull):
2048         (JSC::ObjectAllocationProfile::initialize):
2049         * bytecode/Opcode.h:
2050         (JSC::padOpcodeName):
2051         * bytecode/PolymorphicAccess.cpp:
2052         (JSC::AccessCase::generateImpl):
2053         (JSC::PolymorphicAccess::regenerate):
2054         * bytecode/PolymorphicAccess.h:
2055         * bytecode/PreciseJumpTargets.cpp:
2056         * bytecode/StructureStubInfo.cpp:
2057         * bytecode/StructureStubInfo.h:
2058         * bytecode/UnlinkedCodeBlock.cpp:
2059         (JSC::UnlinkedCodeBlock::vm): Deleted.
2060         * bytecode/UnlinkedCodeBlock.h:
2061         * bytecode/UnlinkedInstructionStream.cpp:
2062         * bytecode/UnlinkedInstructionStream.h:
2063         * dfg/DFGOperations.cpp:
2064         * dfg/DFGSpeculativeJIT.cpp:
2065         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2066         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2067         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2068         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2069         * dfg/DFGSpeculativeJIT.h:
2070         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2071         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2072         * dfg/DFGSpeculativeJIT32_64.cpp:
2073         (JSC::DFG::SpeculativeJIT::compile):
2074         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2075         * dfg/DFGSpeculativeJIT64.cpp:
2076         (JSC::DFG::SpeculativeJIT::compile):
2077         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2078         * dfg/DFGStrengthReductionPhase.cpp:
2079         (JSC::DFG::StrengthReductionPhase::handleNode):
2080         * ftl/FTLAbstractHeapRepository.h:
2081         * ftl/FTLCompile.cpp:
2082         * ftl/FTLJITFinalizer.cpp:
2083         * ftl/FTLLowerDFGToB3.cpp:
2084         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2085         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2086         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2087         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2088         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2089         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2090         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2091         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2092         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2093         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2094         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2095         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2096         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2097         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2098         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2099         * ftl/FTLOutput.cpp:
2100         (JSC::FTL::Output::constBool):
2101         (JSC::FTL::Output::add):
2102         (JSC::FTL::Output::shl):
2103         (JSC::FTL::Output::aShr):
2104         (JSC::FTL::Output::lShr):
2105         (JSC::FTL::Output::zeroExt):
2106         (JSC::FTL::Output::equal):
2107         (JSC::FTL::Output::notEqual):
2108         (JSC::FTL::Output::above):
2109         (JSC::FTL::Output::aboveOrEqual):
2110         (JSC::FTL::Output::below):
2111         (JSC::FTL::Output::belowOrEqual):
2112         (JSC::FTL::Output::greaterThan):
2113         (JSC::FTL::Output::greaterThanOrEqual):
2114         (JSC::FTL::Output::lessThan):
2115         (JSC::FTL::Output::lessThanOrEqual):
2116         (JSC::FTL::Output::select):
2117         (JSC::FTL::Output::appendSuccessor):
2118         (JSC::FTL::Output::addIncomingToPhi):
2119         * ftl/FTLOutput.h:
2120         * ftl/FTLValueFromBlock.h:
2121         (JSC::FTL::ValueFromBlock::operator bool):
2122         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2123         * ftl/FTLWeightedTarget.h:
2124         (JSC::FTL::WeightedTarget::frequentedBlock):
2125         * heap/CellContainer.h: Added.
2126         (JSC::CellContainer::CellContainer):
2127         (JSC::CellContainer::operator bool):
2128         (JSC::CellContainer::isMarkedBlock):
2129         (JSC::CellContainer::isLargeAllocation):
2130         (JSC::CellContainer::markedBlock):
2131         (JSC::CellContainer::largeAllocation):
2132         * heap/CellContainerInlines.h: Added.
2133         (JSC::CellContainer::isMarked):
2134         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2135         (JSC::CellContainer::noteMarked):
2136         (JSC::CellContainer::cellSize):
2137         (JSC::CellContainer::weakSet):
2138         (JSC::CellContainer::flipIfNecessary):
2139         * heap/ConservativeRoots.cpp:
2140         (JSC::ConservativeRoots::ConservativeRoots):
2141         (JSC::ConservativeRoots::~ConservativeRoots):
2142         (JSC::ConservativeRoots::grow):
2143         (JSC::ConservativeRoots::genericAddPointer):
2144         (JSC::ConservativeRoots::genericAddSpan):
2145         * heap/ConservativeRoots.h:
2146         (JSC::ConservativeRoots::roots):
2147         * heap/CopyToken.h:
2148         * heap/FreeList.cpp: Added.
2149         (JSC::FreeList::dump):
2150         * heap/FreeList.h: Added.
2151         (JSC::FreeList::FreeList):
2152         (JSC::FreeList::list):
2153         (JSC::FreeList::bump):
2154         (JSC::FreeList::operator==):
2155         (JSC::FreeList::operator!=):
2156         (JSC::FreeList::operator bool):
2157         (JSC::FreeList::allocationWillFail):
2158         (JSC::FreeList::allocationWillSucceed):
2159         * heap/GCTypeMap.h: Added.
2160         (JSC::GCTypeMap::operator[]):
2161         * heap/Heap.cpp:
2162         (JSC::Heap::Heap):
2163         (JSC::Heap::lastChanceToFinalize):
2164         (JSC::Heap::finalizeUnconditionalFinalizers):
2165         (JSC::Heap::markRoots):
2166         (JSC::Heap::copyBackingStores):
2167         (JSC::Heap::gatherStackRoots):
2168         (JSC::Heap::gatherJSStackRoots):
2169         (JSC::Heap::gatherScratchBufferRoots):
2170         (JSC::Heap::clearLivenessData):
2171         (JSC::Heap::visitSmallStrings):
2172         (JSC::Heap::visitConservativeRoots):
2173         (JSC::Heap::removeDeadCompilerWorklistEntries):
2174         (JSC::Heap::gatherExtraHeapSnapshotData):
2175         (JSC::Heap::removeDeadHeapSnapshotNodes):
2176         (JSC::Heap::visitProtectedObjects):
2177         (JSC::Heap::visitArgumentBuffers):
2178         (JSC::Heap::visitException):
2179         (JSC::Heap::visitStrongHandles):
2180         (JSC::Heap::visitHandleStack):
2181         (JSC::Heap::visitSamplingProfiler):
2182         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2183         (JSC::Heap::converge):
2184         (JSC::Heap::visitWeakHandles):
2185         (JSC::Heap::updateObjectCounts):
2186         (JSC::Heap::clearUnmarkedExecutables):
2187         (JSC::Heap::deleteUnmarkedCompiledCode):
2188         (JSC::Heap::collectAllGarbage):
2189         (JSC::Heap::collect):
2190         (JSC::Heap::collectWithoutAnySweep):
2191         (JSC::Heap::collectImpl):
2192         (JSC::Heap::suspendCompilerThreads):
2193         (JSC::Heap::willStartCollection):
2194         (JSC::Heap::flushOldStructureIDTables):
2195         (JSC::Heap::flushWriteBarrierBuffer):
2196         (JSC::Heap::stopAllocation):
2197         (JSC::Heap::prepareForMarking):
2198         (JSC::Heap::reapWeakHandles):
2199         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2200         (JSC::Heap::sweepArrayBuffers):
2201         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2202         (JSC::MarkedBlockSnapshotFunctor::operator()):
2203         (JSC::Heap::snapshotMarkedSpace):
2204         (JSC::Heap::deleteSourceProviderCaches):
2205         (JSC::Heap::notifyIncrementalSweeper):
2206         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2207         (JSC::Heap::resetAllocators):
2208         (JSC::Heap::updateAllocationLimits):
2209         (JSC::Heap::didFinishCollection):
2210         (JSC::Heap::resumeCompilerThreads):
2211         (JSC::Zombify::visit):
2212         (JSC::Heap::forEachCodeBlockImpl):
2213         * heap/Heap.h:
2214         (JSC::Heap::allocatorForObjectWithoutDestructor):
2215         (JSC::Heap::allocatorForObjectWithDestructor):
2216         (JSC::Heap::allocatorForAuxiliaryData):
2217         (JSC::Heap::jitStubRoutines):
2218         (JSC::Heap::codeBlockSet):
2219         (JSC::Heap::storageAllocator): Deleted.
2220         * heap/HeapCell.h:
2221         (JSC::HeapCell::isZapped): Deleted.
2222         * heap/HeapCellInlines.h: Added.
2223         (JSC::HeapCell::isLargeAllocation):
2224         (JSC::HeapCell::cellContainer):
2225         (JSC::HeapCell::markedBlock):
2226         (JSC::HeapCell::largeAllocation):
2227         (JSC::HeapCell::heap):
2228         (JSC::HeapCell::vm):
2229         (JSC::HeapCell::cellSize):
2230         (JSC::HeapCell::allocatorAttributes):
2231         (JSC::HeapCell::destructionMode):
2232         (JSC::HeapCell::cellKind):
2233         * heap/HeapInlines.h:
2234         (JSC::Heap::heap):
2235         (JSC::Heap::isLive):
2236         (JSC::Heap::isMarked):
2237         (JSC::Heap::testAndSetMarked):
2238         (JSC::Heap::setMarked):
2239         (JSC::Heap::cellSize):
2240         (JSC::Heap::forEachCodeBlock):
2241         (JSC::Heap::allocateObjectOfType):
2242         (JSC::Heap::subspaceForObjectOfType):
2243         (JSC::Heap::allocatorForObjectOfType):
2244         (JSC::Heap::allocateAuxiliary):
2245         (JSC::Heap::tryAllocateAuxiliary):
2246         (JSC::Heap::tryReallocateAuxiliary):
2247         (JSC::Heap::isPointerGCObject): Deleted.
2248         (JSC::Heap::isValueGCObject): Deleted.
2249         * heap/HeapOperation.cpp: Added.
2250         (WTF::printInternal):
2251         * heap/HeapOperation.h:
2252         * heap/HeapUtil.h: Added.
2253         (JSC::HeapUtil::findGCObjectPointersForMarking):
2254         (JSC::HeapUtil::isPointerGCObjectJSCell):
2255         (JSC::HeapUtil::isValueGCObject):
2256         * heap/IncrementalSweeper.cpp:
2257         (JSC::IncrementalSweeper::sweepNextBlock):
2258         * heap/IncrementalSweeper.h:
2259         * heap/LargeAllocation.cpp: Added.
2260         (JSC::LargeAllocation::tryCreate):
2261         (JSC::LargeAllocation::LargeAllocation):
2262         (JSC::LargeAllocation::lastChanceToFinalize):
2263         (JSC::LargeAllocation::shrink):
2264         (JSC::LargeAllocation::visitWeakSet):
2265         (JSC::LargeAllocation::reapWeakSet):
2266         (JSC::LargeAllocation::flip):
2267         (JSC::LargeAllocation::isEmpty):
2268         (JSC::LargeAllocation::sweep):
2269         (JSC::LargeAllocation::destroy):
2270         (JSC::LargeAllocation::dump):
2271         * heap/LargeAllocation.h: Added.
2272         (JSC::LargeAllocation::fromCell):
2273         (JSC::LargeAllocation::cell):
2274         (JSC::LargeAllocation::isLargeAllocation):
2275         (JSC::LargeAllocation::heap):
2276         (JSC::LargeAllocation::vm):
2277         (JSC::LargeAllocation::weakSet):
2278         (JSC::LargeAllocation::clearNewlyAllocated):
2279         (JSC::LargeAllocation::isNewlyAllocated):
2280         (JSC::LargeAllocation::isMarked):
2281         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2282         (JSC::LargeAllocation::isLive):
2283         (JSC::LargeAllocation::hasValidCell):
2284         (JSC::LargeAllocation::cellSize):
2285         (JSC::LargeAllocation::aboveLowerBound):
2286         (JSC::LargeAllocation::belowUpperBound):
2287         (JSC::LargeAllocation::contains):
2288         (JSC::LargeAllocation::attributes):
2289         (JSC::LargeAllocation::flipIfNecessary):
2290         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2291         (JSC::LargeAllocation::testAndSetMarked):
2292         (JSC::LargeAllocation::setMarked):
2293         (JSC::LargeAllocation::clearMarked):
2294         (JSC::LargeAllocation::noteMarked):
2295         (JSC::LargeAllocation::headerSize):
2296         * heap/MarkedAllocator.cpp:
2297         (JSC::MarkedAllocator::MarkedAllocator):
2298         (JSC::MarkedAllocator::isPagedOut):
2299         (JSC::MarkedAllocator::retire):
2300         (JSC::MarkedAllocator::filterNextBlock):
2301         (JSC::MarkedAllocator::setNextBlockToSweep):
2302         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2303         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2304         (JSC::MarkedAllocator::allocateSlowCase):
2305         (JSC::MarkedAllocator::tryAllocateSlowCase):
2306         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2307         (JSC::blockHeaderSize):
2308         (JSC::MarkedAllocator::blockSizeForBytes):
2309         (JSC::MarkedAllocator::tryAllocateBlock):
2310         (JSC::MarkedAllocator::addBlock):
2311         (JSC::MarkedAllocator::removeBlock):
2312         (JSC::MarkedAllocator::stopAllocating):
2313         (JSC::MarkedAllocator::reset):
2314         (JSC::MarkedAllocator::lastChanceToFinalize):
2315         (JSC::MarkedAllocator::setFreeList):
2316         (JSC::isListPagedOut): Deleted.
2317         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2318         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2319         (JSC::MarkedAllocator::tryAllocate): Deleted.
2320         (JSC::MarkedAllocator::allocateBlock): Deleted.
2321         * heap/MarkedAllocator.h:
2322         (JSC::MarkedAllocator::takeLastActiveBlock):
2323         (JSC::MarkedAllocator::offsetOfFreeList):
2324         (JSC::MarkedAllocator::offsetOfCellSize):
2325         (JSC::MarkedAllocator::tryAllocate):
2326         (JSC::MarkedAllocator::allocate):
2327         (JSC::MarkedAllocator::forEachBlock):
2328         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2329         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2330         (JSC::MarkedAllocator::init): Deleted.
2331         (JSC::MarkedAllocator::stopAllocating): Deleted.
2332         * heap/MarkedBlock.cpp:
2333         (JSC::MarkedBlock::tryCreate):
2334         (JSC::MarkedBlock::Handle::Handle):
2335         (JSC::MarkedBlock::Handle::~Handle):
2336         (JSC::MarkedBlock::MarkedBlock):
2337         (JSC::MarkedBlock::Handle::specializedSweep):
2338         (JSC::MarkedBlock::Handle::sweep):
2339         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2340         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2341         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2342         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2343         (JSC::SetNewlyAllocatedFunctor::operator()):
2344         (JSC::MarkedBlock::Handle::stopAllocating):
2345         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2346         (JSC::MarkedBlock::Handle::resumeAllocating):
2347         (JSC::MarkedBlock::Handle::zap):
2348         (JSC::MarkedBlock::Handle::forEachFreeCell):
2349         (JSC::MarkedBlock::flipIfNecessary):
2350         (JSC::MarkedBlock::Handle::flipIfNecessary):
2351         (JSC::MarkedBlock::flipIfNecessarySlow):
2352         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2353         (JSC::MarkedBlock::clearMarks):
2354         (JSC::MarkedBlock::assertFlipped):
2355         (JSC::MarkedBlock::needsFlip):
2356         (JSC::MarkedBlock::Handle::needsFlip):
2357         (JSC::MarkedBlock::Handle::willRemoveBlock):
2358         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2359         (JSC::MarkedBlock::markCount):
2360         (JSC::MarkedBlock::Handle::isEmpty):
2361         (JSC::MarkedBlock::clearHasAnyMarked):
2362         (JSC::MarkedBlock::noteMarkedSlow):
2363         (WTF::printInternal):
2364         (JSC::MarkedBlock::create): Deleted.
2365         (JSC::MarkedBlock::destroy): Deleted.
2366         (JSC::MarkedBlock::callDestructor): Deleted.
2367         (JSC::MarkedBlock::specializedSweep): Deleted.
2368         (JSC::MarkedBlock::sweep): Deleted.
2369         (JSC::MarkedBlock::sweepHelper): Deleted.
2370         (JSC::MarkedBlock::stopAllocating): Deleted.
2371         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2372         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2373         (JSC::MarkedBlock::resumeAllocating): Deleted.
2374         (JSC::MarkedBlock::didRetireBlock): Deleted.
2375         * heap/MarkedBlock.h:
2376         (JSC::MarkedBlock::VoidFunctor::returnValue):
2377         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2378         (JSC::MarkedBlock::CountFunctor::count):
2379         (JSC::MarkedBlock::CountFunctor::returnValue):
2380         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2381         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2382         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2383         (JSC::MarkedBlock::Handle::state):
2384         (JSC::MarkedBlock::needsDestruction):
2385         (JSC::MarkedBlock::handle):
2386         (JSC::MarkedBlock::Handle::block):
2387         (JSC::MarkedBlock::firstAtom):
2388         (JSC::MarkedBlock::atoms):
2389         (JSC::MarkedBlock::isAtomAligned):
2390         (JSC::MarkedBlock::Handle::cellAlign):
2391         (JSC::MarkedBlock::blockFor):
2392         (JSC::MarkedBlock::Handle::allocator):
2393         (JSC::MarkedBlock::Handle::heap):
2394         (JSC::MarkedBlock::Handle::vm):
2395         (JSC::MarkedBlock::vm):
2396         (JSC::MarkedBlock::Handle::weakSet):
2397         (JSC::MarkedBlock::weakSet):
2398         (JSC::MarkedBlock::Handle::shrink):
2399         (JSC::MarkedBlock::Handle::visitWeakSet):
2400         (JSC::MarkedBlock::Handle::reapWeakSet):
2401         (JSC::MarkedBlock::Handle::cellSize):
2402         (JSC::MarkedBlock::cellSize):
2403         (JSC::MarkedBlock::Handle::attributes):
2404         (JSC::MarkedBlock::attributes):
2405         (JSC::MarkedBlock::Handle::needsDestruction):
2406         (JSC::MarkedBlock::Handle::destruction):
2407         (JSC::MarkedBlock::Handle::cellKind):
2408         (JSC::MarkedBlock::Handle::markCount):
2409         (JSC::MarkedBlock::Handle::size):
2410         (JSC::MarkedBlock::atomNumber):
2411         (JSC::MarkedBlock::flipIfNecessary):
2412         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2413         (JSC::MarkedBlock::Handle::flipIfNecessary):
2414         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2415         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2416         (JSC::MarkedBlock::assertFlipped):
2417         (JSC::MarkedBlock::Handle::assertFlipped):
2418         (JSC::MarkedBlock::isMarked):
2419         (JSC::MarkedBlock::testAndSetMarked):
2420         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2421         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2422         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2423         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2424         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2425         (JSC::MarkedBlock::Handle::isLive):
2426         (JSC::MarkedBlock::isAtom):
2427         (JSC::MarkedBlock::Handle::isLiveCell):
2428         (JSC::MarkedBlock::Handle::forEachCell):
2429         (JSC::MarkedBlock::Handle::forEachLiveCell):
2430         (JSC::MarkedBlock::Handle::forEachDeadCell):
2431         (JSC::MarkedBlock::Handle::needsSweeping):
2432         (JSC::MarkedBlock::Handle::isAllocated):
2433         (JSC::MarkedBlock::Handle::isMarked):
2434         (JSC::MarkedBlock::Handle::isFreeListed):
2435         (JSC::MarkedBlock::hasAnyMarked):
2436         (JSC::MarkedBlock::noteMarked):
2437         (WTF::MarkedBlockHash::hash):
2438         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2439         (JSC::MarkedBlock::allocator): Deleted.
2440         (JSC::MarkedBlock::heap): Deleted.
2441         (JSC::MarkedBlock::shrink): Deleted.
2442         (JSC::MarkedBlock::visitWeakSet): Deleted.
2443         (JSC::MarkedBlock::reapWeakSet): Deleted.
2444         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2445         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2446         (JSC::MarkedBlock::markCount): Deleted.
2447         (JSC::MarkedBlock::isEmpty): Deleted.
2448         (JSC::MarkedBlock::destruction): Deleted.
2449         (JSC::MarkedBlock::cellKind): Deleted.
2450         (JSC::MarkedBlock::size): Deleted.
2451         (JSC::MarkedBlock::capacity): Deleted.
2452         (JSC::MarkedBlock::setMarked): Deleted.
2453         (JSC::MarkedBlock::clearMarked): Deleted.
2454         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2455         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2456         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2457         (JSC::MarkedBlock::isLive): Deleted.
2458         (JSC::MarkedBlock::isLiveCell): Deleted.
2459         (JSC::MarkedBlock::forEachCell): Deleted.
2460         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2461         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2462         (JSC::MarkedBlock::needsSweeping): Deleted.
2463         (JSC::MarkedBlock::isAllocated): Deleted.
2464         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2465         * heap/MarkedSpace.cpp:
2466         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2467         (JSC::MarkedSpace::MarkedSpace):
2468         (JSC::MarkedSpace::~MarkedSpace):
2469         (JSC::MarkedSpace::lastChanceToFinalize):
2470         (JSC::MarkedSpace::allocate):
2471         (JSC::MarkedSpace::tryAllocate):
2472         (JSC::MarkedSpace::allocateLarge):
2473         (JSC::MarkedSpace::tryAllocateLarge):
2474         (JSC::MarkedSpace::sweep):
2475         (JSC::MarkedSpace::sweepLargeAllocations):
2476         (JSC::MarkedSpace::zombifySweep):
2477         (JSC::MarkedSpace::resetAllocators):
2478         (JSC::MarkedSpace::visitWeakSets):
2479         (JSC::MarkedSpace::reapWeakSets):
2480         (JSC::MarkedSpace::stopAllocating):
2481         (JSC::MarkedSpace::prepareForMarking):
2482         (JSC::MarkedSpace::resumeAllocating):
2483         (JSC::MarkedSpace::isPagedOut):
2484         (JSC::MarkedSpace::freeBlock):
2485         (JSC::MarkedSpace::freeOrShrinkBlock):
2486         (JSC::MarkedSpace::shrink):
2487         (JSC::MarkedSpace::clearNewlyAllocated):
2488         (JSC::VerifyMarked::operator()):
2489         (JSC::MarkedSpace::flip):
2490         (JSC::MarkedSpace::objectCount):
2491         (JSC::MarkedSpace::size):
2492         (JSC::MarkedSpace::capacity):
2493         (JSC::MarkedSpace::addActiveWeakSet):
2494         (JSC::MarkedSpace::didAddBlock):
2495         (JSC::MarkedSpace::didAllocateInBlock):
2496         (JSC::MarkedSpace::forEachAllocator): Deleted.
2497         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2498         (JSC::MarkedSpace::clearMarks): Deleted.
2499         * heap/MarkedSpace.h:
2500         (JSC::MarkedSpace::sizeClassToIndex):
2501         (JSC::MarkedSpace::indexToSizeClass):
2502         (JSC::MarkedSpace::version):
2503         (JSC::MarkedSpace::blocksWithNewObjects):
2504         (JSC::MarkedSpace::largeAllocations):
2505         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2506         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2507         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2508         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2509         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2510         (JSC::MarkedSpace::forEachLiveCell):
2511         (JSC::MarkedSpace::forEachDeadCell):
2512         (JSC::MarkedSpace::allocatorFor):
2513         (JSC::MarkedSpace::destructorAllocatorFor):
2514         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2515         (JSC::MarkedSpace::allocateWithoutDestructor):
2516         (JSC::MarkedSpace::allocateWithDestructor):
2517         (JSC::MarkedSpace::allocateAuxiliary):
2518         (JSC::MarkedSpace::tryAllocateAuxiliary):
2519         (JSC::MarkedSpace::forEachBlock):
2520         (JSC::MarkedSpace::forEachAllocator):
2521         (JSC::MarkedSpace::optimalSizeFor):
2522         (JSC::MarkedSpace::didAddBlock): Deleted.
2523         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2524         (JSC::MarkedSpace::objectCount): Deleted.
2525         (JSC::MarkedSpace::size): Deleted.
2526         (JSC::MarkedSpace::capacity): Deleted.
2527         * heap/SlotVisitor.cpp:
2528         (JSC::SlotVisitor::SlotVisitor):
2529         (JSC::SlotVisitor::didStartMarking):
2530         (JSC::SlotVisitor::reset):
2531         (JSC::SlotVisitor::append):
2532         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2533         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2534         (JSC::SlotVisitor::appendToMarkStack):
2535         (JSC::SlotVisitor::markAuxiliary):
2536         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2537         (JSC::SlotVisitor::visitChildren):
2538         * heap/SlotVisitor.h:
2539         * heap/WeakBlock.cpp:
2540         (JSC::WeakBlock::create):
2541         (JSC::WeakBlock::WeakBlock):
2542         (JSC::WeakBlock::visit):
2543         (JSC::WeakBlock::reap):
2544         * heap/WeakBlock.h:
2545         (JSC::WeakBlock::disconnectContainer):
2546         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
2547         * heap/WeakSet.cpp:
2548         (JSC::WeakSet::~WeakSet):
2549         (JSC::WeakSet::sweep):
2550         (JSC::WeakSet::shrink):
2551         (JSC::WeakSet::addAllocator):
2552         * heap/WeakSet.h:
2553         (JSC::WeakSet::container):
2554         (JSC::WeakSet::setContainer):
2555         (JSC::WeakSet::WeakSet):
2556         (JSC::WeakSet::visit):
2557         (JSC::WeakSet::shrink): Deleted.
2558         * heap/WeakSetInlines.h:
2559         (JSC::WeakSet::allocate):
2560         * inspector/InjectedScriptManager.cpp:
2561         * inspector/JSGlobalObjectInspectorController.cpp:
2562         * inspector/JSJavaScriptCallFrame.cpp:
2563         * inspector/ScriptDebugServer.cpp:
2564         * inspector/agents/InspectorDebuggerAgent.cpp:
2565         * interpreter/CachedCall.h:
2566         (JSC::CachedCall::CachedCall):
2567         * interpreter/Interpreter.cpp:
2568         (JSC::loadVarargs):
2569         (JSC::StackFrame::sourceID): Deleted.
2570         (JSC::StackFrame::sourceURL): Deleted.
2571         (JSC::StackFrame::functionName): Deleted.
2572         (JSC::StackFrame::computeLineAndColumn): Deleted.
2573         (JSC::StackFrame::toString): Deleted.
2574         * interpreter/Interpreter.h:
2575         (JSC::StackFrame::isNative): Deleted.
2576         * jit/AssemblyHelpers.h:
2577         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2578         (JSC::AssemblyHelpers::emitAllocate):
2579         (JSC::AssemblyHelpers::emitAllocateJSCell):
2580         (JSC::AssemblyHelpers::emitAllocateJSObject):
2581         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2582         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2583         * jit/GCAwareJITStubRoutine.cpp:
2584         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2585         * jit/JIT.cpp:
2586         (JSC::JIT::compileCTINativeCall):
2587         (JSC::JIT::link):
2588         * jit/JIT.h:
2589         (JSC::JIT::compileCTINativeCall): Deleted.
2590         * jit/JITExceptions.cpp:
2591         (JSC::genericUnwind):
2592         * jit/JITExceptions.h:
2593         * jit/JITOpcodes.cpp:
2594         (JSC::JIT::emit_op_new_object):
2595         (JSC::JIT::emitSlow_op_new_object):
2596         (JSC::JIT::emit_op_create_this):
2597         (JSC::JIT::emitSlow_op_create_this):
2598         * jit/JITOpcodes32_64.cpp:
2599         (JSC::JIT::emit_op_new_object):
2600         (JSC::JIT::emitSlow_op_new_object):
2601         (JSC::JIT::emit_op_create_this):
2602         (JSC::JIT::emitSlow_op_create_this):
2603         * jit/JITOperations.cpp:
2604         * jit/JITOperations.h:
2605         * jit/JITPropertyAccess.cpp:
2606         (JSC::JIT::emitWriteBarrier):
2607         * jit/JITThunks.cpp:
2608         * jit/JITThunks.h:
2609         * jsc.cpp:
2610         (functionDescribeArray):
2611         (main):
2612         * llint/LLIntData.cpp:
2613         (JSC::LLInt::Data::performAssertions):
2614         * llint/LLIntExceptions.cpp:
2615         * llint/LLIntThunks.cpp:
2616         * llint/LLIntThunks.h:
2617         * llint/LowLevelInterpreter.asm:
2618         * llint/LowLevelInterpreter.cpp:
2619         * llint/LowLevelInterpreter32_64.asm:
2620         * llint/LowLevelInterpreter64.asm:
2621         * parser/ModuleAnalyzer.cpp:
2622         * parser/NodeConstructors.h:
2623         * parser/Nodes.h:
2624         * profiler/ProfilerBytecode.cpp:
2625         * profiler/ProfilerBytecode.h:
2626         * profiler/ProfilerBytecodeSequence.cpp:
2627         * runtime/ArrayConventions.h:
2628         (JSC::indexingHeaderForArrayStorage):
2629         (JSC::baseIndexingHeaderForArrayStorage):
2630         (JSC::indexingHeaderForArray): Deleted.
2631         (JSC::baseIndexingHeaderForArray): Deleted.
2632         * runtime/ArrayPrototype.cpp:
2633         (JSC::arrayProtoFuncSplice):
2634         (JSC::concatAppendOne):
2635         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2636         * runtime/ArrayStorage.h:
2637         (JSC::ArrayStorage::vectorLength):
2638         (JSC::ArrayStorage::totalSizeFor):
2639         (JSC::ArrayStorage::totalSize):
2640         (JSC::ArrayStorage::availableVectorLength):
2641         (JSC::ArrayStorage::optimalVectorLength):
2642         (JSC::ArrayStorage::sizeFor): Deleted.
2643         * runtime/AuxiliaryBarrier.h: Added.
2644         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
2645         (JSC::AuxiliaryBarrier::clear):
2646         (JSC::AuxiliaryBarrier::get):
2647         (JSC::AuxiliaryBarrier::slot):
2648         (JSC::AuxiliaryBarrier::operator bool):
2649         (JSC::AuxiliaryBarrier::setWithoutBarrier):
2650         * runtime/AuxiliaryBarrierInlines.h: Added.
2651         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
2652         (JSC::AuxiliaryBarrier<T>::set):
2653         * runtime/Butterfly.h:
2654         * runtime/ButterflyInlines.h:
2655         (JSC::Butterfly::availableContiguousVectorLength):
2656         (JSC::Butterfly::optimalContiguousVectorLength):
2657         (JSC::Butterfly::createUninitialized):
2658         (JSC::Butterfly::growArrayRight):
2659         * runtime/ClonedArguments.cpp:
2660         (JSC::ClonedArguments::createEmpty):
2661         * runtime/CommonSlowPathsExceptions.cpp:
2662         * runtime/CommonSlowPathsExceptions.h:
2663         * runtime/DataView.cpp:
2664         * runtime/DirectArguments.h:
2665         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2666         * runtime/Error.cpp:
2667         * runtime/Error.h:
2668         * runtime/ErrorInstance.cpp:
2669         * runtime/ErrorInstance.h:
2670         * runtime/Exception.cpp:
2671         * runtime/Exception.h:
2672         * runtime/GeneratorFrame.cpp:
2673         * runtime/GeneratorPrototype.cpp:
2674         * runtime/InternalFunction.cpp:
2675         (JSC::InternalFunction::InternalFunction):
2676         * runtime/IntlCollator.cpp:
2677         * runtime/IntlCollatorConstructor.cpp:
2678         * runtime/IntlCollatorPrototype.cpp:
2679         * runtime/IntlDateTimeFormat.cpp:
2680         * runtime/IntlDateTimeFormatConstructor.cpp:
2681         * runtime/IntlDateTimeFormatPrototype.cpp:
2682         * runtime/IntlNumberFormat.cpp:
2683         * runtime/IntlNumberFormatConstructor.cpp:
2684         * runtime/IntlNumberFormatPrototype.cpp:
2685         * runtime/IntlObject.cpp:
2686         * runtime/IteratorPrototype.cpp:
2687         * runtime/JSArray.cpp:
2688         (JSC::JSArray::tryCreateUninitialized):
2689         (JSC::JSArray::setLengthWritable):
2690         (JSC::JSArray::unshiftCountSlowCase):
2691         (JSC::JSArray::setLengthWithArrayStorage):
2692         (JSC::JSArray::appendMemcpy):
2693         (JSC::JSArray::setLength):
2694         (JSC::JSArray::pop):
2695         (JSC::JSArray::push):
2696         (JSC::JSArray::fastSlice):
2697         (JSC::JSArray::shiftCountWithArrayStorage):
2698         (JSC::JSArray::shiftCountWithAnyIndexingType):
2699         (JSC::JSArray::unshiftCountWithArrayStorage):
2700         (JSC::JSArray::fillArgList):
2701         (JSC::JSArray::copyToArguments):
2702         * runtime/JSArray.h:
2703         (JSC::createContiguousArrayButterfly):
2704         (JSC::createArrayButterfly):
2705         (JSC::JSArray::create):
2706         (JSC::JSArray::tryCreateUninitialized): Deleted.
2707         * runtime/JSArrayBufferView.h:
2708         * runtime/JSCInlines.h:
2709         * runtime/JSCJSValue.cpp:
2710         (JSC::JSValue::dumpInContextAssumingStructure):
2711         * runtime/JSCallee.cpp:
2712         (JSC::JSCallee::JSCallee):
2713         * runtime/JSCell.cpp:
2714         (JSC::JSCell::estimatedSize):
2715         * runtime/JSCell.h:
2716         (JSC::JSCell::cellStateOffset): Deleted.
2717         * runtime/JSCellInlines.h:
2718         (JSC::ExecState::vm):
2719         (JSC::JSCell::classInfo):
2720         (JSC::JSCell::callDestructor):
2721         (JSC::JSCell::vm): Deleted.
2722         * runtime/JSFunction.cpp:
2723         (JSC::JSFunction::create):
2724         (JSC::JSFunction::allocateAndInitializeRareData):
2725         (JSC::JSFunction::initializeRareData):
2726         (JSC::JSFunction::getOwnPropertySlot):
2727         (JSC::JSFunction::put):
2728         (JSC::JSFunction::deleteProperty):
2729         (JSC::JSFunction::defineOwnProperty):
2730         (JSC::JSFunction::setFunctionName):
2731         (JSC::JSFunction::reifyLength):
2732         (JSC::JSFunction::reifyName):
2733         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2734         (JSC::JSFunction::reifyBoundNameIfNeeded):
2735         * runtime/JSFunction.h:
2736         * runtime/JSFunctionInlines.h:
2737         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2738         (JSC::JSFunction::JSFunction):
2739         * runtime/JSGenericTypedArrayViewInlines.h:
2740         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2741         * runtime/JSInternalPromise.cpp:
2742         * runtime/JSInternalPromiseConstructor.cpp:
2743         * runtime/JSInternalPromiseDeferred.cpp:
2744         * runtime/JSInternalPromisePrototype.cpp:
2745         * runtime/JSJob.cpp:
2746         * runtime/JSMapIterator.cpp:
2747         * runtime/JSModuleNamespaceObject.cpp:
2748         * runtime/JSModuleRecord.cpp:
2749         * runtime/JSObject.cpp:
2750         (JSC::JSObject::visitButterfly):
2751         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2752         (JSC::JSObject::createInitialIndexedStorage):
2753         (JSC::JSObject::createInitialUndecided):
2754         (JSC::JSObject::createInitialInt32):
2755         (JSC::JSObject::createInitialDouble):
2756         (JSC::JSObject::createInitialContiguous):
2757         (JSC::JSObject::createArrayStorage):
2758         (JSC::JSObject::createInitialArrayStorage):
2759         (JSC::JSObject::convertUndecidedToInt32):
2760         (JSC::JSObject::convertUndecidedToContiguous):
2761         (JSC::JSObject::convertUndecidedToArrayStorage):
2762         (JSC::JSObject::convertInt32ToDouble):
2763         (JSC::JSObject::convertInt32ToArrayStorage):
2764         (JSC::JSObject::convertDoubleToArrayStorage):
2765         (JSC::JSObject::convertContiguousToArrayStorage):
2766         (JSC::JSObject::putByIndexBeyondVectorLength):
2767         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2768         (JSC::JSObject::getNewVectorLength):
2769         (JSC::JSObject::increaseVectorLength):
2770         (JSC::JSObject::ensureLengthSlow):
2771         (JSC::JSObject::growOutOfLineStorage):
2772         (JSC::JSObject::copyButterfly): Deleted.
2773         (JSC::JSObject::copyBackingStore): Deleted.
2774         * runtime/JSObject.h:
2775         (JSC::JSObject::globalObject):
2776         (JSC::JSObject::putDirectInternal):
2777         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
2778         * runtime/JSObjectInlines.h:
2779         * runtime/JSPromise.cpp:
2780         * runtime/JSPromiseConstructor.cpp:
2781         * runtime/JSPromiseDeferred.cpp:
2782         * runtime/JSPromisePrototype.cpp:
2783         * runtime/JSPropertyNameIterator.cpp:
2784         * runtime/JSScope.cpp:
2785         (JSC::JSScope::resolve):
2786         * runtime/JSScope.h:
2787         (JSC::JSScope::globalObject):
2788         (JSC::JSScope::vm): Deleted.
2789         * runtime/JSSetIterator.cpp:
2790         * runtime/JSStringIterator.cpp:
2791         * runtime/JSTemplateRegistryKey.cpp:
2792         * runtime/JSTypedArrayViewConstructor.cpp:
2793         * runtime/JSTypedArrayViewPrototype.cpp:
2794         * runtime/JSWeakMap.cpp:
2795         * runtime/JSWeakSet.cpp:
2796         * runtime/MapConstructor.cpp:
2797         * runtime/MapIteratorPrototype.cpp:
2798         * runtime/MapPrototype.cpp:
2799         * runtime/NativeErrorConstructor.cpp:
2800         * runtime/NativeStdFunctionCell.cpp:
2801         * runtime/Operations.h:
2802         (JSC::scribbleFreeCells):
2803         (JSC::scribble):
2804         * runtime/Options.h:
2805         * runtime/PropertyTable.cpp:
2806         * runtime/ProxyConstructor.cpp:
2807         * runtime/ProxyObject.cpp:
2808         * runtime/ProxyRevoke.cpp:
2809         * runtime/RegExp.cpp:
2810         (JSC::RegExp::match):
2811         (JSC::RegExp::matchConcurrently):
2812         (JSC::RegExp::matchCompareWithInterpreter):
2813         * runtime/RegExp.h:
2814         * runtime/RegExpConstructor.h:
2815         * runtime/RegExpInlines.h:
2816         (JSC::RegExp::matchInline):
2817         * runtime/RegExpMatchesArray.h:
2818         (JSC::tryCreateUninitializedRegExpMatchesArray):
2819         (JSC::createRegExpMatchesArray):
2820         * runtime/RegExpPrototype.cpp:
2821         (JSC::genericSplit):
2822         * runtime/RuntimeType.cpp:
2823         * runtime/SamplingProfiler.cpp:
2824         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2825         * runtime/SetConstructor.cpp:
2826         * runtime/SetIteratorPrototype.cpp:
2827         * runtime/SetPrototype.cpp:
2828         * runtime/StackFrame.cpp: Added.
2829         (JSC::StackFrame::sourceID):
2830         (JSC::StackFrame::sourceURL):
2831         (JSC::StackFrame::functionName):
2832         (JSC::StackFrame::computeLineAndColumn):
2833         (JSC::StackFrame::toString):
2834         * runtime/StackFrame.h: Added.
2835         (JSC::StackFrame::isNative):
2836         * runtime/StringConstructor.cpp:
2837         * runtime/StringIteratorPrototype.cpp:
2838         * runtime/StructureInlines.h:
2839         (JSC::Structure::propertyTable):
2840         * runtime/TemplateRegistry.cpp:
2841         * runtime/TestRunnerUtils.cpp:
2842         (JSC::finalizeStatsAtEndOfTesting):
2843         * runtime/TestRunnerUtils.h:
2844         * runtime/TypeProfilerLog.cpp:
2845         * runtime/TypeSet.cpp:
2846         * runtime/VM.cpp:
2847         (JSC::VM::VM):
2848         (JSC::VM::ensureStackCapacityForCLoop):
2849         (JSC::VM::isSafeToRecurseSoftCLoop):
2850         * runtime/VM.h:
2851         * runtime/VMEntryScope.h:
2852         * runtime/VMInlines.h:
2853         (JSC::VM::ensureStackCapacityFor):
2854         (JSC::VM::isSafeToRecurseSoft):
2855         * runtime/WeakMapConstructor.cpp:
2856         * runtime/WeakMapData.cpp:
2857         * runtime/WeakMapPrototype.cpp:
2858         * runtime/WeakSetConstructor.cpp:
2859         * runtime/WeakSetPrototype.cpp:
2860         * testRegExp.cpp:
2861         (testOneRegExp):
2862         * tools/JSDollarVM.cpp:
2863         * tools/JSDollarVMPrototype.cpp:
2864         (JSC::JSDollarVMPrototype::isInObjectSpace):
2865
2866 2016-09-04  Commit Queue  <commit-queue@webkit.org>
2867
2868         Unreviewed, rolling out r205415.
2869         https://bugs.webkit.org/show_bug.cgi?id=161573
2870
2871         Many bots see inspector test failures, rolling out now and
2872         investigating later. (Requested by brrian on #webkit).
2873
2874         Reverted changeset:
2875
2876         "Web Inspector: unify Main.html and Test.html sources and
2877         generate different copies with the preprocessor"
2878         https://bugs.webkit.org/show_bug.cgi?id=161212
2879         http://trac.webkit.org/changeset/205415
2880
2881 2016-09-01  Brian Burg  <bburg@apple.com>
2882
2883         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
2884         https://bugs.webkit.org/show_bug.cgi?id=161212
2885         <rdar://problem/28017961>
2886
2887         Reviewed by Joseph Pecoraro.
2888
2889         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
2890
2891 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
2892
2893         Use ASCIILiteral in some more places
2894         https://bugs.webkit.org/show_bug.cgi?id=161557
2895
2896         Reviewed by Darin Adler.
2897
2898         * runtime/TypeSet.h:
2899         (JSC::StructureShape::setConstructorName):
2900
2901 2016-09-01  Michael Saboff  <msaboff@apple.com>
2902
2903         Import Chakra tests to JSC
2904         https://bugs.webkit.org/show_bug.cgi?id=154697
2905
2906         Reviewed by Saam Barati.
2907
2908         Added --dumpException option to jsc command line utility to dump uncaught exception
2909         text even for the last exception that matches --exception.  This is used to
2910         check the exception text for a text that is expected to end on an exception.
2911         Chakra has several tests of this form and does the same thing when such a test
2912         ends with an exception.  Tests that rely on this behavior have had their expected
2913         output updated for JSC specific text.
2914
2915         * jsc.cpp:
2916
2917 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
2918
2919         [JSC] Remove some more useless cases from FTL Capabilities
2920         https://bugs.webkit.org/show_bug.cgi?id=161466
2921
2922         Reviewed by Geoffrey Garen.
2923
2924         Some cases do not make sense:
2925         -In: Fixup only generate CellUse.
2926         -PutByIdXXX: same.
2927         -GetIndexedPropertyStorage: those cases are the only ones supported
2928          by DFG. We would have crashed in SpeculativeJIT if other modes
2929          were generated.
2930
2931         * ftl/FTLCapabilities.cpp:
2932         (JSC::FTL::canCompile):
2933         * ftl/FTLLowerDFGToB3.cpp:
2934         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2935         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2936         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2937
2938 2016-09-02  Chris Dumez  <cdumez@apple.com>
2939
2940         Unreviewed, roll out r205354 because it caused JSC test failures
2941
2942         * jsc.cpp:
2943         * runtime/JSGlobalObject.cpp:
2944         * runtime/JSGlobalObject.h:
2945         (JSC::JSGlobalObject::allowsAccessFrom):
2946         (JSC::JSGlobalObject::setDebugger): Deleted.
2947         * runtime/JSGlobalObjectFunctions.cpp:
2948         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
2949         (JSC::GlobalFuncProtoGetterFunctor::result):
2950         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2951         (JSC::globalFuncProtoGetter):
2952         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
2953         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
2954         (JSC::GlobalFuncProtoSetterFunctor::operator()):
2955         (JSC::checkProtoSetterAccessAllowed):
2956         (JSC::globalFuncProtoSetter):
2957         * runtime/JSGlobalObjectFunctions.h:
2958         * runtime/JSObject.cpp:
2959         (JSC::JSObject::setPrototypeWithCycleCheck):
2960         (JSC::JSObject::allowsAccessFrom):
2961         * runtime/JSObject.h:
2962         * runtime/JSProxy.cpp:
2963         * runtime/JSProxy.h:
2964         * runtime/ObjectConstructor.cpp:
2965         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
2966         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
2967         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2968         (JSC::objectConstructorGetPrototypeOf):
2969         (JSC::objectConstructorSetPrototypeOf):
2970         * runtime/ObjectConstructor.h:
2971         * runtime/ReflectObject.cpp:
2972         (JSC::reflectObjectGetPrototypeOf):
2973         (JSC::reflectObjectSetPrototypeOf):
2974
2975 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
2976
2977         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
2978         https://bugs.webkit.org/show_bug.cgi?id=160802
2979
2980         Reviewed by Saam Barati.
2981
2982         This patch is fixing a broken mechanism of MathIC that avoids allocate
2983         a register to LHS or RHS if one of these operands are proven as valid
2984         constant for JIT*Generator. In previous implementation, even if the
2985         JIT*Generator was not using an operand register because it was proven as a
2986         constant, compileMathIC and emitICFast were allocating a register for
2987         it. This was broken because mathIC->isLeftOperandValidConstant and
2988         mathIC->isLeftOperandValidConstant were being called before its Generator be
2989         properly initialized. We changed this mechanism to enable Generators write
2990         their validConstant rules using static methods isLeftOperandValidConstant(SnippetOperand)
2991         and isRightOperandValidConstant(SnippetOperand).
2992
2993         * dfg/DFGSpeculativeJIT.cpp:
2994         (JSC::DFG::SpeculativeJIT::compileMathIC):
2995         * jit/JITAddGenerator.h:
2996         (JSC::JITAddGenerator::JITAddGenerator):
2997         (JSC::JITAddGenerator::isLeftOperandValidConstant):
2998         (JSC::JITAddGenerator::isRightOperandValidConstant):
2999         * jit/JITArithmetic.cpp:
3000         (JSC::JIT::emitMathICFast):
3001         * jit/JITMathIC.h:
3002         * jit/JITMulGenerator.h:
3003         (JSC::JITMulGenerator::JITMulGenerator):
3004         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3005         (JSC::JITMulGenerator::isRightOperandValidConstant):
3006         * jit/JITSubGenerator.h:
3007         (JSC::JITSubGenerator::isLeftOperandValidConstant):
3008         (JSC::JITSubGenerator::isRightOperandValidConstant):
3009
3010 2016-09-02  JF Bastien  <jfbastien@apple.com>
3011
3012         GetByValWithThis: fix opInfo in DFG creation
3013         https://bugs.webkit.org/show_bug.cgi?id=161541
3014
3015         Reviewed by Saam Barati.
3016
3017         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
3018
3019         * dfg/DFGByteCodeParser.cpp:
3020         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
3021
3022 2016-09-02  Chris Dumez  <cdumez@apple.com>
3023
3024         Object.preventExtensions() should throw cross-origin
3025         https://bugs.webkit.org/show_bug.cgi?id=161486
3026
3027         Reviewed by Geoffrey Garen.
3028
3029         Update JSProxy to forward preventExtensions() calls to its target.
3030
3031         * runtime/JSProxy.cpp:
3032         (JSC::JSProxy::preventExtensions):
3033         * runtime/JSProxy.h:
3034
3035 2016-09-02  Chris Dumez  <cdumez@apple.com>
3036
3037         Align proto getter / setter behavior with other browsers
3038         https://bugs.webkit.org/show_bug.cgi?id=161455
3039
3040         Reviewed by Mark Lam.
3041
3042         Drop allowsAccessFrom from the methodTable and delegate cross-origin
3043         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
3044         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
3045
3046         * jsc.cpp:
3047         * runtime/JSGlobalObject.cpp:
3048         * runtime/JSGlobalObject.h:
3049         * runtime/JSGlobalObjectFunctions.cpp:
3050         (JSC::globalFuncProtoGetter):
3051         (JSC::globalFuncProtoSetter):
3052         (JSC::globalFuncBuiltinLog): Deleted.
3053         * runtime/JSGlobalObjectFunctions.h:
3054         * runtime/JSObject.h:
3055         (JSC::JSObject::getArrayLength): Deleted.
3056         * runtime/JSProxy.cpp:
3057         (JSC::JSProxy::setPrototype):
3058         (JSC::JSProxy::getPrototype):
3059         * runtime/JSProxy.h:
3060         * runtime/ObjectConstructor.cpp:
3061         (JSC::objectConstructorGetPrototypeOf):
3062         (JSC::objectConstructorSetPrototypeOf):
3063         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
3064         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
3065         * runtime/ObjectConstructor.h:
3066         * runtime/ReflectObject.cpp:
3067         (JSC::reflectObjectGetPrototypeOf):
3068         (JSC::reflectObjectSetPrototypeOf):
3069
3070         * runtime/JSObject.cpp:
3071         (JSC::JSObject::setPrototypeWithCycleCheck):
3072         Comment out check added in r197648. This check was added to match
3073         the latest EcmaScript spec:
3074         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
3075         This check allowed for [[Prototype]] chain cycles if the prototype
3076         chain includes objects that do not use the ordinary object definitions
3077         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
3078         The issue is that the rest of our code base does not properly handle
3079         such cycles and we can end up in infinite loops. This became obvious
3080         because this patch updates Window / Location so that they no longer
3081         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
3082         comment out this check, I get an infinite loop in
3083         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
3084         called from JSObject::setPrototypeDirect(), when running the following
3085         layout test:
3086         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
3087         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
3088         issue.
3089
3090 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3091
3092         Add toJS for JSC::PrivateName
3093         https://bugs.webkit.org/show_bug.cgi?id=161522
3094
3095         Reviewed by Ryosuke Niwa.
3096
3097         Add the export annotation.
3098         And we perform refactoring RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
3099         since PrivateName never holds null SymbolImpl pointer. And along with this change,
3100         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
3101
3102         * runtime/Completion.cpp:
3103         (JSC::createSymbolForEntryPointModule):
3104         * runtime/IdentifierInlines.h:
3105         (JSC::Identifier::fromUid):
3106         * runtime/JSFunction.cpp:
3107         (JSC::JSFunction::setFunctionName):
3108         * runtime/PrivateName.h:
3109         (JSC::PrivateName::PrivateName):
3110         (JSC::PrivateName::uid): Ugly const_cast. But const annotation is meaningless for SymbolImpl.
3111         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
3112         But most of the users (One of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
3113         (JSC::PrivateName::operator==):
3114         (JSC::PrivateName::operator!=):
3115         * runtime/PropertyName.h:
3116         (JSC::PropertyName::PropertyName):
3117         * runtime/Symbol.cpp:
3118         (JSC::Symbol::finishCreation):
3119         * runtime/Symbol.h:
3120         * runtime/SymbolConstructor.cpp:
3121         (JSC::symbolConstructorKeyFor):
3122
3123 2016-09-01  Dan Bernstein  <mitz@apple.com>
3124
3125         Build fix.
3126
3127         * Configurations/FeatureDefines.xcconfig:
3128
3129 2016-09-01  JF Bastien  <jfbastien@apple.com>
3130
3131         jsc: fix cmake build missing symbol getPropertySlot
3132         https://bugs.webkit.org/show_bug.cgi?id=161521
3133
3134         Reviewed by Saam Barati.
3135
3136         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
3137         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
3138
3139 2016-09-01  JF Bastien  <jfbastien@apple.com>
3140
3141         jsc: provide printErr()
3142         https://bugs.webkit.org/show_bug.cgi?id=161513
3143
3144         Reviewed by Mark Lam.
3145
3146         * jsc.cpp:
3147         (GlobalObject::finishCreation):
3148         (printInternal): renamed from functionPrint, add error checking
3149         (functionPrintStdOut): punt to printInternal
3150         (functionPrintStdErr): punt to printInternal
3151         (functionPrint): Deleted.
3152
3153 2016-09-01  Mark Lam  <mark.lam@apple.com>
3154
3155         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
3156         https://bugs.webkit.org/show_bug.cgi?id=161499
3157
3158         Reviewed by Saam Barati.
3159
3160         This is just a refactoring patch to move some inline functions to their Inlines.h
3161         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
3162         later.
3163
3164         * bindings/ScriptValue.cpp:
3165         * interpreter/Interpreter.cpp:
3166         * runtime/IntlDateTimeFormatPrototype.cpp:
3167         * runtime/IntlNumberFormatPrototype.cpp:
3168         * runtime/JSArray.cpp:
3169         * runtime/JSArray.h:
3170         (JSC::getLength): Deleted.
3171         (JSC::toLength): Deleted.
3172         * runtime/JSArrayInlines.h:
3173         (JSC::JSArray::mergeIndexingTypeForCopying):
3174         (JSC::JSArray::canFastCopy):
3175         (JSC::getLength):
3176         (JSC::toLength):
3177         * runtime/JSInternalPromise.cpp:
3178         * runtime/JSInternalPromiseDeferred.cpp:
3179         * runtime/JSJob.cpp:
3180         * runtime/JSModuleRecord.cpp:
3181         * runtime/JSObject.h:
3182         (JSC::JSObject::getPropertySlot): Deleted.
3183         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
3184         * runtime/JSObjectInlines.h:
3185         (JSC::JSObject::getPropertySlot):
3186         (JSC::JSObject::getNonIndexPropertySlot):
3187         * runtime/JSPromiseDeferred.cpp:
3188         * runtime/JSTypedArrayViewPrototype.cpp:
3189         * runtime/MapConstructor.cpp:
3190         * runtime/SamplingProfiler.cpp:
3191         * runtime/SetConstructor.cpp:
3192         * runtime/WeakMapConstructor.cpp:
3193         * runtime/WeakSetConstructor.cpp:
3194
3195 2016-09-01  JF Bastien  <jfbastien@apple.com>
3196
3197         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
3198         https://bugs.webkit.org/show_bug.cgi?id=160922
3199
3200         Reviewed by Keith Miller.
3201
3202         Add value profiling to GetBy{Id,Val}WithThis.
3203
3204         * bytecode/BytecodeList.json:
3205         * bytecode/CodeBlock.cpp:
3206         (JSC::CodeBlock::dumpBytecode):
3207         (JSC::CodeBlock::finishCreation):
3208         * bytecompiler/BytecodeGenerator.cpp:
3209         (JSC::BytecodeGenerator::emitGetById):
3210         (JSC::BytecodeGenerator::emitGetByVal):
3211         * dfg/DFGByteCodeParser.cpp:
3212         (JSC::DFG::ByteCodeParser::parseBlock):
3213         * dfg/DFGNode.h:
3214         (JSC::DFG::Node::hasHeapPrediction):
3215         * dfg/DFGPredictionPropagationPhase.cpp:
3216         * llint/LowLevelInterpreter.asm:
3217         * runtime/CommonSlowPaths.cpp:
3218         (JSC::SLOW_PATH_DECL):
3219
3220 2016-09-01  Keith Miller  <keith_miller@apple.com>
3221
3222         WASM functions should be able to use arguments
3223         https://bugs.webkit.org/show_bug.cgi?id=161471
3224
3225         Reviewed by Benjamin Poulain.
3226
3227         This patch does a couple of changes:
3228
3229         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additonally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
3230
3231         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0. Since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
3232
3233         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
3234
3235         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
3236         (JSC::B3::jscCallingConvention):
3237         * B3CallingConventions.h: Added.
3238         (JSC::B3::CallingConvention::CallingConvention):
3239         (JSC::B3::CallingConvention::iterate):
3240         (JSC::B3::nextJSCOffset):
3241         * JavaScriptCore.xcodeproj/project.pbxproj:
3242         * interpreter/ProtoCallFrame.h:
3243         * llint/LLIntThunks.cpp:
3244         (JSC::vmEntryToWASM):
3245         * llint/LLIntThunks.h:
3246         * testWASM.cpp:
3247         (invoke):
3248         (box):
3249         (runWASMTests):
3250         * wasm/WASMB3IRGenerator.cpp:
3251         (JSC::WASM::B3IRGenerator::addLocal):
3252         (JSC::WASM::B3IRGenerator::addArguments):
3253         (JSC::WASM::B3IRGenerator::getLocal):
3254         * wasm/WASMFormat.h:
3255         * wasm/WASMFunctionParser.h:
3256         (JSC::WASM::FunctionParser<Context>::FunctionParser):
3257         (JSC::WASM::FunctionParser<Context>::parseExpression):
3258         * wasm/WASMModuleParser.cpp:
3259         (JSC::WASM::ModuleParser::parseFunctionTypes):
3260         (JSC::WASM::ModuleParser::parseFunctionSignatures):
3261         * wasm/WASMModuleParser.h:
3262         * wasm/WASMOps.h:
3263
3264 2016-09-01  Keith Miller  <keith_miller@apple.com>
3265
3266         Rename WASM classes dropping the WASM prefix
3267         https://bugs.webkit.org/show_bug.cgi?id=161500
3268
3269         Reviewed by Mark Lam.
3270
3271         Having to write WASM::WASMModule seems silly. Also, this patch
3272         merges WASMFunctionReturnType and WASMValueType into one type
3273         that is a typedef of B3::Type. Using B3::Type as the WASM
3274         primitive type makes it trivial to convert a Vector of WASM
3275         types into a Vector of B3 types.
3276
3277         * b3/B3Type.h:
3278         * wasm/JSWASMModule.h:
3279         (JSC::JSWASMModule::signatures):
3280         (JSC::JSWASMModule::functionImports):
3281         (JSC::JSWASMModule::functionImportSignatures):
3282         (JSC::JSWASMModule::globalVariableTypes):
3283         (JSC::JSWASMModule::functionDeclarations):
3284         (JSC::JSWASMModule::functionPointerTables):
3285         * wasm/WASMB3IRGenerator.cpp:
3286         (JSC::WASM::toB3Op):
3287         (JSC::WASM::B3IRGenerator::addLocal):
3288         (JSC::WASM::B3IRGenerator::unaryOp):
3289         (JSC::WASM::B3IRGenerator::binaryOp):
3290         (JSC::WASM::B3IRGenerator::addConstant):
3291         (JSC::WASM::parseAndCompile):
3292         * wasm/WASMB3IRGenerator.h:
3293         * wasm/WASMFormat.h:
3294         * wasm/WASMFunctionParser.h:
3295         (JSC::WASM::FunctionParser<Context>::FunctionParser):
3296         (JSC::WASM::FunctionParser<Context>::parse):
3297         (JSC::WASM::FunctionParser<Context>::parseBlock):
3298         (JSC::WASM::FunctionParser<Context>::parseExpression):
3299         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
3300         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
3301         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
3302         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
3303         * wasm/WASMModuleParser.cpp:
3304         (JSC::WASM::ModuleParser::parse):
3305         (JSC::WASM::ModuleParser::parseFunctionTypes):
3306         (JSC::WASM::ModuleParser::parseFunctionSignatures):
3307         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
3308         (JSC::WASM::WASMModuleParser::parse): Deleted.
3309         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
3310         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
3311         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
3312         * wasm/WASMModuleParser.h:
3313         (JSC::WASM::ModuleParser::ModuleParser):
3314         (JSC::WASM::ModuleParser::functionInformation):
3315         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
3316         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
3317         * wasm/WASMOps.h:
3318         * wasm/WASMParser.h:
3319         (JSC::WASM::Parser::Parser):
3320         (JSC::WASM::Parser::consumeCharacter):
3321         (JSC::WASM::Parser::consumeString):
3322         (JSC::WASM::Parser::parseUInt32):
3323         (JSC::WASM::Parser::parseUInt7):
3324         (JSC::WASM::Parser::parseVarUInt1):
3325         (JSC::WASM::Parser::parseValueType):
3326         (JSC::WASM::WASMParser::WASMParser): Deleted.
3327         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
3328         (JSC::WASM::WASMParser::consumeString): Deleted.
3329         (JSC::WASM::WASMParser::parseUInt32): Deleted.
3330         (JSC::WASM::WASMParser::parseUInt7): Deleted.
3331         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
3332         (JSC::WASM::WASMParser::parseValueType): Deleted.
3333         * wasm/WASMPlan.cpp:
3334         (JSC::WASM::Plan::Plan):
3335         * wasm/WASMSections.cpp:
3336         (JSC::WASM::Sections::lookup):
3337         (JSC::WASM::WASMSections::lookup): Deleted.
3338         * wasm/WASMSections.h:
3339         (JSC::WASM::Sections::validateOrder):
3340         (JSC::WASM::WASMSections::validateOrder): Deleted.
3341
3342 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
3343
3344         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
3345         https://bugs.webkit.org/show_bug.cgi?id=161492
3346
3347         Reviewed by Mark Lam.
3348         
3349         If you materialize a sunken object that is referenced from another sunken object, then you
3350         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
3351         object rather than to the old sunken one.
3352         
3353         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
3354         did it when the PromotedLocationDescriptor for the field used for referring to the other
3355         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
3356         I can sort of imagine why we thought that would be right - neededForMaterialization() means
3357         it's a special meta-data field initialized on construction. But just because it's immutable
3358         and special doesn't mean that materialization can't change its physical representation.
3359         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
3360         regress anything.
3361
3362         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3363
3364 2016-09-01  Chris Dumez  <cdumez@apple.com>
3365
3366         Unreviewed, rolling out r205297.
3367
3368         Caused some JSC test failures
3369
3370         Reverted changeset:
3371
3372         "Align cross-origin proto getter / setter behavior with the
3373         specification"
3374         https://bugs.webkit.org/show_bug.cgi?id=161455
3375         http://trac.webkit.org/changeset/205297
3376
3377 2016-09-01  Chris Dumez  <cdumez@apple.com>
3378
3379         Align cross-origin proto getter / setter behavior with the specification
3380         https://bugs.webkit.org/show_bug.cgi?id=161455
3381
3382         Reviewed by Mark Lam.
3383
3384         Align cross-origin proto getter / setter behavior with the specification:
3385
3386         The setter should throw a TypeError:
3387         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
3388         - https://html.spec.whatwg.org/#location-setprototypeof
3389         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
3390
3391         The getter should return null:
3392         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
3393         - https://html.spec.whatwg.org/#location-getprototypeof
3394
3395         I have verified that this aligns our behavior with Firefox and Chrome.
3396
3397         * runtime/JSGlobalObjectFunctions.cpp:
3398         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3399         (JSC::globalFuncProtoSetter):
3400
3401 2016-09-01  Csaba Osztrogonác  <ossy@webkit.org>
3402
3403         Unreviewed ARM buildfix after r205283.
3404
3405         * assembler/ARMAssembler.h:
3406         (JSC::ARMAssembler::patchableJumpSize):
3407         * assembler/MacroAssemblerARM.h:
3408         (JSC::MacroAssemblerARM::patchableJumpSize):
3409
3410 2016-09-01  Saam Barati  <sbarati@apple.com>
3411
3412         JITMathIC was misusing maxJumpReplacementSize
3413         https://bugs.webkit.org/show_bug.cgi?id=161356
3414         <rdar://problem/28065560>
3415
3416         Reviewed by Benjamin Poulain.
3417
3418         JITMathIC was assuming that maxJumpReplacementSize is the size
3419         you'd get if you emitted a patchableJump() using the macro assembler.
3420         This is not true, however. It happens to be true on arm64, x86 and x86-64,
3421         however, it is not true on armv7. This patch introduces an alternative to
3422         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
3423         to use that number instead.
3424
3425         * assembler/ARM64Assembler.h:
3426         (JSC::ARM64Assembler::patchableJumpSize):
3427         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
3428         * assembler/ARMv7Assembler.h:
3429         (JSC::ARMv7Assembler::patchableJumpSize):
3430         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
3431         * assembler/MacroAssemblerARM64.h:
3432         (JSC::MacroAssemblerARM64::patchableJumpSize):
3433         * assembler/MacroAssemblerARMv7.h:
3434         (JSC::MacroAssemblerARMv7::patchableJumpSize):
3435         * assembler/MacroAssemblerX86Common.h:
3436         (JSC::MacroAssemblerX86Common::patchableJumpSize):
3437         * assembler/X86Assembler.h:
3438         (JSC::X86Assembler::patchableJumpSize):
3439         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
3440         * jit/JITMathIC.h:
3441         (JSC::JITMathIC::generateInline):
3442
3443 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3444
3445         [JSC] Add initiator parameter to module pipeline
3446         https://bugs.webkit.org/show_bug.cgi?id=161470
3447
3448         Reviewed by Saam Barati.
3449
3450         The fetching semantics of the <script type="module"> tag has per module-tag context.
3451         For example, "nonce", "crossorigin" etc. attributes are shared in the fetching requests
3452         issued from the module-tag. To transfer this information, we add a new parameter "initiator"
3453         to the module loader pipeline. We are planning to transfer information by this parameter.
3454
3455         At the same time, we also perform some clean up.
3456
3457         - Use arrow function in ModuleLoaderPrototype.js.
3458         - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.
3459
3460         * builtins/ModuleLoaderPrototype.js:
3461         (newRegistryEntry):
3462         (commitInstantiated):
3463         (requestFetch):
3464         (requestTranslate):
3465         (requestInstantiate):
3466         (requestSatisfy):
3467         (requestInstantiateAll):
3468         (requestLink):
3469         (moduleEvaluation):
3470         (provide):
3471         (loadAndEvaluateModule):
3472         (requestResolveDependencies.): Deleted.
3473         (requestResolveDependencies): Deleted.
3474         (requestReady): Deleted.
3475         (link): Deleted.
3476         (loadModule): Deleted.
3477         (linkAndEvaluateModule): Deleted.
3478         * bytecode/BytecodeIntrinsicRegistry.cpp:
3479         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3480         * bytecode/BytecodeIntrinsicRegistry.h:
3481         * jsc.cpp:
3482         (GlobalObject::moduleLoaderResolve):
3483         (GlobalObject::moduleLoaderFetch):
3484         * runtime/Completion.cpp:
3485         (JSC::loadAndEvaluateModule):
3486         (JSC::loadModule):
3487         (JSC::linkAndEvaluateModule):
3488         * runtime/Completion.h:
3489         * runtime/JSGlobalObject.h:
3490         * runtime/JSModuleLoader.cpp:
3491         (JSC::JSModuleLoader::loadAndEvaluateModule):
3492         (JSC::JSModuleLoader::loadModule):
3493         (JSC::JSModuleLoader::linkAndEvaluateModule):
3494         (JSC::JSModuleLoader::resolve):
3495         (JSC::JSModuleLoader::fetch):
3496         (JSC::JSModuleLoader::translate):
3497         (JSC::JSModuleLoader::instantiate):
3498         (JSC::JSModuleLoader::evaluate):
3499         * runtime/JSModuleLoader.h:
3500         * runtime/ModuleLoaderPrototype.cpp:
3501         (JSC::moduleLoaderPrototypeResolve):
3502         (JSC::moduleLoaderPrototypeFetch):
3503         (JSC::moduleLoaderPrototypeTranslate):
3504         (JSC::moduleLoaderPrototypeInstantiate):
3505         (JSC::moduleLoaderPrototypeEvaluate):
3506
3507 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3508
3509         [JSC] linking and evaluating the modules are done in a sync manner
3510         https://bugs.webkit.org/show_bug.cgi?id=161467
3511
3512         Reviewed by Saam Barati.
3513
3514         While the fetching and the other stages are done in an asynchronous manner,
3515         linking and evaluating are done in a sync manner.
3516         Just return the result value and do not wrap them with the internal promise.
3517
3518         * builtins/ModuleLoaderPrototype.js:
3519         (linkAndEvaluateModule):
3520         * runtime/Completion.cpp:
3521         (JSC::linkAndEvaluateModule):
3522         * runtime/Completion.h:
3523         * runtime/JSModuleLoader.cpp:
3524         (JSC::JSModuleLoader::linkAndEvaluateModule):
3525         * runtime/JSModuleLoader.h:
3526
3527 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3528
3529         stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
3530         https://bugs.webkit.org/show_bug.cgi?id=161436
3531
3532         Reviewed by Filip Pizlo.
3533
3534         * jsc.cpp:
3535         (GlobalObject::finishCreation):
3536         (functionGetRandomSeed):
3537         (functionSetRandomSeed):
3538         * runtime/JSGlobalObject.h:
3539         (JSC::JSGlobalObject::weakRandom):
3540         (JSC::JSGlobalObject::weakRandomInteger): Deleted.
3541
3542 2016-08-31  Chris Dumez  <cdumez@apple.com>
3543
3544         Object.getPrototypeOf() should return null cross-origin
3545         https://bugs.webkit.org/show_bug.cgi?id=161393
3546
3547         Reviewed by Geoffrey Garen.
3548
3549         Object.getPrototypeOf() should return null cross-origin:
3550         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
3551         - https://html.spec.whatwg.org/#location-getprototypeof
3552
3553         Firefox and Chrome return null. However, WebKit was returning undefined.
3554
3555         * runtime/ObjectConstructor.cpp:
3556         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3557
3558 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3559
3560         [JSC] AbstractValue can contain padding which is not zero-filled
3561         https://bugs.webkit.org/show_bug.cgi?id=161427
3562
3563         Reviewed by Saam Barati.
3564
3565         We checked that AbstractValue is zero-filled when initializing it to ensure
3566         that zero-filled memory can be used as the initialized AbstractValue.
3567         However, since the size of SpeculatedType becomes 64bit, AbstractValue can have
3568         padding now. And this padding is not ensured that it is initialized with zeros.
3569         So debug assertion fails when building with GCC.
3570
3571         This patch changes the strategy. Instead of checking the initialized
3572         AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
3573         considered to be equal to the initialized AbstractValue.
3574
3575         * dfg/DFGAbstractValue.cpp:
3576         (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
3577         * dfg/DFGAbstractValue.h:
3578         (JSC::DFG::AbstractValue::AbstractValue):
3579
3580 2016-08-31  Brady Eidson  <beidson@apple.com>
3581
3582         WK2 Gamepad provider on iOS.
3583         https://bugs.webkit.org/show_bug.cgi?id=161412
3584
3585         Reviewed by Tim Horton.
3586
3587         * Configurations/FeatureDefines.xcconfig:
3588
3589 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
3590
3591         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
3592         https://bugs.webkit.org/show_bug.cgi?id=161410
3593
3594         Reviewed by Geoffrey Garen.
3595
3596         * dfg/DFGFixupPhase.cpp:
3597         (JSC::DFG::FixupPhase::fixupNode):
3598         DoubleRep is able to convert numbers, undefined, booleans and null.
3599         I was too pessimistic when I gated the double implementations
3600         on number-or-boolean speculation. We can just let DoubleRep convert
3601         the other cases as long as it is not a Cell.
3602
3603 2016-08-30  Chris Dumez  <cdumez@apple.com>
3604
3605         Unreviewed, fix build after r205205.
3606
3607         * runtime/ObjectConstructor.cpp:
3608         (JSC::objectConstructorSetPrototypeOf):
3609
3610 2016-08-30  Chris Dumez  <cdumez@apple.com>
3611
3612         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
3613         https://bugs.webkit.org/show_bug.cgi?id=161396
3614
3615         Reviewed by Ryosuke Niwa.
3616
3617         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
3618         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
3619         - https://html.spec.whatwg.org/#location-setprototypeof
3620         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
3621
3622         Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
3623
3624         Note that technically, we should also throw in the same origin case.
3625         However, not all browsers agree on this yet so I haven't not changed
3626         the behavior for the same origin case.
3627
3628         * runtime/ObjectConstructor.cpp:
3629         (JSC::objectConstructorSetPrototypeOf):
3630
3631 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
3632
3633         [JSC] Clean up the remaining compare nodes in FTLCapabilities
3634         https://bugs.webkit.org/show_bug.cgi?id=161400
3635
3636         Reviewed by Geoffrey Garen.
3637
3638         It looks like we implemented all the cases without realizing it.
3639
3640         * ftl/FTLCapabilities.cpp:
3641         (JSC::FTL::canCompile):
3642         * ftl/FTLLowerDFGToB3.cpp:
3643         (JSC::FTL::DFG::LowerDFGToB3::compare):
3644
3645 2016-08-30  Mark Lam  <mark.lam@apple.com>
3646
3647         Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
3648         https://bugs.webkit.org/show_bug.cgi?id=161171
3649
3650         Reviewed by Filip Pizlo and Geoffrey Garen.
3651
3652         This is the first step towards having a mechanism (using the ThrowScope) to
3653         verify that we're properly checking for exceptions in all the needed places.
3654         See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.
3655
3656         This patch only introduces the ThrowScope, and changes all throw sites to throw
3657         using a ThrowScope instance.  VM::throwException() functions are now private, and
3658         cannot be accessed directly.  All throws must now go through a ThrowScope.
3659
3660         Verification is disabled for the moment until we can fix all the verification
3661         failures that will show up.
3662
3663         I also did a smoke test of the ThrowScope mechanisms by running verification on
3664         the JSTests/stress/op-add-exceptions.js test with a local build with verification
3665         turned on.
3666
3667         Performance is neutral on aggregate with this patch.
3668
3669         Misc other changes:
3670         - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
3671         - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.
3672
3673         * API/APICallbackFunction.h:
3674         (JSC::APICallbackFunction::call):
3675         (JSC::APICallbackFunction::construct):
3676         * API/JSCallbackObjectFunctions.h:
3677         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
3678         (JSC::JSCallbackObject<Parent>::defaultValue):
3679         (JSC::JSCallbackObject<Parent>::put):
3680         (JSC::JSCallbackObject<Parent>::putByIndex):
3681         (JSC::JSCallbackObject<Parent>::deleteProperty):
3682         (JSC::JSCallbackObject<Parent>::construct):
3683         (JSC::JSCallbackObject<Parent>::customHasInstance):
3684         (JSC::JSCallbackObject<Parent>::call):
3685         (JSC::JSCallbackObject<Parent>::getStaticValue):
3686         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3687         (JSC::JSCallbackObject<Parent>::callbackGetter):
3688         * API/JSTypedArray.cpp:
3689         (createTypedArray):
3690         * CMakeLists.txt:
3691         * JavaScriptCore.xcodeproj/project.pbxproj:
3692         * dfg/DFGOperations.cpp:
3693         (JSC::DFG::newTypedArrayWithSize):
3694         * inspector/JSInjectedScriptHost.cpp:
3695         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3696         * inspector/JSInjectedScriptHostPrototype.cpp:
3697         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
3698         (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
3699         (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
3700         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
3701         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
3702         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
3703         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
3704         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
3705         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
3706         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
3707         (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
3708         (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
3709         * inspector/JSJavaScriptCallFrame.cpp:
3710         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3711         * inspector/JSJavaScriptCallFramePrototype.cpp:
3712         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
3713         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
3714         (Inspector::jsJavaScriptCallFrameAttributeCaller):
3715         (Inspector::jsJavaScriptCallFrameAttributeSourceID):
3716         (Inspector::jsJavaScriptCallFrameAttributeLine):
3717         (Inspector::jsJavaScriptCallFrameAttributeColumn):
3718         (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
3719         (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
3720         (Inspector::jsJavaScriptCallFrameAttributeThisObject):
3721         (Inspector::jsJavaScriptCallFrameAttributeType):
3722         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
3723         * interpreter/CachedCall.h:
3724         (JSC::CachedCall::CachedCall):
3725         * interpreter/Interpreter.cpp:
3726         (JSC::eval):
3727         (JSC::sizeOfVarargs):
3728         (JSC::sizeFrameForForwardArguments):
3729         (JSC::sizeFrameForVarargs):
3730         (JSC::Interpreter::execute):
3731         (JSC::Interpreter::executeCall):
3732         (JSC::Interpreter::executeConstruct):
3733         (JSC::Interpreter::prepareForRepeatCall):
3734         * jit/JITOperations.cpp:
3735         * jsc.cpp:
3736         (WTF::CustomGetter::customGetter):
3737         (WTF::RuntimeArray::lengthGetter):
3738         (functionCreateElement):
3739         (functionRun):
3740         (functionRunString):
3741         (functionLoad):
3742         (functionLoadString):
3743         (functionReadFile):
3744         (functionCheckSyntax):
3745         (functionTransferArrayBuffer):
3746         (functionLoadModule):
3747         (functionCheckModuleSyntax):
3748         (functionSamplingProfilerStackTraces):
3749         * llint/LLIntSlowPaths.cpp:
3750         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3751         (JSC::LLInt::getByVal):
3752         (JSC::LLInt::handleHostCall):
3753         (JSC::LLInt::setUpCall):
3754         (JSC::LLInt::llint_throw_stack_overflow_error):
3755         * runtime/ArrayConstructor.cpp:
3756         (JSC::constructArrayWithSizeQuirk):
3757         * runtime/ArrayConstructor.h:
3758         (JSC::isArray):
3759         * runtime/ArrayPrototype.cpp:
3760         (JSC::shift):
3761         (JSC::unshift):
3762         (JSC::arrayProtoFuncToString):
3763         (JSC::arrayProtoFuncPop):
3764         (JSC::arrayProtoFuncReverse):
3765         (JSC::arrayProtoFuncSplice):
3766         (JSC::concatAppendOne):
3767         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3768         * runtime/BooleanPrototype.cpp:
3769         (JSC::booleanProtoFuncToString):
3770         (JSC::booleanProtoFuncValueOf):
3771         * runtime/CommonSlowPaths.cpp:
3772         * runtime/CommonSlowPaths.h:
3773         (JSC::CommonSlowPaths::opIn):
3774         * runtime/CommonSlowPathsExceptions.cpp:
3775         (JSC::CommonSlowPaths::interpreterThrowInCaller):
3776         * runtime/ConstructData.cpp:
3777         (JSC::construct):
3778         * runtime/DatePrototype.cpp:
3779         (JSC::formateDateInstance):
3780         (JSC::dateProtoFuncToISOString):
3781         (JSC::dateProtoFuncToLocaleString):
3782         (JSC::dateProtoFuncToLocaleDateString):
3783         (JSC::dateProtoFuncToLocaleTimeString):
3784         (JSC::dateProtoFuncToPrimitiveSymbol):
3785         (JSC::dateProtoFuncGetTime):
3786         (JSC::dateProtoFuncGetFullYear):
3787         (JSC::dateProtoFuncGetUTCFullYear):
3788         (JSC::dateProtoFuncGetMonth):
3789         (JSC::dateProtoFuncGetUTCMonth):
3790         (JSC::dateProtoFuncGetDate):
3791         (JSC::dateProtoFuncGetUTCDate):
3792         (JSC::dateProtoFuncGetDay):
3793         (JSC::dateProtoFuncGetUTCDay):
3794         (JSC::dateProtoFuncGetHours):
3795         (JSC::dateProtoFuncGetUTCHours):
3796         (JSC::dateProtoFuncGetMinutes):
3797         (JSC::dateProtoFuncGetUTCMinutes):
3798         (JSC::dateProtoFuncGetSeconds):
3799         (JSC::dateProtoFuncGetUTCSeconds):
3800         (JSC::dateProtoFuncGetMilliSeconds):
3801         (JSC::dateProtoFuncGetUTCMilliseconds):
3802         (JSC::dateProtoFuncGetTimezoneOffset):
3803         (JSC::dateProtoFuncSetTime):
3804         (JSC::setNewValueFromTimeArgs):
3805         (JSC::setNewValueFromDateArgs):
3806         (JSC::dateProtoFuncSetYear):
3807         (JSC::dateProtoFuncGetYear):
3808         (JSC::dateProtoFuncToJSON):
3809         * runtime/Error.cpp:
3810         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
3811         (JSC::throwTypeError):
3812         (JSC::throwSyntaxError):
3813         * runtime/Error.h:
3814         (JSC::throwRangeError):
3815         (JSC::throwVMError):
3816         (JSC::throwVMTypeError):
3817         (JSC::throwVMRangeError):
3818         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
3819         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
3820         * runtime/ErrorPrototype.cpp:
3821         (JSC::errorProtoFuncToString):
3822         * runtime/ExceptionFuzz.cpp:
3823         (JSC::doExceptionFuzzing):
3824         * runtime/ExceptionHelpers.cpp:
3825         (JSC::throwOutOfMemoryError):
3826         (JSC::throwStackOverflowError):
3827         (JSC::throwTerminatedExecutionException):
3828         * runtime/ExceptionHelpers.h:
3829         * runtime/Executable.cpp:
3830         (JSC::ScriptExecutable::newCodeBlockFor):
3831         (JSC::EvalExecutable::create):
3832         * runtime/FunctionConstructor.cpp:
3833         (JSC::constructFunction):
3834         (JSC::constructFunctionSkippingEvalEnabledCheck):
3835         * runtime/FunctionPrototype.cpp:
3836         (JSC::functionProtoFuncToString):
3837         (JSC::functionProtoFuncBind):
3838         * runtime/GetterSetter.cpp:
3839         (JSC::callSetter):
3840         * runtime/IntlCollator.cpp:
3841         (JSC::IntlCollator::compareStrings):
3842         * runtime/IntlCollatorPrototype.cpp:
3843         (JSC::IntlCollatorPrototypeGetterCompare):
3844         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
3845         * runtime/IntlDateTimeFormat.cpp:
3846         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3847         (JSC::IntlDateTimeFormat::format):
3848         * runtime/IntlDateTimeFormatPrototype.cpp:
3849         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3850         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3851         * runtime/IntlNumberFormat.cpp:
3852         (JSC::IntlNumberFormat::initializeNumberFormat):
3853         (JSC::IntlNumberFormat::formatNumber):
3854         * runtime/IntlNumberFormatPrototype.cpp:
3855         (JSC::IntlNumb