Remove Heap::setMarked()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
2
3         Remove Heap::setMarked()
4
5         Rubber stamped by Keith Miller.
6         
7         Nobody uses this function.
8
9         * heap/Heap.h:
10         * heap/HeapInlines.h:
11         (JSC::Heap::setMarked): Deleted.
12         * heap/LargeAllocation.h:
13         (JSC::LargeAllocation::testAndSetMarked):
14         (JSC::LargeAllocation::setMarked): Deleted.
15         * heap/MarkedBlock.h:
16
17 2016-09-14  Mark Lam  <mark.lam@apple.com>
18
19         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
20         https://bugs.webkit.org/show_bug.cgi?id=161975
21
22         Reviewed by Keith Miller.
23
24         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
25         incremental work towards enabling checks all the time.
26
27         * runtime/Options.h:
28         * runtime/VM.cpp:
29         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
30         * runtime/VM.h:
31
32 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
33
34         TaggedTemplateString function calls should emit tail position calls
35         https://bugs.webkit.org/show_bug.cgi?id=161948
36
37         Reviewed by Yusuke Suzuki.
38
39         * bytecompiler/NodesCodegen.cpp:
40         (JSC::TaggedTemplateNode::emitBytecode):
41         The tagged template string function call can be a tail call:
42         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
43
44 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
45
46         test262: Array.prototype.slice should always set length
47         https://bugs.webkit.org/show_bug.cgi?id=161953
48
49         Reviewed by Mark Lam.
50
51         * runtime/ArrayPrototype.cpp:
52         (JSC::arrayProtoFuncSplice):
53
54 2016-09-13  Michael Saboff  <msaboff@apple.com>
55
56         Promises aren't resolved properly when making a ObjC API callback
57         https://bugs.webkit.org/show_bug.cgi?id=161929
58
59         Reviewed by Geoffrey Garen.
60
61         When we go to call out to an Objective C function registered via the API,
62         we first drop all JSC locks to make the call.  As part of dropping the locks,
63         we drain the microtask queue that is used among other things for handling deferred
64         promise resolution.  The DropAllLocks scope class that drops the locks while in
65         scope, resets the current thread's AtomicStringTable to the default table.  This
66         is wrong for two reasons, first it happens before we drain the microtask queue and
67         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
68         AtomicStringTable to the table before the lock was acquired.
69
70         In fact, the manipulation of the current thread's AtomicStringTable is already 
71         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
72         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
73         and destructor should be removed.
74
75         * API/tests/testapi.mm:
76         (testObjectiveCAPIMain): Added a new test.
77         * runtime/JSLock.cpp:
78         (JSC::JSLock::DropAllLocks::DropAllLocks):
79         (JSC::JSLock::DropAllLocks::~DropAllLocks):
80
81 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
82
83         Remove Heap::isLive()
84         https://bugs.webkit.org/show_bug.cgi?id=161933
85
86         Reviewed by Mark Lam.
87         
88         Before I put any more effort into maintaining this weird function, I decided to check how it
89         was used. It turns out it's not.
90
91         * heap/Heap.h:
92         * heap/HeapInlines.h:
93         (JSC::Heap::isLive): Deleted.
94
95 2016-09-13  Mark Lam  <mark.lam@apple.com>
96
97         DFG NewArrayBuffer node should watch for "have a bad time" state change.
98         https://bugs.webkit.org/show_bug.cgi?id=161927
99         <rdar://problem/27995222>
100
101         Reviewed by Geoffrey Garen.
102
103         * dfg/DFGFixupPhase.cpp:
104         (JSC::DFG::FixupPhase::fixupNode):
105
106 2016-09-13  JF Bastien  <jfbastien@apple.com>
107
108         Support jsc shell builtin `read`
109         https://bugs.webkit.org/show_bug.cgi?id=161662
110
111         Reviewed by Keith Miller.
112
113         The jsc shell currently supports a `readFile` method which returns
114         a string. SpiderMonkey's js shell and V8's d8 shell both support
115         similar file-to-string functions, as well as a
116         binary-file-to-Uint8Array function. jsc should support a similar
117         binary file method to simplify testing, including testing of
118         WebAssembly blobs.
119
120         Emscripten's shell.js (which is also used for some WebAssembly
121         things) has a polyfill [1] for a builtin called `read`. jsc should
122         therefore have a builtin with the same name if we want things to
123         "Just Work".
124
125           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
126
127         * jsc.cpp:
128         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
129         (functionReadFile): support binary files, as per SpiderMonkey.
130         * runtime/Error.h:
131         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
132         * runtime/JSTypedArrays.cpp:
133         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
134         * runtime/JSTypedArrays.h: expose private export.
135
136 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
137
138         ES6: Classes: Should be allowed to create a static method with name "arguments"
139         https://bugs.webkit.org/show_bug.cgi?id=152985
140
141         Reviewed by Keith Miller.
142
143         Current patch covered 16.2 Forbidden Extensions - first topic 
144         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
145         should not have own properties named "caller" or "arguments".
146         Also added possibility to declare static methods and getters with 
147         name 'arguments' and 'caller' for classes. i.e.:
148         class A { static arguments() { return 'value'; } }
149         A.arguments() === 'value';
150         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
151         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
152         property from Lazy to common because it necessary to use execState during init of the accessors 
153         properties.
154
155         * runtime/Executable.h:
156         * runtime/FunctionPrototype.cpp:
157         (JSC::FunctionPrototype::initRestrictedProperties):
158         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
159         * runtime/FunctionPrototype.h:
160         * runtime/JSFunction.cpp:
161         (JSC::JSFunction::getOwnPropertySlot):
162         (JSC::JSFunction::getOwnNonIndexPropertyNames):
163         (JSC::JSFunction::put):
164         (JSC::JSFunction::deleteProperty):
165         (JSC::JSFunction::defineOwnProperty):
166         * runtime/JSGlobalObject.cpp:
167         (JSC::JSGlobalObject::init):
168         (JSC::JSGlobalObject::visitChildren):
169         * runtime/JSGlobalObject.h:
170         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
171
172 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
173
174         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
175         https://bugs.webkit.org/show_bug.cgi?id=161869
176
177         Reviewed by Saam Barati.
178         
179         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
180         empty" hook, which will set a bit in the markingNotEmpty bitvector.
181         
182         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
183         If anyone else does it but they aren't marking new objects, then this prevents
184         flipIfNecessary() from triggering when the first object is marked, which means we won't
185         always detect when a block became non-empty.
186         
187         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
188         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
189         knows that it can trigger something like noteMarked(). The only places that were using
190         flipIfNecessary() should have been using needsFlip() anyway.
191
192         * heap/CellContainer.h:
193         * heap/CellContainerInlines.h:
194         (JSC::CellContainer::needsFlip):
195         * heap/Heap.cpp:
196         (JSC::Heap::markRoots):
197         (JSC::Heap::beginMarking):
198         (JSC::Heap::endMarking):
199         (JSC::Heap::clearLivenessData): Deleted.
200         (JSC::Heap::converge): Deleted.
201         (JSC::Heap::resetVisitors): Deleted.
202         * heap/Heap.h:
203         * heap/HeapInlines.h:
204         (JSC::Heap::testAndSetMarked):
205         * heap/LargeAllocation.h:
206         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
207         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
208         * heap/MarkedBlock.cpp:
209         (JSC::MarkedBlock::flipIfNecessarySlow):
210         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
211         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
212         * heap/MarkedBlock.h:
213         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
214         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
215         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
216         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
217         * heap/MarkedSpace.h:
218         (JSC::MarkedSpace::isMarking):
219         (JSC::MarkedSpace::setIsMarking):
220         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
221         * heap/SlotVisitor.cpp:
222         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
223         * heap/WeakBlock.cpp:
224         (JSC::WeakBlock::visit):
225
226 2016-09-12  Saam Barati  <sbarati@apple.com>
227
228         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
229         https://bugs.webkit.org/show_bug.cgi?id=161640
230
231         Reviewed by Geoffrey Garen.
232
233         HashMapImpl now takes into account m_deleteCount in its load factor.
234         It now knows how to rehash to either decrease its capacity, stay at
235         the same capacity, or increase its capacity. The reason we can sometimes
236         stay at the same capacity is that we can reduce the load factor enough
237         by rehashing that growing isn't warranted. The reason for this is that
238         anytime we rehash, we remove all deleted sentinels from the buffer.
239         Therefore, staying at the same same capacity, when there are deleted entries,
240         can still reduce the load factor because it removes all deleted sentinels.
241
242         * runtime/HashMapImpl.h:
243         (JSC::HashMapBuffer::create):
244         (JSC::HashMapBuffer::reset):
245         (JSC::HashMapImpl::HashMapImpl):
246         (JSC::HashMapImpl::add):
247         (JSC::HashMapImpl::remove):
248         (JSC::HashMapImpl::size):
249         (JSC::HashMapImpl::clear):
250         (JSC::HashMapImpl::approximateSize):
251         (JSC::HashMapImpl::shouldRehashAfterAdd):
252         (JSC::HashMapImpl::shouldShrink):
253         (JSC::HashMapImpl::rehash):
254         (JSC::HashMapImpl::checkConsistency):
255         (JSC::HashMapImpl::makeAndSetNewBuffer):
256         (JSC::HashMapImpl::assertBufferIsEmpty):
257
258 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
259
260         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
261         https://bugs.webkit.org/show_bug.cgi?id=161671
262
263         Reviewed by Geoffrey Garen.
264
265         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
266         it gets a butterfly with its length.
267         When we were querying that length, we were generating a generic GetById with inline cache.
268
269         This patch adds the missing bits to treat Undecided like the other types with storage.
270
271         * dfg/DFGArrayMode.cpp:
272         (JSC::DFG::canBecomeGetArrayLength):
273         (JSC::DFG::ArrayMode::refine):
274         * dfg/DFGArrayMode.h:
275         (JSC::DFG::ArrayMode::usesButterfly):
276         (JSC::DFG::ArrayMode::lengthNeedsStorage):
277         * dfg/DFGClobberize.h:
278         (JSC::DFG::clobberize):
279         * dfg/DFGFixupPhase.cpp:
280         (JSC::DFG::FixupPhase::checkArray):
281         * dfg/DFGSpeculativeJIT.cpp:
282         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
283         * ftl/FTLCapabilities.cpp:
284         (JSC::FTL::canCompile):
285         * ftl/FTLLowerDFGToB3.cpp:
286         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
287
288 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
289
290         [DFG][FTL] Add ArithTan
291         https://bugs.webkit.org/show_bug.cgi?id=161857
292
293         Reviewed by Filip Pizlo.
294
295         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
296         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
297
298         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
299         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
300         The microbenchmark shows the 9% perf improvement.
301
302             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
303
304         * dfg/DFGAbstractInterpreterInlines.h:
305         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
306         * dfg/DFGByteCodeParser.cpp:
307         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
308         * dfg/DFGClobberize.h:
309         (JSC::DFG::clobberize):
310         * dfg/DFGDoesGC.cpp:
311         (JSC::DFG::doesGC):
312         * dfg/DFGFixupPhase.cpp:
313         (JSC::DFG::FixupPhase::fixupNode):
314         * dfg/DFGNodeType.h:
315         * dfg/DFGOperations.cpp:
316         * dfg/DFGOperations.h:
317         * dfg/DFGPredictionPropagationPhase.cpp:
318         * dfg/DFGSafeToExecute.h:
319         (JSC::DFG::safeToExecute):
320         * dfg/DFGSpeculativeJIT.cpp:
321         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
322         (JSC::DFG::SpeculativeJIT::compileArithCos):
323         (JSC::DFG::SpeculativeJIT::compileArithTan):
324         (JSC::DFG::SpeculativeJIT::compileArithSin):
325         (JSC::DFG::SpeculativeJIT::compileArithLog):
326         * dfg/DFGSpeculativeJIT.h:
327         * dfg/DFGSpeculativeJIT32_64.cpp:
328         (JSC::DFG::SpeculativeJIT::compile):
329         * dfg/DFGSpeculativeJIT64.cpp:
330         (JSC::DFG::SpeculativeJIT::compile):
331         * ftl/FTLCapabilities.cpp:
332         (JSC::FTL::canCompile):
333         * ftl/FTLLowerDFGToB3.cpp:
334         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
335         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
336         * ftl/FTLOutput.cpp:
337         (JSC::FTL::Output::doubleTan):
338         * ftl/FTLOutput.h:
339         * runtime/Intrinsic.h:
340         * runtime/MathObject.cpp:
341         (JSC::MathObject::finishCreation):
342
343 2016-09-12  Saam Barati  <sbarati@apple.com>
344
345         MapHash should do constant folding when it has a constant argument and its legal to hash that value
346         https://bugs.webkit.org/show_bug.cgi?id=161639
347
348         Reviewed by Filip Pizlo.
349
350         We now constant fold the MapHash node. We're careful to not resolve
351         ropes from the compiler thread, and to only hash strings if they're
352         not too large. The microbenchmark I added runs about 12% faster with
353         this patch.
354
355         * dfg/DFGAbstractInterpreterInlines.h:
356         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
357         * runtime/HashMapImpl.h:
358         (JSC::wangsInt64Hash):
359         (JSC::jsMapHash):
360         (JSC::concurrentJSMapHash):
361
362 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
363
364         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
365         https://bugs.webkit.org/show_bug.cgi?id=161849
366
367         Reviewed by Saam Barati.
368         
369         This is a fairly obvious change. This turns a loop that would query each bit individually
370         into a loop that will process a word at a time. I would expect a very tiny progression in
371         DFG compile times.
372         
373         This also gave me an opportunity to test and fix the new FastBitVector functionality.
374
375         * dfg/DFGForAllKills.h:
376         (JSC::DFG::forAllKilledOperands):
377
378 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
379
380         FastBitVector should have efficient and easy-to-use vector-vector operations
381         https://bugs.webkit.org/show_bug.cgi?id=161847
382
383         Reviewed by Saam Barati.
384         
385         Adapt existing users of FastBitVector to the new API.
386
387         * bytecode/BytecodeLivenessAnalysis.cpp:
388         (JSC::BytecodeLivenessAnalysis::computeKills):
389         (JSC::BytecodeLivenessAnalysis::dumpResults):
390         * bytecode/BytecodeLivenessAnalysisInlines.h:
391         (JSC::operandThatIsNotAlwaysLiveIsLive):
392         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
393         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
394         * bytecode/CodeBlock.cpp:
395         (JSC::CodeBlock::validate):
396         * dfg/DFGByteCodeParser.cpp:
397         (JSC::DFG::ByteCodeParser::flushForTerminal):
398         * dfg/DFGForAllKills.h:
399         (JSC::DFG::forAllKilledOperands):
400         * dfg/DFGGraph.h:
401         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
402         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
403         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
404         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
405         * dfg/DFGNaturalLoops.cpp:
406         (JSC::DFG::NaturalLoops::NaturalLoops):
407         * dfg/DFGPlan.cpp:
408         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
409
410 2016-09-10  Chris Dumez  <cdumez@apple.com>
411
412         parseHTMLInteger() should take a StringView in parameter
413         https://bugs.webkit.org/show_bug.cgi?id=161669
414
415         Reviewed by Ryosuke Niwa.
416
417         * runtime/DateConversion.cpp:
418         (JSC::formatDateTime):
419         Explicitly construct a String from the const WCHAR* on Windows because
420         it is ambiguous otherwise now that there is a StringBuilder::append()
421         overload taking an AtomicString in.
422
423 2016-09-08  Keith Miller  <keith_miller@apple.com>
424
425         WASM should support if-then-else
426         https://bugs.webkit.org/show_bug.cgi?id=161778
427
428         Reviewed by Michael Saboff.
429
430         This patch makes some major changes to the way that the WASM
431         function parser works. First, the control stack has been moved
432         from the parser's context to the parser itself. This simplifies
433         the way that the parser works and allows us to make the decoder
434         iterative rather than recursive. Since the control stack has been
435         moved to the parser, any context operation that refers to some
436         block now receives that block by reference.
437
438         For any if block, regardless of whether or not it is an
439         if-then-else or not, we will allocate both the entire control flow
440         diamond. This is not a major issue in the if-then case since B3
441         will immediately cleanup these blocks. In order to support if-then
442         and if-then-else we needed to be able to distinguish what the type
443         of the top block on the control stack is. This will be necessary
444         when validating the else opcode in the future. In the B3 IR
445         generator we decide to the type of the block strictly by the
446         shape.
447
448         Currently, if blocks don't handle passed and returned stack values
449         correctly. I plan to fix this when I add support for the block
450         signatures. See: https://github.com/WebAssembly/design/pull/765
451
452         * testWASM.cpp:
453         (runWASMTests):
454         * wasm/WASMB3IRGenerator.cpp:
455         (dumpProcedure):
456         (JSC::WASM::parseAndCompile):
457         * wasm/WASMB3IRGenerator.h:
458         * wasm/WASMFunctionParser.h:
459         (JSC::WASM::FunctionParser<Context>::parseBlock):
460         (JSC::WASM::FunctionParser<Context>::parseExpression):
461         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
462         * wasm/WASMOps.h:
463
464 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
465
466         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
467         https://bugs.webkit.org/show_bug.cgi?id=161801
468
469         Reviewed by Keith Miller.
470         
471         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
472         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
473         that is to call initializeMainThread().
474
475         * jsc.cpp:
476         (jscmain):
477
478 2016-09-09  Saam Barati  <sbarati@apple.com>
479
480         Make hasOwnProperty ALWAYS_INLINE
481         https://bugs.webkit.org/show_bug.cgi?id=161775
482
483         Reviewed by Ryosuke Niwa.
484
485         Speedometer spends around 2.5% of its time in hasOwnProperty.
486         Let's reduce the overhead of calling that function by marking
487         it as inline. Also, it's likely that the function will call into
488         JSObject::getOwnPropertySlot. I added a check to see if that's
489         the function we're calling, if it is, we do a direct call instead
490         of an indirect call.
491
492         * runtime/JSObject.cpp:
493         (JSC::JSObject::hasOwnProperty): Deleted.
494         * runtime/JSObjectInlines.h:
495         (JSC::JSObject::hasOwnProperty):
496
497 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
498
499         HashMapImpl needs to m_buffer.clear() in its constructor
500         https://bugs.webkit.org/show_bug.cgi?id=161796
501
502         Reviewed by Keith Miller.
503         
504         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
505         itself. That seemed like a good idea because maybe sometimes the user knows better how to
506         initialize it. But, it's not worth it if it's a constant source of bugs.
507         
508         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
509         m_value.
510
511         * runtime/AuxiliaryBarrier.h:
512         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
513         * runtime/DirectArguments.cpp:
514         (JSC::DirectArguments::DirectArguments):
515
516 2016-09-09  Youenn Fablet  <youenn@apple.com>
517
518         ASSERTION FAILED: promise.inherits(JSPromise::info())
519         https://bugs.webkit.org/show_bug.cgi?id=161632
520         <rdar://problem/28184743>
521
522         Reviewed by Mark Lam.
523
524         * runtime/JSPromiseDeferred.cpp:
525         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
526
527 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
528
529         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
530         https://bugs.webkit.org/show_bug.cgi?id=161760
531
532         Reviewed by Mark Lam.
533         
534         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
535         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
536         
537         This introduces three unnecessary overheads:
538         
539         - isLive() is not called by marking, so that change was not necessary.
540         
541         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
542           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
543           isMarked().
544         
545         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
546           return false if the flip is necessary.
547         
548         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
549         during marking.
550         
551         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
552         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
553         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
554         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
555         thing.
556
557         * bytecode/CodeBlock.cpp:
558         (JSC::CodeBlock::visitWeakly):
559         (JSC::CodeBlock::shouldJettisonDueToOldAge):
560         (JSC::shouldMarkTransition):
561         (JSC::CodeBlock::propagateTransitions):
562         (JSC::CodeBlock::determineLiveness):
563         * bytecode/PolymorphicAccess.cpp:
564         (JSC::AccessCase::propagateTransitions):
565         * heap/Heap.h:
566         * heap/HeapInlines.h:
567         (JSC::Heap::isLive):
568         (JSC::Heap::isMarked):
569         (JSC::Heap::isMarkedConcurrently):
570         * heap/MarkedBlock.cpp:
571         (JSC::MarkedBlock::flipIfNecessarySlow):
572         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
573         (JSC::MarkedBlock::needsFlip):
574         * heap/MarkedBlock.h:
575         (JSC::MarkedBlock::needsFlip):
576         (JSC::MarkedBlock::flipIfNecessary):
577         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
578         * heap/SlotVisitor.cpp:
579         (JSC::SlotVisitor::appendToMarkStack):
580         (JSC::SlotVisitor::markAuxiliary):
581         (JSC::SlotVisitor::visitChildren):
582         * runtime/Structure.cpp:
583         (JSC::Structure::isCheapDuringGC):
584         (JSC::Structure::markIfCheap):
585
586 2016-09-08  Saam Barati  <sbarati@apple.com>
587
588         We should inline operationConvertJSValueToBoolean into JIT code
589         https://bugs.webkit.org/show_bug.cgi?id=161729
590
591         Reviewed by Filip Pizlo.
592
593         This patch introduces an AssemblyHelpers emitter function
594         that replaces operationConvertJSValueToBoolean. This operation
595         was showing up when I was doing performance analysis for the
596         speedometer benchmark. I saw that it was spending about 1% of
597         its time in this function. Hopefully this patch can help us speedup
598         up speedometer by a little bit.
599
600         * dfg/DFGSpeculativeJIT32_64.cpp:
601         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
602         (JSC::DFG::SpeculativeJIT::emitBranch):
603         * dfg/DFGSpeculativeJIT64.cpp:
604         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
605         (JSC::DFG::SpeculativeJIT::emitBranch):
606         * jit/AssemblyHelpers.cpp:
607         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
608         * jit/AssemblyHelpers.h:
609         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
610         * jit/JIT.cpp:
611         (JSC::JIT::privateCompileSlowCases):
612         * jit/JIT.h:
613         * jit/JITOpcodes.cpp:
614         (JSC::JIT::emit_op_jfalse):
615         (JSC::JIT::emit_op_jtrue):
616         (JSC::JIT::emitSlow_op_jfalse): Deleted.
617         (JSC::JIT::emitSlow_op_jtrue): Deleted.
618         * jit/JITOpcodes32_64.cpp:
619         (JSC::JIT::emit_op_jfalse):
620         (JSC::JIT::emit_op_jtrue):
621         (JSC::JIT::emitSlow_op_jfalse): Deleted.
622         (JSC::JIT::emitSlow_op_jtrue): Deleted.
623         * jit/JITOperations.cpp:
624         * jit/JITOperations.h:
625
626 2016-09-08  Chris Dumez  <cdumez@apple.com>
627
628         Align proto getter / setter behavior with other browsers
629         https://bugs.webkit.org/show_bug.cgi?id=161455
630
631         Reviewed by Saam Barati.
632
633         Drop allowsAccessFrom from the methodTable and delegate cross-origin
634         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
635         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
636
637         * jsc.cpp:
638         * runtime/JSGlobalObject.cpp:
639         * runtime/JSGlobalObject.h:
640         * runtime/JSGlobalObjectFunctions.cpp:
641         (JSC::globalFuncProtoGetter):
642         (JSC::globalFuncProtoSetter):
643         (JSC::globalFuncBuiltinLog): Deleted.
644         * runtime/JSGlobalObjectFunctions.h:
645         * runtime/JSObject.cpp:
646         (JSC::JSObject::setPrototypeWithCycleCheck):
647         Remove check added in r197648. This check was added to match
648         the latest EcmaScript spec:
649         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
650         This check allowed for [[Prototype]] chain cycles if the prototype
651         chain includes objects that do not use the ordinary object definitions
652         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
653         The issue is that the rest of our code base does not properly handle
654         such cycles and we can end up in infinite loops. This became obvious
655         because this patch updates Window / Location so that they no longer
656         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
657         remove this check, I get an infinite loop in
658         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
659         called from JSObject::setPrototypeDirect(), when running the following
660         layout test:
661         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
662         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
663         issue.
664
665         * runtime/JSObject.h:
666         (JSC::JSObject::getArrayLength): Deleted.
667         * runtime/JSProxy.cpp:
668         (JSC::JSProxy::setPrototype):
669         (JSC::JSProxy::getPrototype):
670         * runtime/JSProxy.h:
671         * runtime/ObjectConstructor.cpp:
672         (JSC::objectConstructorGetPrototypeOf):
673         (JSC::objectConstructorSetPrototypeOf):
674         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
675         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
676         * runtime/ObjectConstructor.h:
677         * runtime/ReflectObject.cpp:
678         (JSC::reflectObjectGetPrototypeOf):
679         (JSC::reflectObjectSetPrototypeOf):
680
681 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
682
683         Remove CopiedSpace and use MarkedSpace instead
684         https://bugs.webkit.org/show_bug.cgi?id=159658
685
686         Reviewed by Keith Miller.
687         
688         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
689         is a simple change.
690         
691         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
692         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
693         
694         The rest of this patch is deleting CopiedSpace.
695
696         * API/JSObjectRef.cpp:
697         * CMakeLists.txt:
698         * JavaScriptCore.xcodeproj/project.pbxproj:
699         * dfg/DFGOperations.cpp:
700         * heap/ConservativeRoots.cpp:
701         (JSC::ConservativeRoots::genericAddPointer):
702         * heap/CopiedAllocator.h: Removed.
703         * heap/CopiedBlock.cpp: Removed.
704         * heap/CopiedBlock.h: Removed.
705         * heap/CopiedBlockInlines.h: Removed.
706         * heap/CopiedSpace.cpp: Removed.
707         * heap/CopiedSpace.h: Removed.
708         * heap/CopiedSpaceInlines.h: Removed.
709         * heap/CopyBarrier.h: Removed.
710         * heap/CopyToken.h: Removed.
711         * heap/CopyVisitor.cpp: Removed.
712         * heap/CopyVisitor.h: Removed.
713         * heap/CopyVisitorInlines.h: Removed.
714         * heap/CopyWorkList.h: Removed.
715         * heap/Heap.cpp:
716         (JSC::Heap::Heap):
717         (JSC::Heap::isPagedOut):
718         (JSC::Heap::updateObjectCounts):
719         (JSC::Heap::size):
720         (JSC::Heap::capacity):
721         (JSC::Heap::collectImpl):
722         (JSC::Heap::stopAllocation):
723         (JSC::Heap::updateAllocationLimits):
724         (JSC::Heap::copyBackingStores): Deleted.
725         (JSC::Heap::threadBytesCopied): Deleted.
726         * heap/Heap.h:
727         (JSC::Heap::objectSpace):
728         (JSC::Heap::allocatorForAuxiliaryData):
729         (JSC::Heap::storageSpace): Deleted.
730         (JSC::Heap::storageAllocator): Deleted.
731         * heap/HeapCellInlines.h:
732         * heap/HeapInlines.h:
733         (JSC::Heap::tryAllocateStorage): Deleted.
734         (JSC::Heap::tryReallocateStorage): Deleted.
735         * heap/HeapVerifier.cpp:
736         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
737         (JSC::HeapVerifier::reportObject):
738         (JSC::getButterflyDetails): Deleted.
739         * heap/SlotVisitor.cpp:
740         (JSC::SlotVisitor::copyLater): Deleted.
741         * heap/SlotVisitor.h:
742         * jit/AssemblyHelpers.h:
743         * jit/JITOpcodes.cpp:
744         * jsc.cpp:
745         * runtime/ArrayConstructor.cpp:
746         * runtime/ArrayPrototype.cpp:
747         * runtime/Butterfly.h:
748         * runtime/ButterflyInlines.h:
749         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
750         * runtime/ClassInfo.h:
751         * runtime/DirectArguments.cpp:
752         (JSC::DirectArguments::visitChildren):
753         (JSC::DirectArguments::overrideThings):
754         (JSC::DirectArguments::copyBackingStore): Deleted.
755         * runtime/DirectArguments.h:
756         * runtime/JSArray.cpp:
757         * runtime/JSCell.cpp:
758         (JSC::JSCell::copyBackingStore): Deleted.
759         * runtime/JSCell.h:
760         * runtime/JSLexicalEnvironment.h:
761         * runtime/JSObject.cpp:
762         * runtime/JSTypedArrays.cpp:
763         * runtime/LiteralParser.cpp:
764         * runtime/ObjectConstructor.cpp:
765         * runtime/RegExpObject.cpp:
766         * runtime/StringPrototype.cpp:
767         * runtime/WeakMapData.cpp:
768         * tools/JSDollarVMPrototype.cpp:
769         (JSC::JSDollarVMPrototype::isInStorageSpace):
770
771 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
772
773         Heap version should be 32-bit
774         https://bugs.webkit.org/show_bug.cgi?id=161751
775
776         Reviewed by Mark Lam.
777         
778         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
779         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
780         easy to handle.
781
782         * heap/CellContainer.h:
783         * heap/CellContainerInlines.h:
784         (JSC::CellContainer::flipIfNecessary):
785         * heap/ConservativeRoots.cpp:
786         (JSC::ConservativeRoots::genericAddPointer):
787         (JSC::ConservativeRoots::genericAddSpan):
788         * heap/ConservativeRoots.h:
789         * heap/Heap.h:
790         * heap/HeapInlines.h:
791         (JSC::Heap::testAndSetMarked):
792         * heap/HeapUtil.h:
793         (JSC::HeapUtil::findGCObjectPointersForMarking):
794         * heap/MarkedBlock.cpp:
795         (JSC::MarkedBlock::MarkedBlock):
796         * heap/MarkedBlock.h:
797         (JSC::MarkedBlock::flipIfNecessary):
798         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
799         (JSC::MarkedBlock::Handle::flipIfNecessary):
800         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
801         * heap/MarkedSpace.cpp:
802         (JSC::MarkedSpace::flip):
803         * heap/MarkedSpace.h:
804         (JSC::MarkedSpace::version):
805         * heap/SlotVisitor.cpp:
806         (JSC::SlotVisitor::SlotVisitor):
807         * heap/SlotVisitor.h:
808
809 2016-09-08  Mark Lam  <mark.lam@apple.com>
810
811         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
812         https://bugs.webkit.org/show_bug.cgi?id=161724
813
814         Reviewed by Filip Pizlo.
815
816         ARM architectures support ternary sub instructions.  We should make use of them
817         in emitAllocateWithNonNullAllocator().
818
819         * assembler/MacroAssemblerARM.h:
820         (JSC::MacroAssemblerARM::sub32):
821         * assembler/MacroAssemblerARM64.h:
822         (JSC::MacroAssemblerARM64::sub32):
823         * assembler/MacroAssemblerARMv7.h:
824         (JSC::MacroAssemblerARMv7::sub32):
825         * assembler/MacroAssemblerSH4.h:
826         (JSC::MacroAssemblerSH4::sub32):
827         * assembler/MacroAssemblerX86Common.h:
828         (JSC::MacroAssemblerX86Common::sub32):
829         * b3/air/AirOpcode.opcodes:
830         * b3/testb3.cpp:
831         (JSC::B3::testTernarySubInstructionSelection):
832         (JSC::B3::run):
833         * jit/AssemblyHelpers.h:
834         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
835
836 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
837
838         Move JSMap/JSSet over to Auxiliary MarkedSpace
839         https://bugs.webkit.org/show_bug.cgi?id=161744
840
841         Reviewed by Saam Barati.
842         
843         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
844         
845         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
846         speak of CopiedSpace.
847         
848         This is a purely mechanical change.
849
850         * JavaScriptCore.xcodeproj/project.pbxproj:
851         * heap/CopyToken.h:
852         * runtime/HashMapImpl.cpp:
853         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
854         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
855         * runtime/HashMapImpl.h:
856         (JSC::HashMapBuffer::create):
857         * runtime/JSMapIterator.cpp:
858         * runtime/JSMapIterator.h:
859         * runtime/JSSetIterator.cpp:
860         * runtime/JSSetIterator.h:
861         * runtime/MapBase.cpp:
862         * runtime/MapData.h: Removed.
863         * runtime/MapDataInlines.h: Removed.
864         * runtime/MapPrototype.cpp:
865         * runtime/SetConstructor.cpp:
866         * runtime/SetPrototype.cpp:
867         * runtime/VM.cpp:
868
869 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
870
871         Typed arrays should use MarkedSpace instead of CopiedSpace
872         https://bugs.webkit.org/show_bug.cgi?id=161100
873
874         Reviewed by Geoffrey Garen.
875         
876         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
877         
878         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
879         everything that typed arrays want.
880
881         * dfg/DFGOperations.cpp:
882         (JSC::DFG::newTypedArrayWithSize):
883         * dfg/DFGOperations.h:
884         (JSC::DFG::operationNewTypedArrayWithSizeForType):
885         * dfg/DFGSpeculativeJIT.cpp:
886         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
887         * dfg/DFGSpeculativeJIT.h:
888         (JSC::DFG::SpeculativeJIT::callOperation):
889         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
890         * ftl/FTLLowerDFGToB3.cpp:
891         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
892         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
893         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
894         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
895         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
896         * heap/CopyToken.h:
897         * heap/SlotVisitor.cpp:
898         (JSC::SlotVisitor::markAuxiliary):
899         * jit/JITOperations.h:
900         * runtime/JSArrayBufferView.cpp:
901         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
902         (JSC::JSArrayBufferView::JSArrayBufferView):
903         * runtime/JSArrayBufferView.h:
904         * runtime/JSGenericTypedArrayView.h:
905         * runtime/JSGenericTypedArrayViewInlines.h:
906         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
907         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
908         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
909         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
910
911 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
912
913         [Win64] Compile fixes.
914         https://bugs.webkit.org/show_bug.cgi?id=161682
915
916         Reviewed by Brent Fulgham.
917
918         * dfg/DFGSpeculativeJIT64.cpp:
919         (JSC::DFG::SpeculativeJIT::emitCall):
920         * jit/JITCall.cpp:
921         (JSC::JIT::compileOpCall):
922         * runtime/ArrayConventions.cpp:
923         (JSC::clearArrayMemset):
924
925 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
926
927         [Win] Exception fuzz tests fail
928         https://bugs.webkit.org/show_bug.cgi?id=140928
929
930         Reviewed by Mark Lam.
931
932         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
933         The tests depend on the output to stdout being written in the correct order.
934
935         * runtime/ExceptionFuzz.cpp:
936         (JSC::doExceptionFuzzing):
937
938 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
939
940         Enable the <meter> element on iOS
941         https://bugs.webkit.org/show_bug.cgi?id=161714
942         rdar://problem/8978410
943
944         Reviewed by Tim Horton.
945
946         Define ENABLE_METER_ELEMENT unconditionally now.
947
948         * Configurations/FeatureDefines.xcconfig:
949
950 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
951
952         Modernize Debugger to use nullptr
953         https://bugs.webkit.org/show_bug.cgi?id=161718
954
955         Reviewed by Mark Lam.
956
957         * debugger/Debugger.cpp:
958         (JSC::Debugger::Debugger):
959         (JSC::Debugger::~Debugger):
960         (JSC::Debugger::detach):
961         (JSC::Debugger::stepOutOfFunction):
962         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
963         * debugger/Debugger.h:
964
965 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
966
967         Web Inspector: Remove always false case in Debugger
968         https://bugs.webkit.org/show_bug.cgi?id=161717
969
970         Reviewed by Brian Burg.
971
972         * debugger/Debugger.cpp:
973         (JSC::Debugger::didExecuteProgram):
974         We would have earlier returned a few statements ago if this case was true.
975         And we would have crashed in the previous statement if this case was true.
976
977 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         Unreviewed, build fix after r205569
980
981         Tweak CMakeLists.txt
982
983         * CMakeLists.txt:
984
985 2016-09-07  Mark Lam  <mark.lam@apple.com>
986
987         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
988         https://bugs.webkit.org/show_bug.cgi?id=161498
989
990         Reviewed by Geoffrey Garen.
991
992         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
993         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
994         introduced.
995
996         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
997         which is a more suitable name now.
998
999         Note: exception scope verification is still disabled by default.  There are still
1000         many places that need to be fixed up or re-expressed in a way that is friendly
1001         to the verification.  I'll address those in subsequent patches.
1002
1003         After this patch, the code will statically enforce that:
1004         1. all calls to throwException() go through a ThrowScope.
1005         2. all calls to clearException() go through a CatchScope.
1006         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
1007            or CatchScope.
1008
1009         A Summary of how to use ExceptionScopes
1010         =======================================
1011         1. If a function can throw a JS exception, it should declare a ThrowScope at the
1012            top of the function (as early as possible).
1013
1014         2. If a function can clear JS exceptions, it should declare a CatchScope at the
1015            top of the function (as early as possible).
1016
1017         Declaring a ThrowScope in a function means that the function may throw an exception
1018         that its caller will have to handle.  Declaring a CatchScope in a function means
1019         that the function intends to clear pending exceptions before returning to its
1020         caller. 
1021
1022         For more details, see the notes below.
1023         
1024         Everything you may want to know about ExceptionScopes
1025         =====================================================
1026         ExceptionScope verification works to simulate exception throws and detect cases
1027         where exception checks are missing.  The notes below will cover:
1028
1029             1. The VM::m_needExceptionCheck bit
1030             2. ThrowScopes and CatchScopes
1031             3. Verification of needed exception checks
1032             3. Checking Exceptions
1033             4. Simulating throws
1034             5. Using ThrowScope::release()
1035             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1036             7. Checking exceptions by checking callee results
1037             8. Debugging verification errors
1038
1039         1. The VM::m_needExceptionCheck bit
1040
1041            The VM has a m_needExceptionCheck bit that indicates when an exception may be
1042            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
1043            throw.
1044
1045         2. ThrowScopes and CatchScopes
1046
1047            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
1048
1049            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
1050            at the top of its function (as early as possible) e.g.
1051  
1052                 void foo(...)
1053                 {
1054                     auto scope = DECLARE_THROW_SCOPE(vm);
1055                     ...
1056                     throwException(exec, scope, ...);
1057                 }
1058
1059            Note: by convention, every throw helper function must take a ThrowScope argument
1060            instead of instantiating its own ThrowScope.  This allows the throw to be
1061            attributed to the client code rather than the throw helper itself.
1062
1063            Every catch site (i.e. a site that calls clearException()) must declare a
1064            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
1065
1066            If a function can both throw or clear exceptions, then the ThrowScope should
1067            be declared first so that it can simulate a throw to the function's caller.
1068
1069            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
1070            can be aware if there's an enclosing CatchScope between it and the point where
1071            C++ code returns to JS code.  This is needed to determine if the ThrowScope
1072            should simulate a re-throw or not.  See (4) below for more details on returning
1073            to JS code.
1074
1075         3. Verification of needed exception checks
1076
1077            a. On construction, each ThrowScope and CatchScope will verify that
1078               VM::m_needExceptionCheck is not set.
1079  
1080               This ensures that the caller of the current function has checked for exceptions
1081               where needed before doing more work which lead to calling the current function.
1082
1083            b. On destruction, each ThrowScope and CatchScope will verify that
1084               VM::m_needExceptionCheck is not set. This verification will be skipped if
1085               the ThrowScope has been released (see (5) below).
1086
1087               This ensures that the function that owns this exception scope is not missing
1088               any exception checks before returning.
1089
1090            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
1091               is not already set, unless it's been ask to rethrow the same Exception object.
1092
1093         4. Simulating throws
1094
1095            Throws are simulated by setting the m_needExceptionCheck bit.
1096
1097            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1098            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1099            check for exceptions after a host C++ function returns to it.  However, they will
1100            not clear the m_needExceptionCheck bit.
1101
1102            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1103            it will just skip the setting of the bit.
1104
1105            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1106            throwException methods.  This is because, in practice, we always return
1107            immediately after throwing an exception.  It doesn't make sense to set the bit in
1108            the throw just to have to clear it immediately after before we do verification in
1109            the ThrowScope destructor.
1110
1111         5. Using ThrowScope::release()
1112
1113            Calling release() means that the scope is released from its obligation to
1114            verify the VM::m_needExceptionCheck bit on destruction.
1115
1116            release() should only be used at the bottom of a function if:
1117
1118            a. This function is going to let its caller check and handle the exception, e.g.
1119
1120                 void foo(...)
1121                 {
1122                     auto scope = DECLARE_THROW_SCOPE(vm);
1123                     auto result = goo(); // may throw.
1124
1125                     ... // Code that will are not affected by a pending exceptions.
1126
1127                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1128                     return result;
1129                 }
1130
1131            b. This function is going to do a tail call that may throw.
1132
1133                 void foo(...)
1134                 {
1135                     auto scope = DECLARE_THROW_SCOPE(vm);
1136                     ...
1137                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1138                     return goo(); // may throw.
1139                 }
1140
1141               release() should not be used in code paths that branch. For example:
1142
1143                 void foo(...)
1144                 {
1145                     auto scope = DECLARE_THROW_SCOPE(vm);
1146
1147                     auto result = goo1(); // may throw.
1148                     scope.release(); // WRONG !!! Don't do this.
1149                     if (result)
1150                         return;
1151
1152                     result = goo2(); // may throw.
1153                     ...
1154                     return result;
1155                 }
1156
1157             The above will result in a verification error in goo2()'s ThrowScope.  The
1158             proper way to fix this verification is to do either (6) or (7) below.
1159
1160          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1161
1162             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1163             there is one pending.  Else, it returns nullptr.
1164
1165             It also clears the m_needExceptionCheck bit thereby indicating that we've
1166             satisfied the needed exception check.  For example,
1167
1168                 void foo(...)
1169                 {
1170                     auto scope = DECLARE_THROW_SCOPE(vm);
1171
1172                     auto result = goo1(); // may throw.
1173                     if (scope.exception())
1174                         return;
1175
1176                     result = goo2(); // may throw.
1177                     ...
1178                     return result;
1179                 }
1180
1181             But sometimes, for optimization reasons, we may choose to test the result of
1182             the callee function instead doing a load of the VM exception value.  See (7)
1183             below.
1184
1185          7. Checking exceptions by checking callee results
1186
1187             This approach should only be applied when it makes a difference to performance.
1188             If we need to do this, we should add an ASSERT() that invokes the scope's
1189             exception() method to verify the result.  Since exception scope verification
1190             is only done on DEBUG builds, this ASSERT will satisfy the verification
1191             requirements without impacting performance.  For example,
1192
1193                 void foo(...)
1194                 {
1195                     auto scope = DECLARE_THROW_SCOPE(vm);
1196
1197                     bool failed = goo1(); // may throw.
1198                     ASSERT(!!scope.exception() == failed)
1199                     if (failed)
1200                         return;
1201
1202                     result = goo2(); // may throw.
1203                     ...
1204                     return result;
1205                 }
1206
1207          8. Debugging verification errors
1208
1209             a. When verification fails, you will see a message followed by an assertion
1210                failure.  For example:
1211
1212             ERROR: Unchecked JS exception:
1213                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1214                     (ExceptionScope::m_recursionDepth was ...)
1215                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1216                     (ExceptionScope::m_recursionDepth was ...)
1217                 [ backtrace here ]
1218
1219                The message tells you that failure was detected at in varargsSetup() at
1220                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1221                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1222                line 1245 and it.
1223
1224                If that is insufficient information, you can ...
1225
1226             b. Dump simulated throws
1227
1228                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1229                back traces at each simulated throw.
1230
1231             c. Narrowing down the source of a simulated throw
1232
1233                Another technique for narrowing down the source of simulated throws is by
1234                further dividing a function to smaller regions by separating each region
1235                with additional local throw scopes.  For example,
1236
1237                 ... // Region 1
1238                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1239                 ... // Region 2
1240                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1241                 ... // Region 3
1242
1243         * API/APIUtils.h:
1244         (handleExceptionIfNeeded):
1245         * CMakeLists.txt:
1246         * JavaScriptCore.xcodeproj/project.pbxproj:
1247         * bindings/ScriptFunctionCall.cpp:
1248         (Deprecated::ScriptFunctionCall::call):
1249         * bindings/ScriptValue.cpp:
1250         (Deprecated::ScriptValue::toString):
1251         * debugger/Debugger.cpp:
1252         (JSC::Debugger::pauseIfNeeded):
1253         * debugger/DebuggerCallFrame.cpp:
1254         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1255         * dfg/DFGOSRExitCompiler.cpp:
1256         * dfg/DFGOperations.cpp:
1257         (JSC::DFG::operationPutByValInternal):
1258         * inspector/InjectedScriptManager.cpp:
1259         (Inspector::InjectedScriptManager::createInjectedScript):
1260         * inspector/JSGlobalObjectInspectorController.cpp:
1261         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1262         * inspector/JSInjectedScriptHost.cpp:
1263         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1264         (Inspector::JSInjectedScriptHost::getInternalProperties):
1265         (Inspector::JSInjectedScriptHost::weakMapEntries):
1266         (Inspector::JSInjectedScriptHost::weakSetEntries):
1267         (Inspector::JSInjectedScriptHost::iteratorEntries):
1268         * inspector/JSJavaScriptCallFrame.cpp:
1269         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1270         * inspector/ScriptCallStackFactory.cpp:
1271         (Inspector::extractSourceInformationFromException):
1272         * interpreter/CachedCall.h:
1273         (JSC::CachedCall::CachedCall):
1274         * interpreter/CallFrame.h:
1275         (JSC::ExecState::clearException): Deleted.
1276         (JSC::ExecState::exception): Deleted.
1277         (JSC::ExecState::hadException): Deleted.
1278         (JSC::ExecState::lastException): Deleted.
1279         (JSC::ExecState::clearLastException): Deleted.
1280         * interpreter/Interpreter.cpp:
1281         (JSC::eval):
1282         (JSC::sizeOfVarargs):
1283         (JSC::notifyDebuggerOfUnwinding):
1284         (JSC::Interpreter::unwind):
1285         (JSC::Interpreter::execute):
1286         (JSC::Interpreter::executeCall):
1287         (JSC::Interpreter::executeConstruct):
1288         (JSC::Interpreter::prepareForRepeatCall):
1289         (JSC::Interpreter::debug):
1290         * interpreter/Interpreter.h:
1291         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1292         * interpreter/ShadowChicken.cpp:
1293         (JSC::ShadowChicken::functionsOnStack):
1294         * jit/JITCode.cpp:
1295         (JSC::JITCode::execute):
1296         * jit/JITExceptions.cpp:
1297         (JSC::genericUnwind):
1298         * jit/JITOperations.cpp:
1299         (JSC::getByVal):
1300         * jsc.cpp:
1301         (WTF::ImpureGetter::getOwnPropertySlot):
1302         (GlobalObject::moduleLoaderResolve):
1303         (GlobalObject::moduleLoaderFetch):
1304         (functionCreateElement):
1305         (functionRun):
1306         (functionRunString):
1307         (functionLoad):
1308         (functionLoadString):
1309         (functionReadFile):
1310         (functionCheckSyntax):
1311         (functionSetRandomSeed):
1312         (functionLoadModule):
1313         (functionCreateBuiltin):
1314         (functionCheckModuleSyntax):
1315         (functionGenerateHeapSnapshot):
1316         (functionSamplingProfilerStackTraces):
1317         (dumpException):
1318         (checkUncaughtException):
1319         (runWithScripts):
1320         (runInteractive):
1321         * llint/LLIntExceptions.cpp:
1322         (JSC::LLInt::returnToThrow):
1323         (JSC::LLInt::callToThrow):
1324         * llint/LLIntSlowPaths.cpp:
1325         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1326         * profiler/ProfilerBytecodeSequence.cpp:
1327         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1328         * profiler/ProfilerCompilation.cpp:
1329         (JSC::Profiler::Compilation::toJS):
1330         * profiler/ProfilerDatabase.cpp:
1331         (JSC::Profiler::Database::toJS):
1332         * profiler/ProfilerOSRExitSite.cpp:
1333         (JSC::Profiler::OSRExitSite::toJS):
1334         * profiler/ProfilerOriginStack.cpp:
1335         (JSC::Profiler::OriginStack::toJS):
1336         * runtime/ArrayPrototype.cpp:
1337         (JSC::speciesConstructArray):
1338         (JSC::shift):
1339         (JSC::unshift):
1340         (JSC::arrayProtoFuncToString):
1341         (JSC::arrayProtoFuncToLocaleString):
1342         (JSC::slowJoin):
1343         (JSC::fastJoin):
1344         (JSC::arrayProtoFuncJoin):
1345         (JSC::arrayProtoFuncPop):
1346         (JSC::arrayProtoFuncPush):
1347         (JSC::arrayProtoFuncReverse):
1348         (JSC::arrayProtoFuncShift):
1349         (JSC::arrayProtoFuncSlice):
1350         (JSC::arrayProtoFuncSplice):
1351         (JSC::arrayProtoFuncUnShift):
1352         (JSC::arrayProtoFuncIndexOf):
1353         (JSC::arrayProtoFuncLastIndexOf):
1354         (JSC::moveElements):
1355         (JSC::concatAppendOne):
1356         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1357         * runtime/BooleanConstructor.cpp:
1358         (JSC::constructWithBooleanConstructor):
1359         * runtime/CallData.cpp:
1360         (JSC::call):
1361         * runtime/CatchScope.cpp: Added.
1362         (JSC::CatchScope::CatchScope):
1363         (JSC::CatchScope::~CatchScope):
1364         * runtime/CatchScope.h: Added.
1365         (JSC::CatchScope::clearException):
1366         (JSC::CatchScope::CatchScope):
1367         * runtime/CommonSlowPaths.cpp:
1368         (JSC::SLOW_PATH_DECL):
1369         * runtime/CommonSlowPaths.h:
1370         (JSC::CommonSlowPaths::opIn):
1371         * runtime/CommonSlowPathsExceptions.cpp:
1372         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1373         * runtime/Completion.cpp:
1374         (JSC::evaluate):
1375         (JSC::rejectPromise):
1376         (JSC::loadAndEvaluateModule):
1377         (JSC::loadModule):
1378         * runtime/ConsoleObject.cpp:
1379         (JSC::consoleProtoFuncAssert):
1380         (JSC::consoleProtoFuncProfile):
1381         (JSC::consoleProtoFuncProfileEnd):
1382         (JSC::consoleProtoFuncTakeHeapSnapshot):
1383         (JSC::consoleProtoFuncTime):
1384         (JSC::consoleProtoFuncTimeEnd):
1385         * runtime/DateConstructor.cpp:
1386         (JSC::constructDate):
1387         (JSC::dateParse):
1388         * runtime/DatePrototype.cpp:
1389         (JSC::dateProtoFuncToPrimitiveSymbol):
1390         (JSC::dateProtoFuncToJSON):
1391         * runtime/ErrorConstructor.cpp:
1392         (JSC::Interpreter::constructWithErrorConstructor):
1393         * runtime/ErrorInstance.cpp:
1394         (JSC::ErrorInstance::sanitizedToString):
1395         * runtime/ErrorPrototype.cpp:
1396         (JSC::errorProtoFuncToString):
1397         * runtime/ExceptionEventLocation.cpp: Added.
1398         (WTF::printInternal):
1399         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1400         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1401         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1402         * runtime/ExceptionHelpers.h:
1403         * runtime/ExceptionScope.cpp: Added.
1404         (JSC::ExceptionScope::ExceptionScope):
1405         (JSC::ExceptionScope::~ExceptionScope):
1406         * runtime/ExceptionScope.h: Added.
1407         (JSC::ExceptionScope::vm):
1408         (JSC::ExceptionScope::recursionDepth):
1409         (JSC::ExceptionScope::exception):
1410         (JSC::ExceptionScope::ExceptionScope):
1411         * runtime/FunctionConstructor.cpp:
1412         (JSC::constructFunctionSkippingEvalEnabledCheck):
1413         * runtime/FunctionPrototype.cpp:
1414         (JSC::functionProtoFuncBind):
1415         * runtime/GenericArgumentsInlines.h:
1416         (JSC::GenericArguments<Type>::copyToArguments):
1417         * runtime/GetterSetter.cpp:
1418         (JSC::callGetter):
1419         * runtime/InspectorInstrumentationObject.cpp:
1420         (JSC::inspectorInstrumentationObjectLog):
1421         * runtime/InternalFunction.cpp:
1422         (JSC::InternalFunction::createSubclassStructure):
1423         * runtime/IntlCollator.cpp:
1424         (JSC::IntlCollator::initializeCollator):
1425         (JSC::IntlCollator::createCollator):
1426         (JSC::IntlCollator::resolvedOptions):
1427         * runtime/IntlCollatorConstructor.cpp:
1428         (JSC::constructIntlCollator):
1429         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1430         * runtime/IntlCollatorPrototype.cpp:
1431         (JSC::IntlCollatorFuncCompare):
1432         (JSC::IntlCollatorPrototypeGetterCompare):
1433         * runtime/IntlDateTimeFormat.cpp:
1434         (JSC::toDateTimeOptionsAnyDate):
1435         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1436         (JSC::IntlDateTimeFormat::resolvedOptions):
1437         (JSC::IntlDateTimeFormat::format):
1438         * runtime/IntlDateTimeFormatConstructor.cpp:
1439         (JSC::constructIntlDateTimeFormat):
1440         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1441         * runtime/IntlDateTimeFormatPrototype.cpp:
1442         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1443         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1444         * runtime/IntlNumberFormat.cpp:
1445         (JSC::IntlNumberFormat::initializeNumberFormat):
1446         (JSC::IntlNumberFormat::createNumberFormat):
1447         (JSC::IntlNumberFormat::resolvedOptions):
1448         * runtime/IntlNumberFormatConstructor.cpp:
1449         (JSC::constructIntlNumberFormat):
1450         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1451         * runtime/IntlNumberFormatPrototype.cpp:
1452         (JSC::IntlNumberFormatFuncFormatNumber):
1453         (JSC::IntlNumberFormatPrototypeGetterFormat):
1454         * runtime/IntlObject.cpp:
1455         (JSC::intlBooleanOption):
1456         (JSC::intlStringOption):
1457         (JSC::intlNumberOption):
1458         (JSC::canonicalizeLocaleList):
1459         (JSC::supportedLocales):
1460         * runtime/IntlObjectInlines.h:
1461         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1462         * runtime/IteratorOperations.cpp:
1463         (JSC::iteratorNext):
1464         (JSC::iteratorStep):
1465         (JSC::iteratorClose):
1466         (JSC::iteratorForIterable):
1467         * runtime/IteratorOperations.h:
1468         (JSC::forEachInIterable):
1469         * runtime/JSArray.cpp:
1470         (JSC::JSArray::pop):
1471         (JSC::JSArray::push):
1472         (JSC::JSArray::copyToArguments):
1473         * runtime/JSArrayBufferConstructor.cpp:
1474         (JSC::constructArrayBuffer):
1475         * runtime/JSArrayBufferPrototype.cpp:
1476         (JSC::arrayBufferProtoFuncSlice):
1477         * runtime/JSArrayInlines.h:
1478         (JSC::getLength):
1479         (JSC::toLength):
1480         * runtime/JSBoundFunction.cpp:
1481         (JSC::getBoundFunctionStructure):
1482         (JSC::JSBoundFunction::create):
1483         * runtime/JSCJSValue.cpp:
1484         (JSC::JSValue::putToPrimitive):
1485         (JSC::JSValue::putToPrimitiveByIndex):
1486         (JSC::JSValue::toStringSlowCase):
1487         * runtime/JSCJSValueInlines.h:
1488         (JSC::toPreferredPrimitiveType):
1489         (JSC::JSValue::getPropertySlot):
1490         (JSC::JSValue::equalSlowCaseInline):
1491         * runtime/JSDataViewPrototype.cpp:
1492         (JSC::getData):
1493         (JSC::setData):
1494         * runtime/JSFunction.cpp:
1495         (JSC::JSFunction::setFunctionName):
1496         * runtime/JSGenericTypedArrayView.h:
1497         (JSC::JSGenericTypedArrayView::setIndex):
1498         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1499         (JSC::constructGenericTypedArrayViewFromIterator):
1500         (JSC::constructGenericTypedArrayViewWithArguments):
1501         (JSC::constructGenericTypedArrayView):
1502         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1503         (JSC::speciesConstruct):
1504         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1505         (JSC::genericTypedArrayViewProtoFuncIncludes):
1506         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1507         (JSC::genericTypedArrayViewProtoFuncJoin):
1508         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1509         (JSC::genericTypedArrayViewProtoFuncSlice):
1510         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1511         * runtime/JSGlobalObject.h:
1512         (JSC::constructEmptyArray):
1513         (JSC::constructArray):
1514         (JSC::constructArrayNegativeIndexed):
1515         * runtime/JSGlobalObjectFunctions.cpp:
1516         (JSC::globalFuncEval):
1517         * runtime/JSJob.cpp:
1518         (JSC::JSJobMicrotask::run):
1519         * runtime/JSModuleEnvironment.cpp:
1520         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1521         * runtime/JSModuleLoader.cpp:
1522         (JSC::JSModuleLoader::fetch):
1523         * runtime/JSModuleNamespaceObject.cpp:
1524         (JSC::JSModuleNamespaceObject::finishCreation):
1525         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1526         * runtime/JSModuleRecord.cpp:
1527         (JSC::JSModuleRecord::instantiateDeclarations):
1528         * runtime/JSONObject.cpp:
1529         (JSC::Stringifier::Stringifier):
1530         (JSC::Stringifier::stringify):
1531         (JSC::Stringifier::toJSON):
1532         (JSC::Stringifier::appendStringifiedValue):
1533         (JSC::Stringifier::Holder::appendNextProperty):
1534         (JSC::Walker::walk):
1535         (JSC::JSONProtoFuncParse):
1536         * runtime/JSObject.cpp:
1537         (JSC::ordinarySetSlow):
1538         (JSC::JSObject::setPrototypeWithCycleCheck):
1539         (JSC::callToPrimitiveFunction):
1540         (JSC::JSObject::ordinaryToPrimitive):
1541         (JSC::JSObject::defaultHasInstance):
1542         (JSC::JSObject::getPropertyNames):
1543         (JSC::JSObject::toNumber):
1544         (JSC::JSObject::toString):
1545         (JSC::JSObject::defineOwnNonIndexProperty):
1546         (JSC::JSObject::getGenericPropertyNames):
1547         (JSC::JSObject::getMethod):
1548         * runtime/JSObjectInlines.h:
1549         (JSC::createListFromArrayLike):
1550         (JSC::JSObject::getPropertySlot):
1551         (JSC::JSObject::getNonIndexPropertySlot):
1552         * runtime/JSPromiseConstructor.cpp:
1553         (JSC::constructPromise):
1554         * runtime/JSPropertyNameEnumerator.h:
1555         (JSC::propertyNameEnumerator):
1556         * runtime/JSPropertyNameIterator.cpp:
1557         (JSC::JSPropertyNameIterator::create):
1558         * runtime/JSScope.cpp:
1559         (JSC::isUnscopable):
1560         (JSC::JSScope::resolve):
1561         * runtime/JSString.cpp:
1562         (JSC::JSString::equalSlowCase):
1563         * runtime/JSStringJoiner.cpp:
1564         (JSC::JSStringJoiner::join):
1565         * runtime/LiteralParser.cpp:
1566         (JSC::LiteralParser<CharType>::parse):
1567         * runtime/MapConstructor.cpp:
1568         (JSC::constructMap):
1569         * runtime/MathObject.cpp:
1570         (JSC::mathProtoFuncClz32):
1571         (JSC::mathProtoFuncHypot):
1572         (JSC::mathProtoFuncIMul):
1573         * runtime/ModuleLoaderPrototype.cpp:
1574         (JSC::moduleLoaderPrototypeParseModule):
1575         (JSC::moduleLoaderPrototypeRequestedModules):
1576         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1577         * runtime/NativeErrorConstructor.cpp:
1578         (JSC::Interpreter::constructWithNativeErrorConstructor):
1579         * runtime/NumberConstructor.cpp:
1580         (JSC::constructWithNumberConstructor):
1581         * runtime/ObjectConstructor.cpp:
1582         (JSC::constructObject):
1583         (JSC::objectConstructorGetPrototypeOf):
1584         (JSC::objectConstructorSetPrototypeOf):
1585         (JSC::objectConstructorGetOwnPropertyDescriptor):
1586         (JSC::objectConstructorGetOwnPropertyDescriptors):
1587         (JSC::objectConstructorGetOwnPropertyNames):
1588         (JSC::objectConstructorGetOwnPropertySymbols):
1589         (JSC::objectConstructorKeys):
1590         (JSC::ownEnumerablePropertyKeys):
1591         (JSC::toPropertyDescriptor):
1592         (JSC::objectConstructorDefineProperty):
1593         (JSC::defineProperties):
1594         (JSC::objectConstructorSeal):
1595         (JSC::objectConstructorFreeze):
1596         (JSC::objectConstructorIsSealed):
1597         (JSC::objectConstructorIsFrozen):
1598         (JSC::objectConstructorIsExtensible):
1599         (JSC::ownPropertyKeys):
1600         * runtime/ObjectConstructor.h:
1601         (JSC::constructObjectFromPropertyDescriptor):
1602         * runtime/ObjectPrototype.cpp:
1603         (JSC::objectProtoFuncHasOwnProperty):
1604         (JSC::objectProtoFuncIsPrototypeOf):
1605         (JSC::objectProtoFuncDefineGetter):
1606         (JSC::objectProtoFuncDefineSetter):
1607         (JSC::objectProtoFuncLookupGetter):
1608         (JSC::objectProtoFuncLookupSetter):
1609         (JSC::objectProtoFuncPropertyIsEnumerable):
1610         (JSC::objectProtoFuncToLocaleString):
1611         (JSC::objectProtoFuncToString):
1612         * runtime/Operations.cpp:
1613         (JSC::jsAddSlowCase):
1614         * runtime/Options.h:
1615         * runtime/PropertyDescriptor.cpp:
1616         (JSC::PropertyDescriptor::slowGetterSetter):
1617         * runtime/ProxyConstructor.cpp:
1618         (JSC::makeRevocableProxy):
1619         * runtime/ProxyObject.cpp:
1620         (JSC::ProxyObject::toStringName):
1621         (JSC::performProxyGet):
1622         (JSC::ProxyObject::performGet):
1623         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1624         (JSC::ProxyObject::performHasProperty):
1625         (JSC::ProxyObject::performPut):
1626         (JSC::ProxyObject::putByIndexCommon):
1627         (JSC::performProxyCall):
1628         (JSC::performProxyConstruct):
1629         (JSC::ProxyObject::performDelete):
1630         (JSC::ProxyObject::performPreventExtensions):
1631         (JSC::ProxyObject::performIsExtensible):
1632         (JSC::ProxyObject::performDefineOwnProperty):
1633         (JSC::ProxyObject::performGetOwnPropertyNames):
1634         (JSC::ProxyObject::performSetPrototype):
1635         (JSC::ProxyObject::performGetPrototype):
1636         * runtime/ReflectObject.cpp:
1637         (JSC::reflectObjectConstruct):
1638         (JSC::reflectObjectDefineProperty):
1639         (JSC::reflectObjectGet):
1640         (JSC::reflectObjectGetOwnPropertyDescriptor):
1641         (JSC::reflectObjectIsExtensible):
1642         (JSC::reflectObjectPreventExtensions):
1643         (JSC::reflectObjectSet):
1644         (JSC::reflectObjectSetPrototypeOf):
1645         * runtime/RegExpConstructor.cpp:
1646         (JSC::toFlags):
1647         (JSC::regExpCreate):
1648         (JSC::constructRegExp):
1649         * runtime/RegExpConstructor.h:
1650         (JSC::isRegExp):
1651         * runtime/RegExpObject.cpp:
1652         (JSC::collectMatches):
1653         (JSC::RegExpObject::matchGlobal):
1654         * runtime/RegExpPrototype.cpp:
1655         (JSC::regExpProtoFuncCompile):
1656         (JSC::flagsString):
1657         (JSC::regExpProtoFuncToString):
1658         (JSC::regExpProtoGetterFlags):
1659         (JSC::regExpProtoFuncSearchFast):
1660         (JSC::regExpProtoFuncSplitFast):
1661         * runtime/SetConstructor.cpp:
1662         (JSC::constructSet):
1663         * runtime/StringConstructor.cpp:
1664         (JSC::stringFromCodePoint):
1665         (JSC::constructWithStringConstructor):
1666         * runtime/StringObject.cpp:
1667         (JSC::StringObject::defineOwnProperty):
1668         * runtime/StringPrototype.cpp:
1669         (JSC::replaceUsingRegExpSearch):
1670         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1671         (JSC::replaceUsingStringSearch):
1672         (JSC::replace):
1673         (JSC::stringProtoFuncReplaceUsingRegExp):
1674         (JSC::stringProtoFuncReplaceUsingStringSearch):
1675         (JSC::stringProtoFuncCodePointAt):
1676         (JSC::stringProtoFuncSlice):
1677         (JSC::stringProtoFuncSplitFast):
1678         (JSC::stringProtoFuncSubstr):
1679         (JSC::stringProtoFuncSubstring):
1680         (JSC::stringProtoFuncLocaleCompare):
1681         (JSC::toLocaleCase):
1682         (JSC::stringProtoFuncBig):
1683         (JSC::stringProtoFuncSmall):
1684         (JSC::stringProtoFuncBlink):
1685         (JSC::stringProtoFuncBold):
1686         (JSC::stringProtoFuncFixed):
1687         (JSC::stringProtoFuncItalics):
1688         (JSC::stringProtoFuncStrike):
1689         (JSC::stringProtoFuncSub):
1690         (JSC::stringProtoFuncSup):
1691         (JSC::stringProtoFuncFontcolor):
1692         (JSC::stringProtoFuncFontsize):
1693         (JSC::stringProtoFuncAnchor):
1694         (JSC::stringProtoFuncLink):
1695         (JSC::trimString):
1696         (JSC::stringProtoFuncStartsWith):
1697         (JSC::stringProtoFuncEndsWith):
1698         (JSC::stringIncludesImpl):
1699         (JSC::stringProtoFuncIncludes):
1700         (JSC::builtinStringIncludesInternal):
1701         (JSC::stringProtoFuncNormalize):
1702         * runtime/SymbolConstructor.cpp:
1703         (JSC::symbolConstructorFor):
1704         * runtime/TemplateRegistry.cpp:
1705         (JSC::TemplateRegistry::getTemplateObject):
1706         * runtime/ThrowScope.cpp:
1707         (JSC::ThrowScope::ThrowScope):
1708         (JSC::ThrowScope::~ThrowScope):
1709         (JSC::ThrowScope::throwException):
1710         (JSC::ThrowScope::simulateThrow):
1711         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1712         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1713         * runtime/ThrowScope.h:
1714         (JSC::ThrowScope::release):
1715         (JSC::ThrowScope::ThrowScope):
1716         (JSC::ThrowScope::throwException):
1717         (JSC::ThrowScope::vm): Deleted.
1718         (JSC::ThrowScope::exception): Deleted.
1719         * runtime/ThrowScopeLocation.h: Removed.
1720         * runtime/VM.cpp:
1721         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1722         * runtime/VM.h:
1723         (JSC::VM::exception):
1724         (JSC::VM::clearException):
1725         (JSC::VM::setException): Deleted.
1726         * runtime/WeakMapConstructor.cpp:
1727         (JSC::constructWeakMap):
1728         * runtime/WeakSetConstructor.cpp:
1729         (JSC::constructWeakSet):
1730         * tools/JSDollarVMPrototype.cpp:
1731         (JSC::functionPrint):
1732
1733 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1734
1735         [INTL] some valid language tags cause errors in Intl constructors
1736         https://bugs.webkit.org/show_bug.cgi?id=161672
1737
1738         Reviewed by Mark Lam.
1739
1740         Fix private use tag parsing to match spec, allowing single character parts.
1741         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1742
1743         ```
1744         privateuse    = "x" 1*("-" (1*8alphanum))
1745         ```
1746
1747         * runtime/IntlObject.cpp:
1748         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1749
1750 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1751
1752         [JSC] Remove a couple of useless forward declaration
1753         https://bugs.webkit.org/show_bug.cgi?id=161676
1754
1755         Reviewed by Mark Lam.
1756
1757         JITMathICForwards.h should take care of declarating the Math ICs.
1758
1759         * bytecode/CodeBlock.h:
1760         * jit/JITOperations.h:
1761
1762 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1763
1764         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1765         https://bugs.webkit.org/show_bug.cgi?id=161706
1766
1767         Reviewed by Geoffrey Garen.
1768         
1769         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1770         have to do something different.
1771
1772         * jit/AssemblyHelpers.h:
1773         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1774
1775 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1776
1777         Unreviewed CMake build fix after r205552
1778
1779         * CMakeLists.txt:
1780
1781 2016-09-03  Keith Miller  <keith_miller@apple.com>
1782
1783         Add support for WASM Loops and Branches
1784         https://bugs.webkit.org/show_bug.cgi?id=161569
1785
1786         Reviewed by Benjamin Poulain.
1787
1788         This patch adds support for loops and branches to WASM. In order
1789         to support loops, we needed to change the way the B3IRGenerator
1790         tracked control information. Now, the control data holds three
1791         pieces of information: The continuation block, the loop branch
1792         target, and variables exiting the block. Whenever we branch to
1793         some control point we first check if it is a loop by checking that
1794         the loop branch target is non-null. If the branch is not targeting
1795         a loop, we map the stack values to the associated B3 variables for
1796         that stack slot.
1797
1798         Another interesting thing of note is that we now only allocate the
1799         continuation basic block lazily. This is beneficial when the
1800         continuation would just fall through to another block anyway. For
1801         example, in code like: (block ... (block (add 1 2) end) end) the
1802         continuation for the inner block just falls through to the outer
1803         block's continuation so we don't need an extra block.
1804
1805         * B3CallingConventions.cpp:
1806         (JSC::B3::jscCallingConvention): Deleted.
1807         * B3CallingConventions.h:
1808         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1809         (JSC::B3::CallingConvention::iterate): Deleted.
1810         (JSC::B3::nextJSCOffset): Deleted.
1811         * JavaScriptCore.xcodeproj/project.pbxproj:
1812         * b3/B3Type.h:
1813         * testWASM.cpp:
1814         (runWASMTests):
1815         * wasm/WASMB3IRGenerator.cpp:
1816         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1817         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1818         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1819         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1820         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1821         (JSC::WASM::B3IRGenerator::ControlData::dump):
1822         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1823         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1824         (JSC::WASM::B3IRGenerator::addLocal):
1825         (JSC::WASM::B3IRGenerator::addArguments):
1826         (JSC::WASM::B3IRGenerator::setLocal):
1827         (JSC::WASM::B3IRGenerator::addBlock):
1828         (JSC::WASM::B3IRGenerator::addLoop):
1829         (JSC::WASM::B3IRGenerator::endBlock):
1830         (JSC::WASM::B3IRGenerator::addReturn):
1831         (JSC::WASM::B3IRGenerator::addBranch):
1832         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1833         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1834         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1835         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1836         (JSC::WASM::parseAndCompile):
1837         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1838         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1839         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1840         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1841         (JSC::WASM::jscCallingConvention):
1842         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1843         (JSC::WASM::CallingConvention::CallingConvention):
1844         (JSC::WASM::CallingConvention::iterate):
1845         (JSC::WASM::nextJSCOffset):
1846         * wasm/WASMFormat.h:
1847         (JSC::WASM::toB3Type):
1848         (JSC::WASM::isValueType):
1849         * wasm/WASMFunctionParser.h:
1850         (JSC::WASM::FunctionParser<Context>::parse):
1851         (JSC::WASM::FunctionParser<Context>::parseExpression):
1852         * wasm/WASMModuleParser.cpp:
1853         (JSC::WASM::ModuleParser::parseFunctionTypes):
1854         * wasm/WASMOps.h:
1855
1856 2016-09-07  Youenn Fablet  <youenn@apple.com>
1857
1858         [Streams API] Separate compile flag for ReadableStream and WritableStream
1859         https://bugs.webkit.org/show_bug.cgi?id=161044
1860
1861         Reviewed by Alex Christensen.
1862
1863         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1864         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1865
1866         * Configurations/FeatureDefines.xcconfig:
1867         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1868         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1869         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1870
1871 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1872
1873         Fix the ENABLE(WEBASSEMBLY) build on Linux
1874         https://bugs.webkit.org/show_bug.cgi?id=161685
1875
1876         Unreviewed buildfix.
1877
1878         * wasm/JSWASMModule.cpp:
1879
1880 2016-09-06  Saam Barati  <sbarati@apple.com>
1881
1882         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1883         https://bugs.webkit.org/show_bug.cgi?id=161558
1884
1885         Reviewed by Benjamin Poulain.
1886
1887         ProxyObject had ObjectPrototype as its direct prototype.
1888         This could lead to infinite loops when doing a getDirectPrototype()
1889         loop.
1890
1891         Fixing this bug revealed another bug, which I made when implementing Proxy.
1892         We should not special case "__proto__" in get and set for Proxy Object's
1893         hooks. "__proto__" should just go through the normal set and get path.
1894
1895         * runtime/JSGlobalObject.cpp:
1896         (JSC::JSGlobalObject::init):
1897         * runtime/ProxyObject.cpp:
1898         (JSC::performProxyGet):
1899         (JSC::ProxyObject::put):
1900
1901 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1902
1903         Make JSC::PrivateName copyable
1904         https://bugs.webkit.org/show_bug.cgi?id=161666
1905
1906         Reviewed by Ryosuke Niwa.
1907
1908         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1909         And since the custom copy constructor deletes the default move constructor, we explcitly define
1910         it by `= default;`.
1911
1912         * runtime/PrivateName.h:
1913         (JSC::PrivateName::PrivateName):
1914
1915 2016-09-06  Daniel Bates  <dabates@apple.com>
1916
1917         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1918         https://bugs.webkit.org/show_bug.cgi?id=161296
1919
1920         Reviewed by Dan Bernstein.
1921
1922         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1923         with the iOS 10 beta SDK.
1924
1925         * Configurations/Base.xcconfig:
1926
1927 2016-09-06  Saam Barati  <sbarati@apple.com>
1928
1929         Unreviewed build fix for 32-bit platforms after r205520.
1930
1931         * dfg/DFGSpeculativeJIT.h:
1932         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1933
1934 2016-09-06  Saam Barati  <sbarati@apple.com>
1935
1936         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1937         https://bugs.webkit.org/show_bug.cgi?id=160870
1938
1939         Reviewed by Darin Adler.
1940
1941         Credit goes to Jonathan Bedard for finding this bug using the undefined
1942         behavior sanitizer.
1943
1944         The rule for MaterializeNewObject inside AI was assuming that the graph
1945         is in SSA form. This used to be true when MaterializeNewObject was only
1946         inserted by the allocation sinking phase. However, Filip added more uses
1947         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1948         the bug by using the structure set inside the Node's OpInfo rather than
1949         generating it from m_phiChildren inside AI.
1950
1951         * dfg/DFGAbstractInterpreterInlines.h:
1952         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1953
1954 2016-09-06  Saam Barati  <sbarati@apple.com>
1955
1956         Make JSMap and JSSet faster
1957         https://bugs.webkit.org/show_bug.cgi?id=160989
1958
1959         Reviewed by Filip Pizlo.
1960
1961         This patch revamps how we implement Map and Set. It uses
1962         a new hash map implementation. The hash map uses linear
1963         probing and it uses Wang's 64 bit hash function for JSValues
1964         that aren't strings. Strings use StringImpl's hash function.
1965         The reason I wanted to roll our own HashTable is twofold:
1966         I didn't want to inline WTF::HashMap's implementation into our
1967         JIT, since that seems error prone and unmaintainable. Also, I wanted
1968         a different structure for hash map buckets where buckets also exist in
1969         a linked list.
1970
1971         The reason for making buckets part of a linked list is that iteration
1972         is now simple. Iteration works by just traversing a linked list.
1973         This design also allows for a simple implementation when doing iteration
1974         while the hash table is mutating. Whenever we remove a bucket from
1975         the hash table, it is removed from the list, meaning items in the
1976         list don't point to it. However, the removed bucket will still point
1977         to things that are either in the list, or have also been removed.
1978         e.g, from a removed bucket, you can always follow pointers until you
1979         either find an item in the list, or you find the tail of the list.
1980         This is a really nice property because it means that a Map or Set
1981         does not need to reason about the all the iterators that point
1982         into its list. Also, whenever we add items to the Map or Set, we
1983         hijack the tail as the new item, and make the new item point to a newly
1984         created tail. This means that any iterator that pointed to the "tail" now
1985         points to non-tail items. This makes the implementation of adding things
1986         to the Map/Set while iterating easy.
1987
1988         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1989         into intrinsics in the DFG. The IR can now reason about hash map
1990         operations and can even do CSE over Wang's hash function, hash map
1991         bucket lookups, hash map bucket loads, and testing if a key is in
1992         the hash table. This makes code patterns for Map like so, super fast
1993         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1994
1995         ```
1996         function getKeyIfPresent(map, key) {
1997             if (map.has(key))
1998                 return map.get(key);
1999         }
2000         ```
2001
2002         This patch is roughly an 8% speedup on ES6SampleBench.
2003
2004
2005         * CMakeLists.txt:
2006         * JavaScriptCore.xcodeproj/project.pbxproj:
2007         * assembler/MacroAssemblerARM64.h:
2008         (JSC::MacroAssemblerARM64::not64):
2009         * bytecode/SpeculatedType.cpp:
2010         (JSC::speculationFromClassInfo):
2011         * bytecode/SpeculatedType.h:
2012         * dfg/DFGAbstractInterpreterInlines.h:
2013         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2014         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2015         * dfg/DFGByteCodeParser.cpp:
2016         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2017         * dfg/DFGClobberize.h:
2018         (JSC::DFG::clobberize):
2019         * dfg/DFGDoesGC.cpp:
2020         (JSC::DFG::doesGC):
2021         * dfg/DFGEdge.h:
2022         (JSC::DFG::Edge::shift):
2023         (JSC::DFG::Edge::makeWord):
2024         * dfg/DFGFixupPhase.cpp:
2025         (JSC::DFG::FixupPhase::fixupNode):
2026         * dfg/DFGHeapLocation.cpp:
2027         (WTF::printInternal):
2028         * dfg/DFGHeapLocation.h:
2029         * dfg/DFGNode.h:
2030         (JSC::DFG::Node::hasHeapPrediction):
2031         * dfg/DFGNodeType.h:
2032         * dfg/DFGOperations.cpp:
2033         * dfg/DFGOperations.h:
2034         * dfg/DFGPredictionPropagationPhase.cpp:
2035         * dfg/DFGSafeToExecute.h:
2036         (JSC::DFG::SafeToExecuteEdge::operator()):
2037         (JSC::DFG::safeToExecute):
2038         * dfg/DFGSpeculativeJIT.cpp:
2039         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2040         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2041         (JSC::DFG::SpeculativeJIT::speculate):
2042         * dfg/DFGSpeculativeJIT.h:
2043         (JSC::DFG::SpeculativeJIT::callOperation):
2044         * dfg/DFGSpeculativeJIT32_64.cpp:
2045         (JSC::DFG::SpeculativeJIT::compile):
2046         * dfg/DFGSpeculativeJIT64.cpp:
2047         (JSC::DFG::SpeculativeJIT::compile):
2048         * dfg/DFGUseKind.cpp:
2049         (WTF::printInternal):
2050         * dfg/DFGUseKind.h:
2051         (JSC::DFG::typeFilterFor):
2052         (JSC::DFG::isCell):
2053         * ftl/FTLAbstractHeapRepository.h:
2054         * ftl/FTLCapabilities.cpp:
2055         (JSC::FTL::canCompile):
2056         * ftl/FTLLowerDFGToB3.cpp:
2057         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2058         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2059         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2060         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2061         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2062         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2063         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2064         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2065         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2066         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2067         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2068         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2069         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2070         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2071         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2072         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2073         * jit/AssemblyHelpers.cpp:
2074         (JSC::AssemblyHelpers::wangsInt64Hash):
2075         * jit/AssemblyHelpers.h:
2076         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2077         * jit/JITOperations.h:
2078         * parser/ModuleAnalyzer.cpp:
2079         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2080         * runtime/HashMapImpl.cpp: Added.
2081         (JSC::HashMapBucket<Data>::visitChildren):
2082         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2083         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2084         * runtime/HashMapImpl.h: Added.
2085         (JSC::HashMapBucket::selectStructure):
2086         (JSC::HashMapBucket::createStructure):
2087         (JSC::HashMapBucket::create):
2088         (JSC::HashMapBucket::HashMapBucket):
2089         (JSC::HashMapBucket::setNext):
2090         (JSC::HashMapBucket::setPrev):
2091         (JSC::HashMapBucket::setKey):
2092         (JSC::HashMapBucket::setValue):
2093         (JSC::HashMapBucket::key):
2094         (JSC::HashMapBucket::value):
2095         (JSC::HashMapBucket::next):
2096         (JSC::HashMapBucket::prev):
2097         (JSC::HashMapBucket::deleted):
2098         (JSC::HashMapBucket::setDeleted):
2099         (JSC::HashMapBucket::offsetOfKey):
2100         (JSC::HashMapBucket::offsetOfValue):
2101         (JSC::HashMapBuffer::allocationSize):
2102         (JSC::HashMapBuffer::buffer):
2103         (JSC::HashMapBuffer::create):
2104         (JSC::areKeysEqual):
2105         (JSC::normalizeMapKey):
2106         (JSC::jsMapHash):
2107         (JSC::HashMapImpl::selectStructure):
2108         (JSC::HashMapImpl::createStructure):
2109         (JSC::HashMapImpl::create):
2110         (JSC::HashMapImpl::HashMapImpl):
2111         (JSC::HashMapImpl::buffer):
2112         (JSC::HashMapImpl::finishCreation):
2113         (JSC::HashMapImpl::emptyValue):
2114         (JSC::HashMapImpl::isEmpty):
2115         (JSC::HashMapImpl::deletedValue):
2116         (JSC::HashMapImpl::isDeleted):
2117         (JSC::HashMapImpl::findBucket):
2118         (JSC::HashMapImpl::get):
2119         (JSC::HashMapImpl::has):
2120         (JSC::HashMapImpl::add):
2121         (JSC::HashMapImpl::remove):
2122         (JSC::HashMapImpl::size):
2123         (JSC::HashMapImpl::clear):
2124         (JSC::HashMapImpl::bufferSizeInBytes):
2125         (JSC::HashMapImpl::offsetOfBuffer):
2126         (JSC::HashMapImpl::offsetOfCapacity):
2127         (JSC::HashMapImpl::head):
2128         (JSC::HashMapImpl::tail):
2129         (JSC::HashMapImpl::approximateSize):
2130         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2131         (JSC::HashMapImpl::rehash):
2132         (JSC::HashMapImpl::makeAndSetNewBuffer):
2133         * runtime/Intrinsic.h:
2134         * runtime/JSCJSValue.h:
2135         * runtime/JSCJSValueInlines.h:
2136         (JSC::sameValue):
2137         * runtime/JSGlobalObject.cpp:
2138         (JSC::JSGlobalObject::init):
2139         * runtime/JSMap.cpp:
2140         (JSC::JSMap::destroy): Deleted.
2141         (JSC::JSMap::estimatedSize): Deleted.
2142         (JSC::JSMap::visitChildren): Deleted.
2143         (JSC::JSMap::copyBackingStore): Deleted.
2144         (JSC::JSMap::has): Deleted.
2145         (JSC::JSMap::size): Deleted.
2146         (JSC::JSMap::get): Deleted.
2147         (JSC::JSMap::set): Deleted.
2148         (JSC::JSMap::clear): Deleted.
2149         (JSC::JSMap::remove): Deleted.
2150         * runtime/JSMap.h:
2151         (JSC::JSMap::createStructure):
2152         (JSC::JSMap::create):
2153         (JSC::JSMap::get):
2154         (JSC::JSMap::set):
2155         (JSC::JSMap::JSMap):
2156         (JSC::JSMap::Entry::key): Deleted.
2157         (JSC::JSMap::Entry::value): Deleted.
2158         (JSC::JSMap::Entry::visitChildren): Deleted.
2159         (JSC::JSMap::Entry::setKey): Deleted.
2160         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2161         (JSC::JSMap::Entry::setValue): Deleted.
2162         (JSC::JSMap::Entry::clear): Deleted.
2163         * runtime/JSMapIterator.cpp:
2164         (JSC::JSMapIterator::finishCreation):
2165         (JSC::JSMapIterator::visitChildren):
2166         (JSC::JSMapIterator::clone):
2167         * runtime/JSMapIterator.h:
2168         (JSC::JSMapIterator::advanceIter):
2169         (JSC::JSMapIterator::next):
2170         (JSC::JSMapIterator::nextKeyValue):
2171         (JSC::JSMapIterator::JSMapIterator):
2172         (JSC::JSMapIterator::setIterator):
2173         (JSC::JSMapIterator::finish): Deleted.
2174         (JSC::JSMapIterator::iteratorData): Deleted.
2175         * runtime/JSModuleLoader.cpp:
2176         (JSC::JSModuleLoader::finishCreation):
2177         * runtime/JSModuleLoader.h:
2178         (JSC::JSModuleLoader::create):
2179         * runtime/JSModuleRecord.cpp:
2180         (JSC::JSModuleRecord::finishCreation):
2181         * runtime/JSModuleRecord.h:
2182         (JSC::JSModuleRecord::create):
2183         * runtime/JSSet.cpp:
2184         (JSC::JSSet::destroy): Deleted.
2185         (JSC::JSSet::estimatedSize): Deleted.
2186         (JSC::JSSet::visitChildren): Deleted.
2187         (JSC::JSSet::copyBackingStore): Deleted.
2188         (JSC::JSSet::has): Deleted.
2189         (JSC::JSSet::size): Deleted.
2190         (JSC::JSSet::add): Deleted.
2191         (JSC::JSSet::clear): Deleted.
2192         (JSC::JSSet::remove): Deleted.
2193         * runtime/JSSet.h:
2194         (JSC::JSSet::createStructure):
2195         (JSC::JSSet::create):
2196         (JSC::JSSet::add):
2197         (JSC::JSSet::JSSet):
2198         (JSC::JSSet::Entry::key): Deleted.
2199         (JSC::JSSet::Entry::value): Deleted.
2200         (JSC::JSSet::Entry::visitChildren): Deleted.
2201         (JSC::JSSet::Entry::setKey): Deleted.
2202         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2203         (JSC::JSSet::Entry::setValue): Deleted.
2204         (JSC::JSSet::Entry::clear): Deleted.
2205         * runtime/JSSetIterator.cpp:
2206         (JSC::JSSetIterator::finishCreation):
2207         (JSC::JSSetIterator::visitChildren):
2208         (JSC::JSSetIterator::clone):
2209         * runtime/JSSetIterator.h:
2210         (JSC::JSSetIterator::advanceIter):
2211         (JSC::JSSetIterator::next):
2212         (JSC::JSSetIterator::JSSetIterator):
2213         (JSC::JSSetIterator::setIterator):
2214         (JSC::JSSetIterator::finish): Deleted.
2215         (JSC::JSSetIterator::iteratorData): Deleted.
2216         * runtime/JSType.h:
2217         * runtime/MapBase.cpp: Added.
2218         (JSC::MapBase<HashMapBucketType>::visitChildren):
2219         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2220         * runtime/MapBase.h: Added.
2221         (JSC::MapBase::size):
2222         (JSC::MapBase::has):
2223         (JSC::MapBase::clear):
2224         (JSC::MapBase::remove):
2225         (JSC::MapBase::findBucket):
2226         (JSC::MapBase::offsetOfHashMapImpl):
2227         (JSC::MapBase::impl):
2228         (JSC::MapBase::finishCreation):
2229         (JSC::MapBase::MapBase):
2230         * runtime/MapConstructor.cpp:
2231         (JSC::constructMap):
2232         * runtime/MapIteratorPrototype.cpp:
2233         (JSC::MapIteratorPrototypeFuncNext):
2234         * runtime/MapPrototype.cpp:
2235         (JSC::MapPrototype::finishCreation):
2236         (JSC::getMap):
2237         (JSC::privateFuncIsMap):
2238         (JSC::privateFuncMapIteratorNext):
2239         * runtime/PropertyDescriptor.cpp:
2240         (JSC::sameValue): Deleted.
2241         * runtime/PropertyDescriptor.h:
2242         * runtime/SetConstructor.cpp:
2243         (JSC::constructSet):
2244         * runtime/SetIteratorPrototype.cpp:
2245         (JSC::SetIteratorPrototypeFuncNext):
2246         * runtime/SetPrototype.cpp:
2247         (JSC::SetPrototype::finishCreation):
2248         (JSC::getSet):
2249         (JSC::privateFuncSetIteratorNext):
2250         * runtime/VM.cpp:
2251         (JSC::VM::VM):
2252         * runtime/VM.h:
2253
2254 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2255
2256         [JSC] Make ArithClz32 work with Cell arguments
2257         https://bugs.webkit.org/show_bug.cgi?id=161369
2258
2259         Reviewed by Geoffrey Garen.
2260
2261         ArithClz32 was already working with all primitive types
2262         thanks to the magic of ValueToInt32.
2263         This patch adds support for cell arguments through a function
2264         call.
2265
2266         * dfg/DFGAbstractInterpreterInlines.h:
2267         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2268         * dfg/DFGClobberize.h:
2269         (JSC::DFG::clobberize):
2270         * dfg/DFGFixupPhase.cpp:
2271         (JSC::DFG::FixupPhase::fixupNode):
2272         * dfg/DFGNodeType.h:
2273         * dfg/DFGOperations.cpp:
2274         * dfg/DFGOperations.h:
2275         * dfg/DFGSpeculativeJIT.cpp:
2276         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2277         * dfg/DFGSpeculativeJIT.h:
2278         (JSC::DFG::SpeculativeJIT::callOperation):
2279         * ftl/FTLLowerDFGToB3.cpp:
2280         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2281
2282 2016-09-06  Mark Lam  <mark.lam@apple.com>
2283
2284         Gardening: change to use old header guard to appease Win EWS.
2285
2286         Not reviewed.
2287
2288         * runtime/AuxiliaryBarrier.h:
2289
2290 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2291
2292         Unreviewed, rolling out r205494.
2293         https://bugs.webkit.org/show_bug.cgi?id=161646
2294
2295         This change broke the Windows build (Requested by ryanhaddad
2296         on #webkit).
2297
2298         Reverted changeset:
2299
2300         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2301         https://bugs.webkit.org/show_bug.cgi?id=161100
2302         http://trac.webkit.org/changeset/205494
2303
2304 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2305
2306         Unreviewed, rolling out r205504.
2307         https://bugs.webkit.org/show_bug.cgi?id=161645
2308
2309         Broke the iOS device build (Requested by ryanhaddad on
2310         #webkit).
2311
2312         Reverted changeset:
2313
2314         "Make JSMap and JSSet faster"
2315         https://bugs.webkit.org/show_bug.cgi?id=160989
2316         http://trac.webkit.org/changeset/205504
2317
2318 2016-09-06  Saam Barati  <sbarati@apple.com>
2319
2320         Make JSMap and JSSet faster
2321         https://bugs.webkit.org/show_bug.cgi?id=160989
2322
2323         Reviewed by Filip Pizlo.
2324
2325         This patch revamps how we implement Map and Set. It uses
2326         a new hash map implementation. The hash map uses linear
2327         probing and it uses Wang's 64 bit hash function for JSValues
2328         that aren't strings. Strings use StringImpl's hash function.
2329         The reason I wanted to roll our own HashTable is twofold:
2330         I didn't want to inline WTF::HashMap's implementation into our
2331         JIT, since that seems error prone and unmaintainable. Also, I wanted
2332         a different structure for hash map buckets where buckets also exist in
2333         a linked list.
2334
2335         The reason for making buckets part of a linked list is that iteration
2336         is now simple. Iteration works by just traversing a linked list.
2337         This design also allows for a simple implementation when doing iteration
2338         while the hash table is mutating. Whenever we remove a bucket from
2339         the hash table, it is removed from the list, meaning items in the
2340         list don't point to it. However, the removed bucket will still point
2341         to things that are either in the list, or have also been removed.
2342         e.g, from a removed bucket, you can always follow pointers until you
2343         either find an item in the list, or you find the tail of the list.
2344         This is a really nice property because it means that a Map or Set
2345         does not need to reason about the all the iterators that point
2346         into its list. Also, whenever we add items to the Map or Set, we
2347         hijack the tail as the new item, and make the new item point to a newly
2348         created tail. This means that any iterator that pointed to the "tail" now
2349         points to non-tail items. This makes the implementation of adding things
2350         to the Map/Set while iterating easy.
2351
2352         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2353         into intrinsics in the DFG. The IR can now reason about hash map
2354         operations and can even do CSE over Wang's hash function, hash map
2355         bucket lookups, hash map bucket loads, and testing if a key is in
2356         the hash table. This makes code patterns for Map like so, super fast
2357         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2358
2359         ```
2360         function getKeyIfPresent(map, key) {
2361             if (map.has(key))
2362                 return map.get(key);
2363         }
2364         ```
2365
2366         This patch is roughly an 8% speedup on ES6SampleBench.
2367
2368         * CMakeLists.txt:
2369         * JavaScriptCore.xcodeproj/project.pbxproj:
2370         * bytecode/SpeculatedType.cpp:
2371         (JSC::speculationFromClassInfo):
2372         * bytecode/SpeculatedType.h:
2373         * dfg/DFGAbstractInterpreterInlines.h:
2374         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2375         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2376         * dfg/DFGByteCodeParser.cpp:
2377         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2378         * dfg/DFGClobberize.h:
2379         (JSC::DFG::clobberize):
2380         * dfg/DFGDoesGC.cpp:
2381         (JSC::DFG::doesGC):
2382         * dfg/DFGEdge.h:
2383         (JSC::DFG::Edge::shift):
2384         (JSC::DFG::Edge::makeWord):
2385         * dfg/DFGFixupPhase.cpp:
2386         (JSC::DFG::FixupPhase::fixupNode):
2387         * dfg/DFGHeapLocation.cpp:
2388         (WTF::printInternal):
2389         * dfg/DFGHeapLocation.h:
2390         * dfg/DFGNode.h:
2391         (JSC::DFG::Node::hasHeapPrediction):
2392         * dfg/DFGNodeType.h:
2393         * dfg/DFGOperations.cpp:
2394         * dfg/DFGOperations.h:
2395         * dfg/DFGPredictionPropagationPhase.cpp:
2396         * dfg/DFGSafeToExecute.h:
2397         (JSC::DFG::SafeToExecuteEdge::operator()):
2398         (JSC::DFG::safeToExecute):
2399         * dfg/DFGSpeculativeJIT.cpp:
2400         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2401         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2402         (JSC::DFG::SpeculativeJIT::speculate):
2403         * dfg/DFGSpeculativeJIT.h:
2404         (JSC::DFG::SpeculativeJIT::callOperation):
2405         * dfg/DFGSpeculativeJIT32_64.cpp:
2406         (JSC::DFG::SpeculativeJIT::compile):
2407         * dfg/DFGSpeculativeJIT64.cpp:
2408         (JSC::DFG::SpeculativeJIT::compile):
2409         * dfg/DFGUseKind.cpp:
2410         (WTF::printInternal):
2411         * dfg/DFGUseKind.h:
2412         (JSC::DFG::typeFilterFor):
2413         (JSC::DFG::isCell):
2414         * ftl/FTLAbstractHeapRepository.h:
2415         * ftl/FTLCapabilities.cpp:
2416         (JSC::FTL::canCompile):
2417         * ftl/FTLLowerDFGToB3.cpp:
2418         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2419         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2420         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2421         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2422         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2423         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2424         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2425         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2426         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2427         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2428         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2429         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2430         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2431         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2432         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2433         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2434         * jit/AssemblyHelpers.cpp:
2435         (JSC::AssemblyHelpers::wangsInt64Hash):
2436         * jit/AssemblyHelpers.h:
2437         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2438         * jit/JITOperations.h:
2439         * parser/ModuleAnalyzer.cpp:
2440         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2441         * runtime/HashMapImpl.cpp: Added.
2442         (JSC::HashMapBucket<Data>::visitChildren):
2443         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2444         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2445         * runtime/HashMapImpl.h: Added.
2446         (JSC::HashMapBucket::selectStructure):
2447         (JSC::HashMapBucket::createStructure):
2448         (JSC::HashMapBucket::create):
2449         (JSC::HashMapBucket::HashMapBucket):
2450         (JSC::HashMapBucket::setNext):
2451         (JSC::HashMapBucket::setPrev):
2452         (JSC::HashMapBucket::setKey):
2453         (JSC::HashMapBucket::setValue):
2454         (JSC::HashMapBucket::key):
2455         (JSC::HashMapBucket::value):
2456         (JSC::HashMapBucket::next):
2457         (JSC::HashMapBucket::prev):
2458         (JSC::HashMapBucket::deleted):
2459         (JSC::HashMapBucket::setDeleted):
2460         (JSC::HashMapBucket::offsetOfKey):
2461         (JSC::HashMapBucket::offsetOfValue):
2462         (JSC::HashMapBuffer::allocationSize):
2463         (JSC::HashMapBuffer::buffer):
2464         (JSC::HashMapBuffer::create):
2465         (JSC::areKeysEqual):
2466         (JSC::normalizeMapKey):
2467         (JSC::jsMapHash):
2468         (JSC::HashMapImpl::selectStructure):
2469         (JSC::HashMapImpl::createStructure):
2470         (JSC::HashMapImpl::create):
2471         (JSC::HashMapImpl::HashMapImpl):
2472         (JSC::HashMapImpl::buffer):
2473         (JSC::HashMapImpl::finishCreation):
2474         (JSC::HashMapImpl::emptyValue):
2475         (JSC::HashMapImpl::isEmpty):
2476         (JSC::HashMapImpl::deletedValue):
2477         (JSC::HashMapImpl::isDeleted):
2478         (JSC::HashMapImpl::findBucket):
2479         (JSC::HashMapImpl::get):
2480         (JSC::HashMapImpl::has):
2481         (JSC::HashMapImpl::add):
2482         (JSC::HashMapImpl::remove):
2483         (JSC::HashMapImpl::size):
2484         (JSC::HashMapImpl::clear):
2485         (JSC::HashMapImpl::bufferSizeInBytes):
2486         (JSC::HashMapImpl::offsetOfBuffer):
2487         (JSC::HashMapImpl::offsetOfCapacity):
2488         (JSC::HashMapImpl::head):
2489         (JSC::HashMapImpl::tail):
2490         (JSC::HashMapImpl::approximateSize):
2491         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2492         (JSC::HashMapImpl::rehash):
2493         (JSC::HashMapImpl::makeAndSetNewBuffer):
2494         * runtime/Intrinsic.h:
2495         * runtime/JSCJSValue.h:
2496         * runtime/JSCJSValueInlines.h:
2497         (JSC::sameValue):
2498         * runtime/JSGlobalObject.cpp:
2499         (JSC::JSGlobalObject::init):
2500         * runtime/JSMap.cpp:
2501         (JSC::JSMap::destroy): Deleted.
2502         (JSC::JSMap::estimatedSize): Deleted.
2503         (JSC::JSMap::visitChildren): Deleted.
2504         (JSC::JSMap::copyBackingStore): Deleted.
2505         (JSC::JSMap::has): Deleted.
2506         (JSC::JSMap::size): Deleted.
2507         (JSC::JSMap::get): Deleted.
2508         (JSC::JSMap::set): Deleted.
2509         (JSC::JSMap::clear): Deleted.
2510         (JSC::JSMap::remove): Deleted.
2511         * runtime/JSMap.h:
2512         (JSC::JSMap::createStructure):
2513         (JSC::JSMap::create):
2514         (JSC::JSMap::get):
2515         (JSC::JSMap::set):
2516         (JSC::JSMap::JSMap):
2517         (JSC::JSMap::Entry::key): Deleted.
2518         (JSC::JSMap::Entry::value): Deleted.
2519         (JSC::JSMap::Entry::visitChildren): Deleted.
2520         (JSC::JSMap::Entry::setKey): Deleted.
2521         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2522         (JSC::JSMap::Entry::setValue): Deleted.
2523         (JSC::JSMap::Entry::clear): Deleted.
2524         * runtime/JSMapIterator.cpp:
2525         (JSC::JSMapIterator::finishCreation):
2526         (JSC::JSMapIterator::visitChildren):
2527         (JSC::JSMapIterator::clone):
2528         * runtime/JSMapIterator.h:
2529         (JSC::JSMapIterator::advanceIter):
2530         (JSC::JSMapIterator::next):
2531         (JSC::JSMapIterator::nextKeyValue):
2532         (JSC::JSMapIterator::JSMapIterator):
2533         (JSC::JSMapIterator::setIterator):
2534         (JSC::JSMapIterator::finish): Deleted.
2535         (JSC::JSMapIterator::iteratorData): Deleted.
2536         * runtime/JSModuleLoader.cpp:
2537         (JSC::JSModuleLoader::finishCreation):
2538         * runtime/JSModuleLoader.h:
2539         (JSC::JSModuleLoader::create):
2540         * runtime/JSModuleRecord.cpp:
2541         (JSC::JSModuleRecord::finishCreation):
2542         * runtime/JSModuleRecord.h:
2543         (JSC::JSModuleRecord::create):
2544         * runtime/JSSet.cpp:
2545         (JSC::JSSet::destroy): Deleted.
2546         (JSC::JSSet::estimatedSize): Deleted.
2547         (JSC::JSSet::visitChildren): Deleted.
2548         (JSC::JSSet::copyBackingStore): Deleted.
2549         (JSC::JSSet::has): Deleted.
2550         (JSC::JSSet::size): Deleted.
2551         (JSC::JSSet::add): Deleted.
2552         (JSC::JSSet::clear): Deleted.
2553         (JSC::JSSet::remove): Deleted.
2554         * runtime/JSSet.h:
2555         (JSC::JSSet::createStructure):
2556         (JSC::JSSet::create):
2557         (JSC::JSSet::add):
2558         (JSC::JSSet::JSSet):
2559         (JSC::JSSet::Entry::key): Deleted.
2560         (JSC::JSSet::Entry::value): Deleted.
2561         (JSC::JSSet::Entry::visitChildren): Deleted.
2562         (JSC::JSSet::Entry::setKey): Deleted.
2563         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2564         (JSC::JSSet::Entry::setValue): Deleted.
2565         (JSC::JSSet::Entry::clear): Deleted.
2566         * runtime/JSSetIterator.cpp:
2567         (JSC::JSSetIterator::finishCreation):
2568         (JSC::JSSetIterator::visitChildren):
2569         (JSC::JSSetIterator::clone):
2570         * runtime/JSSetIterator.h:
2571         (JSC::JSSetIterator::advanceIter):
2572         (JSC::JSSetIterator::next):
2573         (JSC::JSSetIterator::JSSetIterator):
2574         (JSC::JSSetIterator::setIterator):
2575         (JSC::JSSetIterator::finish): Deleted.
2576         (JSC::JSSetIterator::iteratorData): Deleted.
2577         * runtime/JSType.h:
2578         * runtime/MapBase.cpp: Added.
2579         (JSC::MapBase<HashMapBucketType>::visitChildren):
2580         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2581         * runtime/MapBase.h: Added.
2582         (JSC::MapBase::size):
2583         (JSC::MapBase::has):
2584         (JSC::MapBase::clear):
2585         (JSC::MapBase::remove):
2586         (JSC::MapBase::findBucket):
2587         (JSC::MapBase::offsetOfHashMapImpl):
2588         (JSC::MapBase::impl):
2589         (JSC::MapBase::finishCreation):
2590         (JSC::MapBase::MapBase):
2591         * runtime/MapConstructor.cpp:
2592         (JSC::constructMap):
2593         * runtime/MapIteratorPrototype.cpp:
2594         (JSC::MapIteratorPrototypeFuncNext):
2595         * runtime/MapPrototype.cpp:
2596         (JSC::MapPrototype::finishCreation):
2597         (JSC::getMap):
2598         (JSC::privateFuncIsMap):
2599         (JSC::privateFuncMapIteratorNext):
2600         * runtime/PropertyDescriptor.cpp:
2601         (JSC::sameValue): Deleted.
2602         * runtime/PropertyDescriptor.h:
2603         * runtime/SetConstructor.cpp:
2604         (JSC::constructSet):
2605         * runtime/SetIteratorPrototype.cpp:
2606         (JSC::SetIteratorPrototypeFuncNext):
2607         * runtime/SetPrototype.cpp:
2608         (JSC::SetPrototype::finishCreation):
2609         (JSC::getSet):
2610         (JSC::privateFuncSetIteratorNext):
2611         * runtime/VM.cpp:
2612         (JSC::VM::VM):
2613         * runtime/VM.h:
2614
2615 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2616
2617         Typed arrays should use MarkedSpace instead of CopiedSpace
2618         https://bugs.webkit.org/show_bug.cgi?id=161100
2619
2620         Reviewed by Geoffrey Garen.
2621         
2622         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2623         
2624         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2625         everything that typed arrays want.
2626
2627         * dfg/DFGOperations.cpp:
2628         (JSC::DFG::newTypedArrayWithSize):
2629         * dfg/DFGOperations.h:
2630         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2631         * dfg/DFGSpeculativeJIT.cpp:
2632         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2633         * dfg/DFGSpeculativeJIT.h:
2634         (JSC::DFG::SpeculativeJIT::callOperation):
2635         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2636         * ftl/FTLLowerDFGToB3.cpp:
2637         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2638         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2639         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2640         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2641         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2642         * heap/CopyToken.h:
2643         * heap/SlotVisitor.cpp:
2644         (JSC::SlotVisitor::markAuxiliary):
2645         * jit/JITOperations.h:
2646         * runtime/JSArrayBufferView.cpp:
2647         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2648         (JSC::JSArrayBufferView::JSArrayBufferView):
2649         * runtime/JSArrayBufferView.h:
2650         * runtime/JSGenericTypedArrayView.h:
2651         * runtime/JSGenericTypedArrayViewInlines.h:
2652         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2653         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2654         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2655         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2656
2657 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2658
2659         Silence GCC warning spam introduced in r205462
2660
2661         Rubber-stamped by Filip Pizlo.
2662
2663         * bytecode/Opcode.h:
2664         (JSC::padOpcodeName):
2665
2666 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2667
2668         Heap::isMarked() should use concurrent lazy flipping
2669         https://bugs.webkit.org/show_bug.cgi?id=161613
2670
2671         Reviewed by Michael Catanzaro.
2672         
2673         I found out about this race condition via
2674         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2675         
2676         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2677         phase. So, they need to lazy-flip in a non-racy way.
2678
2679         * heap/HeapInlines.h:
2680         (JSC::Heap::isLive):
2681         (JSC::Heap::isMarked):
2682
2683 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2684
2685         Unreviewed, reset generator test results after the butterflies.
2686
2687         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2688         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2689         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2690         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2691         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2692         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2693         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2694         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2695         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2696         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2697         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2698         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2699         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2700         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2701
2702 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2703
2704         Unreviewed, fix cloop build.
2705
2706         * bytecode/SuperSampler.cpp:
2707
2708 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2709
2710         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2711         https://bugs.webkit.org/show_bug.cgi?id=160125
2712
2713         Reviewed by Geoffrey Garen and Keith Miller.
2714
2715         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2716         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2717         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2718         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2719         to get rid of copied space. This change moves copied space's biggest client over to marked
2720         space.
2721         
2722         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2723         allocation path. This is a fairly mechanical change, but it caused performance regressions
2724         everywhere, so this change also fixes MarkedSpace's performance issues.
2725         
2726         At a high level the mechanical changes are:
2727         
2728         - We use AuxiliaryBarrier instead of CopyBarrier.
2729         
2730         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2731           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2732         
2733         - The JITs have to emit inlined marked space allocations instead of inline copy space
2734           allocations.
2735         
2736         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2737           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2738           space doesn't.
2739         
2740         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2741         optimizations that amounted to a major MarkedSpace rewrite:
2742         
2743         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2744           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2745           size class. I got around this by making array allocations usually round up vectorLength to
2746           the maximum allowed by the size class that we would have allocated in. Also,
2747           ensureLengthSlow() and friends first make sure that the requested length can't just be
2748           fulfilled with the current allocation size. This safeguard means that not every array
2749           allocation has to do size class queries. For example, the fast path of new Array(length)
2750           never does any size class queries, under the assumption that (1) the speed gained from
2751           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2752           size class query, is too small to offset the speed lost by doing the query on every
2753           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2754           likely.
2755         
2756         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2757           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2758           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2759           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2760           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2761           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2762           size (80 bytes), we proceed using a geometric progression, but round up each size to
2763           minimize slop at the end of the block. This naturally causes the geometric progression to
2764           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2765           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2766         
2767         - Large allocations caused massive internal fragmentation, since the smallest large
2768           allocation had to use exactly blockSize, and the largest small allocation used
2769           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2770           also had 50% internal fragmentation. This is because we required large allocations to be
2771           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2772           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2773           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2774           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2775           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2776           out great since (1) typed arrays won't use large allocations anyway since they have their
2777           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2778           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2779           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2780           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2781           must be small allocations. It's also possible to use template tricks to do one check for
2782           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2783           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2784           that get used from functions that are template-specialized like this. That's mostly to
2785           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2786           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2787           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2788           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2789           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2790           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2791           that the MarkedBlock size classes end up being:
2792           
2793           16, 32, 48, 64, 80, 112, 160, 224, 320
2794           
2795           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2796           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2797           size classes you end up with by doing --dumpSizeClasses=true.
2798         
2799         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2800           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2801           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2802           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2803           side, for better locality during a sequential walk. It's no longer necessary to scan
2804           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2805           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2806           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2807           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2808           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2809           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2810           together, these optimizations allowed me to reduce block size to 16KB without losing much
2811           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2812           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2813           progression on membuster. That's not possible yet, since there is still enough per-block
2814           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2815           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2816         
2817         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2818           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2819           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2820           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2821           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2822           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2823           that we walk the block to build a free list. This means walking dead space. The new
2824           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2825           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2826           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2827           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2828           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2829           is completely empty, which is the common case because of the generational hypothesis: the
2830           number of objects that survive an eden collection is a tiny fraction of the number of
2831           objects that had been allocated, and this fraction is so small that there are typically
2832           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2833           win over tip-of-tree.
2834         
2835         - FTL now shares the same allocation fast paths as everything else, which is great, because
2836           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2837           control flow, since it won't be able to improve the machine code we write ourselves. GC
2838           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2839           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2840           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2841           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2842           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2843           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2844           variable-length allocation but then realize that the length is known). I think it makes
2845           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2846           since this makes lowering easier (you can constant fold during lowering more easily) and it
2847           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2848           constant-fold this code. That would require allowing loads to be constant-folded, which is
2849           doable but hella tricky.
2850         
2851         - It used to be that if a logical object allocation required two physical allocations (first
2852           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2853           failure in the second fast path would cause us to forget the successful first physical
2854           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2855           register to storing either the butterfly or null, because the butterfly register is anyway
2856           going to be free inside the first allocation. The only overhead here is zeroing the
2857           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2858           path, which can then either allocate a butterfly or not. So now we never waste a successful
2859           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2860           since we control registers already) and in FTL (where it's annoying, because mutable
2861           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2862           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2863           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2864           benchmark would always allocate N small things followed by one bigger thing. The problem
2865           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2866           the JSObject size class, which both the small and big thing shared for their cell, could
2867           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2868           it allocated the big thing. So, it would end up having to allocate the big thing's large
2869           butterfly twice, every single time! Ouch!
2870         
2871         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2872           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2873           of the allocator to initialize the object to whatever state they need. It used to be that
2874           we would just use a dumb loop. I initially changed this so that we would end up in memset
2875           for large allocations, but this didn't actually help performance that much. I got a much
2876           better result by playing with different memsets written in assembly. First I wrote one
2877           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2878           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2879           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2880           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2881           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2882           of stores (if the size is known), but those paths in the JIT won't trigger for
2883           NewArrayWithSize() if the size is large, since that takes us to the
2884           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2885           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2886           that need to be filled with holes.
2887         
2888         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2889         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2890         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2891         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2892         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2893         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2894         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2895         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2896         marking barrier and we simply won't need a copying barrier. This change gets us there for
2897         the purposes of our benchmarks, since the remaining clients of copied space are not very
2898         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2899         adding back the copy barrier, which costs more perf.
2900         
2901         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2902         typed arrays and a few other weird things over to Aux MarkedSpace.
2903         
2904         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2905         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2906         just including JSCInlines.h (instead of manually including the files that includes) is
2907         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2908         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2909         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2910         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2911         meant having to manually include HeapInlines.h from the places that previously got it
2912         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2913         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2914         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2915         made it impossible to include it from outside JSC. This was a lot of work, but it was
2916         necessary to get the patch to build on all ports. It's also a net win. There were many places
2917         in WebCore that were transitively including a *ton* of JSC headers just because of the
2918         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2919         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2920
2921         * API/JSManagedValue.mm:
2922         (-[JSManagedValue initWithValue:]):
2923         * API/JSTypedArray.cpp:
2924         * API/ObjCCallbackFunction.mm:
2925         * API/tests/testapi.mm:
2926         (testObjectiveCAPI):
2927         (testWeakValue): Deleted.
2928         * CMakeLists.txt:
2929         * JavaScriptCore.xcodeproj/project.pbxproj:
2930         * Scripts/builtins/builtins_generate_combined_implementation.py:
2931         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2932         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2933         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2934         * Scripts/builtins/builtins_generate_separate_implementation.py:
2935         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2936         * assembler/AbstractMacroAssembler.h:
2937         (JSC::AbstractMacroAssembler::JumpList::link):
2938         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2939         * assembler/MacroAssembler.h:
2940         * assembler/MacroAssemblerARM64.h:
2941         (JSC::MacroAssemblerARM64::add32):
2942         * assembler/MacroAssemblerCodeRef.cpp: Added.
2943         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2944         (JSC::MacroAssemblerCodePtr::dumpWithName):
2945         (JSC::MacroAssemblerCodePtr::dump):
2946         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2947         (JSC::MacroAssemblerCodeRef::dump):
2948         * assembler/MacroAssemblerCodeRef.h:
2949         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2950         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2951         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2952         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2953         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2954         * b3/B3BasicBlock.cpp:
2955         (JSC::B3::BasicBlock::appendBoolConstant):
2956         * b3/B3BasicBlock.h:
2957         * b3/B3DuplicateTails.cpp:
2958         * b3/B3StackmapGenerationParams.h:
2959         * b3/testb3.cpp:
2960         (JSC::B3::testPatchpointTerminalReturnValue):
2961         (JSC::B3::run):
2962         * bindings/ScriptValue.cpp:
2963         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2964         * bytecode/BytecodeBasicBlock.cpp:
2965         * bytecode/BytecodeLivenessAnalysis.cpp:
2966         * bytecode/BytecodeUseDef.h:
2967         * bytecode/CallLinkInfo.cpp:
2968         (JSC::CallLinkInfo::callTypeFor):
2969         * bytecode/CallLinkInfo.h:
2970         (JSC::CallLinkInfo::callTypeFor): Deleted.
2971         * bytecode/CallLinkStatus.cpp:
2972         * bytecode/CodeBlock.cpp:
2973         (JSC::CodeBlock::finishCreation):
2974         (JSC::CodeBlock::clearLLIntGetByIdCache):
2975         (JSC::CodeBlock::predictedMachineCodeSize):
2976         * bytecode/CodeBlock.h:
2977         (JSC::CodeBlock::jitCodeMap): Deleted.
2978         (JSC::clearLLIntGetByIdCache): Deleted.
2979         * bytecode/ExecutionCounter.h:
2980         * bytecode/Instruction.h:
2981         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2982         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2983         * bytecode/ObjectAllocationProfile.h:
2984         (JSC::ObjectAllocationProfile::isNull):
2985         (JSC::ObjectAllocationProfile::initialize):
2986         * bytecode/Opcode.h:
2987         (JSC::padOpcodeName):
2988         * bytecode/PolymorphicAccess.cpp:
2989         (JSC::AccessCase::generateImpl):
2990         (JSC::PolymorphicAccess::regenerate):
2991         * bytecode/PolymorphicAccess.h:
2992         * bytecode/PreciseJumpTargets.cpp:
2993         * bytecode/StructureStubInfo.cpp:
2994         * bytecode/StructureStubInfo.h:
2995         * bytecode/UnlinkedCodeBlock.cpp:
2996         (JSC::UnlinkedCodeBlock::vm): Deleted.
2997         * bytecode/UnlinkedCodeBlock.h:
2998         * bytecode/UnlinkedInstructionStream.cpp:
2999         * bytecode/UnlinkedInstructionStream.h:
3000         * dfg/DFGOperations.cpp:
3001         * dfg/DFGSpeculativeJIT.cpp:
3002         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3003         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3004         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3005         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3006         * dfg/DFGSpeculativeJIT.h:
3007         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3008         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3009         * dfg/DFGSpeculativeJIT32_64.cpp:
3010         (JSC::DFG::SpeculativeJIT::compile):
3011         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3012         * dfg/DFGSpeculativeJIT64.cpp:
3013         (JSC::DFG::SpeculativeJIT::compile):
3014         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3015         * dfg/DFGStrengthReductionPhase.cpp:
3016         (JSC::DFG::StrengthReductionPhase::handleNode):
3017         * ftl/FTLAbstractHeapRepository.h:
3018         * ftl/FTLCompile.cpp:
3019         * ftl/FTLJITFinalizer.cpp:
3020         * ftl/FTLLowerDFGToB3.cpp:
3021         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3022         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3023         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
3024         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3025         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3026         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3027         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3028         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3029         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3030         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3031         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3032         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3033         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3034         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3035         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
3036         * ftl/FTLOutput.cpp:
3037         (JSC::FTL::Output::constBool):
3038         (JSC::FTL::Output::add):
3039         (JSC::FTL::Output::shl):
3040         (JSC::FTL::Output::aShr):
3041         (JSC::FTL::Output::lShr):
3042         (JSC::FTL::Output::zeroExt):
3043         (JSC::FTL::Output::equal):
3044         (JSC::FTL::Output::notEqual):
3045         (JSC::FTL::Output::above):
3046         (JSC::FTL::Output::aboveOrEqual):
3047         (JSC::FTL::Output::below):
3048         (JSC::FTL::Output::belowOrEqual):
3049         (JSC::FTL::Output::greaterThan):
3050         (JSC::FTL::Output::greaterThanOrEqual):
3051         (JSC::FTL::Output::lessThan):
3052         (JSC::FTL::Output::lessThanOrEqual):
3053         (JSC::FTL::Output::select):
3054         (JSC::FTL::Output::appendSuccessor):
3055         (JSC::FTL::Output::addIncomingToPhi):
3056         * ftl/FTLOutput.h:
3057         * ftl/FTLValueFromBlock.h:
3058         (JSC::FTL::ValueFromBlock::operator bool):
3059         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
3060         * ftl/FTLWeightedTarget.h:
3061         (JSC::FTL::WeightedTarget::frequentedBlock):
3062         * heap/CellContainer.h: Added.
3063         (JSC::CellContainer::CellContainer):
3064         (JSC::CellContainer::operator bool):
3065         (JSC::CellContainer::isMarkedBlock):
3066         (JSC::CellContainer::isLargeAllocation):
3067         (JSC::CellContainer::markedBlock):
3068         (JSC::CellContainer::largeAllocation):
3069         * heap/CellContainerInlines.h: Added.
3070         (JSC::CellContainer::isMarked):
3071         (JSC::CellContainer::isMarkedOrNewlyAllocated):
3072         (JSC::CellContainer::noteMarked):
3073         (JSC::CellContainer::cellSize):
3074         (JSC::CellContainer::weakSet):
3075         (JSC::CellContainer::flipIfNecessary):
3076         * heap/ConservativeRoots.cpp:
3077         (JSC::ConservativeRoots::ConservativeRoots):
3078         (JSC::ConservativeRoots::~ConservativeRoots):
3079         (JSC::ConservativeRoots::grow):
3080         (JSC::ConservativeRoots::genericAddPointer):
3081         (JSC::ConservativeRoots::genericAddSpan):
3082         * heap/ConservativeRoots.h:
3083         (JSC::ConservativeRoots::roots):
3084         * heap/CopyToken.h:
3085         * heap/FreeList.cpp: Added.
3086         (JSC::FreeList::dump):
3087         * heap/FreeList.h: Added.
3088         (JSC::FreeList::FreeList):
3089         (JSC::FreeList::list):
3090         (JSC::FreeList::bump):
3091         (JSC::FreeList::operator==):
3092         (JSC::FreeList::operator!=):
3093         (JSC::FreeList::operator bool):
3094         (JSC::FreeList::allocationWillFail):
3095         (JSC::FreeList::allocationWillSucceed):
3096         * heap/GCTypeMap.h: Added.
3097         (JSC::GCTypeMap::operator[]):
3098         * heap/Heap.cpp:
3099         (JSC::Heap::Heap):
3100         (JSC::Heap::lastChanceToFinalize):
3101         (JSC::Heap::finalizeUnconditionalFinalizers):
3102         (JSC::Heap::markRoots):
3103         (JSC::Heap::copyBackingStores):
3104         (JSC::Heap::gatherStackRoots):
3105         (JSC::Heap::gatherJSStackRoots):
3106         (JSC::Heap::gatherScratchBufferRoots):
3107         (JSC::Heap::clearLivenessData):
3108         (JSC::Heap::visitSmallStrings):
3109         (JSC::Heap::visitConservativeRoots):
3110         (JSC::Heap::removeDeadCompilerWorklistEntries):
3111         (JSC::Heap::gatherExtraHeapSnapshotData):
3112         (JSC::Heap::removeDeadHeapSnapshotNodes):
3113         (JSC::Heap::visitProtectedObjects):
3114         (JSC::Heap::visitArgumentBuffers):
3115         (JSC::Heap::visitException):
3116         (JSC::Heap::visitStrongHandles):
3117         (JSC::Heap::visitHandleStack):
3118         (JSC::Heap::visitSamplingProfiler):
3119         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3120         (JSC::Heap::converge):
3121         (JSC::Heap::visitWeakHandles):
3122         (JSC::Heap::updateObjectCounts):
3123         (JSC::Heap::clearUnmarkedExecutables):
3124         (JSC::Heap::deleteUnmarkedCompiledCode):
3125         (JSC::Heap::collectAllGarbage):
3126         (JSC::Heap::collect):
3127         (JSC::Heap::collectWithoutAnySweep):
3128         (JSC::Heap::collectImpl):
3129         (JSC::Heap::suspendCompilerThreads):
3130         (JSC::Heap::willStartCollection):
3131         (JSC::Heap::flushOldStructureIDTables):
3132         (JSC::Heap::flushWriteBarrierBuffer):
3133         (JSC::Heap::stopAllocation):
3134         (JSC::Heap::prepareForMarking):
3135         (JSC::Heap::reapWeakHandles):
3136         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3137         (JSC::Heap::sweepArrayBuffers):
3138         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3139         (JSC::MarkedBlockSnapshotFunctor::operator()):
3140         (JSC::Heap::snapshotMarkedSpace):
3141         (JSC::Heap::deleteSourceProviderCaches):
3142         (JSC::Heap::notifyIncrementalSweeper):
3143         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3144         (JSC::Heap::resetAllocators):
3145         (JSC::Heap::updateAllocationLimits):
3146         (JSC::Heap::didFinishCollection):
3147         (JSC::Heap::resumeCompilerThreads):
3148         (JSC::Zombify::visit):
3149         (JSC::Heap::forEachCodeBlockImpl):
3150         * heap/Heap.h:
3151         (JSC::Heap::allocatorForObjectWithoutDestructor):
3152         (JSC::Heap::allocatorForObjectWithDestructor):
3153         (JSC::Heap::allocatorForAuxiliaryData):
3154         (JSC::Heap::jitStubRoutines):
3155         (JSC::Heap::codeBlockSet):
3156         (JSC::Heap::storageAllocator): Deleted.
3157         * heap/HeapCell.h:
3158         (JSC::HeapCell::isZapped): Deleted.
3159         * heap/HeapCellInlines.h: Added.
3160         (JSC::HeapCell::isLargeAllocation):
3161         (JSC::HeapCell::cellContainer):
3162         (JSC::HeapCell::markedBlock):
3163         (JSC::HeapCell::largeAllocation):
3164         (JSC::HeapCell::heap):
3165         (JSC::HeapCell::vm):
3166         (JSC::HeapCell::cellSize):
3167         (JSC::HeapCell::allocatorAttributes):
3168         (JSC::HeapCell::destructionMode):
3169         (JSC::HeapCell::cellKind):
3170         * heap/HeapInlines.h:
3171         (JSC::Heap::heap):
3172         (JSC::Heap::isLive):
3173         (JSC::Heap::isMarked):
3174         (JSC::Heap::testAndSetMarked):
3175         (JSC::Heap::setMarked):
3176         (JSC::Heap::cellSize):
3177         (JSC::Heap::forEachCodeBlock):
3178         (JSC::Heap::allocateObjectOfType):
3179         (JSC::Heap::subspaceForObjectOfType):
3180         (JSC::Heap::allocatorForObjectOfType):
3181         (JSC::Heap::allocateAuxiliary):
3182         (JSC::Heap::tryAllocateAuxiliary):
3183         (JSC::Heap::tryReallocateAuxiliary):
3184         (JSC::Heap::isPointerGCObject): Deleted.
3185         (JSC::Heap::isValueGCObject): Deleted.
3186         * heap/HeapOperation.cpp: Added.
3187         (WTF::printInternal):
3188         * heap/HeapOperation.h:
3189         * heap/HeapUtil.h: Added.
3190         (JSC::HeapUtil::findGCObjectPointersForMarking):
3191         (JSC::HeapUtil::isPointerGCObjectJSCell):
3192         (JSC::HeapUtil::isValueGCObject):
3193         * heap/IncrementalSweeper.cpp:
3194         (JSC::IncrementalSweeper::sweepNextBlock):
3195         * heap/IncrementalSweeper.h:
3196         * heap/LargeAllocation.cpp: Added.
3197         (JSC::LargeAllocation::tryCreate):
3198         (JSC::LargeAllocation::LargeAllocation):
3199         (JSC::LargeAllocation::lastChanceToFinalize):
3200         (JSC::LargeAllocation::shrink):
3201         (JSC::LargeAllocation::visitWeakSet):
3202         (JSC::LargeAllocation::reapWeakSet):
3203         (JSC::LargeAllocation::flip):
3204         (JSC::LargeAllocation::isEmpty):
3205         (JSC::LargeAllocation::sweep):
3206         (JSC::LargeAllocation::destroy):
3207         (JSC::LargeAllocation::dump):
3208         * heap/LargeAllocation.h: Added.
3209         (JSC::LargeAllocation::fromCell):
3210         (JSC::LargeAllocation::cell):
3211         (JSC::LargeAllocation::isLargeAllocation):
3212         (JSC::LargeAllocation::heap):
3213         (JSC::LargeAllocation::vm):
3214         (JSC::LargeAllocation::weakSet):
3215         (JSC::LargeAllocation::clearNewlyAllocated):
3216         (JSC::LargeAllocation::isNewlyAllocated):
3217         (JSC::LargeAllocation::isMarked):
3218         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3219         (JSC::LargeAllocation::isLive):
3220         (JSC::LargeAllocation::hasValidCell):
3221         (JSC::LargeAllocation::cellSize):
3222         (JSC::LargeAllocation::aboveLowerBound):
3223         (JSC::LargeAllocation::belowUpperBound):
3224         (JSC::LargeAllocation::contains):
3225         (JSC::LargeAllocation::attributes):
3226         (JSC::LargeAllocation::flipIfNecessary):
3227         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
3228         (JSC::LargeAllocation::testAndSetMarked):
3229         (JSC::LargeAllocation::setMarked):
3230         (JSC::LargeAllocation::clearMarked):
3231         (JSC::LargeAllocation::noteMarked):
3232         (JSC::LargeAllocation::headerSize):
3233         * heap/MarkedAllocator.cpp:
3234         (JSC::MarkedAllocator::MarkedAllocator):
3235         (JSC::MarkedAllocator::isPagedOut):
3236         (JSC::MarkedAllocator::retire):
3237         (JSC::MarkedAllocator::filterNextBlock):
3238         (JSC::MarkedAllocator::setNextBlockToSweep):
3239         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3240         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3241         (JSC::MarkedAllocator::allocateSlowCase):
3242         (JSC::MarkedAllocator::tryAllocateSlowCase):
3243         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3244         (JSC::blockHeaderSize):
3245         (JSC::MarkedAllocator::blockSizeForBytes):
3246         (JSC::MarkedAllocator::tryAllocateBlock):
3247         (JSC::MarkedAllocator::addBlock):
3248         (JSC::MarkedAllocator::removeBlock):
3249         (JSC::MarkedAllocator::stopAllocating):
3250         (JSC::MarkedAllocator::reset):
3251         (JSC::MarkedAllocator::lastChanceToFinalize):
3252         (JSC::MarkedAllocator::setFreeList):
3253         (JSC::isListPagedOut): Deleted.
3254         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3255         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3256         (JSC::MarkedAllocator::tryAllocate): Deleted.
3257         (JSC::MarkedAllocator::allocateBlock): Deleted.
3258         * heap/MarkedAllocator.h:
3259         (JSC::MarkedAllocator::takeLastActiveBlock):
3260         (JSC::MarkedAllocator::offsetOfFreeList):
3261         (JSC::MarkedAllocator::offsetOfCellSize):
3262         (JSC::MarkedAllocator::tryAllocate):
3263         (JSC::MarkedAllocator::allocate):
3264         (JSC::MarkedAllocator::forEachBlock):
3265         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3266         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3267         (JSC::MarkedAllocator::init): Deleted.
3268         (JSC::MarkedAllocator::stopAllocating): Deleted.
3269         * heap/MarkedBlock.cpp:
3270         (JSC::MarkedBlock::tryCreate):
3271         (JSC::MarkedBlock::Handle::Handle):
3272         (JSC::MarkedBlock::Handle::~Handle):
3273         (JSC::MarkedBlock::MarkedBlock):
3274         (JSC::MarkedBlock::Handle::specializedSweep):
3275         (JSC::MarkedBlock::Handle::sweep):
3276         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
3277         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
3278         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
3279         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3280         (JSC::SetNewlyAllocatedFunctor::operator()):
3281         (JSC::MarkedBlock::Handle::stopAllocating):
3282         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3283         (JSC::MarkedBlock::Handle::resumeAllocating):
3284         (JSC::MarkedBlock::Handle::zap):
3285         (JSC::MarkedBlock::Handle::forEachFreeCell):
3286         (JSC::MarkedBlock::flipIfNecessary):
3287         (JSC::MarkedBlock::Handle::flipIfNecessary):
3288         (JSC::MarkedBlock::flipIfNecessarySlow):
3289         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
3290         (JSC::MarkedBlock::clearMarks):
3291         (JSC::MarkedBlock::assertFlipped):
3292         (JSC::MarkedBlock::needsFlip):
3293         (JSC::MarkedBlock::Handle::needsFlip):
3294         (JSC::MarkedBlock::Handle::willRemoveBlock):
3295         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3296        &nbs