42b6d60edd17a3f6fb46a7fcb690759f2aee1c04
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-08  Saam Barati  <sbarati@apple.com>
2
3         We should inline operationConvertJSValueToBoolean into JIT code
4         https://bugs.webkit.org/show_bug.cgi?id=161729
5
6         Reviewed by Filip Pizlo.
7
8         This patch introduces an AssemblyHelpers emitter function
9         that replaces operationConvertJSValueToBoolean. This operation
10         was showing up when I was doing performance analysis for the
11         speedometer benchmark. I saw that it was spending about 1% of
12         its time in this function. Hopefully this patch can help us speedup
13         up speedometer by a little bit.
14
15         * dfg/DFGSpeculativeJIT32_64.cpp:
16         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
17         (JSC::DFG::SpeculativeJIT::emitBranch):
18         * dfg/DFGSpeculativeJIT64.cpp:
19         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
20         (JSC::DFG::SpeculativeJIT::emitBranch):
21         * jit/AssemblyHelpers.cpp:
22         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
23         * jit/AssemblyHelpers.h:
24         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
25         * jit/JIT.cpp:
26         (JSC::JIT::privateCompileSlowCases):
27         * jit/JIT.h:
28         * jit/JITOpcodes.cpp:
29         (JSC::JIT::emit_op_jfalse):
30         (JSC::JIT::emit_op_jtrue):
31         (JSC::JIT::emitSlow_op_jfalse): Deleted.
32         (JSC::JIT::emitSlow_op_jtrue): Deleted.
33         * jit/JITOpcodes32_64.cpp:
34         (JSC::JIT::emit_op_jfalse):
35         (JSC::JIT::emit_op_jtrue):
36         (JSC::JIT::emitSlow_op_jfalse): Deleted.
37         (JSC::JIT::emitSlow_op_jtrue): Deleted.
38         * jit/JITOperations.cpp:
39         * jit/JITOperations.h:
40
41 2016-09-08  Chris Dumez  <cdumez@apple.com>
42
43         Align proto getter / setter behavior with other browsers
44         https://bugs.webkit.org/show_bug.cgi?id=161455
45
46         Reviewed by Saam Barati.
47
48         Drop allowsAccessFrom from the methodTable and delegate cross-origin
49         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
50         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
51
52         * jsc.cpp:
53         * runtime/JSGlobalObject.cpp:
54         * runtime/JSGlobalObject.h:
55         * runtime/JSGlobalObjectFunctions.cpp:
56         (JSC::globalFuncProtoGetter):
57         (JSC::globalFuncProtoSetter):
58         (JSC::globalFuncBuiltinLog): Deleted.
59         * runtime/JSGlobalObjectFunctions.h:
60         * runtime/JSObject.cpp:
61         (JSC::JSObject::setPrototypeWithCycleCheck):
62         Remove check added in r197648. This check was added to match
63         the latest EcmaScript spec:
64         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
65         This check allowed for [[Prototype]] chain cycles if the prototype
66         chain includes objects that do not use the ordinary object definitions
67         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
68         The issue is that the rest of our code base does not properly handle
69         such cycles and we can end up in infinite loops. This became obvious
70         because this patch updates Window / Location so that they no longer
71         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
72         remove this check, I get an infinite loop in
73         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
74         called from JSObject::setPrototypeDirect(), when running the following
75         layout test:
76         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
77         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
78         issue.
79
80         * runtime/JSObject.h:
81         (JSC::JSObject::getArrayLength): Deleted.
82         * runtime/JSProxy.cpp:
83         (JSC::JSProxy::setPrototype):
84         (JSC::JSProxy::getPrototype):
85         * runtime/JSProxy.h:
86         * runtime/ObjectConstructor.cpp:
87         (JSC::objectConstructorGetPrototypeOf):
88         (JSC::objectConstructorSetPrototypeOf):
89         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
90         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
91         * runtime/ObjectConstructor.h:
92         * runtime/ReflectObject.cpp:
93         (JSC::reflectObjectGetPrototypeOf):
94         (JSC::reflectObjectSetPrototypeOf):
95
96 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
97
98         Remove CopiedSpace and use MarkedSpace instead
99         https://bugs.webkit.org/show_bug.cgi?id=159658
100
101         Reviewed by Keith Miller.
102         
103         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
104         is a simple change.
105         
106         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
107         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
108         
109         The rest of this patch is deleting CopiedSpace.
110
111         * API/JSObjectRef.cpp:
112         * CMakeLists.txt:
113         * JavaScriptCore.xcodeproj/project.pbxproj:
114         * dfg/DFGOperations.cpp:
115         * heap/ConservativeRoots.cpp:
116         (JSC::ConservativeRoots::genericAddPointer):
117         * heap/CopiedAllocator.h: Removed.
118         * heap/CopiedBlock.cpp: Removed.
119         * heap/CopiedBlock.h: Removed.
120         * heap/CopiedBlockInlines.h: Removed.
121         * heap/CopiedSpace.cpp: Removed.
122         * heap/CopiedSpace.h: Removed.
123         * heap/CopiedSpaceInlines.h: Removed.
124         * heap/CopyBarrier.h: Removed.
125         * heap/CopyToken.h: Removed.
126         * heap/CopyVisitor.cpp: Removed.
127         * heap/CopyVisitor.h: Removed.
128         * heap/CopyVisitorInlines.h: Removed.
129         * heap/CopyWorkList.h: Removed.
130         * heap/Heap.cpp:
131         (JSC::Heap::Heap):
132         (JSC::Heap::isPagedOut):
133         (JSC::Heap::updateObjectCounts):
134         (JSC::Heap::size):
135         (JSC::Heap::capacity):
136         (JSC::Heap::collectImpl):
137         (JSC::Heap::stopAllocation):
138         (JSC::Heap::updateAllocationLimits):
139         (JSC::Heap::copyBackingStores): Deleted.
140         (JSC::Heap::threadBytesCopied): Deleted.
141         * heap/Heap.h:
142         (JSC::Heap::objectSpace):
143         (JSC::Heap::allocatorForAuxiliaryData):
144         (JSC::Heap::storageSpace): Deleted.
145         (JSC::Heap::storageAllocator): Deleted.
146         * heap/HeapCellInlines.h:
147         * heap/HeapInlines.h:
148         (JSC::Heap::tryAllocateStorage): Deleted.
149         (JSC::Heap::tryReallocateStorage): Deleted.
150         * heap/HeapVerifier.cpp:
151         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
152         (JSC::HeapVerifier::reportObject):
153         (JSC::getButterflyDetails): Deleted.
154         * heap/SlotVisitor.cpp:
155         (JSC::SlotVisitor::copyLater): Deleted.
156         * heap/SlotVisitor.h:
157         * jit/AssemblyHelpers.h:
158         * jit/JITOpcodes.cpp:
159         * jsc.cpp:
160         * runtime/ArrayConstructor.cpp:
161         * runtime/ArrayPrototype.cpp:
162         * runtime/Butterfly.h:
163         * runtime/ButterflyInlines.h:
164         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
165         * runtime/ClassInfo.h:
166         * runtime/DirectArguments.cpp:
167         (JSC::DirectArguments::visitChildren):
168         (JSC::DirectArguments::overrideThings):
169         (JSC::DirectArguments::copyBackingStore): Deleted.
170         * runtime/DirectArguments.h:
171         * runtime/JSArray.cpp:
172         * runtime/JSCell.cpp:
173         (JSC::JSCell::copyBackingStore): Deleted.
174         * runtime/JSCell.h:
175         * runtime/JSLexicalEnvironment.h:
176         * runtime/JSObject.cpp:
177         * runtime/JSTypedArrays.cpp:
178         * runtime/LiteralParser.cpp:
179         * runtime/ObjectConstructor.cpp:
180         * runtime/RegExpObject.cpp:
181         * runtime/StringPrototype.cpp:
182         * runtime/WeakMapData.cpp:
183         * tools/JSDollarVMPrototype.cpp:
184         (JSC::JSDollarVMPrototype::isInStorageSpace):
185
186 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
187
188         Heap version should be 32-bit
189         https://bugs.webkit.org/show_bug.cgi?id=161751
190
191         Reviewed by Mark Lam.
192         
193         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
194         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
195         easy to handle.
196
197         * heap/CellContainer.h:
198         * heap/CellContainerInlines.h:
199         (JSC::CellContainer::flipIfNecessary):
200         * heap/ConservativeRoots.cpp:
201         (JSC::ConservativeRoots::genericAddPointer):
202         (JSC::ConservativeRoots::genericAddSpan):
203         * heap/ConservativeRoots.h:
204         * heap/Heap.h:
205         * heap/HeapInlines.h:
206         (JSC::Heap::testAndSetMarked):
207         * heap/HeapUtil.h:
208         (JSC::HeapUtil::findGCObjectPointersForMarking):
209         * heap/MarkedBlock.cpp:
210         (JSC::MarkedBlock::MarkedBlock):
211         * heap/MarkedBlock.h:
212         (JSC::MarkedBlock::flipIfNecessary):
213         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
214         (JSC::MarkedBlock::Handle::flipIfNecessary):
215         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
216         * heap/MarkedSpace.cpp:
217         (JSC::MarkedSpace::flip):
218         * heap/MarkedSpace.h:
219         (JSC::MarkedSpace::version):
220         * heap/SlotVisitor.cpp:
221         (JSC::SlotVisitor::SlotVisitor):
222         * heap/SlotVisitor.h:
223
224 2016-09-08  Mark Lam  <mark.lam@apple.com>
225
226         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
227         https://bugs.webkit.org/show_bug.cgi?id=161724
228
229         Reviewed by Filip Pizlo.
230
231         ARM architectures support ternary sub instructions.  We should make use of them
232         in emitAllocateWithNonNullAllocator().
233
234         * assembler/MacroAssemblerARM.h:
235         (JSC::MacroAssemblerARM::sub32):
236         * assembler/MacroAssemblerARM64.h:
237         (JSC::MacroAssemblerARM64::sub32):
238         * assembler/MacroAssemblerARMv7.h:
239         (JSC::MacroAssemblerARMv7::sub32):
240         * assembler/MacroAssemblerSH4.h:
241         (JSC::MacroAssemblerSH4::sub32):
242         * assembler/MacroAssemblerX86Common.h:
243         (JSC::MacroAssemblerX86Common::sub32):
244         * b3/air/AirOpcode.opcodes:
245         * b3/testb3.cpp:
246         (JSC::B3::testTernarySubInstructionSelection):
247         (JSC::B3::run):
248         * jit/AssemblyHelpers.h:
249         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
250
251 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
252
253         Move JSMap/JSSet over to Auxiliary MarkedSpace
254         https://bugs.webkit.org/show_bug.cgi?id=161744
255
256         Reviewed by Saam Barati.
257         
258         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
259         
260         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
261         speak of CopiedSpace.
262         
263         This is a purely mechanical change.
264
265         * JavaScriptCore.xcodeproj/project.pbxproj:
266         * heap/CopyToken.h:
267         * runtime/HashMapImpl.cpp:
268         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
269         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
270         * runtime/HashMapImpl.h:
271         (JSC::HashMapBuffer::create):
272         * runtime/JSMapIterator.cpp:
273         * runtime/JSMapIterator.h:
274         * runtime/JSSetIterator.cpp:
275         * runtime/JSSetIterator.h:
276         * runtime/MapBase.cpp:
277         * runtime/MapData.h: Removed.
278         * runtime/MapDataInlines.h: Removed.
279         * runtime/MapPrototype.cpp:
280         * runtime/SetConstructor.cpp:
281         * runtime/SetPrototype.cpp:
282         * runtime/VM.cpp:
283
284 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
285
286         Typed arrays should use MarkedSpace instead of CopiedSpace
287         https://bugs.webkit.org/show_bug.cgi?id=161100
288
289         Reviewed by Geoffrey Garen.
290         
291         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
292         
293         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
294         everything that typed arrays want.
295
296         * dfg/DFGOperations.cpp:
297         (JSC::DFG::newTypedArrayWithSize):
298         * dfg/DFGOperations.h:
299         (JSC::DFG::operationNewTypedArrayWithSizeForType):
300         * dfg/DFGSpeculativeJIT.cpp:
301         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
302         * dfg/DFGSpeculativeJIT.h:
303         (JSC::DFG::SpeculativeJIT::callOperation):
304         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
305         * ftl/FTLLowerDFGToB3.cpp:
306         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
307         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
308         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
309         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
310         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
311         * heap/CopyToken.h:
312         * heap/SlotVisitor.cpp:
313         (JSC::SlotVisitor::markAuxiliary):
314         * jit/JITOperations.h:
315         * runtime/JSArrayBufferView.cpp:
316         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
317         (JSC::JSArrayBufferView::JSArrayBufferView):
318         * runtime/JSArrayBufferView.h:
319         * runtime/JSGenericTypedArrayView.h:
320         * runtime/JSGenericTypedArrayViewInlines.h:
321         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
322         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
323         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
324         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
325
326 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
327
328         [Win64] Compile fixes.
329         https://bugs.webkit.org/show_bug.cgi?id=161682
330
331         Reviewed by Brent Fulgham.
332
333         * dfg/DFGSpeculativeJIT64.cpp:
334         (JSC::DFG::SpeculativeJIT::emitCall):
335         * jit/JITCall.cpp:
336         (JSC::JIT::compileOpCall):
337         * runtime/ArrayConventions.cpp:
338         (JSC::clearArrayMemset):
339
340 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
341
342         [Win] Exception fuzz tests fail
343         https://bugs.webkit.org/show_bug.cgi?id=140928
344
345         Reviewed by Mark Lam.
346
347         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
348         The tests depend on the output to stdout being written in the correct order.
349
350         * runtime/ExceptionFuzz.cpp:
351         (JSC::doExceptionFuzzing):
352
353 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
354
355         Enable the <meter> element on iOS
356         https://bugs.webkit.org/show_bug.cgi?id=161714
357         rdar://problem/8978410
358
359         Reviewed by Tim Horton.
360
361         Define ENABLE_METER_ELEMENT unconditionally now.
362
363         * Configurations/FeatureDefines.xcconfig:
364
365 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
366
367         Modernize Debugger to use nullptr
368         https://bugs.webkit.org/show_bug.cgi?id=161718
369
370         Reviewed by Mark Lam.
371
372         * debugger/Debugger.cpp:
373         (JSC::Debugger::Debugger):
374         (JSC::Debugger::~Debugger):
375         (JSC::Debugger::detach):
376         (JSC::Debugger::stepOutOfFunction):
377         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
378         * debugger/Debugger.h:
379
380 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
381
382         Web Inspector: Remove always false case in Debugger
383         https://bugs.webkit.org/show_bug.cgi?id=161717
384
385         Reviewed by Brian Burg.
386
387         * debugger/Debugger.cpp:
388         (JSC::Debugger::didExecuteProgram):
389         We would have earlier returned a few statements ago if this case was true.
390         And we would have crashed in the previous statement if this case was true.
391
392 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
393
394         Unreviewed, build fix after r205569
395
396         Tweak CMakeLists.txt
397
398         * CMakeLists.txt:
399
400 2016-09-07  Mark Lam  <mark.lam@apple.com>
401
402         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
403         https://bugs.webkit.org/show_bug.cgi?id=161498
404
405         Reviewed by Geoffrey Garen.
406
407         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
408         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
409         introduced.
410
411         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
412         which is a more suitable name now.
413
414         Note: exception scope verification is still disabled by default.  There are still
415         many places that need to be fixed up or re-expressed in a way that is friendly
416         to the verification.  I'll address those in subsequent patches.
417
418         After this patch, the code will statically enforce that:
419         1. all calls to throwException() go through a ThrowScope.
420         2. all calls to clearException() go through a CatchScope.
421         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
422            or CatchScope.
423
424         A Summary of how to use ExceptionScopes
425         =======================================
426         1. If a function can throw a JS exception, it should declare a ThrowScope at the
427            top of the function (as early as possible).
428
429         2. If a function can clear JS exceptions, it should declare a CatchScope at the
430            top of the function (as early as possible).
431
432         Declaring a ThrowScope in a function means that the function may throw an exception
433         that its caller will have to handle.  Declaring a CatchScope in a function means
434         that the function intends to clear pending exceptions before returning to its
435         caller. 
436
437         For more details, see the notes below.
438         
439         Everything you may want to know about ExceptionScopes
440         =====================================================
441         ExceptionScope verification works to simulate exception throws and detect cases
442         where exception checks are missing.  The notes below will cover:
443
444             1. The VM::m_needExceptionCheck bit
445             2. ThrowScopes and CatchScopes
446             3. Verification of needed exception checks
447             3. Checking Exceptions
448             4. Simulating throws
449             5. Using ThrowScope::release()
450             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
451             7. Checking exceptions by checking callee results
452             8. Debugging verification errors
453
454         1. The VM::m_needExceptionCheck bit
455
456            The VM has a m_needExceptionCheck bit that indicates when an exception may be
457            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
458            throw.
459
460         2. ThrowScopes and CatchScopes
461
462            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
463
464            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
465            at the top of its function (as early as possible) e.g.
466  
467                 void foo(...)
468                 {
469                     auto scope = DECLARE_THROW_SCOPE(vm);
470                     ...
471                     throwException(exec, scope, ...);
472                 }
473
474            Note: by convention, every throw helper function must take a ThrowScope argument
475            instead of instantiating its own ThrowScope.  This allows the throw to be
476            attributed to the client code rather than the throw helper itself.
477
478            Every catch site (i.e. a site that calls clearException()) must declare a
479            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
480
481            If a function can both throw or clear exceptions, then the ThrowScope should
482            be declared first so that it can simulate a throw to the function's caller.
483
484            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
485            can be aware if there's an enclosing CatchScope between it and the point where
486            C++ code returns to JS code.  This is needed to determine if the ThrowScope
487            should simulate a re-throw or not.  See (4) below for more details on returning
488            to JS code.
489
490         3. Verification of needed exception checks
491
492            a. On construction, each ThrowScope and CatchScope will verify that
493               VM::m_needExceptionCheck is not set.
494  
495               This ensures that the caller of the current function has checked for exceptions
496               where needed before doing more work which lead to calling the current function.
497
498            b. On destruction, each ThrowScope and CatchScope will verify that
499               VM::m_needExceptionCheck is not set. This verification will be skipped if
500               the ThrowScope has been released (see (5) below).
501
502               This ensures that the function that owns this exception scope is not missing
503               any exception checks before returning.
504
505            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
506               is not already set, unless it's been ask to rethrow the same Exception object.
507
508         4. Simulating throws
509
510            Throws are simulated by setting the m_needExceptionCheck bit.
511
512            The bit will only be set in the ThrowScope destructor except when the ThrowScope
513            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
514            check for exceptions after a host C++ function returns to it.  However, they will
515            not clear the m_needExceptionCheck bit.
516
517            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
518            it will just skip the setting of the bit.
519
520            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
521            throwException methods.  This is because, in practice, we always return
522            immediately after throwing an exception.  It doesn't make sense to set the bit in
523            the throw just to have to clear it immediately after before we do verification in
524            the ThrowScope destructor.
525
526         5. Using ThrowScope::release()
527
528            Calling release() means that the scope is released from its obligation to
529            verify the VM::m_needExceptionCheck bit on destruction.
530
531            release() should only be used at the bottom of a function if:
532
533            a. This function is going to let its caller check and handle the exception, e.g.
534
535                 void foo(...)
536                 {
537                     auto scope = DECLARE_THROW_SCOPE(vm);
538                     auto result = goo(); // may throw.
539
540                     ... // Code that will are not affected by a pending exceptions.
541
542                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
543                     return result;
544                 }
545
546            b. This function is going to do a tail call that may throw.
547
548                 void foo(...)
549                 {
550                     auto scope = DECLARE_THROW_SCOPE(vm);
551                     ...
552                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
553                     return goo(); // may throw.
554                 }
555
556               release() should not be used in code paths that branch. For example:
557
558                 void foo(...)
559                 {
560                     auto scope = DECLARE_THROW_SCOPE(vm);
561
562                     auto result = goo1(); // may throw.
563                     scope.release(); // WRONG !!! Don't do this.
564                     if (result)
565                         return;
566
567                     result = goo2(); // may throw.
568                     ...
569                     return result;
570                 }
571
572             The above will result in a verification error in goo2()'s ThrowScope.  The
573             proper way to fix this verification is to do either (6) or (7) below.
574
575          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
576
577             ThrowScope/CatchScope::exception() returns the thrown Exception object if
578             there is one pending.  Else, it returns nullptr.
579
580             It also clears the m_needExceptionCheck bit thereby indicating that we've
581             satisfied the needed exception check.  For example,
582
583                 void foo(...)
584                 {
585                     auto scope = DECLARE_THROW_SCOPE(vm);
586
587                     auto result = goo1(); // may throw.
588                     if (scope.exception())
589                         return;
590
591                     result = goo2(); // may throw.
592                     ...
593                     return result;
594                 }
595
596             But sometimes, for optimization reasons, we may choose to test the result of
597             the callee function instead doing a load of the VM exception value.  See (7)
598             below.
599
600          7. Checking exceptions by checking callee results
601
602             This approach should only be applied when it makes a difference to performance.
603             If we need to do this, we should add an ASSERT() that invokes the scope's
604             exception() method to verify the result.  Since exception scope verification
605             is only done on DEBUG builds, this ASSERT will satisfy the verification
606             requirements without impacting performance.  For example,
607
608                 void foo(...)
609                 {
610                     auto scope = DECLARE_THROW_SCOPE(vm);
611
612                     bool failed = goo1(); // may throw.
613                     ASSERT(!!scope.exception() == failed)
614                     if (failed)
615                         return;
616
617                     result = goo2(); // may throw.
618                     ...
619                     return result;
620                 }
621
622          8. Debugging verification errors
623
624             a. When verification fails, you will see a message followed by an assertion
625                failure.  For example:
626
627             ERROR: Unchecked JS exception:
628                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
629                     (ExceptionScope::m_recursionDepth was ...)
630                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
631                     (ExceptionScope::m_recursionDepth was ...)
632                 [ backtrace here ]
633
634                The message tells you that failure was detected at in varargsSetup() at
635                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
636                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
637                line 1245 and it.
638
639                If that is insufficient information, you can ...
640
641             b. Dump simulated throws
642
643                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
644                back traces at each simulated throw.
645
646             c. Narrowing down the source of a simulated throw
647
648                Another technique for narrowing down the source of simulated throws is by
649                further dividing a function to smaller regions by separating each region
650                with additional local throw scopes.  For example,
651
652                 ... // Region 1
653                 { auto scope = DECLARE_THROW_SCOPE(vm); }
654                 ... // Region 2
655                 { auto scope = DECLARE_THROW_SCOPE(vm); }
656                 ... // Region 3
657
658         * API/APIUtils.h:
659         (handleExceptionIfNeeded):
660         * CMakeLists.txt:
661         * JavaScriptCore.xcodeproj/project.pbxproj:
662         * bindings/ScriptFunctionCall.cpp:
663         (Deprecated::ScriptFunctionCall::call):
664         * bindings/ScriptValue.cpp:
665         (Deprecated::ScriptValue::toString):
666         * debugger/Debugger.cpp:
667         (JSC::Debugger::pauseIfNeeded):
668         * debugger/DebuggerCallFrame.cpp:
669         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
670         * dfg/DFGOSRExitCompiler.cpp:
671         * dfg/DFGOperations.cpp:
672         (JSC::DFG::operationPutByValInternal):
673         * inspector/InjectedScriptManager.cpp:
674         (Inspector::InjectedScriptManager::createInjectedScript):
675         * inspector/JSGlobalObjectInspectorController.cpp:
676         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
677         * inspector/JSInjectedScriptHost.cpp:
678         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
679         (Inspector::JSInjectedScriptHost::getInternalProperties):
680         (Inspector::JSInjectedScriptHost::weakMapEntries):
681         (Inspector::JSInjectedScriptHost::weakSetEntries):
682         (Inspector::JSInjectedScriptHost::iteratorEntries):
683         * inspector/JSJavaScriptCallFrame.cpp:
684         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
685         * inspector/ScriptCallStackFactory.cpp:
686         (Inspector::extractSourceInformationFromException):
687         * interpreter/CachedCall.h:
688         (JSC::CachedCall::CachedCall):
689         * interpreter/CallFrame.h:
690         (JSC::ExecState::clearException): Deleted.
691         (JSC::ExecState::exception): Deleted.
692         (JSC::ExecState::hadException): Deleted.
693         (JSC::ExecState::lastException): Deleted.
694         (JSC::ExecState::clearLastException): Deleted.
695         * interpreter/Interpreter.cpp:
696         (JSC::eval):
697         (JSC::sizeOfVarargs):
698         (JSC::notifyDebuggerOfUnwinding):
699         (JSC::Interpreter::unwind):
700         (JSC::Interpreter::execute):
701         (JSC::Interpreter::executeCall):
702         (JSC::Interpreter::executeConstruct):
703         (JSC::Interpreter::prepareForRepeatCall):
704         (JSC::Interpreter::debug):
705         * interpreter/Interpreter.h:
706         (JSC::SuspendExceptionScope::SuspendExceptionScope):
707         * interpreter/ShadowChicken.cpp:
708         (JSC::ShadowChicken::functionsOnStack):
709         * jit/JITCode.cpp:
710         (JSC::JITCode::execute):
711         * jit/JITExceptions.cpp:
712         (JSC::genericUnwind):
713         * jit/JITOperations.cpp:
714         (JSC::getByVal):
715         * jsc.cpp:
716         (WTF::ImpureGetter::getOwnPropertySlot):
717         (GlobalObject::moduleLoaderResolve):
718         (GlobalObject::moduleLoaderFetch):
719         (functionCreateElement):
720         (functionRun):
721         (functionRunString):
722         (functionLoad):
723         (functionLoadString):
724         (functionReadFile):
725         (functionCheckSyntax):
726         (functionSetRandomSeed):
727         (functionLoadModule):
728         (functionCreateBuiltin):
729         (functionCheckModuleSyntax):
730         (functionGenerateHeapSnapshot):
731         (functionSamplingProfilerStackTraces):
732         (dumpException):
733         (checkUncaughtException):
734         (runWithScripts):
735         (runInteractive):
736         * llint/LLIntExceptions.cpp:
737         (JSC::LLInt::returnToThrow):
738         (JSC::LLInt::callToThrow):
739         * llint/LLIntSlowPaths.cpp:
740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
741         * profiler/ProfilerBytecodeSequence.cpp:
742         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
743         * profiler/ProfilerCompilation.cpp:
744         (JSC::Profiler::Compilation::toJS):
745         * profiler/ProfilerDatabase.cpp:
746         (JSC::Profiler::Database::toJS):
747         * profiler/ProfilerOSRExitSite.cpp:
748         (JSC::Profiler::OSRExitSite::toJS):
749         * profiler/ProfilerOriginStack.cpp:
750         (JSC::Profiler::OriginStack::toJS):
751         * runtime/ArrayPrototype.cpp:
752         (JSC::speciesConstructArray):
753         (JSC::shift):
754         (JSC::unshift):
755         (JSC::arrayProtoFuncToString):
756         (JSC::arrayProtoFuncToLocaleString):
757         (JSC::slowJoin):
758         (JSC::fastJoin):
759         (JSC::arrayProtoFuncJoin):
760         (JSC::arrayProtoFuncPop):
761         (JSC::arrayProtoFuncPush):
762         (JSC::arrayProtoFuncReverse):
763         (JSC::arrayProtoFuncShift):
764         (JSC::arrayProtoFuncSlice):
765         (JSC::arrayProtoFuncSplice):
766         (JSC::arrayProtoFuncUnShift):
767         (JSC::arrayProtoFuncIndexOf):
768         (JSC::arrayProtoFuncLastIndexOf):
769         (JSC::moveElements):
770         (JSC::concatAppendOne):
771         (JSC::arrayProtoPrivateFuncConcatMemcpy):
772         * runtime/BooleanConstructor.cpp:
773         (JSC::constructWithBooleanConstructor):
774         * runtime/CallData.cpp:
775         (JSC::call):
776         * runtime/CatchScope.cpp: Added.
777         (JSC::CatchScope::CatchScope):
778         (JSC::CatchScope::~CatchScope):
779         * runtime/CatchScope.h: Added.
780         (JSC::CatchScope::clearException):
781         (JSC::CatchScope::CatchScope):
782         * runtime/CommonSlowPaths.cpp:
783         (JSC::SLOW_PATH_DECL):
784         * runtime/CommonSlowPaths.h:
785         (JSC::CommonSlowPaths::opIn):
786         * runtime/CommonSlowPathsExceptions.cpp:
787         (JSC::CommonSlowPaths::interpreterThrowInCaller):
788         * runtime/Completion.cpp:
789         (JSC::evaluate):
790         (JSC::rejectPromise):
791         (JSC::loadAndEvaluateModule):
792         (JSC::loadModule):
793         * runtime/ConsoleObject.cpp:
794         (JSC::consoleProtoFuncAssert):
795         (JSC::consoleProtoFuncProfile):
796         (JSC::consoleProtoFuncProfileEnd):
797         (JSC::consoleProtoFuncTakeHeapSnapshot):
798         (JSC::consoleProtoFuncTime):
799         (JSC::consoleProtoFuncTimeEnd):
800         * runtime/DateConstructor.cpp:
801         (JSC::constructDate):
802         (JSC::dateParse):
803         * runtime/DatePrototype.cpp:
804         (JSC::dateProtoFuncToPrimitiveSymbol):
805         (JSC::dateProtoFuncToJSON):
806         * runtime/ErrorConstructor.cpp:
807         (JSC::Interpreter::constructWithErrorConstructor):
808         * runtime/ErrorInstance.cpp:
809         (JSC::ErrorInstance::sanitizedToString):
810         * runtime/ErrorPrototype.cpp:
811         (JSC::errorProtoFuncToString):
812         * runtime/ExceptionEventLocation.cpp: Added.
813         (WTF::printInternal):
814         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
815         (JSC::ExceptionEventLocation::ExceptionEventLocation):
816         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
817         * runtime/ExceptionHelpers.h:
818         * runtime/ExceptionScope.cpp: Added.
819         (JSC::ExceptionScope::ExceptionScope):
820         (JSC::ExceptionScope::~ExceptionScope):
821         * runtime/ExceptionScope.h: Added.
822         (JSC::ExceptionScope::vm):
823         (JSC::ExceptionScope::recursionDepth):
824         (JSC::ExceptionScope::exception):
825         (JSC::ExceptionScope::ExceptionScope):
826         * runtime/FunctionConstructor.cpp:
827         (JSC::constructFunctionSkippingEvalEnabledCheck):
828         * runtime/FunctionPrototype.cpp:
829         (JSC::functionProtoFuncBind):
830         * runtime/GenericArgumentsInlines.h:
831         (JSC::GenericArguments<Type>::copyToArguments):
832         * runtime/GetterSetter.cpp:
833         (JSC::callGetter):
834         * runtime/InspectorInstrumentationObject.cpp:
835         (JSC::inspectorInstrumentationObjectLog):
836         * runtime/InternalFunction.cpp:
837         (JSC::InternalFunction::createSubclassStructure):
838         * runtime/IntlCollator.cpp:
839         (JSC::IntlCollator::initializeCollator):
840         (JSC::IntlCollator::createCollator):
841         (JSC::IntlCollator::resolvedOptions):
842         * runtime/IntlCollatorConstructor.cpp:
843         (JSC::constructIntlCollator):
844         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
845         * runtime/IntlCollatorPrototype.cpp:
846         (JSC::IntlCollatorFuncCompare):
847         (JSC::IntlCollatorPrototypeGetterCompare):
848         * runtime/IntlDateTimeFormat.cpp:
849         (JSC::toDateTimeOptionsAnyDate):
850         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
851         (JSC::IntlDateTimeFormat::resolvedOptions):
852         (JSC::IntlDateTimeFormat::format):
853         * runtime/IntlDateTimeFormatConstructor.cpp:
854         (JSC::constructIntlDateTimeFormat):
855         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
856         * runtime/IntlDateTimeFormatPrototype.cpp:
857         (JSC::IntlDateTimeFormatFuncFormatDateTime):
858         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
859         * runtime/IntlNumberFormat.cpp:
860         (JSC::IntlNumberFormat::initializeNumberFormat):
861         (JSC::IntlNumberFormat::createNumberFormat):
862         (JSC::IntlNumberFormat::resolvedOptions):
863         * runtime/IntlNumberFormatConstructor.cpp:
864         (JSC::constructIntlNumberFormat):
865         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
866         * runtime/IntlNumberFormatPrototype.cpp:
867         (JSC::IntlNumberFormatFuncFormatNumber):
868         (JSC::IntlNumberFormatPrototypeGetterFormat):
869         * runtime/IntlObject.cpp:
870         (JSC::intlBooleanOption):
871         (JSC::intlStringOption):
872         (JSC::intlNumberOption):
873         (JSC::canonicalizeLocaleList):
874         (JSC::supportedLocales):
875         * runtime/IntlObjectInlines.h:
876         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
877         * runtime/IteratorOperations.cpp:
878         (JSC::iteratorNext):
879         (JSC::iteratorStep):
880         (JSC::iteratorClose):
881         (JSC::iteratorForIterable):
882         * runtime/IteratorOperations.h:
883         (JSC::forEachInIterable):
884         * runtime/JSArray.cpp:
885         (JSC::JSArray::pop):
886         (JSC::JSArray::push):
887         (JSC::JSArray::copyToArguments):
888         * runtime/JSArrayBufferConstructor.cpp:
889         (JSC::constructArrayBuffer):
890         * runtime/JSArrayBufferPrototype.cpp:
891         (JSC::arrayBufferProtoFuncSlice):
892         * runtime/JSArrayInlines.h:
893         (JSC::getLength):
894         (JSC::toLength):
895         * runtime/JSBoundFunction.cpp:
896         (JSC::getBoundFunctionStructure):
897         (JSC::JSBoundFunction::create):
898         * runtime/JSCJSValue.cpp:
899         (JSC::JSValue::putToPrimitive):
900         (JSC::JSValue::putToPrimitiveByIndex):
901         (JSC::JSValue::toStringSlowCase):
902         * runtime/JSCJSValueInlines.h:
903         (JSC::toPreferredPrimitiveType):
904         (JSC::JSValue::getPropertySlot):
905         (JSC::JSValue::equalSlowCaseInline):
906         * runtime/JSDataViewPrototype.cpp:
907         (JSC::getData):
908         (JSC::setData):
909         * runtime/JSFunction.cpp:
910         (JSC::JSFunction::setFunctionName):
911         * runtime/JSGenericTypedArrayView.h:
912         (JSC::JSGenericTypedArrayView::setIndex):
913         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
914         (JSC::constructGenericTypedArrayViewFromIterator):
915         (JSC::constructGenericTypedArrayViewWithArguments):
916         (JSC::constructGenericTypedArrayView):
917         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
918         (JSC::speciesConstruct):
919         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
920         (JSC::genericTypedArrayViewProtoFuncIncludes):
921         (JSC::genericTypedArrayViewProtoFuncIndexOf):
922         (JSC::genericTypedArrayViewProtoFuncJoin):
923         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
924         (JSC::genericTypedArrayViewProtoFuncSlice):
925         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
926         * runtime/JSGlobalObject.h:
927         (JSC::constructEmptyArray):
928         (JSC::constructArray):
929         (JSC::constructArrayNegativeIndexed):
930         * runtime/JSGlobalObjectFunctions.cpp:
931         (JSC::globalFuncEval):
932         * runtime/JSJob.cpp:
933         (JSC::JSJobMicrotask::run):
934         * runtime/JSModuleEnvironment.cpp:
935         (JSC::JSModuleEnvironment::getOwnPropertySlot):
936         * runtime/JSModuleLoader.cpp:
937         (JSC::JSModuleLoader::fetch):
938         * runtime/JSModuleNamespaceObject.cpp:
939         (JSC::JSModuleNamespaceObject::finishCreation):
940         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
941         * runtime/JSModuleRecord.cpp:
942         (JSC::JSModuleRecord::instantiateDeclarations):
943         * runtime/JSONObject.cpp:
944         (JSC::Stringifier::Stringifier):
945         (JSC::Stringifier::stringify):
946         (JSC::Stringifier::toJSON):
947         (JSC::Stringifier::appendStringifiedValue):
948         (JSC::Stringifier::Holder::appendNextProperty):
949         (JSC::Walker::walk):
950         (JSC::JSONProtoFuncParse):
951         * runtime/JSObject.cpp:
952         (JSC::ordinarySetSlow):
953         (JSC::JSObject::setPrototypeWithCycleCheck):
954         (JSC::callToPrimitiveFunction):
955         (JSC::JSObject::ordinaryToPrimitive):
956         (JSC::JSObject::defaultHasInstance):
957         (JSC::JSObject::getPropertyNames):
958         (JSC::JSObject::toNumber):
959         (JSC::JSObject::toString):
960         (JSC::JSObject::defineOwnNonIndexProperty):
961         (JSC::JSObject::getGenericPropertyNames):
962         (JSC::JSObject::getMethod):
963         * runtime/JSObjectInlines.h:
964         (JSC::createListFromArrayLike):
965         (JSC::JSObject::getPropertySlot):
966         (JSC::JSObject::getNonIndexPropertySlot):
967         * runtime/JSPromiseConstructor.cpp:
968         (JSC::constructPromise):
969         * runtime/JSPropertyNameEnumerator.h:
970         (JSC::propertyNameEnumerator):
971         * runtime/JSPropertyNameIterator.cpp:
972         (JSC::JSPropertyNameIterator::create):
973         * runtime/JSScope.cpp:
974         (JSC::isUnscopable):
975         (JSC::JSScope::resolve):
976         * runtime/JSString.cpp:
977         (JSC::JSString::equalSlowCase):
978         * runtime/JSStringJoiner.cpp:
979         (JSC::JSStringJoiner::join):
980         * runtime/LiteralParser.cpp:
981         (JSC::LiteralParser<CharType>::parse):
982         * runtime/MapConstructor.cpp:
983         (JSC::constructMap):
984         * runtime/MathObject.cpp:
985         (JSC::mathProtoFuncClz32):
986         (JSC::mathProtoFuncHypot):
987         (JSC::mathProtoFuncIMul):
988         * runtime/ModuleLoaderPrototype.cpp:
989         (JSC::moduleLoaderPrototypeParseModule):
990         (JSC::moduleLoaderPrototypeRequestedModules):
991         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
992         * runtime/NativeErrorConstructor.cpp:
993         (JSC::Interpreter::constructWithNativeErrorConstructor):
994         * runtime/NumberConstructor.cpp:
995         (JSC::constructWithNumberConstructor):
996         * runtime/ObjectConstructor.cpp:
997         (JSC::constructObject):
998         (JSC::objectConstructorGetPrototypeOf):
999         (JSC::objectConstructorSetPrototypeOf):
1000         (JSC::objectConstructorGetOwnPropertyDescriptor):
1001         (JSC::objectConstructorGetOwnPropertyDescriptors):
1002         (JSC::objectConstructorGetOwnPropertyNames):
1003         (JSC::objectConstructorGetOwnPropertySymbols):
1004         (JSC::objectConstructorKeys):
1005         (JSC::ownEnumerablePropertyKeys):
1006         (JSC::toPropertyDescriptor):
1007         (JSC::objectConstructorDefineProperty):
1008         (JSC::defineProperties):
1009         (JSC::objectConstructorSeal):
1010         (JSC::objectConstructorFreeze):
1011         (JSC::objectConstructorIsSealed):
1012         (JSC::objectConstructorIsFrozen):
1013         (JSC::objectConstructorIsExtensible):
1014         (JSC::ownPropertyKeys):
1015         * runtime/ObjectConstructor.h:
1016         (JSC::constructObjectFromPropertyDescriptor):
1017         * runtime/ObjectPrototype.cpp:
1018         (JSC::objectProtoFuncHasOwnProperty):
1019         (JSC::objectProtoFuncIsPrototypeOf):
1020         (JSC::objectProtoFuncDefineGetter):
1021         (JSC::objectProtoFuncDefineSetter):
1022         (JSC::objectProtoFuncLookupGetter):
1023         (JSC::objectProtoFuncLookupSetter):
1024         (JSC::objectProtoFuncPropertyIsEnumerable):
1025         (JSC::objectProtoFuncToLocaleString):
1026         (JSC::objectProtoFuncToString):
1027         * runtime/Operations.cpp:
1028         (JSC::jsAddSlowCase):
1029         * runtime/Options.h:
1030         * runtime/PropertyDescriptor.cpp:
1031         (JSC::PropertyDescriptor::slowGetterSetter):
1032         * runtime/ProxyConstructor.cpp:
1033         (JSC::makeRevocableProxy):
1034         * runtime/ProxyObject.cpp:
1035         (JSC::ProxyObject::toStringName):
1036         (JSC::performProxyGet):
1037         (JSC::ProxyObject::performGet):
1038         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1039         (JSC::ProxyObject::performHasProperty):
1040         (JSC::ProxyObject::performPut):
1041         (JSC::ProxyObject::putByIndexCommon):
1042         (JSC::performProxyCall):
1043         (JSC::performProxyConstruct):
1044         (JSC::ProxyObject::performDelete):
1045         (JSC::ProxyObject::performPreventExtensions):
1046         (JSC::ProxyObject::performIsExtensible):
1047         (JSC::ProxyObject::performDefineOwnProperty):
1048         (JSC::ProxyObject::performGetOwnPropertyNames):
1049         (JSC::ProxyObject::performSetPrototype):
1050         (JSC::ProxyObject::performGetPrototype):
1051         * runtime/ReflectObject.cpp:
1052         (JSC::reflectObjectConstruct):
1053         (JSC::reflectObjectDefineProperty):
1054         (JSC::reflectObjectGet):
1055         (JSC::reflectObjectGetOwnPropertyDescriptor):
1056         (JSC::reflectObjectIsExtensible):
1057         (JSC::reflectObjectPreventExtensions):
1058         (JSC::reflectObjectSet):
1059         (JSC::reflectObjectSetPrototypeOf):
1060         * runtime/RegExpConstructor.cpp:
1061         (JSC::toFlags):
1062         (JSC::regExpCreate):
1063         (JSC::constructRegExp):
1064         * runtime/RegExpConstructor.h:
1065         (JSC::isRegExp):
1066         * runtime/RegExpObject.cpp:
1067         (JSC::collectMatches):
1068         (JSC::RegExpObject::matchGlobal):
1069         * runtime/RegExpPrototype.cpp:
1070         (JSC::regExpProtoFuncCompile):
1071         (JSC::flagsString):
1072         (JSC::regExpProtoFuncToString):
1073         (JSC::regExpProtoGetterFlags):
1074         (JSC::regExpProtoFuncSearchFast):
1075         (JSC::regExpProtoFuncSplitFast):
1076         * runtime/SetConstructor.cpp:
1077         (JSC::constructSet):
1078         * runtime/StringConstructor.cpp:
1079         (JSC::stringFromCodePoint):
1080         (JSC::constructWithStringConstructor):
1081         * runtime/StringObject.cpp:
1082         (JSC::StringObject::defineOwnProperty):
1083         * runtime/StringPrototype.cpp:
1084         (JSC::replaceUsingRegExpSearch):
1085         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1086         (JSC::replaceUsingStringSearch):
1087         (JSC::replace):
1088         (JSC::stringProtoFuncReplaceUsingRegExp):
1089         (JSC::stringProtoFuncReplaceUsingStringSearch):
1090         (JSC::stringProtoFuncCodePointAt):
1091         (JSC::stringProtoFuncSlice):
1092         (JSC::stringProtoFuncSplitFast):
1093         (JSC::stringProtoFuncSubstr):
1094         (JSC::stringProtoFuncSubstring):
1095         (JSC::stringProtoFuncLocaleCompare):
1096         (JSC::toLocaleCase):
1097         (JSC::stringProtoFuncBig):
1098         (JSC::stringProtoFuncSmall):
1099         (JSC::stringProtoFuncBlink):
1100         (JSC::stringProtoFuncBold):
1101         (JSC::stringProtoFuncFixed):
1102         (JSC::stringProtoFuncItalics):
1103         (JSC::stringProtoFuncStrike):
1104         (JSC::stringProtoFuncSub):
1105         (JSC::stringProtoFuncSup):
1106         (JSC::stringProtoFuncFontcolor):
1107         (JSC::stringProtoFuncFontsize):
1108         (JSC::stringProtoFuncAnchor):
1109         (JSC::stringProtoFuncLink):
1110         (JSC::trimString):
1111         (JSC::stringProtoFuncStartsWith):
1112         (JSC::stringProtoFuncEndsWith):
1113         (JSC::stringIncludesImpl):
1114         (JSC::stringProtoFuncIncludes):
1115         (JSC::builtinStringIncludesInternal):
1116         (JSC::stringProtoFuncNormalize):
1117         * runtime/SymbolConstructor.cpp:
1118         (JSC::symbolConstructorFor):
1119         * runtime/TemplateRegistry.cpp:
1120         (JSC::TemplateRegistry::getTemplateObject):
1121         * runtime/ThrowScope.cpp:
1122         (JSC::ThrowScope::ThrowScope):
1123         (JSC::ThrowScope::~ThrowScope):
1124         (JSC::ThrowScope::throwException):
1125         (JSC::ThrowScope::simulateThrow):
1126         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1127         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1128         * runtime/ThrowScope.h:
1129         (JSC::ThrowScope::release):
1130         (JSC::ThrowScope::ThrowScope):
1131         (JSC::ThrowScope::throwException):
1132         (JSC::ThrowScope::vm): Deleted.
1133         (JSC::ThrowScope::exception): Deleted.
1134         * runtime/ThrowScopeLocation.h: Removed.
1135         * runtime/VM.cpp:
1136         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1137         * runtime/VM.h:
1138         (JSC::VM::exception):
1139         (JSC::VM::clearException):
1140         (JSC::VM::setException): Deleted.
1141         * runtime/WeakMapConstructor.cpp:
1142         (JSC::constructWeakMap):
1143         * runtime/WeakSetConstructor.cpp:
1144         (JSC::constructWeakSet):
1145         * tools/JSDollarVMPrototype.cpp:
1146         (JSC::functionPrint):
1147
1148 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1149
1150         [INTL] some valid language tags cause errors in Intl constructors
1151         https://bugs.webkit.org/show_bug.cgi?id=161672
1152
1153         Reviewed by Mark Lam.
1154
1155         Fix private use tag parsing to match spec, allowing single character parts.
1156         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1157
1158         ```
1159         privateuse    = "x" 1*("-" (1*8alphanum))
1160         ```
1161
1162         * runtime/IntlObject.cpp:
1163         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1164
1165 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1166
1167         [JSC] Remove a couple of useless forward declaration
1168         https://bugs.webkit.org/show_bug.cgi?id=161676
1169
1170         Reviewed by Mark Lam.
1171
1172         JITMathICForwards.h should take care of declarating the Math ICs.
1173
1174         * bytecode/CodeBlock.h:
1175         * jit/JITOperations.h:
1176
1177 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1178
1179         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1180         https://bugs.webkit.org/show_bug.cgi?id=161706
1181
1182         Reviewed by Geoffrey Garen.
1183         
1184         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1185         have to do something different.
1186
1187         * jit/AssemblyHelpers.h:
1188         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1189
1190 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1191
1192         Unreviewed CMake build fix after r205552
1193
1194         * CMakeLists.txt:
1195
1196 2016-09-03  Keith Miller  <keith_miller@apple.com>
1197
1198         Add support for WASM Loops and Branches
1199         https://bugs.webkit.org/show_bug.cgi?id=161569
1200
1201         Reviewed by Benjamin Poulain.
1202
1203         This patch adds support for loops and branches to WASM. In order
1204         to support loops, we needed to change the way the B3IRGenerator
1205         tracked control information. Now, the control data holds three
1206         pieces of information: The continuation block, the loop branch
1207         target, and variables exiting the block. Whenever we branch to
1208         some control point we first check if it is a loop by checking that
1209         the loop branch target is non-null. If the branch is not targeting
1210         a loop, we map the stack values to the associated B3 variables for
1211         that stack slot.
1212
1213         Another interesting thing of note is that we now only allocate the
1214         continuation basic block lazily. This is beneficial when the
1215         continuation would just fall through to another block anyway. For
1216         example, in code like: (block ... (block (add 1 2) end) end) the
1217         continuation for the inner block just falls through to the outer
1218         block's continuation so we don't need an extra block.
1219
1220         * B3CallingConventions.cpp:
1221         (JSC::B3::jscCallingConvention): Deleted.
1222         * B3CallingConventions.h:
1223         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1224         (JSC::B3::CallingConvention::iterate): Deleted.
1225         (JSC::B3::nextJSCOffset): Deleted.
1226         * JavaScriptCore.xcodeproj/project.pbxproj:
1227         * b3/B3Type.h:
1228         * testWASM.cpp:
1229         (runWASMTests):
1230         * wasm/WASMB3IRGenerator.cpp:
1231         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1232         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1233         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1234         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1235         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1236         (JSC::WASM::B3IRGenerator::ControlData::dump):
1237         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1238         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1239         (JSC::WASM::B3IRGenerator::addLocal):
1240         (JSC::WASM::B3IRGenerator::addArguments):
1241         (JSC::WASM::B3IRGenerator::setLocal):
1242         (JSC::WASM::B3IRGenerator::addBlock):
1243         (JSC::WASM::B3IRGenerator::addLoop):
1244         (JSC::WASM::B3IRGenerator::endBlock):
1245         (JSC::WASM::B3IRGenerator::addReturn):
1246         (JSC::WASM::B3IRGenerator::addBranch):
1247         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1248         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1249         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1250         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1251         (JSC::WASM::parseAndCompile):
1252         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1253         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1254         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1255         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1256         (JSC::WASM::jscCallingConvention):
1257         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1258         (JSC::WASM::CallingConvention::CallingConvention):
1259         (JSC::WASM::CallingConvention::iterate):
1260         (JSC::WASM::nextJSCOffset):
1261         * wasm/WASMFormat.h:
1262         (JSC::WASM::toB3Type):
1263         (JSC::WASM::isValueType):
1264         * wasm/WASMFunctionParser.h:
1265         (JSC::WASM::FunctionParser<Context>::parse):
1266         (JSC::WASM::FunctionParser<Context>::parseExpression):
1267         * wasm/WASMModuleParser.cpp:
1268         (JSC::WASM::ModuleParser::parseFunctionTypes):
1269         * wasm/WASMOps.h:
1270
1271 2016-09-07  Youenn Fablet  <youenn@apple.com>
1272
1273         [Streams API] Separate compile flag for ReadableStream and WritableStream
1274         https://bugs.webkit.org/show_bug.cgi?id=161044
1275
1276         Reviewed by Alex Christensen.
1277
1278         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1279         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1280
1281         * Configurations/FeatureDefines.xcconfig:
1282         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1283         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1284         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1285
1286 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1287
1288         Fix the ENABLE(WEBASSEMBLY) build on Linux
1289         https://bugs.webkit.org/show_bug.cgi?id=161685
1290
1291         Unreviewed buildfix.
1292
1293         * wasm/JSWASMModule.cpp:
1294
1295 2016-09-06  Saam Barati  <sbarati@apple.com>
1296
1297         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1298         https://bugs.webkit.org/show_bug.cgi?id=161558
1299
1300         Reviewed by Benjamin Poulain.
1301
1302         ProxyObject had ObjectPrototype as its direct prototype.
1303         This could lead to infinite loops when doing a getDirectPrototype()
1304         loop.
1305
1306         Fixing this bug revealed another bug, which I made when implementing Proxy.
1307         We should not special case "__proto__" in get and set for Proxy Object's
1308         hooks. "__proto__" should just go through the normal set and get path.
1309
1310         * runtime/JSGlobalObject.cpp:
1311         (JSC::JSGlobalObject::init):
1312         * runtime/ProxyObject.cpp:
1313         (JSC::performProxyGet):
1314         (JSC::ProxyObject::put):
1315
1316 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1317
1318         Make JSC::PrivateName copyable
1319         https://bugs.webkit.org/show_bug.cgi?id=161666
1320
1321         Reviewed by Ryosuke Niwa.
1322
1323         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1324         And since the custom copy constructor deletes the default move constructor, we explcitly define
1325         it by `= default;`.
1326
1327         * runtime/PrivateName.h:
1328         (JSC::PrivateName::PrivateName):
1329
1330 2016-09-06  Daniel Bates  <dabates@apple.com>
1331
1332         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1333         https://bugs.webkit.org/show_bug.cgi?id=161296
1334
1335         Reviewed by Dan Bernstein.
1336
1337         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1338         with the iOS 10 beta SDK.
1339
1340         * Configurations/Base.xcconfig:
1341
1342 2016-09-06  Saam Barati  <sbarati@apple.com>
1343
1344         Unreviewed build fix for 32-bit platforms after r205520.
1345
1346         * dfg/DFGSpeculativeJIT.h:
1347         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1348
1349 2016-09-06  Saam Barati  <sbarati@apple.com>
1350
1351         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1352         https://bugs.webkit.org/show_bug.cgi?id=160870
1353
1354         Reviewed by Darin Adler.
1355
1356         Credit goes to Jonathan Bedard for finding this bug using the undefined
1357         behavior sanitizer.
1358
1359         The rule for MaterializeNewObject inside AI was assuming that the graph
1360         is in SSA form. This used to be true when MaterializeNewObject was only
1361         inserted by the allocation sinking phase. However, Filip added more uses
1362         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1363         the bug by using the structure set inside the Node's OpInfo rather than
1364         generating it from m_phiChildren inside AI.
1365
1366         * dfg/DFGAbstractInterpreterInlines.h:
1367         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1368
1369 2016-09-06  Saam Barati  <sbarati@apple.com>
1370
1371         Make JSMap and JSSet faster
1372         https://bugs.webkit.org/show_bug.cgi?id=160989
1373
1374         Reviewed by Filip Pizlo.
1375
1376         This patch revamps how we implement Map and Set. It uses
1377         a new hash map implementation. The hash map uses linear
1378         probing and it uses Wang's 64 bit hash function for JSValues
1379         that aren't strings. Strings use StringImpl's hash function.
1380         The reason I wanted to roll our own HashTable is twofold:
1381         I didn't want to inline WTF::HashMap's implementation into our
1382         JIT, since that seems error prone and unmaintainable. Also, I wanted
1383         a different structure for hash map buckets where buckets also exist in
1384         a linked list.
1385
1386         The reason for making buckets part of a linked list is that iteration
1387         is now simple. Iteration works by just traversing a linked list.
1388         This design also allows for a simple implementation when doing iteration
1389         while the hash table is mutating. Whenever we remove a bucket from
1390         the hash table, it is removed from the list, meaning items in the
1391         list don't point to it. However, the removed bucket will still point
1392         to things that are either in the list, or have also been removed.
1393         e.g, from a removed bucket, you can always follow pointers until you
1394         either find an item in the list, or you find the tail of the list.
1395         This is a really nice property because it means that a Map or Set
1396         does not need to reason about the all the iterators that point
1397         into its list. Also, whenever we add items to the Map or Set, we
1398         hijack the tail as the new item, and make the new item point to a newly
1399         created tail. This means that any iterator that pointed to the "tail" now
1400         points to non-tail items. This makes the implementation of adding things
1401         to the Map/Set while iterating easy.
1402
1403         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1404         into intrinsics in the DFG. The IR can now reason about hash map
1405         operations and can even do CSE over Wang's hash function, hash map
1406         bucket lookups, hash map bucket loads, and testing if a key is in
1407         the hash table. This makes code patterns for Map like so, super fast
1408         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1409
1410         ```
1411         function getKeyIfPresent(map, key) {
1412             if (map.has(key))
1413                 return map.get(key);
1414         }
1415         ```
1416
1417         This patch is roughly an 8% speedup on ES6SampleBench.
1418
1419
1420         * CMakeLists.txt:
1421         * JavaScriptCore.xcodeproj/project.pbxproj:
1422         * assembler/MacroAssemblerARM64.h:
1423         (JSC::MacroAssemblerARM64::not64):
1424         * bytecode/SpeculatedType.cpp:
1425         (JSC::speculationFromClassInfo):
1426         * bytecode/SpeculatedType.h:
1427         * dfg/DFGAbstractInterpreterInlines.h:
1428         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1429         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1430         * dfg/DFGByteCodeParser.cpp:
1431         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1432         * dfg/DFGClobberize.h:
1433         (JSC::DFG::clobberize):
1434         * dfg/DFGDoesGC.cpp:
1435         (JSC::DFG::doesGC):
1436         * dfg/DFGEdge.h:
1437         (JSC::DFG::Edge::shift):
1438         (JSC::DFG::Edge::makeWord):
1439         * dfg/DFGFixupPhase.cpp:
1440         (JSC::DFG::FixupPhase::fixupNode):
1441         * dfg/DFGHeapLocation.cpp:
1442         (WTF::printInternal):
1443         * dfg/DFGHeapLocation.h:
1444         * dfg/DFGNode.h:
1445         (JSC::DFG::Node::hasHeapPrediction):
1446         * dfg/DFGNodeType.h:
1447         * dfg/DFGOperations.cpp:
1448         * dfg/DFGOperations.h:
1449         * dfg/DFGPredictionPropagationPhase.cpp:
1450         * dfg/DFGSafeToExecute.h:
1451         (JSC::DFG::SafeToExecuteEdge::operator()):
1452         (JSC::DFG::safeToExecute):
1453         * dfg/DFGSpeculativeJIT.cpp:
1454         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1455         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1456         (JSC::DFG::SpeculativeJIT::speculate):
1457         * dfg/DFGSpeculativeJIT.h:
1458         (JSC::DFG::SpeculativeJIT::callOperation):
1459         * dfg/DFGSpeculativeJIT32_64.cpp:
1460         (JSC::DFG::SpeculativeJIT::compile):
1461         * dfg/DFGSpeculativeJIT64.cpp:
1462         (JSC::DFG::SpeculativeJIT::compile):
1463         * dfg/DFGUseKind.cpp:
1464         (WTF::printInternal):
1465         * dfg/DFGUseKind.h:
1466         (JSC::DFG::typeFilterFor):
1467         (JSC::DFG::isCell):
1468         * ftl/FTLAbstractHeapRepository.h:
1469         * ftl/FTLCapabilities.cpp:
1470         (JSC::FTL::canCompile):
1471         * ftl/FTLLowerDFGToB3.cpp:
1472         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1473         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1474         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1475         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1476         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1477         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1478         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1479         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1480         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1481         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1482         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1483         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1484         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1485         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1486         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1487         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1488         * jit/AssemblyHelpers.cpp:
1489         (JSC::AssemblyHelpers::wangsInt64Hash):
1490         * jit/AssemblyHelpers.h:
1491         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1492         * jit/JITOperations.h:
1493         * parser/ModuleAnalyzer.cpp:
1494         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1495         * runtime/HashMapImpl.cpp: Added.
1496         (JSC::HashMapBucket<Data>::visitChildren):
1497         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1498         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1499         * runtime/HashMapImpl.h: Added.
1500         (JSC::HashMapBucket::selectStructure):
1501         (JSC::HashMapBucket::createStructure):
1502         (JSC::HashMapBucket::create):
1503         (JSC::HashMapBucket::HashMapBucket):
1504         (JSC::HashMapBucket::setNext):
1505         (JSC::HashMapBucket::setPrev):
1506         (JSC::HashMapBucket::setKey):
1507         (JSC::HashMapBucket::setValue):
1508         (JSC::HashMapBucket::key):
1509         (JSC::HashMapBucket::value):
1510         (JSC::HashMapBucket::next):
1511         (JSC::HashMapBucket::prev):
1512         (JSC::HashMapBucket::deleted):
1513         (JSC::HashMapBucket::setDeleted):
1514         (JSC::HashMapBucket::offsetOfKey):
1515         (JSC::HashMapBucket::offsetOfValue):
1516         (JSC::HashMapBuffer::allocationSize):
1517         (JSC::HashMapBuffer::buffer):
1518         (JSC::HashMapBuffer::create):
1519         (JSC::areKeysEqual):
1520         (JSC::normalizeMapKey):
1521         (JSC::jsMapHash):
1522         (JSC::HashMapImpl::selectStructure):
1523         (JSC::HashMapImpl::createStructure):
1524         (JSC::HashMapImpl::create):
1525         (JSC::HashMapImpl::HashMapImpl):
1526         (JSC::HashMapImpl::buffer):
1527         (JSC::HashMapImpl::finishCreation):
1528         (JSC::HashMapImpl::emptyValue):
1529         (JSC::HashMapImpl::isEmpty):
1530         (JSC::HashMapImpl::deletedValue):
1531         (JSC::HashMapImpl::isDeleted):
1532         (JSC::HashMapImpl::findBucket):
1533         (JSC::HashMapImpl::get):
1534         (JSC::HashMapImpl::has):
1535         (JSC::HashMapImpl::add):
1536         (JSC::HashMapImpl::remove):
1537         (JSC::HashMapImpl::size):
1538         (JSC::HashMapImpl::clear):
1539         (JSC::HashMapImpl::bufferSizeInBytes):
1540         (JSC::HashMapImpl::offsetOfBuffer):
1541         (JSC::HashMapImpl::offsetOfCapacity):
1542         (JSC::HashMapImpl::head):
1543         (JSC::HashMapImpl::tail):
1544         (JSC::HashMapImpl::approximateSize):
1545         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1546         (JSC::HashMapImpl::rehash):
1547         (JSC::HashMapImpl::makeAndSetNewBuffer):
1548         * runtime/Intrinsic.h:
1549         * runtime/JSCJSValue.h:
1550         * runtime/JSCJSValueInlines.h:
1551         (JSC::sameValue):
1552         * runtime/JSGlobalObject.cpp:
1553         (JSC::JSGlobalObject::init):
1554         * runtime/JSMap.cpp:
1555         (JSC::JSMap::destroy): Deleted.
1556         (JSC::JSMap::estimatedSize): Deleted.
1557         (JSC::JSMap::visitChildren): Deleted.
1558         (JSC::JSMap::copyBackingStore): Deleted.
1559         (JSC::JSMap::has): Deleted.
1560         (JSC::JSMap::size): Deleted.
1561         (JSC::JSMap::get): Deleted.
1562         (JSC::JSMap::set): Deleted.
1563         (JSC::JSMap::clear): Deleted.
1564         (JSC::JSMap::remove): Deleted.
1565         * runtime/JSMap.h:
1566         (JSC::JSMap::createStructure):
1567         (JSC::JSMap::create):
1568         (JSC::JSMap::get):
1569         (JSC::JSMap::set):
1570         (JSC::JSMap::JSMap):
1571         (JSC::JSMap::Entry::key): Deleted.
1572         (JSC::JSMap::Entry::value): Deleted.
1573         (JSC::JSMap::Entry::visitChildren): Deleted.
1574         (JSC::JSMap::Entry::setKey): Deleted.
1575         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1576         (JSC::JSMap::Entry::setValue): Deleted.
1577         (JSC::JSMap::Entry::clear): Deleted.
1578         * runtime/JSMapIterator.cpp:
1579         (JSC::JSMapIterator::finishCreation):
1580         (JSC::JSMapIterator::visitChildren):
1581         (JSC::JSMapIterator::clone):
1582         * runtime/JSMapIterator.h:
1583         (JSC::JSMapIterator::advanceIter):
1584         (JSC::JSMapIterator::next):
1585         (JSC::JSMapIterator::nextKeyValue):
1586         (JSC::JSMapIterator::JSMapIterator):
1587         (JSC::JSMapIterator::setIterator):
1588         (JSC::JSMapIterator::finish): Deleted.
1589         (JSC::JSMapIterator::iteratorData): Deleted.
1590         * runtime/JSModuleLoader.cpp:
1591         (JSC::JSModuleLoader::finishCreation):
1592         * runtime/JSModuleLoader.h:
1593         (JSC::JSModuleLoader::create):
1594         * runtime/JSModuleRecord.cpp:
1595         (JSC::JSModuleRecord::finishCreation):
1596         * runtime/JSModuleRecord.h:
1597         (JSC::JSModuleRecord::create):
1598         * runtime/JSSet.cpp:
1599         (JSC::JSSet::destroy): Deleted.
1600         (JSC::JSSet::estimatedSize): Deleted.
1601         (JSC::JSSet::visitChildren): Deleted.
1602         (JSC::JSSet::copyBackingStore): Deleted.
1603         (JSC::JSSet::has): Deleted.
1604         (JSC::JSSet::size): Deleted.
1605         (JSC::JSSet::add): Deleted.
1606         (JSC::JSSet::clear): Deleted.
1607         (JSC::JSSet::remove): Deleted.
1608         * runtime/JSSet.h:
1609         (JSC::JSSet::createStructure):
1610         (JSC::JSSet::create):
1611         (JSC::JSSet::add):
1612         (JSC::JSSet::JSSet):
1613         (JSC::JSSet::Entry::key): Deleted.
1614         (JSC::JSSet::Entry::value): Deleted.
1615         (JSC::JSSet::Entry::visitChildren): Deleted.
1616         (JSC::JSSet::Entry::setKey): Deleted.
1617         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1618         (JSC::JSSet::Entry::setValue): Deleted.
1619         (JSC::JSSet::Entry::clear): Deleted.
1620         * runtime/JSSetIterator.cpp:
1621         (JSC::JSSetIterator::finishCreation):
1622         (JSC::JSSetIterator::visitChildren):
1623         (JSC::JSSetIterator::clone):
1624         * runtime/JSSetIterator.h:
1625         (JSC::JSSetIterator::advanceIter):
1626         (JSC::JSSetIterator::next):
1627         (JSC::JSSetIterator::JSSetIterator):
1628         (JSC::JSSetIterator::setIterator):
1629         (JSC::JSSetIterator::finish): Deleted.
1630         (JSC::JSSetIterator::iteratorData): Deleted.
1631         * runtime/JSType.h:
1632         * runtime/MapBase.cpp: Added.
1633         (JSC::MapBase<HashMapBucketType>::visitChildren):
1634         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1635         * runtime/MapBase.h: Added.
1636         (JSC::MapBase::size):
1637         (JSC::MapBase::has):
1638         (JSC::MapBase::clear):
1639         (JSC::MapBase::remove):
1640         (JSC::MapBase::findBucket):
1641         (JSC::MapBase::offsetOfHashMapImpl):
1642         (JSC::MapBase::impl):
1643         (JSC::MapBase::finishCreation):
1644         (JSC::MapBase::MapBase):
1645         * runtime/MapConstructor.cpp:
1646         (JSC::constructMap):
1647         * runtime/MapIteratorPrototype.cpp:
1648         (JSC::MapIteratorPrototypeFuncNext):
1649         * runtime/MapPrototype.cpp:
1650         (JSC::MapPrototype::finishCreation):
1651         (JSC::getMap):
1652         (JSC::privateFuncIsMap):
1653         (JSC::privateFuncMapIteratorNext):
1654         * runtime/PropertyDescriptor.cpp:
1655         (JSC::sameValue): Deleted.
1656         * runtime/PropertyDescriptor.h:
1657         * runtime/SetConstructor.cpp:
1658         (JSC::constructSet):
1659         * runtime/SetIteratorPrototype.cpp:
1660         (JSC::SetIteratorPrototypeFuncNext):
1661         * runtime/SetPrototype.cpp:
1662         (JSC::SetPrototype::finishCreation):
1663         (JSC::getSet):
1664         (JSC::privateFuncSetIteratorNext):
1665         * runtime/VM.cpp:
1666         (JSC::VM::VM):
1667         * runtime/VM.h:
1668
1669 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1670
1671         [JSC] Make ArithClz32 work with Cell arguments
1672         https://bugs.webkit.org/show_bug.cgi?id=161369
1673
1674         Reviewed by Geoffrey Garen.
1675
1676         ArithClz32 was already working with all primitive types
1677         thanks to the magic of ValueToInt32.
1678         This patch adds support for cell arguments through a function
1679         call.
1680
1681         * dfg/DFGAbstractInterpreterInlines.h:
1682         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1683         * dfg/DFGClobberize.h:
1684         (JSC::DFG::clobberize):
1685         * dfg/DFGFixupPhase.cpp:
1686         (JSC::DFG::FixupPhase::fixupNode):
1687         * dfg/DFGNodeType.h:
1688         * dfg/DFGOperations.cpp:
1689         * dfg/DFGOperations.h:
1690         * dfg/DFGSpeculativeJIT.cpp:
1691         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1692         * dfg/DFGSpeculativeJIT.h:
1693         (JSC::DFG::SpeculativeJIT::callOperation):
1694         * ftl/FTLLowerDFGToB3.cpp:
1695         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1696
1697 2016-09-06  Mark Lam  <mark.lam@apple.com>
1698
1699         Gardening: change to use old header guard to appease Win EWS.
1700
1701         Not reviewed.
1702
1703         * runtime/AuxiliaryBarrier.h:
1704
1705 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1706
1707         Unreviewed, rolling out r205494.
1708         https://bugs.webkit.org/show_bug.cgi?id=161646
1709
1710         This change broke the Windows build (Requested by ryanhaddad
1711         on #webkit).
1712
1713         Reverted changeset:
1714
1715         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1716         https://bugs.webkit.org/show_bug.cgi?id=161100
1717         http://trac.webkit.org/changeset/205494
1718
1719 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1720
1721         Unreviewed, rolling out r205504.
1722         https://bugs.webkit.org/show_bug.cgi?id=161645
1723
1724         Broke the iOS device build (Requested by ryanhaddad on
1725         #webkit).
1726
1727         Reverted changeset:
1728
1729         "Make JSMap and JSSet faster"
1730         https://bugs.webkit.org/show_bug.cgi?id=160989
1731         http://trac.webkit.org/changeset/205504
1732
1733 2016-09-06  Saam Barati  <sbarati@apple.com>
1734
1735         Make JSMap and JSSet faster
1736         https://bugs.webkit.org/show_bug.cgi?id=160989
1737
1738         Reviewed by Filip Pizlo.
1739
1740         This patch revamps how we implement Map and Set. It uses
1741         a new hash map implementation. The hash map uses linear
1742         probing and it uses Wang's 64 bit hash function for JSValues
1743         that aren't strings. Strings use StringImpl's hash function.
1744         The reason I wanted to roll our own HashTable is twofold:
1745         I didn't want to inline WTF::HashMap's implementation into our
1746         JIT, since that seems error prone and unmaintainable. Also, I wanted
1747         a different structure for hash map buckets where buckets also exist in
1748         a linked list.
1749
1750         The reason for making buckets part of a linked list is that iteration
1751         is now simple. Iteration works by just traversing a linked list.
1752         This design also allows for a simple implementation when doing iteration
1753         while the hash table is mutating. Whenever we remove a bucket from
1754         the hash table, it is removed from the list, meaning items in the
1755         list don't point to it. However, the removed bucket will still point
1756         to things that are either in the list, or have also been removed.
1757         e.g, from a removed bucket, you can always follow pointers until you
1758         either find an item in the list, or you find the tail of the list.
1759         This is a really nice property because it means that a Map or Set
1760         does not need to reason about the all the iterators that point
1761         into its list. Also, whenever we add items to the Map or Set, we
1762         hijack the tail as the new item, and make the new item point to a newly
1763         created tail. This means that any iterator that pointed to the "tail" now
1764         points to non-tail items. This makes the implementation of adding things
1765         to the Map/Set while iterating easy.
1766
1767         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1768         into intrinsics in the DFG. The IR can now reason about hash map
1769         operations and can even do CSE over Wang's hash function, hash map
1770         bucket lookups, hash map bucket loads, and testing if a key is in
1771         the hash table. This makes code patterns for Map like so, super fast
1772         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1773
1774         ```
1775         function getKeyIfPresent(map, key) {
1776             if (map.has(key))
1777                 return map.get(key);
1778         }
1779         ```
1780
1781         This patch is roughly an 8% speedup on ES6SampleBench.
1782
1783         * CMakeLists.txt:
1784         * JavaScriptCore.xcodeproj/project.pbxproj:
1785         * bytecode/SpeculatedType.cpp:
1786         (JSC::speculationFromClassInfo):
1787         * bytecode/SpeculatedType.h:
1788         * dfg/DFGAbstractInterpreterInlines.h:
1789         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1790         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1791         * dfg/DFGByteCodeParser.cpp:
1792         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1793         * dfg/DFGClobberize.h:
1794         (JSC::DFG::clobberize):
1795         * dfg/DFGDoesGC.cpp:
1796         (JSC::DFG::doesGC):
1797         * dfg/DFGEdge.h:
1798         (JSC::DFG::Edge::shift):
1799         (JSC::DFG::Edge::makeWord):
1800         * dfg/DFGFixupPhase.cpp:
1801         (JSC::DFG::FixupPhase::fixupNode):
1802         * dfg/DFGHeapLocation.cpp:
1803         (WTF::printInternal):
1804         * dfg/DFGHeapLocation.h:
1805         * dfg/DFGNode.h:
1806         (JSC::DFG::Node::hasHeapPrediction):
1807         * dfg/DFGNodeType.h:
1808         * dfg/DFGOperations.cpp:
1809         * dfg/DFGOperations.h:
1810         * dfg/DFGPredictionPropagationPhase.cpp:
1811         * dfg/DFGSafeToExecute.h:
1812         (JSC::DFG::SafeToExecuteEdge::operator()):
1813         (JSC::DFG::safeToExecute):
1814         * dfg/DFGSpeculativeJIT.cpp:
1815         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1816         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1817         (JSC::DFG::SpeculativeJIT::speculate):
1818         * dfg/DFGSpeculativeJIT.h:
1819         (JSC::DFG::SpeculativeJIT::callOperation):
1820         * dfg/DFGSpeculativeJIT32_64.cpp:
1821         (JSC::DFG::SpeculativeJIT::compile):
1822         * dfg/DFGSpeculativeJIT64.cpp:
1823         (JSC::DFG::SpeculativeJIT::compile):
1824         * dfg/DFGUseKind.cpp:
1825         (WTF::printInternal):
1826         * dfg/DFGUseKind.h:
1827         (JSC::DFG::typeFilterFor):
1828         (JSC::DFG::isCell):
1829         * ftl/FTLAbstractHeapRepository.h:
1830         * ftl/FTLCapabilities.cpp:
1831         (JSC::FTL::canCompile):
1832         * ftl/FTLLowerDFGToB3.cpp:
1833         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1834         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1835         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1836         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1837         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1838         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1839         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1840         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1841         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1842         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1843         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1844         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1845         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1846         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1847         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1848         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1849         * jit/AssemblyHelpers.cpp:
1850         (JSC::AssemblyHelpers::wangsInt64Hash):
1851         * jit/AssemblyHelpers.h:
1852         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1853         * jit/JITOperations.h:
1854         * parser/ModuleAnalyzer.cpp:
1855         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1856         * runtime/HashMapImpl.cpp: Added.
1857         (JSC::HashMapBucket<Data>::visitChildren):
1858         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1859         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1860         * runtime/HashMapImpl.h: Added.
1861         (JSC::HashMapBucket::selectStructure):
1862         (JSC::HashMapBucket::createStructure):
1863         (JSC::HashMapBucket::create):
1864         (JSC::HashMapBucket::HashMapBucket):
1865         (JSC::HashMapBucket::setNext):
1866         (JSC::HashMapBucket::setPrev):
1867         (JSC::HashMapBucket::setKey):
1868         (JSC::HashMapBucket::setValue):
1869         (JSC::HashMapBucket::key):
1870         (JSC::HashMapBucket::value):
1871         (JSC::HashMapBucket::next):
1872         (JSC::HashMapBucket::prev):
1873         (JSC::HashMapBucket::deleted):
1874         (JSC::HashMapBucket::setDeleted):
1875         (JSC::HashMapBucket::offsetOfKey):
1876         (JSC::HashMapBucket::offsetOfValue):
1877         (JSC::HashMapBuffer::allocationSize):
1878         (JSC::HashMapBuffer::buffer):
1879         (JSC::HashMapBuffer::create):
1880         (JSC::areKeysEqual):
1881         (JSC::normalizeMapKey):
1882         (JSC::jsMapHash):
1883         (JSC::HashMapImpl::selectStructure):
1884         (JSC::HashMapImpl::createStructure):
1885         (JSC::HashMapImpl::create):
1886         (JSC::HashMapImpl::HashMapImpl):
1887         (JSC::HashMapImpl::buffer):
1888         (JSC::HashMapImpl::finishCreation):
1889         (JSC::HashMapImpl::emptyValue):
1890         (JSC::HashMapImpl::isEmpty):
1891         (JSC::HashMapImpl::deletedValue):
1892         (JSC::HashMapImpl::isDeleted):
1893         (JSC::HashMapImpl::findBucket):
1894         (JSC::HashMapImpl::get):
1895         (JSC::HashMapImpl::has):
1896         (JSC::HashMapImpl::add):
1897         (JSC::HashMapImpl::remove):
1898         (JSC::HashMapImpl::size):
1899         (JSC::HashMapImpl::clear):
1900         (JSC::HashMapImpl::bufferSizeInBytes):
1901         (JSC::HashMapImpl::offsetOfBuffer):
1902         (JSC::HashMapImpl::offsetOfCapacity):
1903         (JSC::HashMapImpl::head):
1904         (JSC::HashMapImpl::tail):
1905         (JSC::HashMapImpl::approximateSize):
1906         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1907         (JSC::HashMapImpl::rehash):
1908         (JSC::HashMapImpl::makeAndSetNewBuffer):
1909         * runtime/Intrinsic.h:
1910         * runtime/JSCJSValue.h:
1911         * runtime/JSCJSValueInlines.h:
1912         (JSC::sameValue):
1913         * runtime/JSGlobalObject.cpp:
1914         (JSC::JSGlobalObject::init):
1915         * runtime/JSMap.cpp:
1916         (JSC::JSMap::destroy): Deleted.
1917         (JSC::JSMap::estimatedSize): Deleted.
1918         (JSC::JSMap::visitChildren): Deleted.
1919         (JSC::JSMap::copyBackingStore): Deleted.
1920         (JSC::JSMap::has): Deleted.
1921         (JSC::JSMap::size): Deleted.
1922         (JSC::JSMap::get): Deleted.
1923         (JSC::JSMap::set): Deleted.
1924         (JSC::JSMap::clear): Deleted.
1925         (JSC::JSMap::remove): Deleted.
1926         * runtime/JSMap.h:
1927         (JSC::JSMap::createStructure):
1928         (JSC::JSMap::create):
1929         (JSC::JSMap::get):
1930         (JSC::JSMap::set):
1931         (JSC::JSMap::JSMap):
1932         (JSC::JSMap::Entry::key): Deleted.
1933         (JSC::JSMap::Entry::value): Deleted.
1934         (JSC::JSMap::Entry::visitChildren): Deleted.
1935         (JSC::JSMap::Entry::setKey): Deleted.
1936         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1937         (JSC::JSMap::Entry::setValue): Deleted.
1938         (JSC::JSMap::Entry::clear): Deleted.
1939         * runtime/JSMapIterator.cpp:
1940         (JSC::JSMapIterator::finishCreation):
1941         (JSC::JSMapIterator::visitChildren):
1942         (JSC::JSMapIterator::clone):
1943         * runtime/JSMapIterator.h:
1944         (JSC::JSMapIterator::advanceIter):
1945         (JSC::JSMapIterator::next):
1946         (JSC::JSMapIterator::nextKeyValue):
1947         (JSC::JSMapIterator::JSMapIterator):
1948         (JSC::JSMapIterator::setIterator):
1949         (JSC::JSMapIterator::finish): Deleted.
1950         (JSC::JSMapIterator::iteratorData): Deleted.
1951         * runtime/JSModuleLoader.cpp:
1952         (JSC::JSModuleLoader::finishCreation):
1953         * runtime/JSModuleLoader.h:
1954         (JSC::JSModuleLoader::create):
1955         * runtime/JSModuleRecord.cpp:
1956         (JSC::JSModuleRecord::finishCreation):
1957         * runtime/JSModuleRecord.h:
1958         (JSC::JSModuleRecord::create):
1959         * runtime/JSSet.cpp:
1960         (JSC::JSSet::destroy): Deleted.
1961         (JSC::JSSet::estimatedSize): Deleted.
1962         (JSC::JSSet::visitChildren): Deleted.
1963         (JSC::JSSet::copyBackingStore): Deleted.
1964         (JSC::JSSet::has): Deleted.
1965         (JSC::JSSet::size): Deleted.
1966         (JSC::JSSet::add): Deleted.
1967         (JSC::JSSet::clear): Deleted.
1968         (JSC::JSSet::remove): Deleted.
1969         * runtime/JSSet.h:
1970         (JSC::JSSet::createStructure):
1971         (JSC::JSSet::create):
1972         (JSC::JSSet::add):
1973         (JSC::JSSet::JSSet):
1974         (JSC::JSSet::Entry::key): Deleted.
1975         (JSC::JSSet::Entry::value): Deleted.
1976         (JSC::JSSet::Entry::visitChildren): Deleted.
1977         (JSC::JSSet::Entry::setKey): Deleted.
1978         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1979         (JSC::JSSet::Entry::setValue): Deleted.
1980         (JSC::JSSet::Entry::clear): Deleted.
1981         * runtime/JSSetIterator.cpp:
1982         (JSC::JSSetIterator::finishCreation):
1983         (JSC::JSSetIterator::visitChildren):
1984         (JSC::JSSetIterator::clone):
1985         * runtime/JSSetIterator.h:
1986         (JSC::JSSetIterator::advanceIter):
1987         (JSC::JSSetIterator::next):
1988         (JSC::JSSetIterator::JSSetIterator):
1989         (JSC::JSSetIterator::setIterator):
1990         (JSC::JSSetIterator::finish): Deleted.
1991         (JSC::JSSetIterator::iteratorData): Deleted.
1992         * runtime/JSType.h:
1993         * runtime/MapBase.cpp: Added.
1994         (JSC::MapBase<HashMapBucketType>::visitChildren):
1995         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1996         * runtime/MapBase.h: Added.
1997         (JSC::MapBase::size):
1998         (JSC::MapBase::has):
1999         (JSC::MapBase::clear):
2000         (JSC::MapBase::remove):
2001         (JSC::MapBase::findBucket):
2002         (JSC::MapBase::offsetOfHashMapImpl):
2003         (JSC::MapBase::impl):
2004         (JSC::MapBase::finishCreation):
2005         (JSC::MapBase::MapBase):
2006         * runtime/MapConstructor.cpp:
2007         (JSC::constructMap):
2008         * runtime/MapIteratorPrototype.cpp:
2009         (JSC::MapIteratorPrototypeFuncNext):
2010         * runtime/MapPrototype.cpp:
2011         (JSC::MapPrototype::finishCreation):
2012         (JSC::getMap):
2013         (JSC::privateFuncIsMap):
2014         (JSC::privateFuncMapIteratorNext):
2015         * runtime/PropertyDescriptor.cpp:
2016         (JSC::sameValue): Deleted.
2017         * runtime/PropertyDescriptor.h:
2018         * runtime/SetConstructor.cpp:
2019         (JSC::constructSet):
2020         * runtime/SetIteratorPrototype.cpp:
2021         (JSC::SetIteratorPrototypeFuncNext):
2022         * runtime/SetPrototype.cpp:
2023         (JSC::SetPrototype::finishCreation):
2024         (JSC::getSet):
2025         (JSC::privateFuncSetIteratorNext):
2026         * runtime/VM.cpp:
2027         (JSC::VM::VM):
2028         * runtime/VM.h:
2029
2030 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2031
2032         Typed arrays should use MarkedSpace instead of CopiedSpace
2033         https://bugs.webkit.org/show_bug.cgi?id=161100
2034
2035         Reviewed by Geoffrey Garen.
2036         
2037         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2038         
2039         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2040         everything that typed arrays want.
2041
2042         * dfg/DFGOperations.cpp:
2043         (JSC::DFG::newTypedArrayWithSize):
2044         * dfg/DFGOperations.h:
2045         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2046         * dfg/DFGSpeculativeJIT.cpp:
2047         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2048         * dfg/DFGSpeculativeJIT.h:
2049         (JSC::DFG::SpeculativeJIT::callOperation):
2050         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2051         * ftl/FTLLowerDFGToB3.cpp:
2052         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2053         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2054         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2055         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2056         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2057         * heap/CopyToken.h:
2058         * heap/SlotVisitor.cpp:
2059         (JSC::SlotVisitor::markAuxiliary):
2060         * jit/JITOperations.h:
2061         * runtime/JSArrayBufferView.cpp:
2062         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2063         (JSC::JSArrayBufferView::JSArrayBufferView):
2064         * runtime/JSArrayBufferView.h:
2065         * runtime/JSGenericTypedArrayView.h:
2066         * runtime/JSGenericTypedArrayViewInlines.h:
2067         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2068         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2069         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2070         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2071
2072 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2073
2074         Silence GCC warning spam introduced in r205462
2075
2076         Rubber-stamped by Filip Pizlo.
2077
2078         * bytecode/Opcode.h:
2079         (JSC::padOpcodeName):
2080
2081 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2082
2083         Heap::isMarked() should use concurrent lazy flipping
2084         https://bugs.webkit.org/show_bug.cgi?id=161613
2085
2086         Reviewed by Michael Catanzaro.
2087         
2088         I found out about this race condition via
2089         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2090         
2091         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2092         phase. So, they need to lazy-flip in a non-racy way.
2093
2094         * heap/HeapInlines.h:
2095         (JSC::Heap::isLive):
2096         (JSC::Heap::isMarked):
2097
2098 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2099
2100         Unreviewed, reset generator test results after the butterflies.
2101
2102         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2103         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2104         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2105         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2106         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2107         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2108         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2109         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2110         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2111         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2112         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2113         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2114         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2115         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2116
2117 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2118
2119         Unreviewed, fix cloop build.
2120
2121         * bytecode/SuperSampler.cpp:
2122
2123 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2124
2125         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2126         https://bugs.webkit.org/show_bug.cgi?id=160125
2127
2128         Reviewed by Geoffrey Garen and Keith Miller.
2129
2130         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2131         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2132         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2133         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2134         to get rid of copied space. This change moves copied space's biggest client over to marked
2135         space.
2136         
2137         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2138         allocation path. This is a fairly mechanical change, but it caused performance regressions
2139         everywhere, so this change also fixes MarkedSpace's performance issues.
2140         
2141         At a high level the mechanical changes are:
2142         
2143         - We use AuxiliaryBarrier instead of CopyBarrier.
2144         
2145         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2146           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2147         
2148         - The JITs have to emit inlined marked space allocations instead of inline copy space
2149           allocations.
2150         
2151         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2152           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2153           space doesn't.
2154         
2155         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2156         optimizations that amounted to a major MarkedSpace rewrite:
2157         
2158         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2159           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2160           size class. I got around this by making array allocations usually round up vectorLength to
2161           the maximum allowed by the size class that we would have allocated in. Also,
2162           ensureLengthSlow() and friends first make sure that the requested length can't just be
2163           fulfilled with the current allocation size. This safeguard means that not every array
2164           allocation has to do size class queries. For example, the fast path of new Array(length)
2165           never does any size class queries, under the assumption that (1) the speed gained from
2166           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2167           size class query, is too small to offset the speed lost by doing the query on every
2168           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2169           likely.
2170         
2171         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2172           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2173           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2174           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2175           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2176           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2177           size (80 bytes), we proceed using a geometric progression, but round up each size to
2178           minimize slop at the end of the block. This naturally causes the geometric progression to
2179           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2180           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2181         
2182         - Large allocations caused massive internal fragmentation, since the smallest large
2183           allocation had to use exactly blockSize, and the largest small allocation used
2184           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2185           also had 50% internal fragmentation. This is because we required large allocations to be
2186           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2187           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2188           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2189           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2190           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2191           out great since (1) typed arrays won't use large allocations anyway since they have their
2192           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2193           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2194           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2195           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2196           must be small allocations. It's also possible to use template tricks to do one check for
2197           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2198           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2199           that get used from functions that are template-specialized like this. That's mostly to
2200           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2201           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2202           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2203           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2204           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2205           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2206           that the MarkedBlock size classes end up being:
2207           
2208           16, 32, 48, 64, 80, 112, 160, 224, 320
2209           
2210           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2211           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2212           size classes you end up with by doing --dumpSizeClasses=true.
2213         
2214         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2215           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2216           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2217           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2218           side, for better locality during a sequential walk. It's no longer necessary to scan
2219           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2220           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2221           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2222           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2223           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2224           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2225           together, these optimizations allowed me to reduce block size to 16KB without losing much
2226           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2227           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2228           progression on membuster. That's not possible yet, since there is still enough per-block
2229           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2230           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2231         
2232         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2233           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2234           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2235           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2236           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2237           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2238           that we walk the block to build a free list. This means walking dead space. The new
2239           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2240           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2241           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2242           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2243           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2244           is completely empty, which is the common case because of the generational hypothesis: the
2245           number of objects that survive an eden collection is a tiny fraction of the number of
2246           objects that had been allocated, and this fraction is so small that there are typically
2247           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2248           win over tip-of-tree.
2249         
2250         - FTL now shares the same allocation fast paths as everything else, which is great, because
2251           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2252           control flow, since it won't be able to improve the machine code we write ourselves. GC
2253           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2254           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2255           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2256           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2257           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2258           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2259           variable-length allocation but then realize that the length is known). I think it makes
2260           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2261           since this makes lowering easier (you can constant fold during lowering more easily) and it
2262           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2263           constant-fold this code. That would require allowing loads to be constant-folded, which is
2264           doable but hella tricky.
2265         
2266         - It used to be that if a logical object allocation required two physical allocations (first
2267           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2268           failure in the second fast path would cause us to forget the successful first physical
2269           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2270           register to storing either the butterfly or null, because the butterfly register is anyway
2271           going to be free inside the first allocation. The only overhead here is zeroing the
2272           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2273           path, which can then either allocate a butterfly or not. So now we never waste a successful
2274           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2275           since we control registers already) and in FTL (where it's annoying, because mutable
2276           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2277           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2278           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2279           benchmark would always allocate N small things followed by one bigger thing. The problem
2280           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2281           the JSObject size class, which both the small and big thing shared for their cell, could
2282           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2283           it allocated the big thing. So, it would end up having to allocate the big thing's large
2284           butterfly twice, every single time! Ouch!
2285         
2286         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2287           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2288           of the allocator to initialize the object to whatever state they need. It used to be that
2289           we would just use a dumb loop. I initially changed this so that we would end up in memset
2290           for large allocations, but this didn't actually help performance that much. I got a much
2291           better result by playing with different memsets written in assembly. First I wrote one
2292           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2293           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2294           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2295           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2296           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2297           of stores (if the size is known), but those paths in the JIT won't trigger for
2298           NewArrayWithSize() if the size is large, since that takes us to the
2299           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2300           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2301           that need to be filled with holes.
2302         
2303         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2304         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2305         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2306         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2307         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2308         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2309         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2310         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2311         marking barrier and we simply won't need a copying barrier. This change gets us there for
2312         the purposes of our benchmarks, since the remaining clients of copied space are not very
2313         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2314         adding back the copy barrier, which costs more perf.
2315         
2316         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2317         typed arrays and a few other weird things over to Aux MarkedSpace.
2318         
2319         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2320         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2321         just including JSCInlines.h (instead of manually including the files that includes) is
2322         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2323         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2324         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2325         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2326         meant having to manually include HeapInlines.h from the places that previously got it
2327         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2328         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2329         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2330         made it impossible to include it from outside JSC. This was a lot of work, but it was
2331         necessary to get the patch to build on all ports. It's also a net win. There were many places
2332         in WebCore that were transitively including a *ton* of JSC headers just because of the
2333         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2334         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2335
2336         * API/JSManagedValue.mm:
2337         (-[JSManagedValue initWithValue:]):
2338         * API/JSTypedArray.cpp:
2339         * API/ObjCCallbackFunction.mm:
2340         * API/tests/testapi.mm:
2341         (testObjectiveCAPI):
2342         (testWeakValue): Deleted.
2343         * CMakeLists.txt:
2344         * JavaScriptCore.xcodeproj/project.pbxproj:
2345         * Scripts/builtins/builtins_generate_combined_implementation.py:
2346         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2347         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2348         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2349         * Scripts/builtins/builtins_generate_separate_implementation.py:
2350         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2351         * assembler/AbstractMacroAssembler.h:
2352         (JSC::AbstractMacroAssembler::JumpList::link):
2353         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2354         * assembler/MacroAssembler.h:
2355         * assembler/MacroAssemblerARM64.h:
2356         (JSC::MacroAssemblerARM64::add32):
2357         * assembler/MacroAssemblerCodeRef.cpp: Added.
2358         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2359         (JSC::MacroAssemblerCodePtr::dumpWithName):
2360         (JSC::MacroAssemblerCodePtr::dump):
2361         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2362         (JSC::MacroAssemblerCodeRef::dump):
2363         * assembler/MacroAssemblerCodeRef.h:
2364         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2365         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2366         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2367         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2368         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2369         * b3/B3BasicBlock.cpp:
2370         (JSC::B3::BasicBlock::appendBoolConstant):
2371         * b3/B3BasicBlock.h:
2372         * b3/B3DuplicateTails.cpp:
2373         * b3/B3StackmapGenerationParams.h:
2374         * b3/testb3.cpp:
2375         (JSC::B3::testPatchpointTerminalReturnValue):
2376         (JSC::B3::run):
2377         * bindings/ScriptValue.cpp:
2378         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2379         * bytecode/BytecodeBasicBlock.cpp:
2380         * bytecode/BytecodeLivenessAnalysis.cpp:
2381         * bytecode/BytecodeUseDef.h:
2382         * bytecode/CallLinkInfo.cpp:
2383         (JSC::CallLinkInfo::callTypeFor):
2384         * bytecode/CallLinkInfo.h:
2385         (JSC::CallLinkInfo::callTypeFor): Deleted.
2386         * bytecode/CallLinkStatus.cpp:
2387         * bytecode/CodeBlock.cpp:
2388         (JSC::CodeBlock::finishCreation):
2389         (JSC::CodeBlock::clearLLIntGetByIdCache):
2390         (JSC::CodeBlock::predictedMachineCodeSize):
2391         * bytecode/CodeBlock.h:
2392         (JSC::CodeBlock::jitCodeMap): Deleted.
2393         (JSC::clearLLIntGetByIdCache): Deleted.
2394         * bytecode/ExecutionCounter.h:
2395         * bytecode/Instruction.h:
2396         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2397         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2398         * bytecode/ObjectAllocationProfile.h:
2399         (JSC::ObjectAllocationProfile::isNull):
2400         (JSC::ObjectAllocationProfile::initialize):
2401         * bytecode/Opcode.h:
2402         (JSC::padOpcodeName):
2403         * bytecode/PolymorphicAccess.cpp:
2404         (JSC::AccessCase::generateImpl):
2405         (JSC::PolymorphicAccess::regenerate):
2406         * bytecode/PolymorphicAccess.h:
2407         * bytecode/PreciseJumpTargets.cpp:
2408         * bytecode/StructureStubInfo.cpp:
2409         * bytecode/StructureStubInfo.h:
2410         * bytecode/UnlinkedCodeBlock.cpp:
2411         (JSC::UnlinkedCodeBlock::vm): Deleted.
2412         * bytecode/UnlinkedCodeBlock.h:
2413         * bytecode/UnlinkedInstructionStream.cpp:
2414         * bytecode/UnlinkedInstructionStream.h:
2415         * dfg/DFGOperations.cpp:
2416         * dfg/DFGSpeculativeJIT.cpp:
2417         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2418         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2419         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2420         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2421         * dfg/DFGSpeculativeJIT.h:
2422         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2423         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2424         * dfg/DFGSpeculativeJIT32_64.cpp:
2425         (JSC::DFG::SpeculativeJIT::compile):
2426         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2427         * dfg/DFGSpeculativeJIT64.cpp:
2428         (JSC::DFG::SpeculativeJIT::compile):
2429         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2430         * dfg/DFGStrengthReductionPhase.cpp:
2431         (JSC::DFG::StrengthReductionPhase::handleNode):
2432         * ftl/FTLAbstractHeapRepository.h:
2433         * ftl/FTLCompile.cpp:
2434         * ftl/FTLJITFinalizer.cpp:
2435         * ftl/FTLLowerDFGToB3.cpp:
2436         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2437         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2438         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2439         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2440         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2441         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2442         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2443         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2444         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2445         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2446         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2447         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2448         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2449         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2450         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2451         * ftl/FTLOutput.cpp:
2452         (JSC::FTL::Output::constBool):
2453         (JSC::FTL::Output::add):
2454         (JSC::FTL::Output::shl):
2455         (JSC::FTL::Output::aShr):
2456         (JSC::FTL::Output::lShr):
2457         (JSC::FTL::Output::zeroExt):
2458         (JSC::FTL::Output::equal):
2459         (JSC::FTL::Output::notEqual):
2460         (JSC::FTL::Output::above):
2461         (JSC::FTL::Output::aboveOrEqual):
2462         (JSC::FTL::Output::below):
2463         (JSC::FTL::Output::belowOrEqual):
2464         (JSC::FTL::Output::greaterThan):
2465         (JSC::FTL::Output::greaterThanOrEqual):
2466         (JSC::FTL::Output::lessThan):
2467         (JSC::FTL::Output::lessThanOrEqual):
2468         (JSC::FTL::Output::select):
2469         (JSC::FTL::Output::appendSuccessor):
2470         (JSC::FTL::Output::addIncomingToPhi):
2471         * ftl/FTLOutput.h:
2472         * ftl/FTLValueFromBlock.h:
2473         (JSC::FTL::ValueFromBlock::operator bool):
2474         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2475         * ftl/FTLWeightedTarget.h:
2476         (JSC::FTL::WeightedTarget::frequentedBlock):
2477         * heap/CellContainer.h: Added.
2478         (JSC::CellContainer::CellContainer):
2479         (JSC::CellContainer::operator bool):
2480         (JSC::CellContainer::isMarkedBlock):
2481         (JSC::CellContainer::isLargeAllocation):
2482         (JSC::CellContainer::markedBlock):
2483         (JSC::CellContainer::largeAllocation):
2484         * heap/CellContainerInlines.h: Added.
2485         (JSC::CellContainer::isMarked):
2486         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2487         (JSC::CellContainer::noteMarked):
2488         (JSC::CellContainer::cellSize):
2489         (JSC::CellContainer::weakSet):
2490         (JSC::CellContainer::flipIfNecessary):
2491         * heap/ConservativeRoots.cpp:
2492         (JSC::ConservativeRoots::ConservativeRoots):
2493         (JSC::ConservativeRoots::~ConservativeRoots):
2494         (JSC::ConservativeRoots::grow):
2495         (JSC::ConservativeRoots::genericAddPointer):
2496         (JSC::ConservativeRoots::genericAddSpan):
2497         * heap/ConservativeRoots.h:
2498         (JSC::ConservativeRoots::roots):
2499         * heap/CopyToken.h:
2500         * heap/FreeList.cpp: Added.
2501         (JSC::FreeList::dump):
2502         * heap/FreeList.h: Added.
2503         (JSC::FreeList::FreeList):
2504         (JSC::FreeList::list):
2505         (JSC::FreeList::bump):
2506         (JSC::FreeList::operator==):
2507         (JSC::FreeList::operator!=):
2508         (JSC::FreeList::operator bool):
2509         (JSC::FreeList::allocationWillFail):
2510         (JSC::FreeList::allocationWillSucceed):
2511         * heap/GCTypeMap.h: Added.
2512         (JSC::GCTypeMap::operator[]):
2513         * heap/Heap.cpp:
2514         (JSC::Heap::Heap):
2515         (JSC::Heap::lastChanceToFinalize):
2516         (JSC::Heap::finalizeUnconditionalFinalizers):
2517         (JSC::Heap::markRoots):
2518         (JSC::Heap::copyBackingStores):
2519         (JSC::Heap::gatherStackRoots):
2520         (JSC::Heap::gatherJSStackRoots):
2521         (JSC::Heap::gatherScratchBufferRoots):
2522         (JSC::Heap::clearLivenessData):
2523         (JSC::Heap::visitSmallStrings):
2524         (JSC::Heap::visitConservativeRoots):
2525         (JSC::Heap::removeDeadCompilerWorklistEntries):
2526         (JSC::Heap::gatherExtraHeapSnapshotData):
2527         (JSC::Heap::removeDeadHeapSnapshotNodes):
2528         (JSC::Heap::visitProtectedObjects):
2529         (JSC::Heap::visitArgumentBuffers):
2530         (JSC::Heap::visitException):
2531         (JSC::Heap::visitStrongHandles):
2532         (JSC::Heap::visitHandleStack):
2533         (JSC::Heap::visitSamplingProfiler):
2534         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2535         (JSC::Heap::converge):
2536         (JSC::Heap::visitWeakHandles):
2537         (JSC::Heap::updateObjectCounts):
2538         (JSC::Heap::clearUnmarkedExecutables):
2539         (JSC::Heap::deleteUnmarkedCompiledCode):
2540         (JSC::Heap::collectAllGarbage):
2541         (JSC::Heap::collect):
2542         (JSC::Heap::collectWithoutAnySweep):
2543         (JSC::Heap::collectImpl):
2544         (JSC::Heap::suspendCompilerThreads):
2545         (JSC::Heap::willStartCollection):
2546         (JSC::Heap::flushOldStructureIDTables):
2547         (JSC::Heap::flushWriteBarrierBuffer):
2548         (JSC::Heap::stopAllocation):
2549         (JSC::Heap::prepareForMarking):
2550         (JSC::Heap::reapWeakHandles):
2551         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2552         (JSC::Heap::sweepArrayBuffers):
2553         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2554         (JSC::MarkedBlockSnapshotFunctor::operator()):
2555         (JSC::Heap::snapshotMarkedSpace):
2556         (JSC::Heap::deleteSourceProviderCaches):
2557         (JSC::Heap::notifyIncrementalSweeper):
2558         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2559         (JSC::Heap::resetAllocators):
2560         (JSC::Heap::updateAllocationLimits):
2561         (JSC::Heap::didFinishCollection):
2562         (JSC::Heap::resumeCompilerThreads):
2563         (JSC::Zombify::visit):
2564         (JSC::Heap::forEachCodeBlockImpl):
2565         * heap/Heap.h:
2566         (JSC::Heap::allocatorForObjectWithoutDestructor):
2567         (JSC::Heap::allocatorForObjectWithDestructor):
2568         (JSC::Heap::allocatorForAuxiliaryData):
2569         (JSC::Heap::jitStubRoutines):
2570         (JSC::Heap::codeBlockSet):
2571         (JSC::Heap::storageAllocator): Deleted.
2572         * heap/HeapCell.h:
2573         (JSC::HeapCell::isZapped): Deleted.
2574         * heap/HeapCellInlines.h: Added.
2575         (JSC::HeapCell::isLargeAllocation):
2576         (JSC::HeapCell::cellContainer):
2577         (JSC::HeapCell::markedBlock):
2578         (JSC::HeapCell::largeAllocation):
2579         (JSC::HeapCell::heap):
2580         (JSC::HeapCell::vm):
2581         (JSC::HeapCell::cellSize):
2582         (JSC::HeapCell::allocatorAttributes):
2583         (JSC::HeapCell::destructionMode):
2584         (JSC::HeapCell::cellKind):
2585         * heap/HeapInlines.h:
2586         (JSC::Heap::heap):
2587         (JSC::Heap::isLive):
2588         (JSC::Heap::isMarked):
2589         (JSC::Heap::testAndSetMarked):
2590         (JSC::Heap::setMarked):
2591         (JSC::Heap::cellSize):
2592         (JSC::Heap::forEachCodeBlock):
2593         (JSC::Heap::allocateObjectOfType):
2594         (JSC::Heap::subspaceForObjectOfType):
2595         (JSC::Heap::allocatorForObjectOfType):
2596         (JSC::Heap::allocateAuxiliary):
2597         (JSC::Heap::tryAllocateAuxiliary):
2598         (JSC::Heap::tryReallocateAuxiliary):
2599         (JSC::Heap::isPointerGCObject): Deleted.
2600         (JSC::Heap::isValueGCObject): Deleted.
2601         * heap/HeapOperation.cpp: Added.
2602         (WTF::printInternal):
2603         * heap/HeapOperation.h:
2604         * heap/HeapUtil.h: Added.
2605         (JSC::HeapUtil::findGCObjectPointersForMarking):
2606         (JSC::HeapUtil::isPointerGCObjectJSCell):
2607         (JSC::HeapUtil::isValueGCObject):
2608         * heap/IncrementalSweeper.cpp:
2609         (JSC::IncrementalSweeper::sweepNextBlock):
2610         * heap/IncrementalSweeper.h:
2611         * heap/LargeAllocation.cpp: Added.
2612         (JSC::LargeAllocation::tryCreate):
2613         (JSC::LargeAllocation::LargeAllocation):
2614         (JSC::LargeAllocation::lastChanceToFinalize):
2615         (JSC::LargeAllocation::shrink):
2616         (JSC::LargeAllocation::visitWeakSet):
2617         (JSC::LargeAllocation::reapWeakSet):
2618         (JSC::LargeAllocation::flip):
2619         (JSC::LargeAllocation::isEmpty):
2620         (JSC::LargeAllocation::sweep):
2621         (JSC::LargeAllocation::destroy):
2622         (JSC::LargeAllocation::dump):
2623         * heap/LargeAllocation.h: Added.
2624         (JSC::LargeAllocation::fromCell):
2625         (JSC::LargeAllocation::cell):
2626         (JSC::LargeAllocation::isLargeAllocation):
2627         (JSC::LargeAllocation::heap):
2628         (JSC::LargeAllocation::vm):
2629         (JSC::LargeAllocation::weakSet):
2630         (JSC::LargeAllocation::clearNewlyAllocated):
2631         (JSC::LargeAllocation::isNewlyAllocated):
2632         (JSC::LargeAllocation::isMarked):
2633         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2634         (JSC::LargeAllocation::isLive):
2635         (JSC::LargeAllocation::hasValidCell):
2636         (JSC::LargeAllocation::cellSize):
2637         (JSC::LargeAllocation::aboveLowerBound):
2638         (JSC::LargeAllocation::belowUpperBound):
2639         (JSC::LargeAllocation::contains):
2640         (JSC::LargeAllocation::attributes):
2641         (JSC::LargeAllocation::flipIfNecessary):
2642         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2643         (JSC::LargeAllocation::testAndSetMarked):
2644         (JSC::LargeAllocation::setMarked):
2645         (JSC::LargeAllocation::clearMarked):
2646         (JSC::LargeAllocation::noteMarked):
2647         (JSC::LargeAllocation::headerSize):
2648         * heap/MarkedAllocator.cpp:
2649         (JSC::MarkedAllocator::MarkedAllocator):
2650         (JSC::MarkedAllocator::isPagedOut):
2651         (JSC::MarkedAllocator::retire):
2652         (JSC::MarkedAllocator::filterNextBlock):
2653         (JSC::MarkedAllocator::setNextBlockToSweep):
2654         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2655         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2656         (JSC::MarkedAllocator::allocateSlowCase):
2657         (JSC::MarkedAllocator::tryAllocateSlowCase):
2658         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2659         (JSC::blockHeaderSize):
2660         (JSC::MarkedAllocator::blockSizeForBytes):
2661         (JSC::MarkedAllocator::tryAllocateBlock):
2662         (JSC::MarkedAllocator::addBlock):
2663         (JSC::MarkedAllocator::removeBlock):
2664         (JSC::MarkedAllocator::stopAllocating):
2665         (JSC::MarkedAllocator::reset):
2666         (JSC::MarkedAllocator::lastChanceToFinalize):
2667         (JSC::MarkedAllocator::setFreeList):
2668         (JSC::isListPagedOut): Deleted.
2669         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2670         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2671         (JSC::MarkedAllocator::tryAllocate): Deleted.
2672         (JSC::MarkedAllocator::allocateBlock): Deleted.
2673         * heap/MarkedAllocator.h:
2674         (JSC::MarkedAllocator::takeLastActiveBlock):
2675         (JSC::MarkedAllocator::offsetOfFreeList):
2676         (JSC::MarkedAllocator::offsetOfCellSize):
2677         (JSC::MarkedAllocator::tryAllocate):
2678         (JSC::MarkedAllocator::allocate):
2679         (JSC::MarkedAllocator::forEachBlock):
2680         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2681         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2682         (JSC::MarkedAllocator::init): Deleted.
2683         (JSC::MarkedAllocator::stopAllocating): Deleted.
2684         * heap/MarkedBlock.cpp:
2685         (JSC::MarkedBlock::tryCreate):
2686         (JSC::MarkedBlock::Handle::Handle):
2687         (JSC::MarkedBlock::Handle::~Handle):
2688         (JSC::MarkedBlock::MarkedBlock):
2689         (JSC::MarkedBlock::Handle::specializedSweep):
2690         (JSC::MarkedBlock::Handle::sweep):
2691         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2692         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2693         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2694         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2695         (JSC::SetNewlyAllocatedFunctor::operator()):
2696         (JSC::MarkedBlock::Handle::stopAllocating):
2697         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2698         (JSC::MarkedBlock::Handle::resumeAllocating):
2699         (JSC::MarkedBlock::Handle::zap):
2700         (JSC::MarkedBlock::Handle::forEachFreeCell):
2701         (JSC::MarkedBlock::flipIfNecessary):
2702         (JSC::MarkedBlock::Handle::flipIfNecessary):
2703         (JSC::MarkedBlock::flipIfNecessarySlow):
2704         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2705         (JSC::MarkedBlock::clearMarks):
2706         (JSC::MarkedBlock::assertFlipped):
2707         (JSC::MarkedBlock::needsFlip):
2708         (JSC::MarkedBlock::Handle::needsFlip):
2709         (JSC::MarkedBlock::Handle::willRemoveBlock):
2710         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2711         (JSC::MarkedBlock::markCount):
2712         (JSC::MarkedBlock::Handle::isEmpty):
2713         (JSC::MarkedBlock::clearHasAnyMarked):
2714         (JSC::MarkedBlock::noteMarkedSlow):
2715         (WTF::printInternal):
2716         (JSC::MarkedBlock::create): Deleted.
2717         (JSC::MarkedBlock::destroy): Deleted.
2718         (JSC::MarkedBlock::callDestructor): Deleted.
2719         (JSC::MarkedBlock::specializedSweep): Deleted.
2720         (JSC::MarkedBlock::sweep): Deleted.
2721         (JSC::MarkedBlock::sweepHelper): Deleted.
2722         (JSC::MarkedBlock::stopAllocating): Deleted.
2723         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2724         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2725         (JSC::MarkedBlock::resumeAllocating): Deleted.
2726         (JSC::MarkedBlock::didRetireBlock): Deleted.
2727         * heap/MarkedBlock.h:
2728         (JSC::MarkedBlock::VoidFunctor::returnValue):
2729         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2730         (JSC::MarkedBlock::CountFunctor::count):
2731         (JSC::MarkedBlock::CountFunctor::returnValue):
2732         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2733         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2734         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2735         (JSC::MarkedBlock::Handle::state):
2736         (JSC::MarkedBlock::needsDestruction):
2737         (JSC::MarkedBlock::handle):
2738         (JSC::MarkedBlock::Handle::block):
2739         (JSC::MarkedBlock::firstAtom):
2740         (JSC::MarkedBlock::atoms):
2741         (JSC::MarkedBlock::isAtomAligned):
2742         (JSC::MarkedBlock::Handle::cellAlign):
2743         (JSC::MarkedBlock::blockFor):
2744         (JSC::MarkedBlock::Handle::allocator):
2745         (JSC::MarkedBlock::Handle::heap):
2746         (JSC::MarkedBlock::Handle::vm):
2747         (JSC::MarkedBlock::vm):
2748         (JSC::MarkedBlock::Handle::weakSet):
2749         (JSC::MarkedBlock::weakSet):
2750         (JSC::MarkedBlock::Handle::shrink):
2751         (JSC::MarkedBlock::Handle::visitWeakSet):
2752         (JSC::MarkedBlock::Handle::reapWeakSet):
2753         (JSC::MarkedBlock::Handle::cellSize):
2754         (JSC::MarkedBlock::cellSize):
2755         (JSC::MarkedBlock::Handle::attributes):
2756         (JSC::MarkedBlock::attributes):
2757         (JSC::MarkedBlock::Handle::needsDestruction):
2758         (JSC::MarkedBlock::Handle::destruction):
2759         (JSC::MarkedBlock::Handle::cellKind):
2760         (JSC::MarkedBlock::Handle::markCount):
2761         (JSC::MarkedBlock::Handle::size):
2762         (JSC::MarkedBlock::atomNumber):
2763         (JSC::MarkedBlock::flipIfNecessary):
2764         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2765         (JSC::MarkedBlock::Handle::flipIfNecessary):
2766         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2767         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2768         (JSC::MarkedBlock::assertFlipped):
2769         (JSC::MarkedBlock::Handle::assertFlipped):
2770         (JSC::MarkedBlock::isMarked):
2771         (JSC::MarkedBlock::testAndSetMarked):
2772         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2773         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2774         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2775         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2776         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2777         (JSC::MarkedBlock::Handle::isLive):
2778         (JSC::MarkedBlock::isAtom):
2779         (JSC::MarkedBlock::Handle::isLiveCell):
2780         (JSC::MarkedBlock::Handle::forEachCell):
2781         (JSC::MarkedBlock::Handle::forEachLiveCell):
2782         (JSC::MarkedBlock::Handle::forEachDeadCell):
2783         (JSC::MarkedBlock::Handle::needsSweeping):
2784         (JSC::MarkedBlock::Handle::isAllocated):
2785         (JSC::MarkedBlock::Handle::isMarked):
2786         (JSC::MarkedBlock::Handle::isFreeListed):
2787         (JSC::MarkedBlock::hasAnyMarked):
2788         (JSC::MarkedBlock::noteMarked):
2789         (WTF::MarkedBlockHash::hash):
2790         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2791         (JSC::MarkedBlock::allocator): Deleted.
2792         (JSC::MarkedBlock::heap): Deleted.
2793         (JSC::MarkedBlock::shrink): Deleted.
2794         (JSC::MarkedBlock::visitWeakSet): Deleted.
2795         (JSC::MarkedBlock::reapWeakSet): Deleted.
2796         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2797         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2798         (JSC::MarkedBlock::markCount): Deleted.
2799         (JSC::MarkedBlock::isEmpty): Deleted.
2800         (JSC::MarkedBlock::destruction): Deleted.
2801         (JSC::MarkedBlock::cellKind): Deleted.
2802         (JSC::MarkedBlock::size): Deleted.
2803         (JSC::MarkedBlock::capacity): Deleted.
2804         (JSC::MarkedBlock::setMarked): Deleted.
2805         (JSC::MarkedBlock::clearMarked): Deleted.
2806         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2807         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2808         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2809         (JSC::MarkedBlock::isLive): Deleted.
2810         (JSC::MarkedBlock::isLiveCell): Deleted.
2811         (JSC::MarkedBlock::forEachCell): Deleted.
2812         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2813         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2814         (JSC::MarkedBlock::needsSweeping): Deleted.
2815         (JSC::MarkedBlock::isAllocated): Deleted.
2816         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2817         * heap/MarkedSpace.cpp:
2818         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2819         (JSC::MarkedSpace::MarkedSpace):
2820         (JSC::MarkedSpace::~MarkedSpace):
2821         (JSC::MarkedSpace::lastChanceToFinalize):
2822         (JSC::MarkedSpace::allocate):
2823         (JSC::MarkedSpace::tryAllocate):
2824         (JSC::MarkedSpace::allocateLarge):
2825         (JSC::MarkedSpace::tryAllocateLarge):
2826         (JSC::MarkedSpace::sweep):
2827         (JSC::MarkedSpace::sweepLargeAllocations):
2828         (JSC::MarkedSpace::zombifySweep):
2829         (JSC::MarkedSpace::resetAllocators):
2830         (JSC::MarkedSpace::visitWeakSets):
2831         (JSC::MarkedSpace::reapWeakSets):
2832         (JSC::MarkedSpace::stopAllocating):
2833         (JSC::MarkedSpace::prepareForMarking):
2834         (JSC::MarkedSpace::resumeAllocating):
2835         (JSC::MarkedSpace::isPagedOut):
2836         (JSC::MarkedSpace::freeBlock):
2837         (JSC::MarkedSpace::freeOrShrinkBlock):
2838         (JSC::MarkedSpace::shrink):
2839         (JSC::MarkedSpace::clearNewlyAllocated):
2840         (JSC::VerifyMarked::operator()):
2841         (JSC::MarkedSpace::flip):
2842         (JSC::MarkedSpace::objectCount):
2843         (JSC::MarkedSpace::size):
2844         (JSC::MarkedSpace::capacity):
2845         (JSC::MarkedSpace::addActiveWeakSet):
2846         (JSC::MarkedSpace::didAddBlock):
2847         (JSC::MarkedSpace::didAllocateInBlock):
2848         (JSC::MarkedSpace::forEachAllocator): Deleted.
2849         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2850         (JSC::MarkedSpace::clearMarks): Deleted.
2851         * heap/MarkedSpace.h:
2852         (JSC::MarkedSpace::sizeClassToIndex):
2853         (JSC::MarkedSpace::indexToSizeClass):
2854         (JSC::MarkedSpace::version):
2855         (JSC::MarkedSpace::blocksWithNewObjects):
2856         (JSC::MarkedSpace::largeAllocations):
2857         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2858         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2859         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2860         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2861         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2862         (JSC::MarkedSpace::forEachLiveCell):
2863         (JSC::MarkedSpace::forEachDeadCell):
2864         (JSC::MarkedSpace::allocatorFor):
2865         (JSC::MarkedSpace::destructorAllocatorFor):
2866         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2867         (JSC::MarkedSpace::allocateWithoutDestructor):
2868         (JSC::MarkedSpace::allocateWithDestructor):
2869         (JSC::MarkedSpace::allocateAuxiliary):
2870         (JSC::MarkedSpace::tryAllocateAuxiliary):
2871         (JSC::MarkedSpace::forEachBlock):
2872         (JSC::MarkedSpace::forEachAllocator):
2873         (JSC::MarkedSpace::optimalSizeFor):
2874         (JSC::MarkedSpace::didAddBlock): Deleted.
2875         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2876         (JSC::MarkedSpace::objectCount): Deleted.
2877         (JSC::MarkedSpace::size): Deleted.
2878         (JSC::MarkedSpace::capacity): Deleted.
2879         * heap/SlotVisitor.cpp:
2880         (JSC::SlotVisitor::SlotVisitor):
2881         (JSC::SlotVisitor::didStartMarking):
2882         (JSC::SlotVisitor::reset):
2883         (JSC::SlotVisitor::append):
2884         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2885         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2886         (JSC::SlotVisitor::appendToMarkStack):
2887         (JSC::SlotVisitor::markAuxiliary):
2888         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2889         (JSC::SlotVisitor::visitChildren):
2890         * heap/SlotVisitor.h:
2891         * heap/WeakBlock.cpp:
2892         (JSC::WeakBlock::create):
2893         (JSC::WeakBlock::WeakBlock):
2894         (JSC::WeakBlock::visit):
2895         (JSC::WeakBlock::reap):
2896         * heap/WeakBlock.h:
2897         (JSC::WeakBlock::disconnectContainer):
2898         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
2899         * heap/WeakSet.cpp:
2900         (JSC::WeakSet::~WeakSet):
2901         (JSC::WeakSet::sweep):
2902         (JSC::WeakSet::shrink):
2903         (JSC::WeakSet::addAllocator):
2904         * heap/WeakSet.h:
2905         (JSC::WeakSet::container):
2906         (JSC::WeakSet::setContainer):
2907         (JSC::WeakSet::WeakSet):
2908         (JSC::WeakSet::visit):
2909         (JSC::WeakSet::shrink): Deleted.
2910         * heap/WeakSetInlines.h:
2911         (JSC::WeakSet::allocate):
2912         * inspector/InjectedScriptManager.cpp:
2913         * inspector/JSGlobalObjectInspectorController.cpp:
2914         * inspector/JSJavaScriptCallFrame.cpp:
2915         * inspector/ScriptDebugServer.cpp:
2916         * inspector/agents/InspectorDebuggerAgent.cpp:
2917         * interpreter/CachedCall.h:
2918         (JSC::CachedCall::CachedCall):
2919         * interpreter/Interpreter.cpp:
2920         (JSC::loadVarargs):
2921         (JSC::StackFrame::sourceID): Deleted.
2922         (JSC::StackFrame::sourceURL): Deleted.
2923         (JSC::StackFrame::functionName): Deleted.
2924         (JSC::StackFrame::computeLineAndColumn): Deleted.
2925         (JSC::StackFrame::toString): Deleted.
2926         * interpreter/Interpreter.h:
2927         (JSC::StackFrame::isNative): Deleted.
2928         * jit/AssemblyHelpers.h:
2929         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2930         (JSC::AssemblyHelpers::emitAllocate):
2931         (JSC::AssemblyHelpers::emitAllocateJSCell):
2932         (JSC::AssemblyHelpers::emitAllocateJSObject):
2933         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2934         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2935         * jit/GCAwareJITStubRoutine.cpp:
2936         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2937         * jit/JIT.cpp:
2938         (JSC::JIT::compileCTINativeCall):
2939         (JSC::JIT::link):
2940         * jit/JIT.h:
2941         (JSC::JIT::compileCTINativeCall): Deleted.
2942         * jit/JITExceptions.cpp:
2943         (JSC::genericUnwind):
2944         * jit/JITExceptions.h:
2945         * jit/JITOpcodes.cpp:
2946         (JSC::JIT::emit_op_new_object):
2947         (JSC::JIT::emitSlow_op_new_object):
2948         (JSC::JIT::emit_op_create_this):
2949         (JSC::JIT::emitSlow_op_create_this):
2950         * jit/JITOpcodes32_64.cpp:
2951         (JSC::JIT::emit_op_new_object):
2952         (JSC::JIT::emitSlow_op_new_object):
2953         (JSC::JIT::emit_op_create_this):
2954         (JSC::JIT::emitSlow_op_create_this):
2955         * jit/JITOperations.cpp:
2956         * jit/JITOperations.h:
2957         * jit/JITPropertyAccess.cpp:
2958         (JSC::JIT::emitWriteBarrier):
2959         * jit/JITThunks.cpp:
2960         * jit/JITThunks.h:
2961         * jsc.cpp:
2962         (functionDescribeArray):
2963         (main):
2964         * llint/LLIntData.cpp:
2965         (JSC::LLInt::Data::performAssertions):
2966         * llint/LLIntExceptions.cpp:
2967         * llint/LLIntThunks.cpp:
2968         * llint/LLIntThunks.h:
2969         * llint/LowLevelInterpreter.asm:
2970         * llint/LowLevelInterpreter.cpp:
2971         * llint/LowLevelInterpreter32_64.asm:
2972         * llint/LowLevelInterpreter64.asm:
2973         * parser/ModuleAnalyzer.cpp:
2974         * parser/NodeConstructors.h:
2975         * parser/Nodes.h:
2976         * profiler/ProfilerBytecode.cpp:
2977         * profiler/ProfilerBytecode.h:
2978         * profiler/ProfilerBytecodeSequence.cpp:
2979         * runtime/ArrayConventions.h:
2980         (JSC::indexingHeaderForArrayStorage):
2981         (JSC::baseIndexingHeaderForArrayStorage):
2982         (JSC::indexingHeaderForArray): Deleted.
2983         (JSC::baseIndexingHeaderForArray): Deleted.
2984         * runtime/ArrayPrototype.cpp:
2985         (JSC::arrayProtoFuncSplice):
2986         (JSC::concatAppendOne):
2987         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2988         * runtime/ArrayStorage.h:
2989         (JSC::ArrayStorage::vectorLength):
2990         (JSC::ArrayStorage::totalSizeFor):
2991         (JSC::ArrayStorage::totalSize):
2992         (JSC::ArrayStorage::availableVectorLength):
2993         (JSC::ArrayStorage::optimalVectorLength):
2994         (JSC::ArrayStorage::sizeFor): Deleted.
2995         * runtime/AuxiliaryBarrier.h: Added.
2996         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
2997         (JSC::AuxiliaryBarrier::clear):
2998         (JSC::AuxiliaryBarrier::get):
2999         (JSC::AuxiliaryBarrier::slot):
3000         (JSC::AuxiliaryBarrier::operator bool):
3001         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3002         * runtime/AuxiliaryBarrierInlines.h: Added.
3003         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3004         (JSC::AuxiliaryBarrier<T>::set):
3005         * runtime/Butterfly.h:
3006         * runtime/ButterflyInlines.h:
3007         (JSC::Butterfly::availableContiguousVectorLength):
3008         (JSC::Butterfly::optimalContiguousVectorLength):
3009         (JSC::Butterfly::createUninitialized):
3010         (JSC::Butterfly::growArrayRight):
3011         * runtime/ClonedArguments.cpp:
3012         (JSC::ClonedArguments::createEmpty):
3013         * runtime/CommonSlowPathsExceptions.cpp:
3014         * runtime/CommonSlowPathsExceptions.h:
3015         * runtime/DataView.cpp:
3016         * runtime/DirectArguments.h:
3017         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3018         * runtime/Error.cpp:
3019         * runtime/Error.h:
3020         * runtime/ErrorInstance.cpp:
3021         * runtime/ErrorInstance.h:
3022         * runtime/Exception.cpp:
3023         * runtime/Exception.h:
3024         * runtime/GeneratorFrame.cpp:
3025         * runtime/GeneratorPrototype.cpp:
3026         * runtime/InternalFunction.cpp:
3027         (JSC::InternalFunction::InternalFunction):
3028         * runtime/IntlCollator.cpp:
3029         * runtime/IntlCollatorConstructor.cpp:
3030         * runtime/IntlCollatorPrototype.cpp:
3031         * runtime/IntlDateTimeFormat.cpp:
3032         * runtime/IntlDateTimeFormatConstructor.cpp:
3033         * runtime/IntlDateTimeFormatPrototype.cpp:
3034         * runtime/IntlNumberFormat.cpp:
3035         * runtime/IntlNumberFormatConstructor.cpp:
3036         * runtime/IntlNumberFormatPrototype.cpp:
3037         * runtime/IntlObject.cpp:
3038         * runtime/IteratorPrototype.cpp:
3039         * runtime/JSArray.cpp:
3040         (JSC::JSArray::tryCreateUninitialized):
3041         (JSC::JSArray::setLengthWritable):
3042         (JSC::JSArray::unshiftCountSlowCase):
3043         (JSC::JSArray::setLengthWithArrayStorage):
3044         (JSC::JSArray::appendMemcpy):
3045         (JSC::JSArray::setLength):
3046         (JSC::JSArray::pop):
3047         (JSC::JSArray::push):
3048         (JSC::JSArray::fastSlice):
3049         (JSC::JSArray::shiftCountWithArrayStorage):
3050         (JSC::JSArray::shiftCountWithAnyIndexingType):
3051         (JSC::JSArray::unshiftCountWithArrayStorage):
3052         (JSC::JSArray::fillArgList):
3053         (JSC::JSArray::copyToArguments):
3054         * runtime/JSArray.h:
3055         (JSC::createContiguousArrayButterfly):
3056         (JSC::createArrayButterfly):
3057         (JSC::JSArray::create):
3058         (JSC::JSArray::tryCreateUninitialized): Deleted.
3059         * runtime/JSArrayBufferView.h:
3060         * runtime/JSCInlines.h:
3061         * runtime/JSCJSValue.cpp:
3062         (JSC::JSValue::dumpInContextAssumingStructure):
3063         * runtime/JSCallee.cpp:
3064         (JSC::JSCallee::JSCallee):
3065         * runtime/JSCell.cpp:
3066         (JSC::JSCell::estimatedSize):
3067         * runtime/JSCell.h:
3068         (JSC::JSCell::cellStateOffset): Deleted.
3069         * runtime/JSCellInlines.h:
3070         (JSC::ExecState::vm):
3071         (JSC::JSCell::classInfo):
3072         (JSC::JSCell::callDestructor):
3073         (JSC::JSCell::vm): Deleted.
3074         * runtime/JSFunction.cpp:
3075         (JSC::JSFunction::create):
3076         (JSC::JSFunction::allocateAndInitializeRareData):
3077         (JSC::JSFunction::initializeRareData):
3078         (JSC::JSFunction::getOwnPropertySlot):
3079         (JSC::JSFunction::put):
3080         (JSC::JSFunction::deleteProperty):
3081         (JSC::JSFunction::defineOwnProperty):
3082         (JSC::JSFunction::setFunctionName):
3083         (JSC::JSFunction::reifyLength):
3084         (JSC::JSFunction::reifyName):
3085         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3086         (JSC::JSFunction::reifyBoundNameIfNeeded):
3087         * runtime/JSFunction.h:
3088         * runtime/JSFunctionInlines.h:
3089         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3090         (JSC::JSFunction::JSFunction):
3091         * runtime/JSGenericTypedArrayViewInlines.h:
3092         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3093         * runtime/JSInternalPromise.cpp:
3094         * runtime/JSInternalPromiseConstructor.cpp:
3095         * runtime/JSInternalPromiseDeferred.cpp:
3096         * runtime/JSInternalPromisePrototype.cpp:
3097         * runtime/JSJob.cpp:
3098         * runtime/JSMapIterator.cpp:
3099         * runtime/JSModuleNamespaceObject.cpp:
3100         * runtime/JSModuleRecord.cpp:
3101         * runtime/JSObject.cpp:
3102         (JSC::JSObject::visitButterfly):
3103         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3104         (JSC::JSObject::createInitialIndexedStorage):
3105         (JSC::JSObject::createInitialUndecided):
3106         (JSC::JSObject::createInitialInt32):
3107         (JSC::JSObject::createInitialDouble):
3108         (JSC::JSObject::createInitialContiguous):
3109         (JSC::JSObject::createArrayStorage):
3110         (JSC::JSObject::createInitialArrayStorage):
3111         (JSC::JSObject::convertUndecidedToInt32):
3112         (JSC::JSObject::convertUndecidedToContiguous):
3113         (JSC::JSObject::convertUndecidedToArrayStorage):
3114         (JSC::JSObject::convertInt32ToDouble):
3115         (JSC::JSObject::convertInt32ToArrayStorage):
3116         (JSC::JSObject::convertDoubleToArrayStorage):
3117         (JSC::JSObject::convertContiguousToArrayStorage):
3118         (JSC::JSObject::putByIndexBeyondVectorLength):
3119         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3120         (JSC::JSObject::getNewVectorLength):
3121         (JSC::JSObject::increaseVectorLength):
3122         (JSC::JSObject::ensureLengthSlow):
3123         (JSC::JSObject::growOutOfLineStorage):
3124         (JSC::JSObject::copyButterfly): Deleted.
3125         (JSC::JSObject::copyBackingStore): Deleted.
3126         * runtime/JSObject.h:
3127         (JSC::JSObject::globalObject):
3128         (JSC::JSObject::putDirectInternal):
3129         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3130         * runtime/JSObjectInlines.h:
3131         * runtime/JSPromise.cpp:
3132         * runtime/JSPromiseConstructor.cpp:
3133         * runtime/JSPromiseDeferred.cpp:
3134         * runtime/JSPromisePrototype.cpp:
3135         * runtime/JSPropertyNameIterator.cpp:
3136         * runtime/JSScope.cpp:
3137         (JSC::JSScope::resolve):
3138         * runtime/JSScope.h:
3139         (JSC::JSScope::globalObject):
3140         (JSC::JSScope::vm): Deleted.
3141         * runtime/JSSetIterator.cpp:
3142         * runtime/JSStringIterator.cpp:
3143         * runtime/JSTemplateRegistryKey.cpp:
3144         * runtime/JSTypedArrayViewConstructor.cpp:
3145         * runtime/JSTypedArrayViewPrototype.cpp:
3146         * runtime/JSWeakMap.cpp:
3147         * runtime/JSWeakSet.cpp:
3148         * runtime/MapConstructor.cpp:
3149         * runtime/MapIteratorPrototype.cpp:
3150         * runtime/MapPrototype.cpp:
3151         * runtime/NativeErrorConstructor.cpp:
3152         * runtime/NativeStdFunctionCell.cpp:
3153         * runtime/Operations.h:
3154         (JSC::scribbleFreeCells):
3155         (JSC::scribble):
3156         * runtime/Options.h:
3157         * runtime/PropertyTable.cpp:
3158         * runtime/ProxyConstructor.cpp:
3159         * runtime/ProxyObject.cpp:
3160         * runtime/ProxyRevoke.cpp:
3161         * runtime/RegExp.cpp:
3162         (JSC::RegExp::match):
3163         (JSC::RegExp::matchConcurrently):
3164         (JSC::RegExp::matchCompareWithInterpreter):
3165         * runtime/RegExp.h:
3166         * runtime/RegExpConstructor.h:
3167         * runtime/RegExpInlines.h:
3168         (JSC::RegExp::matchInline):
3169         * runtime/RegExpMatchesArray.h:
3170         (JSC::tryCreateUninitializedRegExpMatchesArray):
3171         (JSC::createRegExpMatchesArray):
3172         * runtime/RegExpPrototype.cpp:
3173         (JSC::genericSplit):
3174         * runtime/RuntimeType.cpp:
3175         * runtime/SamplingProfiler.cpp:
3176         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3177         * runtime/SetConstructor.cpp:
3178         * runtime/SetIteratorPrototype.cpp:
3179         * runtime/SetPrototype.cpp:
3180         * runtime/StackFrame.cpp: Added.
3181         (JSC::StackFrame::sourceID):
3182         (JSC::StackFrame::sourceURL):
3183         (JSC::StackFrame::functionName):
3184         (JSC::StackFrame::computeLineAndColumn):
3185         (JSC::StackFrame::toString):
3186         * runtime/StackFrame.h: Added.
3187         (JSC::StackFrame::isNative):
3188         * runtime/StringConstructor.cpp:
3189         * runtime/StringIteratorPrototype.cpp:
3190         * runtime/StructureInlines.h:
3191         (JSC::Structure::propertyTable):
3192         * runtime/TemplateRegistry.cpp:
3193         * runtime/TestRunnerUtils.cpp:
3194         (JSC::finalizeStatsAtEndOfTesting):
3195         * runtime/TestRunnerUtils.h:
3196         * runtime/TypeProfilerLog.cpp:
3197         * runtime/TypeSet.cpp:
3198         * runtime/VM.cpp:
3199         (JSC::VM::VM):
3200         (JSC::VM::ensureStackCapacityForCLoop):
3201         (JSC::VM::isSafeToRecurseSoftCLoop):
3202         * runtime/VM.h:
3203         * runtime/VMEntryScope.h:
3204         * runtime/VMInlines.h:
3205         (JSC::VM::ensureStackCapacityFor):
3206         (JSC::VM::isSafeToRecurseSoft):
3207         * runtime/WeakMapConstructor.cpp:
3208         * runtime/WeakMapData.cpp:
3209         * runtime/WeakMapPrototype.cpp:
3210         * runtime/WeakSetConstructor.cpp:
3211         * runtime/WeakSetPrototype.cpp:
3212         * testRegExp.cpp:
3213         (testOneRegExp):
3214         * tools/JSDollarVM.cpp:
3215         * tools/JSDollarVMPrototype.cpp:
3216         (JSC::JSDollarVMPrototype::isInObjectSpace):
3217
3218 2016-09-04  Commit Queue  <commit-queue@webkit.org>
3219
3220         Unreviewed, rolling out r205415.
3221         https://bugs.webkit.org/show_bug.cgi?id=161573
3222
3223         Many bots see inspector test failures, rolling out now and
3224         investigating later. (Requested by brrian on #webkit).
3225
3226         Reverted changeset:
3227
3228         "Web Inspector: unify Main.html and Test.html sources and
3229         generate different copies with the preprocessor"
3230         https://bugs.webkit.org/show_bug.cgi?id=161212
3231         http://trac.webkit.org/changeset/205415
3232
3233 2016-09-01  Brian Burg  <bburg@apple.com>
3234
3235         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
3236         https://bugs.webkit.org/show_bug.cgi?id=161212
3237         <rdar://problem/28017961>
3238
3239         Reviewed by Joseph Pecoraro.
3240
3241         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
3242
3243 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
3244
3245         Use ASCIILiteral in some more places
3246         https://bugs.webkit.org/show_bug.cgi?id=161557
3247
3248         Reviewed by Darin Adler.
3249
3250         * runtime/TypeSet.h:
3251         (JSC::StructureShape::setConstructorName):
3252
3253 2016-09-01  Michael Saboff  <msaboff@apple.com>
3254
3255         Import Chakra tests to JSC
3256         https://bugs.webkit.org/show_bug.cgi?id=154697
3257
3258         Reviewed by Saam Barati.
3259
3260         Added --dumpException option to jsc command line utility to dump uncaught exception
3261         text even for the last exception that matches --exception.  This is used to
3262         check the exception text for a text that is expected to end on an exception.
3263         Chakra has several tests of this form and does the same thing when such a test
3264         ends with an exception.  Tests that rely on this behavior have had their expected
3265         output updated for JSC specific text.
3266
3267         * jsc.cpp:
3268
3269 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
3270
3271         [JSC] Remove some more useless cases from FTL Capabilities
3272         https://bugs.webkit.org/show_bug.cgi?id=161466
3273
3274         Reviewed by Geoffrey Garen.
3275
3276         Some cases do not make sense:
3277         -In: Fixup only generate CellUse.
3278         -PutByIdXXX: same.
3279         -GetIndexedPropertyStorage: those cases are the only ones supported
3280          by DFG. We would have crashed in SpeculativeJIT if other modes
3281          were generated.
3282
3283         * ftl/FTLCapabilities.cpp:
3284         (JSC::FTL::canCompile):
3285         * ftl/FTLLowerDFGToB3.cpp:
3286         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
3287         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3288         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3289
3290 2016-09-02  Chris Dumez  <cdumez@apple.com>
3291
3292         Unreviewed, roll out r205354 because it caused JSC test failures
3293
3294         * jsc.cpp:
3295         * runtime/JSGlobalObject.cpp:
3296         * runtime/JSGlobalObject.h:
3297         (JSC::JSGlobalObject::allowsAccessFrom):
3298         (JSC::JSGlobalObject::setDebugger): Deleted.
3299         * runtime/JSGlobalObjectFunctions.cpp:
3300         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
3301         (JSC::GlobalFuncProtoGetterFunctor::result):
3302         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3303         (JSC::globalFuncProtoGetter):
3304         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
3305         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
3306         (JSC::GlobalFuncProtoSetterFunctor::operator()):
3307         (JSC::checkProtoSetterAccessAllowed):
3308         (JSC::globalFuncProtoSetter):
3309         * runtime/JSGlobalObjectFunctions.h:
3310         * runtime/JSObject.cpp:
3311         (JSC::JSObject::setPrototypeWithCycleCheck):
3312         (JSC::JSObject::allowsAccessFrom):
3313         * runtime/JSObject.h:
3314         * runtime/JSProxy.cpp:
3315         * runtime/JSProxy.h:
3316         * runtime/ObjectConstructor.cpp:
3317         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
3318         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
3319         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3320         (JSC::objectConstructorGetPrototypeOf):
3321         (JSC::objectConstructorSetPrototypeOf):
3322         * runtime/ObjectConstructor.h:
3323         * runtime/ReflectObject.cpp:
3324         (JSC::reflectObjectGetPrototypeOf):
3325         (JSC::reflectObjectSetPrototypeOf):
3326
3327 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
3328
3329         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
3330         https://bugs.webkit.org/show_bug.cgi?id=160802
3331
3332         Reviewed by Saam Barati.
3333
3334         This patch is fixing a broken mechanism of MathIC that avoids allocate
3335         a register to LHS or RHS if one of these operands are proven as valid
3336         constant for JIT*Generator. In previous implementation, even if the
3337         JIT*Generator was not using an operand register because it was proven as a
3338         constant, compileMathIC and emitICFast were allocating a register for
3339         it. This was broken because mathIC->isLeftOperandValidConstant and
3340         mathIC->isLeftOperandValidConstant were being called before its Generator be
3341         properly initialized. We changed this mechanism to enable Generators write
3342         their validConstant rules using static methods isLeftOperandValidConstant(SnippetOperand)
3343         and isRightOperandValidConstant(SnippetOperand).
3344
3345         * dfg/DFGSpeculativeJIT.cpp:
3346         (JSC::DFG::SpeculativeJIT::compileMathIC):
3347         * jit/JITAddGenerator.h:
3348         (JSC::JITAddGenerator::JITAddGenerator):
3349         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3350         (JSC::JITAddGenerator::isRightOperandValidConstant):
3351         * jit/JITArithmetic.cpp:
3352         (JSC::JIT::emitMathICFast):
3353         * jit/JITMathIC.h:
3354         * jit/JITMulGenerator.h:
3355         (JSC::JITMulGenerator::JITMulGenerator):
3356         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3357         (JSC::JITMulGenerator::isRightOperandValidConstant):
3358         * jit/JITSubGenerator.h:
3359         (JSC::JITSubGenerator::isLeftOperandValidConstant):
3360         (JSC::JITSubGenerator::isRightOperandValidConstant):
3361
3362 2016-09-02  JF Bastien  <jfbastien@apple.com>
3363
3364         GetByValWithThis: fix opInfo in DFG creation
3365         https://bugs.webkit.org/show_bug.cgi?id=161541
3366
3367         Reviewed by Saam Barati.
3368
3369         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
3370
3371         * dfg/DFGByteCodeParser.cpp:
3372         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
3373
3374 2016-09-02  Chris Dumez  <cdumez@apple.com>
3375
3376         Object.preventExtensions() should throw cross-origin
3377         https://bugs.webkit.org/show_bug.cgi?id=161486
3378
3379         Reviewed by Geoffrey Garen.
3380
3381         Update JSProxy to forward preventExtensions() calls to its target.
3382
3383         * runtime/JSProxy.cpp:
3384         (JSC::JSProxy::preventExtensions):
3385         * runtime/JSProxy.h:
3386
3387 2016-09-02  Chris Dumez  <cdumez@apple.com>
3388
3389         Align proto getter / setter behavior with other browsers
3390         https://bugs.webkit.org/show_bug.cgi?id=161455
3391
3392         Reviewed by Mark Lam.
3393
3394         Drop allowsAccessFrom from the methodTable and delegate cross-origin
3395         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
3396         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
3397
3398         * jsc.cpp:
3399         * runtime/JSGlobalObject.cpp:
3400         * runtime/JSGlobalObject.h:
3401         * runtime/JSGlobalObjectFunctions.cpp:
3402         (JSC::globalFuncProtoGetter):
3403         (JSC::globalFuncProtoSetter):
3404         (JSC::globalFuncBuiltinLog): Deleted.
3405         * runtime/JSGlobalObjectFunctions.h:
3406         * runtime/JSObject.h:
3407         (JSC::JSObject::getArrayLength): Deleted.
3408         * runtime/JSProxy.cpp:
3409         (JSC::JSProxy::setPrototype):
3410         (JSC::JSProxy::getPrototype):
3411         * runtime/JSProxy.h:
3412         * runtime/ObjectConstructor.cpp:
3413         (JSC::objectConstructorGetPrototypeOf):
3414         (JSC::objectConstructorSetPrototypeOf):
3415         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
3416         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
3417         * runtime/ObjectConstructor.h:
3418         * runtime/ReflectObject.cpp:
3419         (JSC::reflectObjectGetPrototypeOf):
3420         (JSC::reflectObjectSetPrototypeOf):
3421
3422         * runtime/JSObject.cpp:
3423         (JSC::JSObject::setPrototypeWithCycleCheck):
3424         Comment out check added in r197648. This check was added to match
3425         the latest EcmaScript spec:
3426         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
3427         This check allowed for [[Prototype]] chain cycles if the prototype
3428         chain includes objects that do not use the ordinary object definitions
3429         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
3430         The issue is that the rest of our code base does not properly handle
3431         such cycles and we can end up in infinite loops. This became obvious
3432         because this patch updates Window / Location so that they no longer
3433         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
3434         comment out this check, I get an infinite loop in
3435         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
3436         called from JSObject::setPrototypeDirect(), when running the following
3437         layout test:
3438         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
3439         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
3440         issue.
3441
3442 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3443
3444         Add toJS for JSC::PrivateName
3445         https://bugs.webkit.org/show_bug.cgi?id=161522
3446
3447         Reviewed by Ryosuke Niwa.
3448
3449         Add the export annotation.
3450         And we perform refactoring RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
3451         since PrivateName never holds null SymbolImpl pointer. And along with this change,
3452         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
3453
3454         * runtime/Completion.cpp:
3455         (JSC::createSymbolForEntryPointModule):
3456         * runtime/IdentifierInlines.h:
3457         (JSC::Identifier::fromUid):
3458         * runtime/JSFunction.cpp:
3459         (JSC::JSFunction::setFunctionName):
3460         * runtime/PrivateName.h:
3461         (JSC::PrivateName::PrivateName):
3462         (JSC::PrivateName::uid): Ugly const_cast. But const annotation is meaningless for SymbolImpl.
3463         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
3464         But most of the users (One of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
3465         (JSC::PrivateName::operator==):
3466         (JSC::PrivateName::operator!=):
3467         * runtime/PropertyName.h:
3468         (JSC::PropertyName::PropertyName):
3469         * runtime/Symbol.cpp:
3470         (JSC::Symbol::finishCreation):
3471         * runtime/Symbol.h:
3472         * runtime/SymbolConstructor.cpp:
3473         (JSC::symbolConstructorKeyFor):
3474
3475 2016-09-01  Dan Bernstein  <mitz@apple.com>
3476
3477         Build fix.
3478
3479         * Configurations/FeatureDefines.xcconfig:
3480
3481 2016-09-01  JF Bastien  <jfbastien@apple.com>
3482
3483         jsc: fix cmake build missing symbol getPropertySlot
3484         https://bugs.webkit.org/show_bug.cgi?id=161521
3485
3486         Reviewed by Saam Barati.
3487
3488         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
3489         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
3490
3491 2016-09-01  JF Bastien  <jfbastien@apple.com>
3492
3493         jsc: provide printErr()
3494         https://bugs.webkit.org/show_bug.cgi?id=161513
3495
3496         Reviewed by Mark Lam.
3497
3498         * jsc.cpp:
3499         (GlobalObject::finishCreation):
3500         (printInternal): renamed from functionPrint, add error checking
3501         (functionPrintStdOut): punt to printInternal
3502         (functionPrintStdErr): punt to printInternal
3503         (functionPrint): Deleted.
3504
3505 2016-09-01  Mark Lam  <mark.lam@apple.com>
3506
3507         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
3508         https://bugs.webkit.org/show_bug.cgi?id=161499
3509
3510         Reviewed by Saam Barati.
3511
3512         This is just a refactoring patch to move some inline functions to their Inlines.h
3513         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
3514         later.
3515
3516         * bindings/ScriptValue.cpp:
3517         * interpreter/Interpreter.cpp:
3518         * runtime/IntlDateTimeFormatPrototype.cpp:
3519         * runtime/IntlNumberFormatPrototype.cpp:
3520         * runtime/JSArray.cpp:
3521         * runtime/JSArray.h:
3522         (JSC::getLength): Deleted.
3523         (JSC::toLength): Deleted.
3524         * runtime/JSArrayInlines.h:
3525         (JSC::JSArray::mergeIndexingTypeForCopying):
3526         (JSC::JSArray::canFastCopy):
3527         (JSC::getLength):
3528         (JSC::toLength):
3529         * runtime/JSInternalPromise.cpp:
3530         * runtime/JSInternalPromiseDeferred.cpp:
3531         * runtime/JSJob.cpp:
3532         * runtime/JSModuleRecord.cpp:
3533         * runtime/JSObject.h:
3534         (JSC::JSObject::getPropertySlot): Deleted.
3535         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
3536         * runtime/JSObjectInlines.h:
3537         (JSC::JSObject::getPropertySlot):
3538         (JSC::JSObject::getNonIndexPropertySlot):
3539         * runtime/JSPromiseDeferred.cpp:
3540         * runtime/JSTypedArrayViewPrototype.cpp:
3541         * runtime/MapConstructor.cpp:
3542         * runtime/SamplingProfiler.cpp:
3543         * runtime/SetConstructor.cpp:
3544         * runtime/WeakMapConstructor.cpp:
3545         * runtime/WeakSetConstructor.cpp:
3546
3547 2016-09-01  JF Bastien  <jfbastien@apple.com>
3548
3549         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
3550         https://bugs.webkit.org/show_bug.cgi?id=160922
3551
3552         Reviewed by Keith Miller.
3553
3554         Add value profiling to GetBy{Id,Val}WithThis.
3555
3556         * bytecode/BytecodeList.json:
3557         * bytecode/CodeBlock.cpp:
3558         (JSC::CodeBlock::dumpBytecode):
3559         (JSC::CodeBlock::finishCreation):
3560         * bytecompiler/BytecodeGenerator.cpp:
3561         (JSC::BytecodeGenerator::emitGetById):
3562         (JSC::BytecodeGenerator::emitGetByVal):
3563         * dfg/DFGByteCodeParser.cpp:
3564         (JSC::DFG::ByteCodeParser::parseBlock):
3565         * dfg/DFGNode.h:
3566         (JSC::DFG::Node::hasHeapPrediction):
3567         * dfg/DFGPredictionPropagationPhase.cpp:
3568         * llint/LowLevelInterpreter.asm:
3569         * runtime/CommonSlowPaths.cpp:
3570         (JSC::SLOW_PATH_DECL):
3571
3572 2016-09-01  Keith Miller  <keith_miller@apple.com>
3573
3574         WASM functions should be able to use arguments
3575         https://bugs.webkit.org/show_bug.cgi?id=161471
3576
3577         Reviewed by Benjamin Poulain.
3578
3579         This patch does a couple of changes:
3580
3581         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additonally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
3582
3583         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0. Since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
3584
3585         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
3586
3587         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
3588         (JSC::B3::jscCallingConvention):
3589         * B3CallingConventions.h: Added.
3590         (JSC::B3::CallingConvention::CallingConvention):
3591         (JSC::B3::CallingConvention::iterate):
3592         (JSC::B3::nextJSCOffset):
3593         * JavaScriptCore.xcodeproj/project.pbxproj:
3594         * interpreter/ProtoCallFrame.h:
3595         * llint/LLIntThunks.cpp:
3596         (JSC::vmEntryToWASM):
3597         * llint/LLIntThunks.h:
3598         * testWASM.cpp:
3599         (invoke):
3600         (box):
3601         (runWASMTests):
3602         * wasm/WASMB3IRGenerator.cpp:
3603         (JSC::WASM::B3IRGenerator::addLocal):
3604         (JSC::WASM::B3IRGenerator::addArguments):
3605         (JSC::WASM::B3IRGenerator::getLocal):
3606         * wasm/WASMFormat.h:
3607         * wasm/WASMFunctionParser.h:
3608         (JSC::WASM::FunctionParser<Context>::FunctionParser):
3609         (JSC::WASM::FunctionParser<Context>::parseExpression):
3610         * wasm/WASMModuleParser.cpp:
3611         (JSC::WASM::ModuleParser::parseFunctionTypes):
3612         (JSC::WASM::ModuleParser::parseFunctionSignatures):
3613         * wasm/WASMModuleParser.h:
3614         * wasm/WASMOps.h:
3615
3616 2016-09-01  Keith Miller  <keith_miller@apple.com>
3617
3618         Rename WASM classes dropping the WASM prefix
3619         https://bugs.webkit.org/show_bug.cgi?id=161500
3620
3621         Reviewed by Mark Lam.
3622
3623         Having to write WASM::WASMModule seems silly. Also, this patch
3624         merges WASMFunctionReturnType and WASMValueType into one type
3625         that is a typedef of B3::Type. Using B3::Type as the WASM
3626         primitive type makes it trivial to convert a Vector of WASM
3627         types into a Vector of B3 types.
3628
3629         * b3/B3Type.h:
3630         * wasm/JSWASMModule.h:
3631         (JSC::JSWASMModule::signatures):
3632         (JSC::JSWASMModule::functionImports):
3633         (JSC::JSWASMModule::functionImportSignatures):
3634         (JSC::JSWASMModule::globalVariableTypes):
3635         (JSC::JSWASMModule::functionDeclarations):
3636         (JSC::JSWASMModule::functionPointerTables):
3637         * wasm/WASMB3IRGenerator.cpp:
3638         (JSC::WASM::toB3Op):
3639         (JSC::WASM::B3IRGenerator::addLocal):
3640         (JSC::WASM::B3IRGenerator::unaryOp):
3641         (JSC::WASM::B3IRGenerator::binaryOp):
3642         (JSC::WASM::B3IRGenerator::addConstant):
3643         (JSC::WASM::parseAndCompile):
3644         * wasm/WASMB3IRGenerator.h:
3645         * wasm/WASMFormat.h:
3646         * wasm/WASMFunctionParser.h:
3647         (JSC::WASM::FunctionParser<Context>::FunctionParser):
3648         (JSC::WASM::FunctionParser<Context>::parse):
3649         (JSC::WASM::FunctionParser<Context>::parseBlock):
3650         (JSC::WASM::FunctionParser<Context>::parseExpression):
3651         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
3652         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
3653         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
3654         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
3655         * wasm/WASMModuleParser.cpp:
3656         (JSC::WASM::ModuleParser::parse):
3657         (JSC::WASM::ModuleParser::parseFunctionTypes):
3658         (JSC::WASM::ModuleParser::parseFunctionSignatures):
3659         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
3660         (JSC::WASM::WASMModuleParser::parse): Deleted.
3661         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
3662         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
3663         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
3664         * wasm/WASMModuleParser.h:
3665         (JSC::WASM::ModuleParser::ModuleParser):
3666         (JSC::WASM::ModuleParser::functionInformation):
3667         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
3668         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
3669         * wasm/WASMOps.h:
3670         * wasm/WASMParser.h:
3671         (JSC::WASM::Parser::Parser):
3672         (JSC::WASM::Parser::consumeCharacter):
3673         (JSC::WASM::Parser::consumeString):
3674         (JSC::WASM::Parser::parseUInt32):
3675         (JSC::WASM::Parser::parseUInt7):
3676         (JSC::WASM::Parser::parseVarUInt1):
3677         (JSC::WASM::Parser::parseValueType):
3678         (JSC::WASM::WASMParser::WASMParser): Deleted.
3679         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
3680         (JSC::WASM::WASMParser::consumeString): Deleted.
3681         (JSC::WASM::WASMParser::parseUInt32): Deleted.
3682         (JSC::WASM::WASMParser::parseUInt7): Deleted.
3683         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
3684         (JSC::WASM::WASMParser::parseValueType): Deleted.
3685         * wasm/WASMPlan.cpp:
3686         (JSC::WASM::Plan::Plan):
3687         * wasm/WASMSections.cpp:
3688         (JSC::WASM::Sections::lookup):
3689         (JSC::WASM::WASMSections::lookup): Deleted.
3690         * wasm/WASMSections.h:
3691         (JSC::WASM::Sections::validateOrder):
3692         (JSC::WASM::WASMSections::validateOrder): Deleted.
3693
3694 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
3695
3696         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
3697         https://bugs.webkit.org/show_bug.cgi?id=161492
3698
3699         Reviewed by Mark Lam.
3700         
3701         If you materialize a sunken object that is referenced from another sunken object, then you
3702         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
3703         object rather than to the old sunken one.
3704         
3705         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
3706         did it when the PromotedLocationDescriptor for the field used for referring to the other
3707         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
3708         I can sort of imagine why we thought that would be right - neededForMaterialization() means
3709         it's a special meta-data field initialized on construction. But just because it's immutable
3710         and special doesn't mean that materialization can't change its physical representation.
3711         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
3712         regress anything.
3713
3714         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3715
3716 2016-09-01  Chris Dumez  <cdumez@apple.com>
3717
3718         Unreviewed, rolling out r205297.
3719
3720         Caused some JSC test failures
3721
3722         Reverted changeset:
3723
3724         "Align cross-origin proto getter / setter behavior with the
3725         specification"
3726         https://bugs.webkit.org/show_bug.cgi?id=161455
3727         http://trac.webkit.org/changeset/205297
3728
3729 2016-09-01  Chris Dumez  <cdumez@apple.com>
3730
3731         Align cross-origin proto getter / setter behavior with the specification
3732         https://bugs.webkit.org/show_bug.cgi?id=161455
3733
3734         Reviewed by Mark Lam.
3735
3736         Align cross-origin proto getter / setter behavior with the specification:
3737
3738         The setter should throw a TypeError:
3739         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
3740         - https://html.spec.whatwg.org/#location-setprototypeof
3741         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
3742
3743         The getter should return null:
3744         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
3745         - https://html.spec.whatwg.org/#location-getprototypeof
3746
3747         I have verified that this aligns our behavior with Firefox and Chrome.
3748
3749         * runtime/JSGlobalObjectFunctions.cpp:
3750         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3751         (JSC::globalFuncProtoSetter):
3752
3753 2016-09-01  Csaba Osztrogon√°c  <ossy@webkit.org>
3754
3755         Unreviewed ARM buildfix after r205283.
3756
3757         * assembler/ARMAssembler.h:
3758         (JSC::ARMAssembler::patchableJumpSize):
3759         * assembler/MacroAssemblerARM.h:
3760         (JSC::MacroAssemblerARM::patchableJumpSize):
3761
3762 2016-09-01  Saam Barati  <sbarati@apple.com>
3763
3764         JITMathIC was misusing maxJumpReplacementSize
3765         https://bugs.webkit.org/show_bug.cgi?id=161356
3766         <rdar://problem/28065560>
3767
3768         Reviewed by Benjamin Poulain.
3769
3770         JITMathIC was assuming that maxJumpReplacementSize is the size
3771         you'd get if you emitted a patchableJump() using the macro assembler.
3772         This is not true, however. It happens to be true on arm64, x86 and x86-64,
3773         however, it is not true on armv7. This patch introduces an alternative to
3774         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
3775         to use that number instead.
3776
3777         * assembler/ARM64Assembler.h:
3778         (JSC::ARM64Assembler::patchableJumpSize):
3779         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
3780         * assembler/ARMv7Assembler.h:
3781         (JSC::ARMv7Assembler::patchableJumpSize):
3782         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
3783         * assembler/MacroAssemblerARM64.h:
3784         (JSC::MacroAssemblerARM64::patchableJumpSize):
3785         * assembler/MacroAssemblerARMv7.h:
3786         (JSC::MacroAssemblerARMv7::patchableJumpSize):
3787         * assembler/MacroAssemblerX86Common.h:
3788         (JSC::MacroAssemblerX86Common::patchableJumpSize):
3789         * assembler/X86Assembler.h:
3790         (JSC::X86Assembler::patchableJumpSize):
3791         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
3792         * jit/JITMathIC.h:
3793         (JSC::JITMathIC::generateInline):
3794
3795 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3796
3797         [JSC] Add initiator parameter to module pipeline
3798         https://bugs.webkit.org/show_bug.cgi?id=161470
3799
3800         Reviewed by Saam Barati.
3801
3802         The fetching semantics of the <script type="module"> tag has per module-tag context.
3803         For example, "nonce", "crossorigin" etc. attributes are shared in the fetching requests
3804         issued from the module-tag. To transfer this information, we add a new parameter "initiator"
3805         to the module loader pipeline. We are planning to transfer information by this parameter.
3806
3807         At the same time, we also perform some clean up.
3808
3809         - Use arrow function in ModuleLoaderPrototype.js.
3810         - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.
3811
3812         * builtins/ModuleLoaderPrototype.js:
3813         (newRegistryEntry):
3814         (commitInstantiated):
3815         (requestFetch):
3816         (requestTranslate):
3817         (requestInstantiate):
3818         (requestSatisfy):
3819         (requestInstantiateAll):
3820         (requestLink):
3821         (moduleEvaluation):
3822         (provide):
3823         (loadAndEvaluateModule):
3824         (requestResolveDependencies.): Deleted.
3825         (requestResolveDependencies): Deleted.
3826         (requestReady): Deleted.
3827         (link): Deleted.
3828         (loadModule): Deleted.
3829         (linkAndEvaluateModule): Deleted.
3830         * bytecode/BytecodeIntrinsicRegistry.cpp:
3831         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3832         * bytecode/BytecodeIntrinsicRegistry.h:
3833         * jsc.cpp:
3834         (GlobalObject::moduleLoaderResolve):
3835         (GlobalObject::moduleLoaderFetch):
3836         * runtime/Completion.cpp:
3837         (JSC::loadAndEvaluateModule):
3838         (JSC::loadModule):
3839         (JSC::linkAndEvaluateModule):
3840         * runtime/Completion.h:
3841         * runtime/JSGlobalObject.h:
3842         * runtime/JSModuleLoader.cpp:
3843         (JSC::JSModuleLoader::loadAndEvaluateModule):
3844         (JSC::JSModuleLoader::loadModule):
3845         (JSC::JSModuleLoader::linkAndEvaluateModule):
3846         (JSC::JSModuleLoader::resolve):
3847         (JSC::JSModuleLoader::fetch):
3848         (JSC::JSModuleLoader::translate):
3849         (JSC::JSModuleLoader::instantiate):
3850         (JSC::JSModuleLoader::evaluate):
3851         * runtime/JSModuleLoader.h:
3852         * runtime/ModuleLoaderPrototype.cpp:
3853         (JSC::moduleLoaderPrototypeResolve):
3854         (JSC::moduleLoaderPrototypeFetch):