52681a80c622f113edb310b3ca2fcea3fd5e0140
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add initiator parameter to module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=161470

        Reviewed by Saam Barati.

        The fetching semantics of the <script type="module"> tag have a per-module-tag context.
        For example, the "nonce", "crossorigin", etc. attributes are shared by the fetching requests
        issued from the module tag. To transfer this information, we add a new parameter, "initiator",
        to the module loader pipeline. We are planning to transfer information through this parameter.

        At the same time, we also perform some cleanup.

        - Use arrow functions in ModuleLoaderPrototype.js.
        - Rename "ResolveDependencies" to "Satisfy" to align with the loader spec.

        * builtins/ModuleLoaderPrototype.js:
        (newRegistryEntry):
        (commitInstantiated):
        (requestFetch):
        (requestTranslate):
        (requestInstantiate):
        (requestSatisfy):
        (requestInstantiateAll):
        (requestLink):
        (moduleEvaluation):
        (provide):
        (loadAndEvaluateModule):
        (requestResolveDependencies.): Deleted.
        (requestResolveDependencies): Deleted.
        (requestReady): Deleted.
        (link): Deleted.
        (loadModule): Deleted.
        (linkAndEvaluateModule): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * jsc.cpp:
        (GlobalObject::moduleLoaderResolve):
        (GlobalObject::moduleLoaderFetch):
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::resolve):
        (JSC::JSModuleLoader::fetch):
        (JSC::JSModuleLoader::translate):
        (JSC::JSModuleLoader::instantiate):
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeResolve):
        (JSC::moduleLoaderPrototypeFetch):
        (JSC::moduleLoaderPrototypeTranslate):
        (JSC::moduleLoaderPrototypeInstantiate):
        (JSC::moduleLoaderPrototypeEvaluate):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] linking and evaluating the modules are done in a sync manner
        https://bugs.webkit.org/show_bug.cgi?id=161467

        Reviewed by Saam Barati.

        While fetching and the other stages are done in an asynchronous manner,
        linking and evaluating are done in a sync manner.
        Just return the result value and do not wrap it in the internal promise.

        * builtins/ModuleLoaderPrototype.js:
        (linkAndEvaluateModule):
        * runtime/Completion.cpp:
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        * runtime/JSModuleLoader.h:

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
        https://bugs.webkit.org/show_bug.cgi?id=161436

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetRandomSeed):
        (functionSetRandomSeed):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakRandom):
        (JSC::JSGlobalObject::weakRandomInteger): Deleted.

2016-08-31  Chris Dumez  <cdumez@apple.com>

        Object.getPrototypeOf() should return null cross-origin
        https://bugs.webkit.org/show_bug.cgi?id=161393

        Reviewed by Geoffrey Garen.

        Object.getPrototypeOf() should return null cross-origin:
        - https://html.spec.whatwg.org/#windowproxy-getprototypeof
        - https://html.spec.whatwg.org/#location-getprototypeof

        Firefox and Chrome return null. However, WebKit was returning undefined.

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] AbstractValue can contain padding which is not zero-filled
        https://bugs.webkit.org/show_bug.cgi?id=161427

        Reviewed by Saam Barati.

        We checked that AbstractValue is zero-filled when initializing it, to ensure
        that zero-filled memory can be used as the initialized AbstractValue.
        However, since the size of SpeculatedType became 64 bits, AbstractValue can now
        have padding, and it is not guaranteed that this padding is initialized with zeros.
        So the debug assertion fails when building with GCC.

        This patch changes the strategy. Instead of checking that the initialized
        AbstractValue is zero-filled, we ensure that a zero-filled AbstractValue can be
        considered equal to the initialized AbstractValue.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):
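
        As an added illustration (not JavaScriptCore's code; the AbstractValue layout below is a simplified, hypothetical stand-in chosen so the struct has interior padding), the two checks side by side: the old byte-wise "is it all zeros?" test, which padding can defeat, and the new equality test, which padding cannot touch.

```cpp
#include <cstdint>
#include <cstring>
#include <new>

typedef uint64_t SpeculatedType; // now 64 bits wide, as in the entry above

// Hypothetical layout: the real AbstractValue has different members.
struct AbstractValue {
    AbstractValue() : m_type(0), m_arrayModes(0), m_value(0) { }

    // Semantic equality looks only at the members, never at padding bytes.
    bool operator==(const AbstractValue& other) const
    {
        return m_type == other.m_type
            && m_arrayModes == other.m_arrayModes
            && m_value == other.m_value;
    }

    SpeculatedType m_type;       // offset 0, 8 bytes
    uint32_t m_arrayModes;       // offset 8, 4 bytes, then 4 bytes of padding
    alignas(8) uint64_t m_value; // offset 16; alignas forces the padding on every ABI
};

// The struct is larger than the sum of its members exactly when it has padding.
bool abstractValueHasPadding()
{
    return sizeof(AbstractValue) > sizeof(SpeculatedType) + sizeof(uint32_t) + sizeof(uint64_t);
}

// The old check: construct into memory that previously held other data and ask
// whether every byte of the result is zero. The constructor only assigns the
// members, so the padding keeps whatever the buffer held; whether this returns
// true depends on the compiler's code generation, which is why the old
// assertion was unreliable.
bool initializedValueIsAllZeroBytes()
{
    alignas(AbstractValue) unsigned char storage[sizeof(AbstractValue)];
    std::memset(storage, 0xFF, sizeof storage);           // simulate reused memory
    AbstractValue* value = new (storage) AbstractValue(); // writes members only
    unsigned char zeros[sizeof(AbstractValue)] = { };
    bool allZero = std::memcmp(value, zeros, sizeof(AbstractValue)) == 0;
    value->~AbstractValue();
    return allZero;
}

// The new check: a zero-filled AbstractValue must compare equal to a freshly
// constructed one. Padding cannot influence operator==, and the property that
// matters (zero-filled memory is a valid initial value) is still verified.
bool zeroFilledValueEqualsInitializedValue()
{
    AbstractValue zeroFilled;
    std::memset(static_cast<void*>(&zeroFilled), 0, sizeof zeroFilled); // state of zero-filled memory
    AbstractValue initialized;
    return zeroFilled == initialized;
}
```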

2016-08-31  Brady Eidson  <beidson@apple.com>

        WK2 Gamepad provider on iOS.
        https://bugs.webkit.org/show_bug.cgi?id=161412

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
        https://bugs.webkit.org/show_bug.cgi?id=161410

        Reviewed by Geoffrey Garen.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        DoubleRep is able to convert numbers, undefined, booleans and null.
        I was too pessimistic when I gated the double implementations
        on number-or-boolean speculation. We can just let DoubleRep convert
        the other cases as long as it is not a Cell.

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Unreviewed, fix build after r205205.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
        https://bugs.webkit.org/show_bug.cgi?id=161396

        Reviewed by Ryosuke Niwa.

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
        - https://html.spec.whatwg.org/#location-setprototypeof
        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

        Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.

        Note that technically, we should also throw in the same-origin case.
        However, not all browsers agree on this yet, so I haven't changed
        the behavior for the same-origin case.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Clean up the remaining compare nodes in FTLCapabilities
        https://bugs.webkit.org/show_bug.cgi?id=161400

        Reviewed by Geoffrey Garen.

        It looks like we implemented all the cases without realizing it.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compare):

2016-08-30  Mark Lam  <mark.lam@apple.com>

        Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
        https://bugs.webkit.org/show_bug.cgi?id=161171

        Reviewed by Filip Pizlo and Geoffrey Garen.

        This is the first step towards having a mechanism (using the ThrowScope) to
        verify that we're properly checking for exceptions in all the needed places.
        See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.

        This patch only introduces the ThrowScope, and changes all throw sites to throw
        using a ThrowScope instance.  VM::throwException() functions are now private, and
        cannot be accessed directly.  All throws must now go through a ThrowScope.

        Verification is disabled for the moment until we can fix all the verification
        failures that will show up.

        I also did a smoke test of the ThrowScope mechanisms by running verification on
        the JSTests/stress/op-add-exceptions.js test with a local build with verification
        turned on.

        Performance is neutral on aggregate with this patch.

        Misc other changes:
        - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
        - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::defaultValue):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSTypedArray.cpp:
        (createTypedArray):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForForwardArguments):
        (JSC::sizeFrameForVarargs):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::lengthGetter):
        (functionCreateElement):
        (functionRun):
        (functionRunString):
        (functionLoad):
        (functionLoadString):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionCheckModuleSyntax):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::isArray):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncSplice):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncToPrimitiveSymbol):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMError):
        (JSC::throwVMTypeError):
        (JSC::throwVMRangeError):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::EvalExecutable::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::compareStrings):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::format):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlStringOption):
        (JSC::intlNumberOption):
        (JSC::canonicalizeLocaleList):
        (JSC::lookupSupportedLocales):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::createIteratorResultObject):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        (JSC::callArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        (JSC::JSValue::requireObjectCoercible):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        (JSC::callGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
        (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
        (JSC::genericTypedArrayViewProtoGetterFuncLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncThrowTypeError):
        (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        (JSC::moduleNamespaceObjectSymbolIterator):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::getModuleNamespace):
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::createListFromArrayLike): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        (JSC::JSObject::putInline):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::callPromise):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::propertyNameIteratorFuncNext):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::build):
        (JSC::jsMakeNontrivialString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::joinedLength):
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        (JSC::constructMap):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::ensureSpaceForAppend):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/NullSetterFunction.cpp:
        (JSC::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::constructProxyObject):
        (JSC::callProxy):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSource):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/Reject.h:
        (JSC::reject):
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        (JSC::stringProtoFuncIterator):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/ThrowScope.cpp: Added.
        (JSC::ThrowScope::ThrowScope):
        (JSC::ThrowScope::~ThrowScope):
        (JSC::ThrowScope::throwException):
        (JSC::ThrowScope::printIfNeedCheck):
        (JSC::ThrowScope::simulateThrow):
        (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
        * runtime/ThrowScope.h: Added.
        (JSC::ThrowScope::vm):
        (JSC::ThrowScope::exception):
        (JSC::ThrowScope::release):
        (JSC::ThrowScope::ThrowScope):
        (JSC::ThrowScope::throwException):
        (JSC::throwException):
        * runtime/ThrowScopeLocation.h: Added.
        (JSC::ThrowScopeLocation::ThrowScopeLocation):
742         * runtime/VM.h:
743         * runtime/VMEntryScope.h:
744         (JSC::VMEntryScope::vm):
745         * runtime/WeakMapConstructor.cpp:
746         (JSC::callWeakMap):
747         (JSC::constructWeakMap):
748         * runtime/WeakMapPrototype.cpp:
749         (JSC::getWeakMapData):
750         (JSC::protoFuncWeakMapSet):
751         * runtime/WeakSetConstructor.cpp:
752         (JSC::callWeakSet):
753         (JSC::constructWeakSet):
754         * runtime/WeakSetPrototype.cpp:
755         (JSC::getWeakMapData):
756         (JSC::protoFuncWeakSetAdd):
757
758 2016-08-30  Alex Christensen  <achristensen@webkit.org>
759
760         Fix WebInspectorUI in internal Windows build
761         https://bugs.webkit.org/show_bug.cgi?id=161221
762         rdar://problem/28019023
763
764         Reviewed by Brent Fulgham and Joseph Pecoraro.
765
766         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
767
768 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
769
770         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
771         https://bugs.webkit.org/show_bug.cgi?id=161263
772         <rdar://problem/28035849>
773
774         Reviewed by Matt Baker.
775
776         * inspector/InjectedScriptSource.js:
777         (InjectedScript.prototype._propertyDescriptors):
778         Previously we only took the "numeric index fast path" if an object was
779         array-like with length > 100. When we dropped the length check we
780         ended up breaking our display of Array prototype, because [].__proto__
781         is an array instance. Get it back by just doing a check of length > 0.
782         We may want to address this differently in the future by knowing if
783         we are getting properties for a prototype or not.
784
785 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
786
787         [JSC] Clean up FTL Capabilities for CompareEq
788         https://bugs.webkit.org/show_bug.cgi?id=161353
789
790         Reviewed by Geoffrey Garen.
791
792         It looks like we already have code for every case.
793         This patch removes the tests from FTLCapabilities
794         and moves the generic case last as usual.
795
796         * ftl/FTLCapabilities.cpp:
797         (JSC::FTL::canCompile):
798         * ftl/FTLLowerDFGToB3.cpp:
799         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
800
801 2016-08-29  Keith Miller  <keith_miller@apple.com>
802
803         Fix toStringName for Proxies and add support for normal instances
804         https://bugs.webkit.org/show_bug.cgi?id=161275
805
806         Reviewed by Saam Barati.
807
808         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
809         Additionally, there are a couple of other classes that need to return "Object" for their
810         toStringName. Since this isn't tested by test262 I will propose a new test there.
811
812         * runtime/ClassInfo.h:
813         * runtime/JSArrayBufferView.cpp:
814         (JSC::JSArrayBufferView::toStringName):
815         * runtime/JSArrayBufferView.h:
816         * runtime/JSCell.cpp:
817         (JSC::JSCell::toStringName):
818         * runtime/JSCell.h:
819         * runtime/JSMap.cpp:
820         (JSC::JSMap::toStringName):
821         * runtime/JSMap.h:
822         * runtime/JSObject.cpp:
823         (JSC::JSObject::toStringName):
824         * runtime/JSObject.h:
825         * runtime/JSSet.cpp:
826         (JSC::JSSet::destroy):
827         (JSC::JSSet::toStringName):
828         * runtime/JSSet.h:
829         * runtime/JSWeakMap.cpp:
830         (JSC::JSWeakMap::toStringName):
831         * runtime/JSWeakMap.h:
832         * runtime/JSWeakSet.cpp:
833         (JSC::JSWeakSet::toStringName):
834         * runtime/JSWeakSet.h:
835         * runtime/ObjectPrototype.cpp:
836         (JSC::objectProtoFuncToString):
837         * runtime/ProxyObject.cpp:
838         (JSC::ProxyObject::toStringName):
839         * runtime/ProxyObject.h:
840         * runtime/SymbolObject.cpp:
841         (JSC::SymbolObject::toStringName):
842         * runtime/SymbolObject.h:
843         (JSC::SymbolObject::internalValue):
844
845 2016-08-29  Youenn Fablet  <youenn@apple.com>
846
847         [Fetch API] Response cloning should structureClone when teeing Response stream
848         https://bugs.webkit.org/show_bug.cgi?id=161147
849
850         Reviewed by Darin Adler.
851
852         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
853         * runtime/JSArrayBufferConstructor.cpp:
854         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
855         * runtime/JSDataView.h: Exporting create method.
856
857 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
858
859         [JSC] Improve ArithAbs with polymorphic input
860         https://bugs.webkit.org/show_bug.cgi?id=161286
861
862         Reviewed by Saam Barati.
863
864         This is similar to the previous patches: if we have polymorphic
865         input, do a function call.
866
867         I also discovered a few problems with the tests and fixed them:
868         -I forgot to add NodeMustGenerate to the previous nodes I changed.
869          They could have been eliminated by DCE.
870         -ArithAbs was always exiting if the input types do not include numbers.
871          The cause was that the node was using isInt32OrBooleanSpeculationForArithmetic()
872          instead of isInt32OrBooleanSpeculation(). The test of
873          isInt32OrBooleanSpeculationForArithmetic() only verifies the input does not
874          contain double or int52. If we were in that case, we were always speculating
875          Int32. That always fails and we were recompiling the same code over and over.
876
877         * dfg/DFGAbstractInterpreterInlines.h:
878         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
879         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
880
881         * dfg/DFGClobberize.h:
882         (JSC::DFG::clobberize):
883         * dfg/DFGFixupPhase.cpp:
884         (JSC::DFG::FixupPhase::fixupNode):
885         * dfg/DFGNode.h:
886         (JSC::DFG::Node::hasResult):
887         (JSC::DFG::Node::hasHeapPrediction):
888         (JSC::DFG::Node::hasInt32Result): Deleted.
889         The accessor hasInt32Result() was unused.
890
891         * dfg/DFGNodeType.h:
892         * dfg/DFGOperations.cpp:
893         * dfg/DFGOperations.h:
894         * dfg/DFGPredictionPropagationPhase.cpp:
895         * dfg/DFGSpeculativeJIT.cpp:
896         (JSC::DFG::SpeculativeJIT::compileArithAbs):
897         * dfg/DFGSpeculativeJIT.h:
898         * dfg/DFGSpeculativeJIT32_64.cpp:
899         (JSC::DFG::SpeculativeJIT::compile):
900         * dfg/DFGSpeculativeJIT64.cpp:
901         (JSC::DFG::SpeculativeJIT::compile):
902         * ftl/FTLLowerDFGToB3.cpp:
903         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
904
905 2016-08-28  Saam Barati  <sbarati@apple.com>
906
907         Make SpeculatedType a 64-bit integer
908         https://bugs.webkit.org/show_bug.cgi?id=161268
909
910         Reviewed by Filip Pizlo and Benjamin Poulain.
911
912         I'm going to introduce two new types into this and we only
913         have room for one in 32-bits. So, this patch widens SpeculatedType
914         to 64 bits. This also pulls this information through the DFG where
915         we needed to change DFGNode to support this.
916
917         * bytecode/SpeculatedType.h:
918         * dfg/DFGNode.cpp:
919         (JSC::DFG::Node::convertToPutHint):
920         (JSC::DFG::Node::promotedLocationDescriptor):
921         * dfg/DFGNode.h:
922         (JSC::DFG::Node::Node):
923         (JSC::DFG::Node::convertToCheckStructure):
924         (JSC::DFG::Node::constant):
925         (JSC::DFG::Node::convertToConstant):
926         (JSC::DFG::Node::convertToConstantStoragePointer):
927         (JSC::DFG::Node::convertToPutStack):
928         (JSC::DFG::Node::convertToGetStack):
929         (JSC::DFG::Node::convertToGetByOffset):
930         (JSC::DFG::Node::convertToMultiGetByOffset):
931         (JSC::DFG::Node::convertToPutByOffset):
932         (JSC::DFG::Node::convertToMultiPutByOffset):
933         (JSC::DFG::Node::convertToPhantomNewObject):
934         (JSC::DFG::Node::convertToPhantomNewFunction):
935         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
936         (JSC::DFG::Node::convertToPhantomCreateActivation):
937         (JSC::DFG::Node::convertToGetLocal):
938         (JSC::DFG::Node::lazyJSValue):
939         (JSC::DFG::Node::initializationValueForActivation):
940         (JSC::DFG::Node::tryGetVariableAccessData):
941         (JSC::DFG::Node::variableAccessData):
942         (JSC::DFG::Node::unlinkedLocal):
943         (JSC::DFG::Node::unlinkedMachineLocal):
944         (JSC::DFG::Node::stackAccessData):
945         (JSC::DFG::Node::phi):
946         (JSC::DFG::Node::identifierNumber):
947         (JSC::DFG::Node::getPutInfo):
948         (JSC::DFG::Node::accessorAttributes):
949         (JSC::DFG::Node::newArrayBufferData):
950         (JSC::DFG::Node::indexingType):
951         (JSC::DFG::Node::typedArrayType):
952         (JSC::DFG::Node::inlineCapacity):
953         (JSC::DFG::Node::scopeOffset):
954         (JSC::DFG::Node::capturedArgumentsOffset):
955         (JSC::DFG::Node::variablePointer):
956         (JSC::DFG::Node::callVarargsData):
957         (JSC::DFG::Node::loadVarargsData):
958         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
959         (JSC::DFG::Node::targetBlock):
960         (JSC::DFG::Node::branchData):
961         (JSC::DFG::Node::switchData):
962         (JSC::DFG::Node::getHeapPrediction):
963         (JSC::DFG::Node::cellOperand):
964         (JSC::DFG::Node::watchpointSet):
965         (JSC::DFG::Node::storagePointer):
966         (JSC::DFG::Node::uidOperand):
967         (JSC::DFG::Node::typeInfoOperand):
968         (JSC::DFG::Node::transition):
969         (JSC::DFG::Node::structureSet):
970         (JSC::DFG::Node::structure):
971         (JSC::DFG::Node::storageAccessData):
972         (JSC::DFG::Node::multiGetByOffsetData):
973         (JSC::DFG::Node::multiPutByOffsetData):
974         (JSC::DFG::Node::objectMaterializationData):
975         (JSC::DFG::Node::arrayMode):
976         (JSC::DFG::Node::arithMode):
977         (JSC::DFG::Node::arithRoundingMode):
978         (JSC::DFG::Node::setArithRoundingMode):
979         (JSC::DFG::Node::executionCounter):
980         (JSC::DFG::Node::typeLocation):
981         (JSC::DFG::Node::basicBlockLocation):
982         (JSC::DFG::Node::numberOfArgumentsToSkip):
983         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
984         (JSC::DFG::Node::OpInfoWrapper::operator=):
985         * dfg/DFGOpInfo.h:
986         (JSC::DFG::OpInfo::OpInfo):
987         * dfg/DFGPromotedHeapLocation.h:
988         (JSC::DFG::PromotedLocationDescriptor::imm1):
989         (JSC::DFG::PromotedLocationDescriptor::imm2):
990
991 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
992
993         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
994         https://bugs.webkit.org/show_bug.cgi?id=161120
995
996         Reviewed by Darin Adler.
997
998         * inspector/JSGlobalObjectInspectorController.cpp:
999
1000 2016-08-26  Sam Weinig  <sam@webkit.org>
1001
1002         Remove support for ENABLE_LEGACY_WEB_AUDIO
1003         https://bugs.webkit.org/show_bug.cgi?id=161262
1004
1005         Reviewed by Anders Carlsson.
1006
1007         * Configurations/FeatureDefines.xcconfig:
1008         Remove ENABLE_LEGACY_WEB_AUDIO
1009
1010 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
1011
1012         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
1013         https://bugs.webkit.org/show_bug.cgi?id=161229
1014
1015         Reviewed by Geoffrey Garen.
1016
1017         Add (String, Untyped) uses to FTL CompareStrictEq.
1018         This was the last use type not implemented; the node is fully
1019         supported by FTL after this patch.
1020
1021         * ftl/FTLCapabilities.cpp:
1022         (JSC::FTL::canCompile):
1023         * ftl/FTLLowerDFGToB3.cpp:
1024         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1025         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
1026
1027         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1028         Remove the type checks when possible.
1029
1030 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
1031
1032         Web Inspector: Frontend should have access to Resource Timing information
1033         https://bugs.webkit.org/show_bug.cgi?id=160095
1034
1035         Reviewed by Alex Christensen.
1036
1037         Rename ResourceTiming property.
1038
1039         * inspector/protocol/Network.json:
1040         Rename navigationStart to startTime so it's applicable
1041         for all resources and not just the main resource.
1042
1043 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
1044
1045         Web Inspector: Provide a way to clear an IndexedDB object store
1046         https://bugs.webkit.org/show_bug.cgi?id=161167
1047         <rdar://problem/27996932>
1048
1049         Reviewed by Brian Burg.
1050
1051         * inspector/protocol/IndexedDB.json:
1052         Clean up the protocol file.
1053
1054 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
1055
1056         Web Inspector: Some CSS selectors in the UI aren't escaped
1057         https://bugs.webkit.org/show_bug.cgi?id=151378
1058
1059         Reviewed by Joseph Pecoraro.
1060
1061         Change ElementData from sending a className string to using an array of
1062         classes, allowing for proper escaping of each class value.
1063
1064         * inspector/protocol/OverlayTypes.json:
1065
1066 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
1067
1068         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
1069         https://bugs.webkit.org/show_bug.cgi?id=161213
1070         <rdar://problem/28017986>
1071
1072         Reviewed by Brian Burg.
1073
1074         * inspector/agents/InspectorHeapAgent.cpp:
1075         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1076         Don't take a final snapshot when disconnecting.
1077
1078         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1079         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
1080         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
1081         * inspector/agents/InspectorScriptProfilerAgent.h:
1082         * runtime/SamplingProfiler.h:
1083         Don't process samples when disconnecting.
1084
1085 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
1086
1087         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
1088         https://bugs.webkit.org/show_bug.cgi?id=161027
1089         <rdar://problem/27871349>
1090
1091         Reviewed by Mark Lam.
1092
1093         For JSContext inspection, when a frontend connects keep the target alive.
1094         This means ref'ing the JSGlobalObject / VM when the first frontend
1095         connects and deref'ing when the last frontend disconnects.
1096
1097         * inspector/JSGlobalObjectInspectorController.h:
1098         * inspector/JSGlobalObjectInspectorController.cpp:
1099         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
1100         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
1101         Now that frontends keep the global object alive, when the global object
1102         is destroyed that must mean that no frontends exist. Remove the now
1103         stale code path.
1104
1105         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1106         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1107         Ref the target when the first frontend connects, deref when the last disconnects.
1108
1109 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1110
1111         [ES6] newPromiseCapabilities should check the given argument is constructor
1112         https://bugs.webkit.org/show_bug.cgi?id=161226
1113
1114         Reviewed by Mark Lam.
1115
1116         Use @isConstructor.
1117
1118         * builtins/PromiseOperations.js:
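        What the @isConstructor check guards, as an added example in plain JavaScript rather than code from PromiseOperations.js: NewPromiseCapability as the ES6 specification describes it, with the IsConstructor test in front. isConstructor, newPromiseCapability, capabilityOutcome and the candidate constructors are this example's own names; the IsConstructor probe relies on Reflect.construct throwing a TypeError when its newTarget argument is not a constructor, which is standard behaviour.

```javascript
// Added example (not JSC's PromiseOperations.js): NewPromiseCapability as the
// ES6 spec describes it, guarded by an IsConstructor check.

// IsConstructor probe: Reflect.construct throws a TypeError when its newTarget
// argument lacks [[Construct]], so any non-constructor (arrow functions, methods,
// most built-ins such as Math.max, non-callables) is rejected. The only side
// effect is one throwaway Probe object.
function isConstructor(value) {
  if (typeof value !== 'function') return false;
  try {
    Reflect.construct(function Probe() {}, [], value);
    return true;
  } catch (e) {
    return false;
  }
}

// NewPromiseCapability(C): build {promise, resolve, reject} by handing C an
// executor that captures the resolving functions C passes to it.
function newPromiseCapability(C) {
  if (!isConstructor(C)) {
    throw new TypeError('NewPromiseCapability: argument is not a constructor');
  }
  const capability = { promise: undefined, resolve: undefined, reject: undefined };
  const executor = (resolve, reject) => {
    if (capability.resolve !== undefined || capability.reject !== undefined) {
      throw new TypeError('executor invoked more than once');
    }
    capability.resolve = resolve;
    capability.reject = reject;
  };
  capability.promise = new C(executor);
  // Second spec check: C must actually have handed us callable resolving functions.
  if (typeof capability.resolve !== 'function' || typeof capability.reject !== 'function') {
    throw new TypeError('constructor did not supply callable resolve/reject');
  }
  return capability;
}

// Classify how newPromiseCapability reacts to a candidate constructor.
function capabilityOutcome(C) {
  try {
    const cap = newPromiseCapability(C);
    return cap.promise instanceof C ? 'ok' : 'wrong-promise';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other-error';
  }
}

// Constructed candidates: a Promise subclass, a class that never calls the
// executor (trips the second check), and an arrow function (trips IsConstructor).
class LoggingPromise extends Promise {}
class NeverCallsExecutor { constructor() {} }
const arrowFn = () => {};
```

        capabilityOutcome(arrowFn) reports TypeError from the constructor check, while capabilityOutcome(NeverCallsExecutor) reports TypeError from the later check that resolve and reject were actually supplied.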
1119
1120 2016-08-25  Keith Miller  <keith_miller@apple.com>
1121
1122         toString called on proxies returns incorrect tag
1123         https://bugs.webkit.org/show_bug.cgi?id=161111
1124
1125         Reviewed by Benjamin Poulain.
1126
1127         This patch adds a new Method table function toStringName. This function
1128         is used by Object.prototype.toString to create the string tag that it
1129         inserts. Right now it only changes the stringification of proxy objects.
1130         In future patches I plan to make it work for other classes of objects as
1131         well.
1132
1133         * runtime/ClassInfo.h:
1134         * runtime/JSCell.cpp:
1135         (JSC::JSCell::toStringName):
1136         * runtime/JSCell.h:
1137         * runtime/JSObject.cpp:
1138         (JSC::JSObject::toStringName):
1139         * runtime/JSObject.h:
1140         * runtime/ObjectPrototype.cpp:
1141         (JSC::objectProtoFuncToString):
1142         * runtime/ProxyObject.cpp:
1143         (JSC::ProxyObject::toStringName):
1144         * runtime/ProxyObject.h:
1145
1146 2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>
1147
1148         Fix the ENABLE(WEBASSEMBLY) build on Linux
1149         https://bugs.webkit.org/show_bug.cgi?id=161197
1150
1151         Reviewed by Mark Lam.
1152
1153         * CMakeLists.txt:
1154         * b3/B3Common.cpp:
1155         (JSC::B3::shouldDumpIR):
1156         * shell/CMakeLists.txt:
1157         * wasm/JSWASMModule.h:
1158         * wasm/WASMB3IRGenerator.cpp:
1159         (JSC::WASM::toB3Op):
1160         * wasm/WASMB3IRGenerator.h:
1161         * wasm/WASMFormat.h:
1162         * wasm/WASMFunctionParser.h:
1163         * wasm/WASMModuleParser.cpp:
1164         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
1165         * wasm/WASMModuleParser.h:
1166         * wasm/WASMParser.h:
1167         * wasm/WASMPlan.cpp:
1168         * wasm/WASMPlan.h:
1169         * wasm/WASMSections.cpp:
1170
1171 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
1172
1173         [Win] Compile fix.
1174         https://bugs.webkit.org/show_bug.cgi?id=161235
1175
1176         Reviewed by Brent Fulgham.
1177
1178         YarrPattern::errorMessage has inconsistent dll linkage.
1179
1180         * yarr/YarrPattern.h:
1181
1182 2016-08-25  Alex Christensen  <achristensen@webkit.org>
1183
1184         CMake build fix.
1185
1186         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
1187         This is needed for the internal Windows build.
1188
1189 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
1190
1191         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
1192         https://bugs.webkit.org/show_bug.cgi?id=161181
1193
1194         Reviewed by Geoffrey Garen.
1195
1196         All the nodes are doing the exact same thing with a single
1197         difference: how to process constants. I made that into a separate
1198         function called from each node.
1199
1200         I also generalized the constant-to-number code of DoubleRep
1201         to make it available for all those nodes.
1202
1203         * dfg/DFGAbstractInterpreter.h:
1204         * dfg/DFGAbstractInterpreterInlines.h:
1205         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1206         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1207         * runtime/JSCJSValue.cpp:
1208         (JSC::JSValue::toNumberFromPrimitive):
1209         * runtime/JSCJSValue.h:
1210
1211 2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1212
1213         [DFG][FTL] Implement ES6 Generators in DFG / FTL
1214         https://bugs.webkit.org/show_bug.cgi?id=152723
1215
1216         Reviewed by Filip Pizlo.
1217
1218         This patch introduces DFG and FTL support for ES6 generators.
1219         An ES6 generator is compiled by the BytecodeGenerator, but in its last phase, BytecodeGenerator performs "generatorification" on the unlinked code.
1220         In the BytecodeGenerator phase, we just emit op_yield for each yield point, and we don't emit any generator-related switch, save, and resume sequences
1221         here. Those are emitted by the generatorification phase.
1222
1223         So the graph is super simple! Before the generatorification, the graph looks like this.
1224
1225              op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...
1226
1227         Roughly speaking, in the generatorification phase, we work out which variables should be saved and resumed at each op_yield.
1228         This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
1229         The op_put_to_scope and op_get_from_scope sequences correspond to the save and resume sequences. We set up the scope for the generator frame and
1230         perform op_put_to_scope and op_get_from_scope onto it. The live registers are saved and resumed over the generator's next() calls by using this
1231         special generator frame scope. And we also set up the global switch for the generator.
1232
1233         In the generatorification phase,
1234
1235         1. We construct the BytecodeGraph from the unlinked instructions. This constructs the basic blocks, and it is used in the subsequent analysis.
1236         2. We perform the analysis on the unlinked code. We extract the live variables at each op_yield.
1237         3. We insert the get_from_scope and put_to_scope at each op_yield. Which registers should be saved and resumed is determined by (2).
1238            Then we remove the op_yield instructions themselves, and we also insert the switch_imm. The jump targets of this switch are just after this op_switch_imm and after each op_yield point.
1239
1240         One interesting point is the try-range. We split the try-range at the op_yield point in the BytecodeGenerator phase.
1241         This drops the hack that was introduced in [1].
1242         If the try-range covers the resume sequences, the exception handler's use-registers are incorrectly transferred to the entry block.
1243         For example,
1244
1245             handler uses r2
1246                                                              try-range
1247             label:(entry block can jump here)                 ^
1248                 r1 = get_from_scope # resume sequence starts  | use r2 is transferred to the entry block!
1249                 r2 = get_from_scope                           |
1250                 starts usual sequences                        |
1251                 ...                                           |
1252
1253         The handler's r2 use should be considered at the `r1 = get_from_scope` point.
1254         Previously, we handled this edge case by treating op_resume specially in the liveness analysis [1].
1255         To drop this workaround, we split the try-range so that it does not cover this resume sequence.
1256
1257             handler uses r2
1258                                                              try-range
1259             label:(entry block can jump here)
1260                 r1 = get_from_scope # resume sequence starts
1261                 r2 = get_from_scope
1262                 starts usual sequences                        ^ try-range should start from here.
1263                 ...                                           |
1264
1265         OK. Let's show the detailed example.
1266
1267             1. First, there is the normal bytecode sequence. Here, | represents the offsets, and [] represents the bytecodes.
1268
1269                 bytecodes   | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
1270                 try-range   <----------------------------------->
1271
1272             2. When we emit the op_yield in the bytecode generator, we carefully split the try-range.
1273
1274                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
1275                 try-range   <----------->            <----------------->
1276
1277             3. And in the generatorification phase, we insert the switch's jump target and save & resume sequences. And we also drop op_yield.
1278
1279                         Insert save seq  Insert resume seq
1280                         before op_yield. after op_yield's point.
1281                                        v v
1282                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
1283                 try-range   <----------->     ^      <----------------->
1284                                         ^     |
1285                              Jump to here.    Drop this op_yield.
1286
1287             4. The final layout is the following.
1288
1289                 bytecodes   | [ ] | [ ][save seq][op_ret] | [resume seq] | [ ] | [ ] | [ ] |
1290                 try-range   <----------------------------->               <---------------->
1291                                                           ^
1292                                               Jump to here.
1293
1294         The rewriting done by the BytecodeRewriter is executed in a batch manner. Since these modifications change the basic blocks and the size of the unlinked instructions,
1295         BytecodeRewriter also performs the offset adjustment for UnlinkedCodeBlock. So, this rewriting is performed on the BytecodeGraph rather than on BytecodeBasicBlock.
1296         The reason why we take this design is simple: we don't want to newly create the basic blocks and opcodes for this early phase like DFG does. Instead, we perform the
1297         modification and adjustment to the unlinked instructions and UnlinkedCodeBlock in an in-place manner.
1298
1299         Bytecode rewriting functionality is offered by BytecodeRewriter. BytecodeRewriter allows us to insert any bytecodes at any place
1300         in an in-place manner. BytecodeRewriter handles the original bytecode offsets as labels, and you can insert bytecodes before and after
1301         these labels. You can also insert any jumps to any places. When you insert jumps, you need to specify the jump target with these labels.
1302         These labels (original bytecode offsets) are automatically converted to the appropriate offsets by BytecodeRewriter.
1303
1304         After that phase, the data flow of the generator-saved-and-resumed registers is explicitly represented by the get_from_scope and put_to_scope.
1305         And the switch is inserted to represent the actual control flow for the generator. And op_yield is removed. Since we use the existing bytecodes (op_switch_imm, op_put_to_scope,
1306         op_ret, and op_get_from_scope), DFG and FTL changes are not necessary. This patch also drops the data structures and implementations for the old generator:
1307         the op_resume and op_save implementations and GeneratorFrame.
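        The save/switch/resume lowering described above, as an added example that is not code from this patch or from JavaScriptCore: an ordinary ES6 generator next to the same function hand-rewritten the way the generatorification phase rewrites bytecode. A per-generator scope object plays the generator frame scope, a switch on the resume point plays op_switch_imm, assignments into the scope before the yield play the put_to_scope save sequence, and assignments out of it right after the resume label play the get_from_scope resume sequence, deliberately placed outside the try so the try-range is split as explained above. The names sourceGenerator, loweredGenerator, check, drain and formsAgree are this example's own, and only next() is modelled (throw() and return() are not).

```javascript
// Added example: a hand-"generatorified" generator mirroring the phase described
// in this ChangeLog entry. Not JSC code; only next() is modelled.

// check() is a constructed helper that may throw, so the try-range matters.
function check(x) {
  if (x < 0) throw new RangeError('negative input');
  return x * 10;
}

// The source form, as a programmer writes it.
function* sourceGenerator(a) {
  let x = a + 1;
  let y = 0;
  try {
    y = check(x);
    yield x;        // yield point 1: x and y are live across it
    y = y + x;
  } catch (e) {
    y = -1;         // the handler uses y
  }
  return [x, y];
}

// The lowered form: what the generatorification phase produces, written by hand.
function loweredGenerator(a) {
  const scope = Object.create(null); // generator frame scope: saved registers
  let state = 0;                     // 0 = initial entry, 1 = resume after yield 1
  let done = false;
  return {
    next() {
      if (done) return { value: undefined, done: true };
      let x, y;                      // the generator's local registers
      switch (state) {               // op_switch_imm over the resume points
        case 0: {
          x = a + 1;
          y = 0;
          try {
            y = check(x);
            // save sequence (put_to_scope) for every register live across the
            // yield, then op_ret with the yielded value
            scope.x = x;
            scope.y = y;
            state = 1;
            return { value: x, done: false };
          } catch (e) {
            y = -1;
          }
          // reached only when check() threw and the handler ran
          done = true;
          return { value: [x, y], done: true };
        }
        case 1: {
          // resume sequence (get_from_scope). It sits OUTSIDE the try below:
          // the try-range was split at the yield, so the handler's use of y is
          // not treated as a use of a not-yet-restored register at this label.
          x = scope.x;
          y = scope.y;
          try {
            y = y + x;               // remainder of the original try body
          } catch (e) {
            y = -1;
          }
          done = true;
          return { value: [x, y], done: true };
        }
        default:
          throw new Error('invalid resume point ' + state);
      }
    },
  };
}

// Drive either form to completion and collect the {value, done} records.
function drain(iterator) {
  const out = [];
  let result;
  do {
    result = iterator.next();
    out.push(result);
  } while (!result.done);
  return out;
}

// Both forms must agree, on the normal path and when check() throws.
function formsAgree(a) {
  return JSON.stringify(drain(sourceGenerator(a))) === JSON.stringify(drain(loweredGenerator(a)));
}
```

        formsAgree(2) exercises the normal path (one yield, then completion) and formsAgree(-5) the path where check() throws inside the try-range; both forms return the same {value, done} records.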
1308
1309         Note that this patch does not leverage the recent multi-entrypoint support in B3. After this patch is introduced, we will submit a new patch that leverages multi-entrypoints
1310         for the generator's resume, and see the performance gain.
1311
1312         Microbenchmarks related to generators show up to 2.9x improvements.
1313
1314                                                         Baseline                  Patched
1315
1316             generator-fib                          102.0116+-3.2880     ^     34.9670+-0.2221        ^ definitely 2.9174x faster
1317             generator-sunspider-access-nsieve        5.8596+-0.0371     ^      4.9051+-0.0720        ^ definitely 1.1946x faster
1318             generator-with-several-types           332.1478+-4.2425     ^    124.6642+-2.4826        ^ definitely 2.6643x faster
1319
1320             <geometric>                             58.2998+-0.7758     ^     27.7425+-0.2577        ^ definitely 2.1015x faster
1321
1322         In ES6SampleBench's Basic, we can observe a 41% improvement (MacBook Pro).
1323
1324             Baseline:
1325                 Geometric Mean Result: 133.55 ms +- 4.49 ms
1326
1327                 Benchmark    First Iteration        Worst 2%               Steady State
1328                 Air          54.03 ms +- 7.51 ms    29.06 ms +- 3.13 ms    2276.59 ms +- 61.17 ms
1329                 Basic        30.18 ms +- 1.86 ms    18.85 ms +- 0.45 ms    2851.16 ms +- 41.87 ms
1330
1331             Patched:
1332                 Geometric Mean Result: 121.78 ms +- 3.96 ms
1333
1334                 Benchmark    First Iteration        Worst 2%               Steady State
1335                 Air          52.09 ms +- 6.89 ms    29.59 ms +- 3.16 ms    2239.90 ms +- 54.60 ms
1336                 Basic        29.28 ms +- 1.46 ms    16.26 ms +- 0.66 ms    2025.15 ms +- 38.56 ms
1337
1338         [1]: https://bugs.webkit.org/show_bug.cgi?id=159281
1339
1340         * CMakeLists.txt:
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342         * builtins/GeneratorPrototype.js:
1343         (globalPrivate.generatorResume):
1344         * bytecode/BytecodeBasicBlock.cpp:
1345         (JSC::BytecodeBasicBlock::shrinkToFit):
1346         (JSC::BytecodeBasicBlock::computeImpl):
1347         (JSC::BytecodeBasicBlock::compute):
1348         (JSC::isBranch): Deleted.
1349         (JSC::isUnconditionalBranch): Deleted.
1350         (JSC::isTerminal): Deleted.
1351         (JSC::isThrow): Deleted.
1352         (JSC::linkBlocks): Deleted.
1353         (JSC::computeBytecodeBasicBlocks): Deleted.
1354         * bytecode/BytecodeBasicBlock.h:
1355         (JSC::BytecodeBasicBlock::isEntryBlock):
1356         (JSC::BytecodeBasicBlock::isExitBlock):
1357         (JSC::BytecodeBasicBlock::leaderOffset):
1358         (JSC::BytecodeBasicBlock::totalLength):
1359         (JSC::BytecodeBasicBlock::offsets):
1360         (JSC::BytecodeBasicBlock::successors):
1361         (JSC::BytecodeBasicBlock::index):
1362         (JSC::BytecodeBasicBlock::addSuccessor):
1363         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
1364         (JSC::BytecodeBasicBlock::addLength):
1365         (JSC::BytecodeBasicBlock::leaderBytecodeOffset): Deleted.
1366         (JSC::BytecodeBasicBlock::totalBytecodeLength): Deleted.
1367         (JSC::BytecodeBasicBlock::bytecodeOffsets): Deleted.
1368         (JSC::BytecodeBasicBlock::addBytecodeLength): Deleted.
1369         * bytecode/BytecodeGeneratorification.cpp: Added.
1370         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1371         (JSC::BytecodeGeneratorification::graph):
1372         (JSC::BytecodeGeneratorification::yields):
1373         (JSC::BytecodeGeneratorification::enterPoint):
1374         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1375         (JSC::GeneratorLivenessAnalysis::GeneratorLivenessAnalysis):
1376         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset):
1377         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset):
1378         (JSC::GeneratorLivenessAnalysis::run):
1379         (JSC::BytecodeGeneratorification::run):
1380         (JSC::performGeneratorification):
1381         * bytecode/BytecodeGeneratorification.h: Copied from Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysisInlines.h.
1382         * bytecode/BytecodeGraph.h: Added.
1383         (JSC::BytecodeGraph::codeBlock):
1384         (JSC::BytecodeGraph::instructions):
1385         (JSC::BytecodeGraph::basicBlocksInReverseOrder):
1386         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
1387         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
1388         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
1389         (JSC::BytecodeGraph::size):
1390         (JSC::BytecodeGraph::at):
1391         (JSC::BytecodeGraph::operator[]):
1392         (JSC::BytecodeGraph::begin):
1393         (JSC::BytecodeGraph::end):
1394         (JSC::BytecodeGraph::first):
1395         (JSC::BytecodeGraph::last):
1396         (JSC::BytecodeGraph<Block>::BytecodeGraph):
1397         * bytecode/BytecodeList.json:
1398         * bytecode/BytecodeLivenessAnalysis.cpp:
1399         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1400         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset):
1401         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset):
1402         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1403         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1404         (JSC::BytecodeLivenessAnalysis::computeKills):
1405         (JSC::BytecodeLivenessAnalysis::dumpResults):
1406         (JSC::BytecodeLivenessAnalysis::compute):
1407         (JSC::isValidRegisterForLiveness): Deleted.
1408         (JSC::getLeaderOffsetForBasicBlock): Deleted.
1409         (JSC::findBasicBlockWithLeaderOffset): Deleted.
1410         (JSC::blockContainsBytecodeOffset): Deleted.
1411         (JSC::findBasicBlockForBytecodeOffset): Deleted.
1412         (JSC::stepOverInstruction): Deleted.
1413         (JSC::computeLocalLivenessForBytecodeOffset): Deleted.
1414         (JSC::computeLocalLivenessForBlock): Deleted.
1415         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Deleted.
1416         * bytecode/BytecodeLivenessAnalysis.h:
1417         * bytecode/BytecodeLivenessAnalysisInlines.h:
1418         (JSC::isValidRegisterForLiveness):
1419         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1420         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset):
1421         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock):
1422         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset):
1423         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
1424         * bytecode/BytecodeRewriter.cpp: Added.
1425         (JSC::BytecodeRewriter::applyModification):
1426         (JSC::BytecodeRewriter::execute):
1427         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1428         (JSC::BytecodeRewriter::insertImpl):
1429         (JSC::BytecodeRewriter::adjustJumpTarget):
1430         * bytecode/BytecodeRewriter.h: Added.
1431         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
1432         (JSC::BytecodeRewriter::InsertionPoint::operator<):
1433         (JSC::BytecodeRewriter::InsertionPoint::operator==):
1434         (JSC::BytecodeRewriter::Insertion::length):
1435         (JSC::BytecodeRewriter::Fragment::Fragment):
1436         (JSC::BytecodeRewriter::Fragment::appendInstruction):
1437         (JSC::BytecodeRewriter::BytecodeRewriter):
1438         (JSC::BytecodeRewriter::insertFragmentBefore):
1439         (JSC::BytecodeRewriter::insertFragmentAfter):
1440         (JSC::BytecodeRewriter::removeBytecode):
1441         (JSC::BytecodeRewriter::graph):
1442         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
1443         (JSC::BytecodeRewriter::adjustJumpTarget):
1444         (JSC::BytecodeRewriter::calculateDifference):
1445         * bytecode/BytecodeUseDef.h:
1446         (JSC::computeUsesForBytecodeOffset):
1447         (JSC::computeDefsForBytecodeOffset):
1448         * bytecode/CodeBlock.cpp:
1449         (JSC::CodeBlock::dumpBytecode):
1450         (JSC::CodeBlock::finishCreation):
1451         (JSC::CodeBlock::handlerForIndex):
1452         (JSC::CodeBlock::shrinkToFit):
1453         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1454         (JSC::CodeBlock::livenessAnalysisSlow):
1455         * bytecode/CodeBlock.h:
1456         (JSC::CodeBlock::isConstantRegisterIndex):
1457         (JSC::CodeBlock::livenessAnalysis):
1458         (JSC::CodeBlock::liveCalleeLocalsAtYield): Deleted.
1459         * bytecode/HandlerInfo.h:
1460         (JSC::HandlerInfoBase::handlerForIndex):
1461         * bytecode/Opcode.h:
1462         (JSC::isBranch):
1463         (JSC::isUnconditionalBranch):
1464         (JSC::isTerminal):
1465         (JSC::isThrow):
1466         * bytecode/PreciseJumpTargets.cpp:
1467         (JSC::getJumpTargetsForBytecodeOffset):
1468         (JSC::computePreciseJumpTargetsInternal):
1469         (JSC::computePreciseJumpTargets):
1470         (JSC::recomputePreciseJumpTargets):
1471         (JSC::findJumpTargetsForBytecodeOffset):
1472         * bytecode/PreciseJumpTargets.h:
1473         * bytecode/PreciseJumpTargetsInlines.h: Added.
1474         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1475         * bytecode/UnlinkedCodeBlock.cpp:
1476         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset):
1477         (JSC::UnlinkedCodeBlock::handlerForIndex):
1478         (JSC::UnlinkedCodeBlock::applyModification):
1479         * bytecode/UnlinkedCodeBlock.h:
1480         (JSC::UnlinkedStringJumpTable::offsetForValue):
1481         (JSC::UnlinkedCodeBlock::numCalleeLocals):
1482         * bytecode/VirtualRegister.h:
1483         * bytecompiler/BytecodeGenerator.cpp:
1484         (JSC::BytecodeGenerator::generate):
1485         (JSC::BytecodeGenerator::BytecodeGenerator):
1486         (JSC::BytecodeGenerator::emitComplexPopScopes):
1487         (JSC::prepareJumpTableForStringSwitch):
1488         (JSC::BytecodeGenerator::emitYieldPoint):
1489         (JSC::BytecodeGenerator::emitSave): Deleted.
1490         (JSC::BytecodeGenerator::emitResume): Deleted.
1491         (JSC::BytecodeGenerator::emitGeneratorStateLabel): Deleted.
1492         (JSC::BytecodeGenerator::beginGenerator): Deleted.
1493         (JSC::BytecodeGenerator::endGenerator): Deleted.
1494         * bytecompiler/BytecodeGenerator.h:
1495         (JSC::BytecodeGenerator::generatorStateRegister):
1496         (JSC::BytecodeGenerator::generatorValueRegister):
1497         (JSC::BytecodeGenerator::generatorResumeModeRegister):
1498         (JSC::BytecodeGenerator::generatorFrameRegister):
1499         * bytecompiler/NodesCodegen.cpp:
1500         (JSC::FunctionNode::emitBytecode):
1501         * dfg/DFGOperations.cpp:
1502         * interpreter/Interpreter.cpp:
1503         (JSC::findExceptionHandler):
1504         (JSC::GetCatchHandlerFunctor::operator()):
1505         (JSC::UnwindFunctor::operator()):
1506         * interpreter/Interpreter.h:
1507         * interpreter/InterpreterInlines.h: Copied from Source/JavaScriptCore/bytecode/PreciseJumpTargets.h.
1508         (JSC::Interpreter::getOpcodeID):
1509         * jit/JIT.cpp:
1510         (JSC::JIT::privateCompileMainPass):
1511         * jit/JIT.h:
1512         * jit/JITOpcodes.cpp:
1513         (JSC::JIT::emit_op_save): Deleted.
1514         (JSC::JIT::emit_op_resume): Deleted.
1515         * llint/LowLevelInterpreter.asm:
1516         * parser/Parser.cpp:
1517         (JSC::Parser<LexerType>::parseInner):
1518         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1519         (JSC::Parser<LexerType>::createGeneratorParameters):
1520         * parser/Parser.h:
1521         * runtime/CommonSlowPaths.cpp:
1522         (JSC::SLOW_PATH_DECL): Deleted.
1523         * runtime/CommonSlowPaths.h:
1524         * runtime/GeneratorFrame.cpp: Removed.
1525         (JSC::GeneratorFrame::GeneratorFrame): Deleted.
1526         (JSC::GeneratorFrame::finishCreation): Deleted.
1527         (JSC::GeneratorFrame::createStructure): Deleted.
1528         (JSC::GeneratorFrame::create): Deleted.
1529         (JSC::GeneratorFrame::save): Deleted.
1530         (JSC::GeneratorFrame::resume): Deleted.
1531         (JSC::GeneratorFrame::visitChildren): Deleted.
1532         * runtime/GeneratorFrame.h: Removed.
1533         (JSC::GeneratorFrame::locals): Deleted.
1534         (JSC::GeneratorFrame::localAt): Deleted.
1535         (JSC::GeneratorFrame::offsetOfLocals): Deleted.
1536         (JSC::GeneratorFrame::allocationSizeForLocals): Deleted.
1537         * runtime/JSGeneratorFunction.h:
1538         * runtime/VM.cpp:
1539         (JSC::VM::VM):
1540         * runtime/VM.h:
1541
1542 2016-08-25  JF Bastien  <jfbastien@apple.com>
1543
1544         TryGetById should have a ValueProfile so that it can predict its output type
1545         https://bugs.webkit.org/show_bug.cgi?id=160921
1546
1547         Reviewed by Saam Barati.
1548
1549         Add a ValueProfile to TryGetById, and make sure DFG picks it up.
1550
1551         A microbenchmark for perfectly predicted computation shows a 20%
1552         runtime reduction with no hit if the prediction goes polymorphic.
1553
1554         * bytecode/BytecodeList.json:
1555         * bytecode/CodeBlock.cpp:
1556         (JSC::CodeBlock::dumpBytecode):
1557         (JSC::CodeBlock::finishCreation):
1558         * bytecompiler/BytecodeGenerator.cpp:
1559         (JSC::BytecodeGenerator::emitTryGetById):
1560         * dfg/DFGByteCodeParser.cpp:
1561         (JSC::DFG::ByteCodeParser::parseBlock):
1562         * dfg/DFGNode.h:
1563         (JSC::DFG::Node::hasHeapPrediction):
1564         * dfg/DFGPredictionPropagationPhase.cpp:
1565         * dfg/DFGSpeculativeJIT32_64.cpp:
1566         (JSC::DFG::SpeculativeJIT::compile):
1567         * dfg/DFGSpeculativeJIT64.cpp:
1568         (JSC::DFG::SpeculativeJIT::compile):
1569         * jit/JITPropertyAccess.cpp:
1570         (JSC::JIT::emit_op_try_get_by_id):
1571         * jit/JITPropertyAccess32_64.cpp:
1572         (JSC::JIT::emit_op_try_get_by_id):
1573         * llint/LLIntSlowPaths.cpp:
1574         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1575         * llint/LowLevelInterpreter.asm:
1576
1577 2016-08-25  Csaba Osztrogonác  <ossy@webkit.org>
1578
1579         generate-js-builtins.py should generate platform independent files
1580         https://bugs.webkit.org/show_bug.cgi?id=161196
1581
1582         Reviewed by Mark Lam.
1583
1584         * Scripts/generate-js-builtins.py: Files should be processed in a fixed order.
1585
1586 2016-08-25  Caio Lima  <ticaiolima@gmail.com>
1587
1588         NewRegexp should not prevent inlining
1589         https://bugs.webkit.org/show_bug.cgi?id=154808
1590
1591         Reviewed by Geoffrey Garen.
1592
1593         In this patch we are changing the current mechanism used to represent
1594         RegExp in NewRegexp nodes. We are changing the use of an index
1595         pointing to RegExp in
1596         CodeBlock->m_unlinkedCodeBlock->m_rareData->m_regexps as the operand of
1597         the NewRegexp node to the RegExp address as the operand. To make sure that RegExp* is
1598         pointing to a valid object, we are using the m_graph.freezeStrong
1599         mechanism.
1600
1601         * dfg/DFGByteCodeParser.cpp:
1602         (JSC::DFG::ByteCodeParser::parseBlock):
1603         * dfg/DFGCapabilities.cpp:
1604         (JSC::DFG::capabilityLevel):
1605         * dfg/DFGNode.h:
1606         (JSC::DFG::Node::hasCellOperand):
1607         (JSC::DFG::Node::hasRegexpIndex): Deleted.
1608         (JSC::DFG::Node::regexpIndex): Deleted.
1609         * dfg/DFGSpeculativeJIT32_64.cpp:
1610         (JSC::DFG::SpeculativeJIT::compile):
1611         * dfg/DFGSpeculativeJIT64.cpp:
1612         (JSC::DFG::SpeculativeJIT::compile):
1613         * dfg/DFGStrengthReductionPhase.cpp:
1614         (JSC::DFG::StrengthReductionPhase::handleNode):
1615         * ftl/FTLLowerDFGToB3.cpp:
1616         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1617
1618 2016-08-24  Benjamin Poulain  <benjamin@webkit.org>
1619
1620         [JSC] Make FRound work with any type
1621         https://bugs.webkit.org/show_bug.cgi?id=161129
1622
1623         Reviewed by Geoffrey Garen.
1624
1625         Math.fround() does nothing with arguments past the first one
1626         (https://tc39.github.io/ecma262/#sec-math.fround).
1627         We can unify ArithFRound with the other single-input intrinsics.
1628
1629         Everything else is same old: if the input type is not a number,
1630         be pessimistic about everything and do a C call.
1631
1632         * dfg/DFGAbstractInterpreterInlines.h:
1633         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1634         * dfg/DFGByteCodeParser.cpp:
1635         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1636         * dfg/DFGClobberize.h:
1637         (JSC::DFG::clobberize):
1638         * dfg/DFGFixupPhase.cpp:
1639         (JSC::DFG::FixupPhase::fixupNode):
1640         * dfg/DFGNodeType.h:
1641         * dfg/DFGOperations.cpp:
1642         * dfg/DFGOperations.h:
1643         * dfg/DFGSpeculativeJIT.cpp:
1644         (JSC::DFG::SpeculativeJIT::compileArithFRound):
1645         * dfg/DFGSpeculativeJIT.h:
1646         * dfg/DFGSpeculativeJIT32_64.cpp:
1647         (JSC::DFG::SpeculativeJIT::compile):
1648         * dfg/DFGSpeculativeJIT64.cpp:
1649         (JSC::DFG::SpeculativeJIT::compile):
1650         * ftl/FTLLowerDFGToB3.cpp:
1651         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
1652
1653 2016-08-24  Andreas Kling  <akling@apple.com>
1654
1655         Shrink DFG::OSRExit a bit.
1656         <https://webkit.org/b/161169>
1657
1658         Reviewed by Geoffrey Garen.
1659
1660         Rearrange the members of OSRExitBase and DFG::OSRExit to save 16 bytes per instance.
1661
1662         * dfg/DFGOSRExit.cpp:
1663         (JSC::DFG::OSRExit::OSRExit):
1664         * dfg/DFGOSRExit.h:
1665         * dfg/DFGOSRExitBase.h:
1666         (JSC::DFG::OSRExitBase::OSRExitBase):
1667
1668 2016-08-24  Ryan Haddad  <ryanhaddad@apple.com>
1669
1670         Rebaseline builtins-generator-tests since r204854 was rolled out.
1671
1672         Unreviewed test gardening.
1673
1674         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1675         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1676         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1677         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1678         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1679         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1680         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1681         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1682         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1683         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1684         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1685         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1686         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1687         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1688
1689 2016-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         [JSC] Move generic data structures out of B3
1692         https://bugs.webkit.org/show_bug.cgi?id=161155
1693
1694         Reviewed by Saam Barati.
1695
1696         Move B3's good generic data structures to WTF.
1697         They can be used for other kinds of basic blocks and nodes.
1698         For example, the generator patch[1] will make BytecodeBasicBlock usable with these structures.
1699
1700         [1]: https://bugs.webkit.org/show_bug.cgi?id=152723
1701
1702         * JavaScriptCore.xcodeproj/project.pbxproj:
1703         * b3/B3BasicBlockUtils.h:
1704         * b3/B3BlockWorklist.h:
1705         * b3/B3CFG.h:
1706         * b3/B3DuplicateTails.cpp:
1707         * b3/B3FixSSA.cpp:
1708         * b3/B3FixSSA.h:
1709         * b3/B3IndexMap.h:
1710         (JSC::B3::IndexMap::IndexMap): Deleted.
1711         (JSC::B3::IndexMap::resize): Deleted.
1712         (JSC::B3::IndexMap::clear): Deleted.
1713         (JSC::B3::IndexMap::size): Deleted.
1714         (JSC::B3::IndexMap::operator[]): Deleted.
1715         * b3/B3IndexSet.h:
1716         (JSC::B3::IndexSet::IndexSet): Deleted.
1717         (JSC::B3::IndexSet::add): Deleted.
1718         (JSC::B3::IndexSet::addAll): Deleted.
1719         (JSC::B3::IndexSet::remove): Deleted.
1720         (JSC::B3::IndexSet::contains): Deleted.
1721         (JSC::B3::IndexSet::size): Deleted.
1722         (JSC::B3::IndexSet::isEmpty): Deleted.
1723         (JSC::B3::IndexSet::Iterable::Iterable): Deleted.
1724         (JSC::B3::IndexSet::Iterable::iterator::iterator): Deleted.
1725         (JSC::B3::IndexSet::Iterable::iterator::operator*): Deleted.
1726         (JSC::B3::IndexSet::Iterable::iterator::operator++): Deleted.
1727         (JSC::B3::IndexSet::Iterable::iterator::operator==): Deleted.
1728         (JSC::B3::IndexSet::Iterable::iterator::operator!=): Deleted.
1729         (JSC::B3::IndexSet::Iterable::begin): Deleted.
1730         (JSC::B3::IndexSet::Iterable::end): Deleted.
1731         (JSC::B3::IndexSet::values): Deleted.
1732         (JSC::B3::IndexSet::indices): Deleted.
1733         (JSC::B3::IndexSet::dump): Deleted.
1734         * b3/B3LowerToAir.cpp:
1735         * b3/B3PhiChildren.h:
1736         * b3/B3Procedure.h:
1737         (JSC::B3::Procedure::iterator::iterator): Deleted.
1738         (JSC::B3::Procedure::iterator::operator*): Deleted.
1739         (JSC::B3::Procedure::iterator::operator++): Deleted.
1740         (JSC::B3::Procedure::iterator::operator==): Deleted.
1741         (JSC::B3::Procedure::iterator::operator!=): Deleted.
1742         (JSC::B3::Procedure::iterator::findNext): Deleted.
1743         * b3/B3ReduceDoubleToFloat.cpp:
1744         * b3/B3ReduceStrength.cpp:
1745         * b3/B3SSACalculator.h:
1746         * b3/B3UseCounts.h:
1747         * b3/air/AirCode.h:
1748         * b3/air/AirEliminateDeadCode.cpp:
1749         * b3/air/AirFixObviousSpills.cpp:
1750         * b3/air/AirFixPartialRegisterStalls.cpp:
1751         * b3/air/AirGenerate.cpp:
1752         * b3/air/AirGenerationContext.h:
1753         * b3/air/AirLiveness.h:
1754         * b3/air/AirSpillEverything.cpp:
1755
1756 2016-08-24  Filip Pizlo  <fpizlo@apple.com>
1757
1758         Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
1759
1760         * API/JSTypedArray.cpp:
1761         * API/ObjCCallbackFunction.mm:
1762         * CMakeLists.txt:
1763         * JavaScriptCore.xcodeproj/project.pbxproj:
1764         * Scripts/builtins/builtins_generate_combined_implementation.py:
1765         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
1766         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1767         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
1768         * Scripts/builtins/builtins_generate_separate_implementation.py:
1769         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
1770         * assembler/AbstractMacroAssembler.h:
1771         (JSC::AbstractMacroAssembler::JumpList::link):
1772         (JSC::AbstractMacroAssembler::JumpList::linkTo):
1773         * assembler/MacroAssembler.h:
1774         * assembler/MacroAssemblerARM64.h:
1775         (JSC::MacroAssemblerARM64::add32):
1776         * assembler/MacroAssemblerCodeRef.cpp: Removed.
1777         * assembler/MacroAssemblerCodeRef.h:
1778         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
1779         (JSC::MacroAssemblerCodePtr::dumpWithName):
1780         (JSC::MacroAssemblerCodePtr::dump):
1781         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
1782         (JSC::MacroAssemblerCodeRef::dump):
1783         * b3/B3BasicBlock.cpp:
1784         (JSC::B3::BasicBlock::appendBoolConstant): Deleted.
1785         * b3/B3BasicBlock.h:
1786         * b3/B3DuplicateTails.cpp:
1787         * b3/B3StackmapGenerationParams.h:
1788         * b3/testb3.cpp:
1789         (JSC::B3::run):
1790         (JSC::B3::testPatchpointTerminalReturnValue): Deleted.
1791         * bindings/ScriptValue.cpp:
1792         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1793         * bytecode/BytecodeBasicBlock.cpp:
1794         * bytecode/BytecodeLivenessAnalysis.cpp:
1795         * bytecode/BytecodeUseDef.h:
1796         * bytecode/CallLinkInfo.cpp:
1797         (JSC::CallLinkInfo::callTypeFor): Deleted.
1798         * bytecode/CallLinkInfo.h:
1799         (JSC::CallLinkInfo::callTypeFor):
1800         * bytecode/CallLinkStatus.cpp:
1801         * bytecode/CodeBlock.cpp:
1802         (JSC::CodeBlock::finishCreation):
1803         (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
1804         * bytecode/CodeBlock.h:
1805         (JSC::CodeBlock::jitCodeMap):
1806         (JSC::clearLLIntGetByIdCache):
1807         * bytecode/Instruction.h:
1808         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1809         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1810         * bytecode/ObjectAllocationProfile.h:
1811         (JSC::ObjectAllocationProfile::isNull):
1812         (JSC::ObjectAllocationProfile::initialize):
1813         * bytecode/Opcode.h:
1814         (JSC::padOpcodeName):
1815         * bytecode/PolymorphicAccess.cpp:
1816         (JSC::AccessCase::generateImpl):
1817         (JSC::PolymorphicAccess::regenerate):
1818         * bytecode/PolymorphicAccess.h:
1819         * bytecode/PreciseJumpTargets.cpp:
1820         * bytecode/StructureStubInfo.cpp:
1821         * bytecode/StructureStubInfo.h:
1822         * bytecode/UnlinkedCodeBlock.cpp:
1823         (JSC::UnlinkedCodeBlock::vm):
1824         * bytecode/UnlinkedCodeBlock.h:
1825         * bytecode/UnlinkedInstructionStream.cpp:
1826         * bytecode/UnlinkedInstructionStream.h:
1827         * dfg/DFGOperations.cpp:
1828         * dfg/DFGSpeculativeJIT.cpp:
1829         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1830         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1831         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1832         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1833         * dfg/DFGSpeculativeJIT.h:
1834         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1835         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1836         * dfg/DFGSpeculativeJIT32_64.cpp:
1837         (JSC::DFG::SpeculativeJIT::compile):
1838         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1839         * dfg/DFGSpeculativeJIT64.cpp:
1840         (JSC::DFG::SpeculativeJIT::compile):
1841         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1842         * dfg/DFGStrengthReductionPhase.cpp:
1843         (JSC::DFG::StrengthReductionPhase::handleNode):
1844         * ftl/FTLAbstractHeapRepository.h:
1845         * ftl/FTLCompile.cpp:
1846         * ftl/FTLJITFinalizer.cpp:
1847         * ftl/FTLLowerDFGToB3.cpp:
1848         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1849         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
1850         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
1851         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1852         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1853         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1854         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1855         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1856         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1857         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1858         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1859         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1860         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
1861         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
1862         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
1863         * ftl/FTLOutput.cpp:
1864         (JSC::FTL::Output::constBool):
1865         (JSC::FTL::Output::add):
1866         (JSC::FTL::Output::shl):
1867         (JSC::FTL::Output::aShr):
1868         (JSC::FTL::Output::lShr):
1869         (JSC::FTL::Output::zeroExt):
1870         (JSC::FTL::Output::equal):
1871         (JSC::FTL::Output::notEqual):
1872         (JSC::FTL::Output::above):
1873         (JSC::FTL::Output::aboveOrEqual):
1874         (JSC::FTL::Output::below):
1875         (JSC::FTL::Output::belowOrEqual):
1876         (JSC::FTL::Output::greaterThan):
1877         (JSC::FTL::Output::greaterThanOrEqual):
1878         (JSC::FTL::Output::lessThan):
1879         (JSC::FTL::Output::lessThanOrEqual):
1880         (JSC::FTL::Output::select):
1881         (JSC::FTL::Output::addIncomingToPhi):
1882         (JSC::FTL::Output::appendSuccessor): Deleted.
1883         * ftl/FTLOutput.h:
1884         * ftl/FTLValueFromBlock.h:
1885         (JSC::FTL::ValueFromBlock::ValueFromBlock):
1886         (JSC::FTL::ValueFromBlock::operator bool): Deleted.
1887         * ftl/FTLWeightedTarget.h:
1888         (JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
1889         * heap/CellContainer.h: Removed.
1890         * heap/CellContainerInlines.h: Removed.
1891         * heap/ConservativeRoots.cpp:
1892         (JSC::ConservativeRoots::ConservativeRoots):
1893         (JSC::ConservativeRoots::~ConservativeRoots):
1894         (JSC::ConservativeRoots::grow):
1895         (JSC::ConservativeRoots::genericAddPointer):
1896         (JSC::ConservativeRoots::genericAddSpan):
1897         * heap/ConservativeRoots.h:
1898         (JSC::ConservativeRoots::roots):
1899         * heap/CopyToken.h:
1900         * heap/FreeList.cpp: Removed.
1901         * heap/FreeList.h: Removed.
1902         * heap/Heap.cpp:
1903         (JSC::Heap::Heap):
1904         (JSC::Heap::lastChanceToFinalize):
1905         (JSC::Heap::finalizeUnconditionalFinalizers):
1906         (JSC::Heap::markRoots):
1907         (JSC::Heap::copyBackingStores):
1908         (JSC::Heap::gatherStackRoots):
1909         (JSC::Heap::gatherJSStackRoots):
1910         (JSC::Heap::gatherScratchBufferRoots):
1911         (JSC::Heap::clearLivenessData):
1912         (JSC::Heap::visitSmallStrings):
1913         (JSC::Heap::visitConservativeRoots):
1914         (JSC::Heap::removeDeadCompilerWorklistEntries):
1915         (JSC::Heap::gatherExtraHeapSnapshotData):
1916         (JSC::Heap::removeDeadHeapSnapshotNodes):
1917         (JSC::Heap::visitProtectedObjects):
1918         (JSC::Heap::visitArgumentBuffers):
1919         (JSC::Heap::visitException):
1920         (JSC::Heap::visitStrongHandles):
1921         (JSC::Heap::visitHandleStack):
1922         (JSC::Heap::visitSamplingProfiler):
1923         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1924         (JSC::Heap::converge):
1925         (JSC::Heap::visitWeakHandles):
1926         (JSC::Heap::updateObjectCounts):
1927         (JSC::Heap::clearUnmarkedExecutables):
1928         (JSC::Heap::deleteUnmarkedCompiledCode):
1929         (JSC::Heap::collectAllGarbage):
1930         (JSC::Heap::collect):
1931         (JSC::Heap::collectImpl):
1932         (JSC::Heap::suspendCompilerThreads):
1933         (JSC::Heap::willStartCollection):
1934         (JSC::Heap::flushOldStructureIDTables):
1935         (JSC::Heap::flushWriteBarrierBuffer):
1936         (JSC::Heap::stopAllocation):
1937         (JSC::Heap::reapWeakHandles):
1938         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1939         (JSC::Heap::sweepArrayBuffers):
1940         (JSC::Heap::snapshotMarkedSpace):
1941         (JSC::Heap::deleteSourceProviderCaches):
1942         (JSC::Heap::notifyIncrementalSweeper):
1943         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
1944         (JSC::Heap::resetAllocators):
1945         (JSC::Heap::updateAllocationLimits):
1946         (JSC::Heap::didFinishCollection):
1947         (JSC::Heap::resumeCompilerThreads):
1948         (JSC::Zombify::visit):
1949         (JSC::Heap::collectWithoutAnySweep): Deleted.
1950         (JSC::Heap::prepareForMarking): Deleted.
1951         (JSC::Heap::forEachCodeBlockImpl): Deleted.
1952         * heap/Heap.h:
1953         (JSC::Heap::allocatorForObjectWithoutDestructor):
1954         (JSC::Heap::allocatorForObjectWithDestructor):
1955         (JSC::Heap::storageAllocator):
1956         (JSC::Heap::jitStubRoutines):
1957         (JSC::Heap::codeBlockSet):
1958         (JSC::Heap::allocatorForAuxiliaryData): Deleted.
1959         * heap/HeapCell.h:
1960         (JSC::HeapCell::isZapped):
1961         * heap/HeapCellInlines.h: Removed.
1962         * heap/HeapInlines.h:
1963         (JSC::Heap::heap):
1964         (JSC::Heap::isLive):
1965         (JSC::Heap::isMarked):
1966         (JSC::Heap::testAndSetMarked):
1967         (JSC::Heap::setMarked):
1968         (JSC::Heap::forEachCodeBlock):
1969         (JSC::Heap::allocateObjectOfType):
1970         (JSC::Heap::subspaceForObjectOfType):
1971         (JSC::Heap::allocatorForObjectOfType):
1972         (JSC::Heap::isPointerGCObject):
1973         (JSC::Heap::isValueGCObject):
1974         (JSC::Heap::cellSize): Deleted.
1975         (JSC::Heap::allocateAuxiliary): Deleted.
1976         (JSC::Heap::tryAllocateAuxiliary): Deleted.
1977         (JSC::Heap::tryReallocateAuxiliary): Deleted.
1978         * heap/HeapUtil.h: Removed.
1979         * heap/LargeAllocation.cpp: Removed.
1980         * heap/LargeAllocation.h: Removed.
1981         * heap/MarkedAllocator.cpp:
1982         (JSC::MarkedAllocator::retire):
1983         (JSC::MarkedAllocator::tryAllocateHelper):
1984         (JSC::MarkedAllocator::tryPopFreeList):
1985         (JSC::MarkedAllocator::tryAllocate):
1986         (JSC::MarkedAllocator::allocateSlowCase):
1987         (JSC::MarkedAllocator::allocateBlock):
1988         (JSC::MarkedAllocator::addBlock):
1989         (JSC::MarkedAllocator::removeBlock):
1990         (JSC::MarkedAllocator::reset):
1991         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
1992         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
1993         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
1994         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
1995         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
1996         (JSC::blockHeaderSize): Deleted.
1997         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
1998         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
1999         (JSC::MarkedAllocator::setFreeList): Deleted.
2000         * heap/MarkedAllocator.h:
2001         (JSC::MarkedAllocator::offsetOfFreeListHead):
2002         (JSC::MarkedAllocator::MarkedAllocator):
2003         (JSC::MarkedAllocator::init):
2004         (JSC::MarkedAllocator::allocate):
2005         (JSC::MarkedAllocator::stopAllocating):
2006         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
2007         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
2008         (JSC::MarkedAllocator::tryAllocate): Deleted.
2009         * heap/MarkedBlock.cpp:
2010         (JSC::MarkedBlock::create):
2011         (JSC::MarkedBlock::MarkedBlock):
2012         (JSC::MarkedBlock::callDestructor):
2013         (JSC::MarkedBlock::specializedSweep):
2014         (JSC::MarkedBlock::sweep):
2015         (JSC::MarkedBlock::sweepHelper):
2016         (JSC::MarkedBlock::stopAllocating):
2017         (JSC::MarkedBlock::clearMarksWithCollectionType):
2018         (JSC::MarkedBlock::resumeAllocating):
2019         (JSC::MarkedBlock::didRetireBlock):
2020         (JSC::MarkedBlock::tryCreate): Deleted.
2021         (JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
2022         (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
2023         (JSC::MarkedBlock::forEachFreeCell): Deleted.
2024         * heap/MarkedBlock.h:
2025         (JSC::MarkedBlock::FreeList::FreeList):
2026         (JSC::MarkedBlock::isEmpty):
2027         (JSC::MarkedBlock::setHasAnyMarked): Deleted.
2028         (JSC::MarkedBlock::hasAnyMarked): Deleted.
2029         (JSC::MarkedBlock::clearHasAnyMarked): Deleted.
2030         (JSC::MarkedBlock::cellAlign): Deleted.
2031         * heap/MarkedSpace.cpp:
2032         (JSC::MarkedSpace::MarkedSpace):
2033         (JSC::MarkedSpace::lastChanceToFinalize):
2034         (JSC::MarkedSpace::sweep):
2035         (JSC::MarkedSpace::zombifySweep):
2036         (JSC::MarkedSpace::resetAllocators):
2037         (JSC::MarkedSpace::visitWeakSets):
2038         (JSC::MarkedSpace::reapWeakSets):
2039         (JSC::MarkedSpace::forEachAllocator):
2040         (JSC::MarkedSpace::stopAllocating):
2041         (JSC::MarkedSpace::resumeAllocating):
2042         (JSC::MarkedSpace::isPagedOut):
2043         (JSC::MarkedSpace::shrink):
2044         (JSC::MarkedSpace::clearNewlyAllocated):
2045         (JSC::MarkedSpace::clearMarks):
2046         (JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
2047         (JSC::MarkedSpace::allocate): Deleted.
2048         (JSC::MarkedSpace::tryAllocate): Deleted.
2049         (JSC::MarkedSpace::allocateLarge): Deleted.
2050         (JSC::MarkedSpace::tryAllocateLarge): Deleted.
2051         (JSC::MarkedSpace::sweepLargeAllocations): Deleted.
2052         (JSC::MarkedSpace::prepareForMarking): Deleted.
2053         (JSC::MarkedSpace::objectCount): Deleted.
2054         (JSC::MarkedSpace::size): Deleted.
2055         (JSC::MarkedSpace::capacity): Deleted.
2056         * heap/MarkedSpace.h:
2057         (JSC::MarkedSpace::blocksWithNewObjects):
2058         (JSC::MarkedSpace::forEachLiveCell):
2059         (JSC::MarkedSpace::forEachDeadCell):
2060         (JSC::MarkedSpace::allocatorFor):
2061         (JSC::MarkedSpace::destructorAllocatorFor):
2062         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2063         (JSC::MarkedSpace::allocateWithoutDestructor):
2064         (JSC::MarkedSpace::allocateWithDestructor):
2065         (JSC::MarkedSpace::allocateAuxiliary):
2066         (JSC::MarkedSpace::forEachBlock):
2067         (JSC::MarkedSpace::objectCount):
2068         (JSC::MarkedSpace::size):
2069         (JSC::MarkedSpace::capacity):
2070         (JSC::MarkedSpace::sizeClassToIndex): Deleted.
2071         (JSC::MarkedSpace::indexToSizeClass): Deleted.
2072         (JSC::MarkedSpace::largeAllocations): Deleted.
2073         (JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
2074         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
2075         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
2076         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
2077         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
2078         (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
2079         (JSC::MarkedSpace::forEachAllocator): Deleted.
2080         (JSC::MarkedSpace::optimalSizeFor): Deleted.
2081         * heap/SlotVisitor.cpp:
2082         (JSC::SlotVisitor::didStartMarking):
2083         (JSC::SlotVisitor::reset):
2084         (JSC::SlotVisitor::append):
2085         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2086         (JSC::SlotVisitor::appendToMarkStack):
2087         (JSC::SlotVisitor::visitChildren):
2088         (JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
2089         (JSC::SlotVisitor::markAuxiliary): Deleted.
2090         (JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
2091         * heap/SlotVisitor.h:
2092         * heap/WeakBlock.cpp:
2093         (JSC::WeakBlock::create):
2094         (JSC::WeakBlock::WeakBlock):
2095         (JSC::WeakBlock::visit):
2096         (JSC::WeakBlock::reap):
2097         * heap/WeakBlock.h:
2098         (JSC::WeakBlock::disconnectMarkedBlock):
2099         (JSC::WeakBlock::disconnectContainer): Deleted.
2100         * heap/WeakSet.cpp:
2101         (JSC::WeakSet::sweep):
2102         (JSC::WeakSet::addAllocator):
2103         * heap/WeakSet.h:
2104         (JSC::WeakSet::WeakSet):
2105         * heap/WeakSetInlines.h:
2106         (JSC::WeakSet::allocate):
2107         * inspector/InjectedScriptManager.cpp:
2108         * inspector/JSGlobalObjectInspectorController.cpp:
2109         * inspector/JSJavaScriptCallFrame.cpp:
2110         * inspector/ScriptDebugServer.cpp:
2111         * inspector/agents/InspectorDebuggerAgent.cpp:
2112         * interpreter/CachedCall.h:
2113         (JSC::CachedCall::CachedCall):
2114         * interpreter/Interpreter.cpp:
2115         (JSC::StackFrame::sourceID):
2116         (JSC::StackFrame::sourceURL):
2117         (JSC::StackFrame::functionName):
2118         (JSC::loadVarargs):
2119         (JSC::StackFrame::computeLineAndColumn):
2120         (JSC::StackFrame::toString):
2121         * interpreter/Interpreter.h:
2122         (JSC::StackFrame::isNative):
2123         * jit/AssemblyHelpers.h:
2124         (JSC::AssemblyHelpers::emitAllocate):
2125         (JSC::AssemblyHelpers::emitAllocateJSCell):
2126         (JSC::AssemblyHelpers::emitAllocateJSObject):
2127         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2128         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2129         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
2130         * jit/GCAwareJITStubRoutine.cpp:
2131         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2132         * jit/JIT.cpp:
2133         (JSC::JIT::compileCTINativeCall): Deleted.
2134         * jit/JIT.h:
2135         (JSC::JIT::compileCTINativeCall):
2136         * jit/JITExceptions.cpp:
2137         (JSC::genericUnwind): Deleted.
2138         * jit/JITExceptions.h:
2139         * jit/JITOpcodes.cpp:
2140         (JSC::JIT::emit_op_new_object):
2141         (JSC::JIT::emitSlow_op_new_object):
2142         (JSC::JIT::emit_op_create_this):
2143         (JSC::JIT::emitSlow_op_create_this):
2144         * jit/JITOpcodes32_64.cpp:
2145         (JSC::JIT::emit_op_new_object):
2146         (JSC::JIT::emitSlow_op_new_object):
2147         (JSC::JIT::emit_op_create_this):
2148         (JSC::JIT::emitSlow_op_create_this):
2149         * jit/JITOperations.cpp:
2150         * jit/JITOperations.h:
2151         * jit/JITPropertyAccess.cpp:
2152         (JSC::JIT::emitWriteBarrier):
2153         * jit/JITThunks.cpp:
2154         * jit/JITThunks.h:
2155         * jsc.cpp:
2156         (functionDescribeArray):
2157         (main):
2158         * llint/LLIntData.cpp:
2159         (JSC::LLInt::Data::performAssertions):
2160         * llint/LLIntExceptions.cpp:
2161         * llint/LLIntThunks.cpp:
2162         * llint/LLIntThunks.h:
2163         * llint/LowLevelInterpreter.asm:
2164         * llint/LowLevelInterpreter.cpp:
2165         * llint/LowLevelInterpreter32_64.asm:
2166         * llint/LowLevelInterpreter64.asm:
2167         * parser/ModuleAnalyzer.cpp:
2168         * parser/NodeConstructors.h:
2169         * parser/Nodes.h:
2170         * profiler/ProfilerBytecode.cpp:
2171         * profiler/ProfilerBytecode.h:
2172         * profiler/ProfilerBytecodeSequence.cpp:
2173         * runtime/ArrayConventions.h:
2174         (JSC::indexingHeaderForArray):
2175         (JSC::baseIndexingHeaderForArray):
2176         (JSC::indexingHeaderForArrayStorage): Deleted.
2177         (JSC::baseIndexingHeaderForArrayStorage): Deleted.
2178         * runtime/ArrayPrototype.cpp:
2179         (JSC::arrayProtoFuncSplice):
2180         (JSC::concatAppendOne):
2181         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2182         * runtime/ArrayStorage.h:
2183         (JSC::ArrayStorage::vectorLength):
2184         (JSC::ArrayStorage::sizeFor):
2185         (JSC::ArrayStorage::totalSizeFor): Deleted.
2186         (JSC::ArrayStorage::totalSize): Deleted.
2187         (JSC::ArrayStorage::availableVectorLength): Deleted.
2188         (JSC::ArrayStorage::optimalVectorLength): Deleted.
2189         * runtime/AuxiliaryBarrier.h: Removed.
2190         * runtime/AuxiliaryBarrierInlines.h: Removed.
2191         * runtime/Butterfly.h:
2192         * runtime/ButterflyInlines.h:
2193         (JSC::Butterfly::createUninitialized):
2194         (JSC::Butterfly::growArrayRight):
2195         (JSC::Butterfly::availableContiguousVectorLength): Deleted.
2196         (JSC::Butterfly::optimalContiguousVectorLength): Deleted.
2197         * runtime/ClonedArguments.cpp:
2198         (JSC::ClonedArguments::createEmpty):
2199         * runtime/CommonSlowPathsExceptions.cpp:
2200         * runtime/CommonSlowPathsExceptions.h:
2201         * runtime/DataView.cpp:
2202         * runtime/DirectArguments.h:
2203         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2204         * runtime/Error.cpp:
2205         * runtime/Error.h:
2206         * runtime/ErrorInstance.cpp:
2207         * runtime/ErrorInstance.h:
2208         * runtime/Exception.cpp:
2209         * runtime/Exception.h:
2210         * runtime/GeneratorFrame.cpp:
2211         * runtime/GeneratorPrototype.cpp:
2212         * runtime/InternalFunction.cpp:
2213         (JSC::InternalFunction::InternalFunction):
2214         * runtime/IntlCollator.cpp:
2215         * runtime/IntlCollatorConstructor.cpp:
2216         * runtime/IntlCollatorPrototype.cpp:
2217         * runtime/IntlDateTimeFormat.cpp:
2218         * runtime/IntlDateTimeFormatConstructor.cpp:
2219         * runtime/IntlDateTimeFormatPrototype.cpp:
2220         * runtime/IntlNumberFormat.cpp:
2221         * runtime/IntlNumberFormatConstructor.cpp:
2222         * runtime/IntlNumberFormatPrototype.cpp:
2223         * runtime/IntlObject.cpp:
2224         * runtime/IteratorPrototype.cpp:
2225         * runtime/JSArray.cpp:
2226         (JSC::JSArray::setLengthWritable):
2227         (JSC::JSArray::unshiftCountSlowCase):
2228         (JSC::JSArray::setLengthWithArrayStorage):
2229         (JSC::JSArray::appendMemcpy):
2230         (JSC::JSArray::setLength):
2231         (JSC::JSArray::pop):
2232         (JSC::JSArray::push):
2233         (JSC::JSArray::fastSlice):
2234         (JSC::JSArray::shiftCountWithArrayStorage):
2235         (JSC::JSArray::shiftCountWithAnyIndexingType):
2236         (JSC::JSArray::unshiftCountWithArrayStorage):
2237         (JSC::JSArray::fillArgList):
2238         (JSC::JSArray::copyToArguments):
2239         (JSC::JSArray::tryCreateUninitialized): Deleted.
2240         * runtime/JSArray.h:
2241         (JSC::createContiguousArrayButterfly):
2242         (JSC::createArrayButterfly):
2243         (JSC::JSArray::create):
2244         (JSC::JSArray::tryCreateUninitialized):
2245         * runtime/JSArrayBufferView.h:
2246         * runtime/JSCInlines.h:
2247         * runtime/JSCJSValue.cpp:
2248         (JSC::JSValue::dumpInContextAssumingStructure):
2249         * runtime/JSCallee.cpp:
2250         (JSC::JSCallee::JSCallee):
2251         * runtime/JSCell.cpp:
2252         (JSC::JSCell::estimatedSize):
2253         * runtime/JSCell.h:
2254         (JSC::JSCell::cellStateOffset):
2255         * runtime/JSCellInlines.h:
2256         (JSC::JSCell::vm):
2257         (JSC::ExecState::vm):
2258         (JSC::JSCell::classInfo):
2259         (JSC::JSCell::callDestructor): Deleted.
2260         * runtime/JSFunction.cpp:
2261         (JSC::JSFunction::create):
2262         (JSC::JSFunction::allocateAndInitializeRareData):
2263         (JSC::JSFunction::initializeRareData):
2264         (JSC::JSFunction::getOwnPropertySlot):
2265         (JSC::JSFunction::put):
2266         (JSC::JSFunction::deleteProperty):
2267         (JSC::JSFunction::defineOwnProperty):
2268         (JSC::JSFunction::setFunctionName):
2269         (JSC::JSFunction::reifyLength):
2270         (JSC::JSFunction::reifyName):
2271         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2272         (JSC::JSFunction::reifyBoundNameIfNeeded):
2273         * runtime/JSFunction.h:
2274         * runtime/JSFunctionInlines.h:
2275         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2276         (JSC::JSFunction::JSFunction):
2277         * runtime/JSGenericTypedArrayViewInlines.h:
2278         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2279         * runtime/JSInternalPromise.cpp:
2280         * runtime/JSInternalPromiseConstructor.cpp:
2281         * runtime/JSInternalPromiseDeferred.cpp:
2282         * runtime/JSInternalPromisePrototype.cpp:
2283         * runtime/JSJob.cpp:
2284         * runtime/JSMapIterator.cpp:
2285         * runtime/JSModuleNamespaceObject.cpp:
2286         * runtime/JSModuleRecord.cpp:
2287         * runtime/JSObject.cpp:
2288         (JSC::JSObject::copyButterfly):
2289         (JSC::JSObject::visitButterfly):
2290         (JSC::JSObject::copyBackingStore):
2291         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2292         (JSC::JSObject::createInitialIndexedStorage):
2293         (JSC::JSObject::createInitialUndecided):
2294         (JSC::JSObject::createInitialInt32):
2295         (JSC::JSObject::createInitialDouble):
2296         (JSC::JSObject::createInitialContiguous):
2297         (JSC::JSObject::createArrayStorage):
2298         (JSC::JSObject::createInitialArrayStorage):
2299         (JSC::JSObject::convertUndecidedToInt32):
2300         (JSC::JSObject::convertUndecidedToContiguous):
2301         (JSC::JSObject::convertUndecidedToArrayStorage):
2302         (JSC::JSObject::convertInt32ToDouble):
2303         (JSC::JSObject::convertInt32ToArrayStorage):
2304         (JSC::JSObject::convertDoubleToArrayStorage):
2305         (JSC::JSObject::convertContiguousToArrayStorage):
2306         (JSC::JSObject::putByIndexBeyondVectorLength):
2307         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2308         (JSC::JSObject::getNewVectorLength):
2309         (JSC::JSObject::increaseVectorLength):
2310         (JSC::JSObject::ensureLengthSlow):
2311         (JSC::JSObject::growOutOfLineStorage):
2312         * runtime/JSObject.h:
2313         (JSC::JSObject::putDirectInternal):
2314         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2315         (JSC::JSObject::globalObject): Deleted.
2316         * runtime/JSObjectInlines.h:
2317         * runtime/JSPromise.cpp:
2318         * runtime/JSPromiseConstructor.cpp:
2319         * runtime/JSPromiseDeferred.cpp:
2320         * runtime/JSPromisePrototype.cpp:
2321         * runtime/JSPropertyNameIterator.cpp:
2322         * runtime/JSScope.cpp:
2323         (JSC::JSScope::resolve):
2324         * runtime/JSScope.h:
2325         (JSC::JSScope::vm):
2326         (JSC::JSScope::globalObject): Deleted.
2327         * runtime/JSSetIterator.cpp:
2328         * runtime/JSStringIterator.cpp:
2329         * runtime/JSTemplateRegistryKey.cpp:
2330         * runtime/JSTypedArrayViewConstructor.cpp:
2331         * runtime/JSTypedArrayViewPrototype.cpp:
2332         * runtime/JSWeakMap.cpp:
2333         * runtime/JSWeakSet.cpp:
2334         * runtime/MapConstructor.cpp:
2335         * runtime/MapIteratorPrototype.cpp:
2336         * runtime/MapPrototype.cpp:
2337         * runtime/NativeErrorConstructor.cpp:
2338         * runtime/NativeStdFunctionCell.cpp:
2339         * runtime/Operations.h:
2340         (JSC::scribbleFreeCells): Deleted.
2341         (JSC::scribble): Deleted.
2342         * runtime/Options.h:
2343         * runtime/PropertyTable.cpp:
2344         * runtime/ProxyConstructor.cpp:
2345         * runtime/ProxyObject.cpp:
2346         * runtime/ProxyRevoke.cpp:
2347         * runtime/RegExp.cpp:
2348         (JSC::RegExp::match):
2349         (JSC::RegExp::matchConcurrently):
2350         (JSC::RegExp::matchCompareWithInterpreter):
2351         * runtime/RegExp.h:
2352         * runtime/RegExpConstructor.h:
2353         * runtime/RegExpInlines.h:
2354         (JSC::RegExp::matchInline):
2355         * runtime/RegExpMatchesArray.h:
2356         (JSC::tryCreateUninitializedRegExpMatchesArray):
2357         (JSC::createRegExpMatchesArray):
2358         * runtime/RegExpPrototype.cpp:
2359         (JSC::genericSplit):
2360         * runtime/RuntimeType.cpp:
2361         * runtime/SamplingProfiler.cpp:
2362         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2363         * runtime/SetConstructor.cpp:
2364         * runtime/SetIteratorPrototype.cpp:
2365         * runtime/SetPrototype.cpp:
2366         * runtime/StackFrame.cpp: Removed.
2367         * runtime/StackFrame.h: Removed.
2368         * runtime/StringConstructor.cpp:
2369         * runtime/StringIteratorPrototype.cpp:
2370         * runtime/TemplateRegistry.cpp:
2371         * runtime/TestRunnerUtils.cpp:
2372         (JSC::finalizeStatsAtEndOfTesting): Deleted.
2373         * runtime/TestRunnerUtils.h:
2374         * runtime/TypeProfilerLog.cpp:
2375         * runtime/TypeSet.cpp:
2376         * runtime/VM.cpp:
2377         (JSC::VM::ensureStackCapacityForCLoop): Deleted.
2378         (JSC::VM::isSafeToRecurseSoftCLoop): Deleted.
2379         * runtime/VM.h:
2380         * runtime/VMEntryScope.h:
2381         * runtime/VMInlines.h:
2382         (JSC::VM::ensureStackCapacityFor):
2383         (JSC::VM::isSafeToRecurseSoft):
2384         * runtime/WeakMapConstructor.cpp:
2385         * runtime/WeakMapData.cpp:
2386         * runtime/WeakMapPrototype.cpp:
2387         * runtime/WeakSetConstructor.cpp:
2388         * runtime/WeakSetPrototype.cpp:
2389         * testRegExp.cpp:
2390         (testOneRegExp):
2391         * tools/JSDollarVM.cpp:
2392         * tools/JSDollarVMPrototype.cpp:
2393         (JSC::JSDollarVMPrototype::isInObjectSpace):
2394
2395 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2396
2397         js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854
2398         https://bugs.webkit.org/show_bug.cgi?id=161115
2399
2400         Reviewed by Keith Miller.
2401         
2402         There were two small goofs.
2403
2404         * bytecode/ObjectAllocationProfile.h:
2405         (JSC::ObjectAllocationProfile::isNull): The new policy is that the allocator can be null. So now the way you tell if the profile is null is by checking the structure.
2406         * jit/JITOperations.cpp: This was using DeferGC, which is now definitely wrong. It forces the GC to happen when the structure and butterfly are mismatched. It's better for the GC to happen before we put the butterfly in the object.
2407
2408 2016-08-24  Filip Pizlo  <fpizlo@apple.com>
2409
2410         AssemblyHelpers::emitAllocateWithNonNullAllocator() crashes in the FTL on ARM64
2411         https://bugs.webkit.org/show_bug.cgi?id=161138
2412         rdar://problem/27985868
2413
2414         Reviewed by Saam Barati.
2415         
2416         The FTL expects that this method can be used with scratch registers disallowed, but it
2417         uses addPtr(Addr, Reg).
2418
2419         The solution is to only use addPtr(Addr, Reg) on x86.
2420
2421         * jit/AssemblyHelpers.h:
2422         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2423
2424 2016-08-24  Skachkov Oleksandr  <gskachkov@gmail.com>
2425
2426         [ES2016] Allow assignment in for-in head in not-strict mode
2427         https://bugs.webkit.org/show_bug.cgi?id=160955
2428
2429         Reviewed by Saam Barati.
2430
        This patch allows assignment in the for..in head in non-strict mode,
        according to the spec https://tc39.github.io/ecma262/#sec-initializers-in-forin-statement-heads
2433
2434         * bytecompiler/NodesCodegen.cpp:
2435         (JSC::ForInNode::emitLoopHeader):
2436         (JSC::ForInNode::emitMultiLoopBytecode):
2437         * parser/Nodes.h:
2438         (JSC::ExpressionNode::isAssignResolveNode):
2439         (JSC::AssignResolveNode::identifier):
2440         (JSC::ExpressionNode::isResolveNode): Deleted.
2441         * parser/Parser.cpp:
2442         (JSC::Parser<LexerType>::parseForStatement):
2443
2444 2016-08-23  Saam Barati  <sbarati@apple.com>
2445
2446         It should be easy to run ES6SampleBench from the jsc shell
2447         https://bugs.webkit.org/show_bug.cgi?id=161085
2448
2449         Reviewed by Yusuke Suzuki.
2450
2451         This patch adds a new function called `runString` to the shell.
2452         It takes in a string, and executes it in a new global object.
2453         Then, it returns the global object it executed the code in.
2454         This allows the code to stash some kind of a result on the global,
2455         and then have the caller of `runString` extract the result.
2456
2457         * jsc.cpp:
2458         (GlobalObject::finishCreation):
2459         (functionRunString):
2460
2461 2016-08-23  Benjamin Poulain  <benjamin@webkit.org>
2462
2463         [JSC] Make ArithLog works with any type
2464         https://bugs.webkit.org/show_bug.cgi?id=161110
2465
2466         Reviewed by Geoffrey Garen.
2467
2468         Same old: if the type is not a number, assume the worst in every
2469         phase and generate a fallback function call.
2470
2471         * dfg/DFGAbstractInterpreterInlines.h:
2472         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2473         * dfg/DFGClobberize.h:
2474         (JSC::DFG::clobberize):
2475         * dfg/DFGFixupPhase.cpp:
2476         (JSC::DFG::FixupPhase::fixupNode):
2477         * dfg/DFGNodeType.h:
2478         * dfg/DFGOperations.cpp:
2479         * dfg/DFGOperations.h:
2480         * dfg/DFGSpeculativeJIT.cpp:
2481         (JSC::DFG::SpeculativeJIT::compileArithLog):
2482         * ftl/FTLLowerDFGToB3.cpp:
2483         (JSC::FTL::DFG::LowerDFGToB3::compileArithLog):
2484
2485 2016-08-23  Ryan Haddad  <ryanhaddad@apple.com>
2486
2487         Rebaseline builtins-generator-tests after r204854.
2488
2489         Unreviewed test gardening.
2490
2491         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2492         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2493         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2494         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2495         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2496         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2497         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2498         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2499         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2500         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2501         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2502         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2503         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2504         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2505
2506 2016-08-23  Keith Miller  <keith_miller@apple.com>
2507
2508         %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
2509         https://bugs.webkit.org/show_bug.cgi?id=161031
2510         <rdar://problem/27937019>
2511
2512         Reviewed by Geoffrey Garen.
2513
2514         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2515         (JSC::speciesConstruct):
2516         (JSC::genericTypedArrayViewProtoFuncSlice):
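
The check this entry adds guards against a species constructor detaching the buffer in the middle of the operation. What follows is an added example, not WebKit or JavaScriptCore code: it runs under Node.js, assumes either the `structuredClone` global (Node 17+) or the `MessageChannel` global as a fallback to detach an ArrayBuffer, and shows that a correct `%TypedArray%.prototype.slice` must throw a TypeError rather than copy from a source that was detached after the species constructor ran. The `Hostile`, `detach` and `sliceWithDetachingSpecies` names are this example's own.

```javascript
// Added example, not WebKit code. A Symbol.species constructor is user code that
// runs in the middle of %TypedArray%.prototype.slice, after the engine has read
// the source length and before it copies bytes. If it detaches the source
// buffer, the engine must notice and throw instead of touching freed storage.

// Detach `buffer` by transferring it. structuredClone (Node 17+) or the
// MessageChannel global (Node 15+) both leave the original with byteLength 0.
function detach(buffer) {
  if (typeof structuredClone === 'function') {
    structuredClone(buffer, { transfer: [buffer] });
  } else {
    const { port1, port2 } = new MessageChannel();
    port1.postMessage(buffer, [buffer]);
    port1.close();
    port2.close();
  }
  return buffer.byteLength === 0;
}

// Build a typed array of `length` bytes whose species constructor detaches the
// array's own buffer, then slice it. Returns what the engine did.
function sliceWithDetachingSpecies(length) {
  let source;
  class Hostile extends Uint8Array {
    static get [Symbol.species]() {
      // slice calls this to create the destination array.
      return function (n) {
        detach(source.buffer);          // source is now detached, mid-slice
        return new Uint8Array(n);
      };
    }
  }
  source = new Hostile(length).fill(0x41);
  try {
    const result = source.slice();
    return { threw: false, resultLength: result.length,
             sourceDetached: source.buffer.byteLength === 0 };
  } catch (e) {
    return { threw: true, errorName: e.name,
             sourceDetached: source.buffer.byteLength === 0 };
  }
}

// The ordinary case for comparison: slicing copies the requested range.
function benignSlice() {
  return Array.from(new Uint8Array([1, 2, 3, 4]).slice(1, 3));   // [2, 3]
}
```

The interesting result is `{ threw: true, errorName: 'TypeError', sourceDetached: true }`: the species constructor did detach the source, and the engine refused to continue. An engine that only validated the source before calling the species constructor would instead read from a buffer whose backing store has already been released.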
2517
2518 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2519
2520         REGRESSION(204854): ASan is unhappy
2521         https://bugs.webkit.org/show_bug.cgi?id=161109
2522
2523         Reviewed by Geoffrey Garen.
2524         
2525         I messed up RegExpConstructor: it ends up being a callee and a large allocation.
2526         
2527         This fixes it to not be a large allocation.
2528
2529         * dfg/DFGStrengthReductionPhase.cpp:
2530         (JSC::DFG::StrengthReductionPhase::handleNode):
2531         * runtime/InternalFunction.cpp:
2532         (JSC::InternalFunction::InternalFunction):
2533         * runtime/RegExp.cpp:
2534         (JSC::RegExp::match):
2535         (JSC::RegExp::matchConcurrently):
2536         (JSC::RegExp::matchCompareWithInterpreter):
2537         * runtime/RegExp.h:
2538         * runtime/RegExpConstructor.h:
2539         * runtime/RegExpInlines.h:
2540         (JSC::RegExp::matchInline):
2541         * runtime/RegExpPrototype.cpp:
2542         (JSC::genericSplit):
2543         * testRegExp.cpp:
2544         (testOneRegExp):
2545
2546 2016-08-23  Saam Barati  <sbarati@apple.com>
2547
2548         strict mode eval should not fire the var injection watch point
2549         https://bugs.webkit.org/show_bug.cgi?id=161104
2550
2551         Reviewed by Geoffrey Garen.
2552
2553         Strict mode eval can't do any variable injections. It was
2554         an oversight that we fired the var injection watchpoint when
2555         the eval is in strict mode.
2556
2557         * interpreter/Interpreter.cpp:
2558         (JSC::Interpreter::execute):
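
The distinction this entry relies on, as an added example that is not part of the ChangeLog or of JavaScriptCore: three probes, run under Node.js, show that only a sloppy-mode direct eval can declare a variable into its caller's scope (the injection the watchpoint exists to catch), while a strict eval, whether the evaluated string or the caller is strict, cannot. The `runSloppy` and `probe` names are this example's own.

```javascript
// Added example, not WebKit code. Shows which kinds of eval can add a `var` to
// the calling function's scope. Only sloppy-mode direct eval can; strict eval
// keeps its declarations in a fresh environment, so the caller's bindings
// cannot change under it.

// Compile `body` as a sloppy-mode function and run it. The Function constructor
// ignores the strictness of this file, so the probes below behave the same
// whether this module is loaded as CommonJS or as an (always strict) ES module.
function runSloppy(body) {
  return Function(body)();
}

// Sloppy direct eval: the eval'd `var secret` is hoisted into probe's scope and
// shadows the outer binding for the rest of the call.
function sloppyDirectEval() {
  return runSloppy(`
    var secret = 'outer';
    function probe() {
      eval("var secret = 'injected'");
      return secret;
    }
    return probe();
  `);                                   // 'injected'
}

// The eval'd string opts into strict mode: its `var` lives in the eval's own
// environment and the outer `secret` is untouched.
function strictEvalString() {
  return runSloppy(`
    var secret = 'outer';
    function probe() {
      eval("'use strict'; var secret = 'injected'");
      return secret;
    }
    return probe();
  `);                                   // 'outer'
}

// A direct eval issued from strict code is strict no matter what the string
// says, so this cannot inject either.
function strictCallerEval() {
  return runSloppy(`
    var secret = 'outer';
    function probe() {
      'use strict';
      eval("var secret = 'injected'");
      return secret;
    }
    return probe();
  `);                                   // 'outer'
}
```

Only the first probe changes what `secret` resolves to inside `probe`; that is the scope mutation an engine has to invalidate optimized code for, and the two strict cases show why a strict eval never needs to.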
2559
2560 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
2561
2562         Spilling of constant tmps should make it easier for the spill code optimizer to rematerialize the constant
2563         https://bugs.webkit.org/show_bug.cgi?id=160150
2564         
2565         Reviewed by Benjamin Poulain.
2566         
2567         When we spill in-place for admitsStack()==true, we prevent rematerialization if that
        argument doesn't also admit immediates (which it almost certainly won't do). So, we
2569         prevent remat.
2570         
2571         This fixes the issue by avoiding in-place spilling for warm uses of constants. I don't
        know if this helps performance, but I do know that it makes the codegen for
2573         bigswitch-indirect-symbol look a lot better. Prior to this change, the prolog would have
2574         a constant materialization for each symbol that function used, and then it would spill
2575         that constant. This removes all of that yucky code.
2576         
2577         This also changes how IRC detects constant Tmps. Previously we would say that a Tmp is a
2578         constant if the number of const defs was equal to the number of defs. But it's possible
2579         for each of the const defs to produce a different value. This is unlikely considering
2580         how B3->Air lowering works and how our SSA works - each def would have its own register.
2581         But, regardless, this picks a more precise way of detecting constants: the number of
2582         const defs must be 1 and the number of defs must be 1.
2583         
2584         * b3/air/AirIteratedRegisterCoalescing.cpp:
2585         
2586 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2587
2588         Unreviewed, fix CLoop build.
2589         
2590         This fixes the CLoop build while still ensuring that Interpreter.h is a project header.
2591
2592         * llint/LowLevelInterpreter.cpp:
2593         * runtime/VM.cpp:
2594         (JSC::VM::ensureStackCapacityForCLoop):
2595         (JSC::VM::isSafeToRecurseSoftCLoop):
2596         * runtime/VM.h:
2597         * runtime/VMInlines.h:
2598         (JSC::VM::ensureStackCapacityFor):
2599         (JSC::VM::isSafeToRecurseSoft):
2600
2601 2016-08-22  Filip Pizlo  <fpizlo@apple.com>
2602
2603         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2604         https://bugs.webkit.org/show_bug.cgi?id=160125
2605
2606         Reviewed by Geoffrey Garen.
2607
2608         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2609         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2610         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2611         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2612         to get rid of copied space. This change moves copied space's biggest client over to marked
2613         space.
2614         
2615         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2616         allocation path. This is a fairly mechanical change, but it caused performance regressions
2617         everywhere, so this change also fixes MarkedSpace's performance issues.
2618         
2619         At a high level the mechanical changes are:
2620         
2621         - We use AuxiliaryBarrier instead of CopyBarrier.
2622         
2623         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2624           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2625         
2626         - The JITs have to emit inlined marked space allocations instead of inline copy space
2627           allocations.
2628         
2629         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2630           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2631           space doesn't.
2632         
2633         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2634         optimizations that amounted to a major MarkedSpace rewrite:
2635         
2636         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2637           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2638           size class. I got around this by making array allocations usually round up vectorLength to
2639           the maximum allowed by the size class that we would have allocated in. Also,
2640           ensureLengthSlow() and friends first make sure that the requested length can't just be
2641           fulfilled with the current allocation size. This safeguard means that not every array
2642           allocation has to do size class queries. For example, the fast path of new Array(length)
2643           never does any size class queries, under the assumption that (1) the speed gained from
2644           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2645           size class query, is too small to offset the speed lost by doing the query on every
2646           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2647           likely.
2648         
2649         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2650           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2651           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2652           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2653           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2654           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2655           size (80 bytes), we proceed using a geometric progression, but round up each size to
2656           minimize slop at the end of the block. This naturally causes the geometric progression to
2657           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
          it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2659         
2660         - Large allocations caused massive internal fragmentation, since the smallest large
2661           allocation had to use exactly blockSize, and the largest small allocation used
2662           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2663           also had 50% internal fragmentation. This is because we required large allocations to be
2664           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2665           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2666           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2667           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2668           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2669           out great since (1) typed arrays won't use large allocations anyway since they have their
          own malloc fallback and (2) large array butterflies already have an 8 byte header, which
2671           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2672           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2673           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2674           must be small allocations. It's also possible to use template tricks to do one check for
2675           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2676           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2677           that get used from functions that are template-specialized like this. That's mostly to
2678           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2679           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2680           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2681           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2682           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2683           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2684           that the MarkedBlock size classes end up being:
2685           
2686           16, 32, 48, 64, 80, 112, 160, 224, 320
2687           
2688           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2689           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2690           size classes you end up with by doing --dumpSizeClasses=true.
2691         
2692         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2693           of stuff in 16KB blocks is slower than allocating it in 64KB blocks. I got more speed from
2694           changing MarkedBlock::blockSize to 64KB. This would have been a space fail before, but now
2695           that we have LargeAllocation, it ends up being an overall win.
2696         
2697         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2698           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2699           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2700           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2701           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2702           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2703           that we walk the block to build a free list. This means walking dead space. The new
2704           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2705           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2706           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2707           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2708           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2709           is completely empty, which is the common case because of the generational hypothesis: the
2710           number of objects that survive an eden collection is a tiny fraction of the number of
2711           objects that had been allocated, and this fraction is so small that there are typically
          fewer than one survivor per MarkedBlock. This change was enough to make this change a net
2713           win over tip-of-tree.
2714         
2715         - FTL now shares the same allocation fast paths as everything else, which is great, because
2716           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2717           control flow, since it won't be able to improve the machine code we write ourselves. GC
2718           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2719           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2720           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2721           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2722           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2723           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2724           variable-length allocation but then realize that the length is known). I think it makes
2725           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2726           since this makes lowering easier (you can constant fold during lowering more easily) and it
2727           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2728           constant-fold this code. That would require allowing loads to be constant-folded, which is
2729           doable but hella tricky.
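
        The size class progression described above (linear steps to 80 bytes, then a base-1.4
        geometric progression rounded to leave minimal slop at the end of the block, cut off at the
        large allocation size), reconstructed as an added example. This is not JavaScriptCore code
        and not the author's implementation: the block header size (64 bytes), the exact rounding
        rule and the skipping of duplicate classes are assumptions made for the illustration.

```python
# Added example, not JavaScriptCore code: a reconstruction of the size-class
# policy described in the entry above. Linear 16-byte steps up to the last
# precise size (80), then a geometric progression (base 1.4) whose members are
# rounded so that a block holds a whole number of cells with as little slop
# at the end of the block as possible, cut off at the large-allocation size.

ATOM_SIZE = 16           # MarkedBlock::atomSize in this era of JSC
BLOCK_SIZE = 64 * 1024   # MarkedBlock::blockSize after this change
ASSUMED_HEADER = 64      # assumption: the entry does not state the header size
BLOCK_PAYLOAD = BLOCK_SIZE - ASSUMED_HEADER
PRECISE_CUTOFF = 80      # last precise size class named in the entry


def round_up(n, align):
    return (n + align - 1) // align * align


def round_down(n, align):
    return n // align * align


def size_classes(block_payload=BLOCK_PAYLOAD, atom=ATOM_SIZE,
                 precise_cutoff=PRECISE_CUTOFF, progression=1.4,
                 large_cutoff=400):
    """Cell sizes a MarkedSpace would configure for these parameters."""
    classes = list(range(atom, precise_cutoff + 1, atom))   # 16, 32, ..., 80
    step = 1
    while True:
        candidate = round_up(int(precise_cutoff * progression ** step), atom)
        step += 1
        if candidate > large_cutoff:
            break
        cells = block_payload // candidate
        # Grow the candidate to the largest atom-aligned size that still fits
        # `cells` cells. Near the top of the range this yields payload/2,
        # payload/3, ...: the hyperbolic tail the entry describes.
        size = round_down(block_payload // cells, atom)
        if size > large_cutoff:
            break
        if size != classes[-1]:        # assumption: skip duplicate classes
            classes.append(size)
    return classes


def slop(block_payload, size):
    """Bytes wasted at the end of a block filled with cells of `size`."""
    return block_payload - (block_payload // size) * size


if __name__ == "__main__":
    for size in size_classes():
        print(size, "bytes:", BLOCK_PAYLOAD // size, "cells, slop", slop(BLOCK_PAYLOAD, size))
```

        With the 400 byte cutoff the function yields the nine classes listed in the entry, and the
        next candidate (432) is rejected. Raising the cutoff to half the payload shows the
        hyperbolic tail: the last two classes are payload/2 and payload/3 rounded down to the atom
        size, because the geometric step is coarser than 1/n near the top of the range.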
2730         
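        The bump'n'pop allocator described above, as an added toy model that is not JavaScriptCore
        code and not the author's implementation: cells are byte offsets into a block, the
        per-block "has any marked" bit decides whether sweeping can skip the walk over dead cells,
        and allocation tries the bump pointer before popping the free list. The cell and payload
        sizes used in the demonstration are constructed, not taken from JSC.

```python
# Added example, not JavaScriptCore code: a toy model of the bump'n'pop
# MarkedBlock allocator described above. After marking, a block whose
# per-block "has any marked" bit is clear becomes a bump-pointer arena in O(1)
# without visiting its dead cells; a block with survivors is swept into a free
# list. Allocation tries the bump pointer first and pops the free list otherwise.
# Cells are modelled as byte offsets into the block payload.


class MarkedBlock:
    def __init__(self, cell_size, payload_size):
        self.cell_size = cell_size
        self.cell_count = payload_size // cell_size
        self.marked = [False] * self.cell_count   # one mark bit per cell
        self.has_any_marked = False               # per-block summary bit
        self.cells_visited_by_sweep = 0           # instrumentation only
        self.bump_next = 0                        # next cell index to bump to
        self.bump_remaining = 0                   # cells left in the bump arena
        self.free_list = []                       # offsets of swept dead cells

    def clear_marks(self):
        self.marked = [False] * self.cell_count
        self.has_any_marked = False

    def set_marked(self, offset):
        self.marked[offset // self.cell_size] = True
        self.has_any_marked = True

    def sweep(self):
        """Make the block allocatable again after a collection."""
        self.cells_visited_by_sweep = 0
        self.free_list = []
        if not self.has_any_marked:
            # Every cell is dead: skip the walk and hand out cells by bumping.
            self.bump_next = 0
            self.bump_remaining = self.cell_count
            return
        # Survivors present: walk every cell and link the dead ones.
        self.bump_remaining = 0
        for index in range(self.cell_count):
            self.cells_visited_by_sweep += 1
            if not self.marked[index]:
                self.free_list.append(index * self.cell_size)

    def allocate(self):
        """Return a cell offset, or None when the block is full."""
        if self.bump_remaining:
            offset = self.bump_next * self.cell_size
            self.bump_next += 1
            self.bump_remaining -= 1
            return offset
        if self.free_list:
            return self.free_list.pop()
        return None   # the real allocator would move on to the next block


def fill(block):
    """Allocate until the block is exhausted; returns the offsets handed out."""
    offsets = []
    while True:
        offset = block.allocate()
        if offset is None:
            return offsets
        offsets.append(offset)


if __name__ == "__main__":
    block = MarkedBlock(cell_size=64, payload_size=1024)
    block.sweep()
    print("empty block: visited", block.cells_visited_by_sweep, "cells, handed out", len(fill(block)))
    block.clear_marks()
    block.set_marked(192)
    block.sweep()
    print("one survivor: visited", block.cells_visited_by_sweep, "cells, handed out", len(fill(block)))
```

        Filling a wholly dead block by bumping hands out every cell in address order, exactly what
        a free list built by walking the block would have produced, but the sweep touched no cells.
        Only the block with survivors pays for the walk, which is the O(live) rather than
        O(live + dead) pause the entry argues for.
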
2731         All of this put together gives us neutral perf on JetStream, Speedometer, and PLT3. SunSpider
2732         sometimes gets penalized depending on how you run it. By comparison, the alternative approach
2733         of using a copy barrier would have cost us 1-2%. That's the real apples-to-apples comparison
2734         if your premise is that we should have a concurrent GC. After we finish removing copied
2735         space, we will be barrier-ready for concurrent GC: we already have a marking barrier and we
2736         simply won't need a copying barrier. This change gets us there for the purposes of our
2737         benchmarks, since the remaining clients of copied space are not very important. On the other
2738         hand, if we keep copying, then getting barrier-ready would mean adding back the copy barrier,
2739         which costs more perf.
2740         
2741         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2742         typed arrays and a few other weird things over to Aux MarkedSpace.
2743         
2744         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2745         and CellContainer meant that I had to include those files from everywhere. Fortunately,
        just including JSCInlines.h (instead of manually including the files that it includes) is
2747         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2748         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2749         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2750         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2751         meant having to manually include HeapInlines.h from the places that previously got it
2752         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2753         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2754         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2755         made it impossible to include it from outside JSC. This was a lot of work, but it was
2756         necessary to get the patch to build on all ports. It's also a net win. There were many places
2757         in WebCore that were transitively including a *ton* of JSC headers just because of the
2758         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2759         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2760
2761         * API/JSTypedArray.cpp:
2762         * API/ObjCCallbackFunction.mm:
2763         * CMakeLists.txt:
2764         * JavaScriptCore.xcodeproj/project.pbxproj:
2765         * Scripts/builtins/builtins_generate_combined_implementation.py:
2766         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2767         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2768         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2769         * Scripts/builtins/builtins_generate_separate_implementation.py:
2770         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2771         * assembler/AbstractMacroAssembler.h:
2772         (JSC::AbstractMacroAssembler::JumpList::JumpList):
2773         (JSC::AbstractMacroAssembler::JumpList::link):
2774         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2775         (JSC::AbstractMacroAssembler::JumpList::append):
2776         * assembler/MacroAssemblerARM64.h:
2777         (JSC::MacroAssemblerARM64::add32):
2778         * b3/B3BasicBlock.cpp:
2779         (JSC::B3::BasicBlock::appendIntConstant):
2780         (JSC::B3::BasicBlock::appendBoolConstant):
2781         (JSC::B3::BasicBlock::clearSuccessors):
2782         * b3/B3BasicBlock.h:
2783         * b3/B3DuplicateTails.cpp:
2784         * b3/B3StackmapGenerationParams.h:
2785         * b3/testb3.cpp:
2786         (JSC::B3::testBranchBitAndImmFusion):
2787         (JSC::B3::testPatchpointTerminalReturnValue):
2788         (JSC::B3::zero):
2789         (JSC::B3::run):
2790         * bindings/ScriptValue.cpp:
2791         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2792         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2793         * bytecode/ObjectAllocationProfile.h:
2794         (JSC::ObjectAllocationProfile::initialize):
2795         * bytecode/PolymorphicAccess.cpp:
2796         (JSC::AccessCase::generateImpl):
2797         * bytecode/StructureStubInfo.cpp:
2798         * dfg/DFGOperations.cpp:
2799         * dfg/DFGSpeculativeJIT.cpp:
2800         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2801         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2802         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2803         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2804         * dfg/DFGSpeculativeJIT.h:
2805         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2806         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2807         * dfg/DFGSpeculativeJIT32_64.cpp:
2808         (JSC::DFG::SpeculativeJIT::compile):
2809         * dfg/DFGSpeculativeJIT64.cpp:
2810         (JSC::DFG::SpeculativeJIT::compile):
2811         * dfg/DFGStrengthReductionPhase.cpp:
2812         (JSC::DFG::StrengthReductionPhase::handleNode):
2813         * ftl/FTLAbstractHeapRepository.h:
2814         * ftl/FTLCompile.cpp:
2815         * ftl/FTLJITFinalizer.cpp:
2816         * ftl/FTLLowerDFGToB3.cpp:
2817         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2818         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2819         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2820         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2821         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2822         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2823         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2824         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2825         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2826         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2827         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2828         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2829         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2830         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2831         * ftl/FTLOutput.cpp:
2832         (JSC::FTL::Output::constBool):
2833         (JSC::FTL::Output::constInt32):
2834         (JSC::FTL::Output::add):
2835         (JSC::FTL::Output::shl):
2836         (JSC::FTL::Output::aShr):
2837         (JSC::FTL::Output::lShr):
2838         (JSC::FTL::Output::zeroExt):
2839         (JSC::FTL::Output::equal):
2840         (JSC::FTL::Output::notEqual):
2841         (JSC::FTL::Output::above):
2842         (JSC::FTL::Output::aboveOrEqual):
2843         (JSC::FTL::Output::below):
2844         (JSC::FTL::Output::belowOrEqual):
2845         (JSC::FTL::Output::greaterThan):
2846         (JSC::FTL::Output::greaterThanOrEqual):
2847         (JSC::FTL::Output::lessThan):
2848         (JSC::FTL::Output::lessThanOrEqual):
2849         (JSC::FTL::Output::select):
2850         (JSC::FTL::Output::unreachable):
2851         (JSC::FTL::Output::appendSuccessor):
2852         (JSC::FTL::Output::speculate):
2853         (JSC::FTL::Output::addIncomingToPhi):
2854         * ftl/FTLOutput.h:
2855         * ftl/FTLValueFromBlock.h:
2856         (JSC::FTL::ValueFromBlock::ValueFromBlock):
2857         (JSC::FTL::ValueFromBlock::operator bool):
2858         (JSC::FTL::ValueFromBlock::value):
2859         (JSC::FTL::ValueFromBlock::block):
2860         * ftl/FTLWeightedTarget.h:
2861         (JSC::FTL::WeightedTarget::target):
2862         (JSC::FTL::WeightedTarget::weight):
2863         (JSC::FTL::WeightedTarget::frequentedBlock):
2864         * heap/CellContainer.h: Added.
2865         (JSC::CellContainer::CellContainer):
2866         (JSC::CellContainer::operator bool):
2867         (JSC::CellContainer::isMarkedBlock):
2868         (JSC::CellContainer::isLargeAllocation):
2869         (JSC::CellContainer::markedBlock):
2870         (JSC::CellContainer::largeAllocation):
2871         * heap/CellContainerInlines.h: Added.
2872         (JSC::CellContainer::isMarkedOrRetired):
2873         (JSC::CellContainer::isMarked):
2874         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2875         (JSC::CellContainer::setHasAnyMarked):
2876         (JSC::CellContainer::cellSize):
2877         (JSC::CellContainer::weakSet):
2878         * heap/ConservativeRoots.cpp:
2879         (JSC::ConservativeRoots::ConservativeRoots):
2880         (JSC::ConservativeRoots::~ConservativeRoots):
2881         (JSC::ConservativeRoots::grow):
2882         (JSC::ConservativeRoots::genericAddPointer):
2883         (JSC::ConservativeRoots::genericAddSpan):
2884         * heap/ConservativeRoots.h:
2885         (JSC::ConservativeRoots::size):
2886         (JSC::ConservativeRoots::roots):
2887         * heap/CopyToken.h:
2888         * heap/FreeList.cpp: Added.
2889         (JSC::FreeList::dump):
2890         * heap/FreeList.h: Added.
2891         (JSC::FreeList::FreeList):
2892         (JSC::FreeList::list):
2893         (JSC::FreeList::bump):
2894         (JSC::FreeList::operator==):
2895         (JSC::FreeList::operator!=):
2896         (JSC::FreeList::operator bool):
2897         * heap/Heap.cpp:
2898         (JSC::Heap::Heap):
2899         (JSC::Heap::finalizeUnconditionalFinalizers):
2900         (JSC::Heap::markRoots):
2901         (JSC::Heap::copyBackingStores):
2902         (JSC::Heap::gatherStackRoots):
2903         (JSC::Heap::gatherJSStackRoots):
2904         (JSC::Heap::gatherScratchBufferRoots):
2905         (JSC::Heap::clearLivenessData):
2906         (JSC::Heap::visitSmallStrings):
2907         (JSC::Heap::visitConservativeRoots):
2908         (JSC::Heap::removeDeadCompilerWorklistEntries):
2909         (JSC::Heap::gatherExtraHeapSnapshotData):
2910         (JSC::Heap::removeDeadHeapSnapshotNodes):
2911         (JSC::Heap::visitProtectedObjects):
2912         (JSC::Heap::visitArgumentBuffers):
2913         (JSC::Heap::visitException):
2914         (JSC::Heap::visitStrongHandles):
2915         (JSC::Heap::visitHandleStack):
2916         (JSC::Heap::visitSamplingProfiler):
2917         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2918         (JSC::Heap::converge):
2919         (JSC::Heap::visitWeakHandles):
2920         (JSC::Heap::updateObjectCounts):
2921         (JSC::Heap::clearUnmarkedExecutables):
2922         (JSC::Heap::deleteUnmarkedCompiledCode):
2923         (JSC::Heap::collectAllGarbage):
2924         (JSC::Heap::collect):
2925         (JSC::Heap::collectWithoutAnySweep):
2926         (JSC::Heap::collectImpl):
2927         (JSC::Heap::suspendCompilerThreads):
2928         (JSC::Heap::willStartCollection):
2929         (JSC::Heap::flushOldStructureIDTables):
2930         (JSC::Heap::flushWriteBarrierBuffer):
2931         (JSC::Heap::stopAllocation):
2932         (JSC::Heap::reapWeakHandles):
2933         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2934         (JSC::Heap::sweepArrayBuffers):
2935         (JSC::Heap::snapshotMarkedSpace):
2936         (JSC::Heap::deleteSourceProviderCaches):
2937         (JSC::Heap::notifyIncrementalSweeper):
2938         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2939         (JSC::Heap::resetAllocators):
2940         (JSC::Heap::updateAllocationLimits):
2941         (JSC::Heap::didFinishCollection):
2942         (JSC::Heap::resumeCompilerThreads):
2943         (JSC::Zombify::visit):
2944         * heap/Heap.h:
2945         (JSC::Heap::subspaceForObjectDestructor):
2946         (JSC::Heap::subspaceForAuxiliaryData):
2947         (JSC::Heap::allocatorForObjectWithoutDestructor):
2948         (JSC::Heap::allocatorForObjectWithDestructor):
2949         (JSC::Heap::allocatorForAuxiliaryData):
2950         (JSC::Heap::storageAllocator):
2951         * heap/HeapCell.h:
2952         (JSC::HeapCell::zap):
2953         (JSC::HeapCell::isZapped):
2954         * heap/HeapCellInlines.h: Added.
2955         (JSC::HeapCell::isLargeAllocation):
2956         (JSC::HeapCell::cellContainer):
2957         (JSC::HeapCell::markedBlock):
2958         (JSC::HeapCell::largeAllocation):
2959         (JSC::HeapCell::heap):
2960         (JSC::HeapCell::vm):
2961         (JSC::HeapCell::cellSize):
2962         (JSC::HeapCell::allocatorAttributes):
2963         (JSC::HeapCell::destructionMode):
2964         (JSC::HeapCell::cellKind):
2965         * heap/HeapInlines.h:
2966         (JSC::Heap::isCollecting):
2967         (JSC::Heap::heap):
2968         (JSC::Heap::isLive):
2969         (JSC::Heap::isMarked):
2970         (JSC::Heap::testAndSetMarked):
2971         (JSC::Heap::setMarked):
2972         (JSC::Heap::cellSize):
2973         (JSC::Heap::writeBarrier):
2974         (JSC::Heap::allocateWithoutDestructor):
2975         (JSC::Heap::allocateObjectOfType):
2976         (JSC::Heap::subspaceForObjectOfType):
2977         (JSC::Heap::allocatorForObjectOfType):
2978         (JSC::Heap::allocateAuxiliary):
2979         (JSC::Heap::tryAllocateAuxiliary):
2980         (JSC::Heap::tryReallocateAuxiliary):
2981         (JSC::Heap::tryAllocateStorage):
2982         (JSC::Heap::didFreeBlock):
2983         (JSC::Heap::isPointerGCObject): Deleted.
2984         (JSC::Heap::isValueGCObject): Deleted.
2985         * heap/HeapUtil.h: Added.
2986         (JSC::HeapUtil::findGCObjectPointersForMarking):
2987         (JSC::HeapUtil::isPointerGCObjectJSCell):
2988         (JSC::HeapUtil::isValueGCObject):
2989         * heap/LargeAllocation.cpp: Added.
2990         (JSC::LargeAllocation::tryCreate):
2991         (JSC::LargeAllocation::LargeAllocation):
2992         (JSC::LargeAllocation::lastChanceToFinalize):
2993         (JSC::LargeAllocation::shrink):
2994         (JSC::LargeAllocation::visitWeakSet):
2995         (JSC::LargeAllocation::reapWeakSet):
2996         (JSC::LargeAllocation::clearMarks):
2997         (JSC::LargeAllocation::clearMarksWithCollectionType):
2998         (JSC::LargeAllocation::isEmpty):
2999         (JSC::LargeAllocation::sweep):
3000         (JSC::LargeAllocation::destroy):
3001         (JSC::LargeAllocation::dump):
3002         * heap/LargeAllocation.h: Added.
3003         (JSC::LargeAllocation::fromCell):
3004         (JSC::LargeAllocation::cell):
3005         (JSC::LargeAllocation::isLargeAllocation):
3006         (JSC::LargeAllocation::heap):
3007         (JSC::LargeAllocation::vm):
3008         (JSC::LargeAllocation::weakSet):
3009         (JSC::LargeAllocation::clearNewlyAllocated):
3010         (JSC::LargeAllocation::isNewlyAllocated):
3011         (JSC::LargeAllocation::isMarked):
3012         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3013         (JSC::LargeAllocation::isLive):
3014         (JSC::LargeAllocation::hasValidCell):
3015         (JSC::LargeAllocation::cellSize):
3016         (JSC::LargeAllocation::aboveLowerBound):
3017         (JSC::LargeAllocation::belowUpperBound):
3018         (JSC::LargeAllocation::contains):
3019         (JSC::LargeAllocation::attributes):
3020         (JSC::LargeAllocation::testAndSetMarked):
3021         (JSC::LargeAllocation::setMarked):
3022         (JSC::LargeAllocation::clearMarked):
3023         (JSC::LargeAllocation::setHasAnyMarked):
3024         (JSC::LargeAllocation::headerSize):
3025         * heap/MarkedAllocator.cpp:
3026         (JSC::MarkedAllocator::MarkedAllocator):
3027         (JSC::isListPagedOut):
3028         (JSC::MarkedAllocator::isPagedOut):
3029         (JSC::MarkedAllocator::retire):
3030         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3031         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3032         (JSC::MarkedAllocator::allocateSlowCase):
3033         (JSC::MarkedAllocator::tryAllocateSlowCase):
3034         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3035         (JSC::blockHeaderSize):
3036         (JSC::MarkedAllocator::blockSizeForBytes):
3037         (JSC::MarkedAllocator::tryAllocateBlock):
3038         (JSC::MarkedAllocator::addBlock):
3039         (JSC::MarkedAllocator::removeBlock):
3040         (JSC::MarkedAllocator::reset):
3041         (JSC::MarkedAllocator::lastChanceToFinalize):
3042         (JSC::MarkedAllocator::setFreeList):
3043         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3044         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3045         (JSC::MarkedAllocator::tryAllocate): Deleted.
3046         (JSC::MarkedAllocator::allocateBlock): Deleted.
3047         * heap/MarkedAllocator.h:
3048         (JSC::MarkedAllocator::destruction):
3049         (JSC::MarkedAllocator::cellKind):
3050         (JSC::MarkedAllocator::heap):
3051         (JSC::MarkedAllocator::takeLastActiveBlock):
3052         (JSC::MarkedAllocator::offsetOfFreeList):
3053         (JSC::MarkedAllocator::offsetOfCellSize):
3054         (JSC::MarkedAllocator::tryAllocate):
3055         (JSC::MarkedAllocator::allocate):
3056         (JSC::MarkedAllocator::stopAllocating):
3057         (JSC::MarkedAllocator::resumeAllocating):
3058         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3059         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3060         (JSC::MarkedAllocator::init): Deleted.
3061         * heap/MarkedBlock.cpp:
3062         (JSC::MarkedBlock::tryCreate):
3063         (JSC::MarkedBlock::MarkedBlock):
3064         (JSC::MarkedBlock::specializedSweep):
3065         (JSC::MarkedBlock::sweep):
3066         (JSC::MarkedBlock::sweepHelperSelectResetMode):
3067         (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode):
3068         (JSC::MarkedBlock::stopAllocating):
3069         (JSC::MarkedBlock::clearMarksWithCollectionType):
3070         (JSC::MarkedBlock::lastChanceToFinalize):
3071         (JSC::MarkedBlock::resumeAllocating):
3072         (JSC::MarkedBlock::didRetireBlock):
3073         (JSC::MarkedBlock::forEachFreeCell):
3074         (JSC::MarkedBlock::create): Deleted.
3075         (JSC::MarkedBlock::callDestructor): Deleted.
3076         (JSC::MarkedBlock::sweepHelper): Deleted.
3077         * heap/MarkedBlock.h:
3078         (JSC::MarkedBlock::VoidFunctor::returnValue):
3079         (JSC::MarkedBlock::setHasAnyMarked):
3080         (JSC::MarkedBlock::hasAnyMarked):
3081         (JSC::MarkedBlock::clearHasAnyMarked):
3082         (JSC::MarkedBlock::firstAtom):
3083         (JSC::MarkedBlock::isAtomAligned):
3084         (JSC::MarkedBlock::cellAlign):
3085         (JSC::MarkedBlock::blockFor):
3086         (JSC::MarkedBlock::isEmpty):
3087         (JSC::MarkedBlock::cellSize):
3088         (JSC::MarkedBlock::isMarkedOrRetired):
3089         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
3090         * heap/MarkedSpace.cpp:
3091         (JSC::MarkedSpace::initializeSizeClassForStepSize):
3092         (JSC::MarkedSpace::MarkedSpace):
3093         (JSC::MarkedSpace::lastChanceToFinalize):
3094         (JSC::MarkedSpace::allocateLarge):
3095         (JSC::MarkedSpace::tryAllocateLarge):
3096         (JSC::MarkedSpace::sweep):
3097         (JSC::MarkedSpace::sweepABit):
3098         (JSC::MarkedSpace::sweepLargeAllocations):
3099         (JSC::MarkedSpace::zombifySweep):
3100         (JSC::MarkedSpace::resetAllocators):
3101         (JSC::MarkedSpace::visitWeakSets):
3102         (JSC::MarkedSpace::reapWeakSets):
3103         (JSC::MarkedSpace::stopAllocating):
3104         (JSC::MarkedSpace::resumeAllocating):
3105         (JSC::MarkedSpace::isPagedOut):
3106         (JSC::MarkedSpace::shrink):
3107         (JSC::MarkedSpace::clearNewlyAllocated):
3108         (JSC::MarkedSpace::clearMarks):
3109         (JSC::MarkedSpace::didFinishIterating):
3110         (JSC::MarkedSpace::objectCount):
3111         (JSC::MarkedSpace::size):
3112         (JSC::MarkedSpace::capacity):
3113         (JSC::MarkedSpace::forEachAllocator): Deleted.
3114         * heap/MarkedSpace.h:
3115         (JSC::MarkedSpace::sizeClassIndex):
3116         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
3117         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
3118         (JSC::MarkedSpace::subspaceForAuxiliaryData):
3119         (JSC::MarkedSpace::blocksWithNewObjects):
3120         (JSC::MarkedSpace::largeAllocations):
3121         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3122         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3123         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3124         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3125         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3126         (JSC::MarkedSpace::forEachLiveCell):
3127         (JSC::MarkedSpace::forEachDeadCell):
3128         (JSC::MarkedSpace::allocatorFor):
3129         (JSC::MarkedSpace::destructorAllocatorFor):
3130         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3131         (JSC::MarkedSpace::allocate):
3132         (JSC::MarkedSpace::tryAllocate):
3133         (JSC::MarkedSpace::allocateWithoutDestructor):
3134         (JSC::MarkedSpace::allocateWithDestructor):
3135         (JSC::MarkedSpace::allocateAuxiliary):
3136         (JSC::MarkedSpace::tryAllocateAuxiliary):
3137         (JSC::MarkedSpace::forEachBlock):
3138         (JSC::MarkedSpace::didAllocateInBlock):
3139         (JSC::MarkedSpace::forEachAllocator):
3140         (JSC::MarkedSpace::forEachSubspace):
3141         (JSC::MarkedSpace::optimalSizeFor):
3142         (JSC::MarkedSpace::objectCount): Deleted.
3143         (JSC::MarkedSpace::size): Deleted.
3144         (JSC::MarkedSpace::capacity): Deleted.
3145         * heap/SlotVisitor.cpp:
3146         (JSC::SlotVisitor::didStartMarking):
3147         (JSC::SlotVisitor::reset):
3148         (JSC::SlotVisitor::clearMarkStack):
3149         (JSC::SlotVisitor::append):
3150         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3151         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3152         (JSC::SlotVisitor::appendToMarkStack):
3153         (JSC::SlotVisitor::markAuxiliary):
3154         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3155         (JSC::SetCurrentCellScope::SetCurrentCellScope):
3156         (JSC::SlotVisitor::visitChildren):
3157         * heap/SlotVisitor.h:
3158         * heap/WeakBlock.cpp:
3159         (JSC::WeakBlock::create):
3160         (JSC::WeakBlock::destroy):
3161         (JSC::WeakBlock::WeakBlock):
3162         (JSC::WeakBlock::visit):
3163         (JSC::WeakBlock::reap):
3164         * heap/WeakBlock.h:
3165         (JSC::WeakBlock::disconnectContainer):
3166         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3167         * heap/WeakSet.cpp:
3168         (JSC::WeakSet::sweep):
3169         (JSC::WeakSet::addAllocator):
3170         * heap/WeakSet.h:
3171         (JSC::WeakSet::WeakSet):
3172         * heap/WeakSetInlines.h:
3173         (JSC::WeakSet::allocate):
3174         * inspector/InjectedScriptManager.cpp:
3175         * inspector/JSGlobalObjectInspectorController.cpp:
3176         * inspector/JSJavaScriptCallFrame.cpp:
3177         * inspector/ScriptDebugServer.cpp:
3178         * inspector/agents/InspectorDebuggerAgent.cpp:
3179         * interpreter/CachedCall.h:
3180         (JSC::CachedCall::CachedCall):
3181         * jit/AssemblyHelpers.h:
3182         (JSC::AssemblyHelpers::emitAllocate):
3183         (JSC::AssemblyHelpers::emitAllocateJSCell):
3184         (JSC::AssemblyHelpers::emitAllocateJSObject):
3185         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3186         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3187         * jit/JITOpcodes.cpp:
3188         (JSC::JIT::emit_op_new_object):
3189         (JSC::JIT::emit_op_create_this):
3190         * jit/JITOpcodes32_64.cpp:
3191         (JSC::JIT::emit_op_new_object):
3192         (JSC::JIT::emit_op_create_this):
3193         * jit/JITOperations.cpp:
3194         * jit/JITOperations.h:
3195         * jit/JITPropertyAccess.cpp:
3196         (JSC::JIT::emitWriteBarrier):
3197         * jsc.cpp:
3198         (functionDescribeArray):
3199         * llint/LLIntData.cpp:
3200         (JSC::LLInt::Data::performAssertions):
3201         * llint/LowLevelInterpreter.asm:
3202         * llint/LowLevelInterpreter32_64.asm:
3203         * llint/LowLevelInterpreter64.asm:
3204         * parser/ModuleAnalyzer.cpp:
3205         * runtime/ArrayConventions.h:
3206         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3207         (JSC::indexingHeaderForArrayStorage):
3208         (JSC::baseIndexingHeaderForArrayStorage):
3209         (JSC::indexingHeaderForArray): Deleted.
3210         (JSC::baseIndexingHeaderForArray): Deleted.
3211         * runtime/ArrayStorage.h:
3212         (JSC::ArrayStorage::length):
3213         (JSC::ArrayStorage::setLength):
3214         (JSC::ArrayStorage::vectorLength):
3215         (JSC::ArrayStorage::setVectorLength):
3216         (JSC::ArrayStorage::copyHeaderFromDuringGC):
3217         (JSC::ArrayStorage::sizeFor):
3218         (JSC::ArrayStorage::totalSizeFor):
3219         (JSC::ArrayStorage::totalSize):
3220         (JSC::ArrayStorage::availableVectorLength):
3221         (JSC::ArrayStorage::optimalVectorLength):
3222         * runtime/AuxiliaryBarrier.h: Added.
3223         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3224         (JSC::AuxiliaryBarrier::clear):
3225         (JSC::AuxiliaryBarrier::get):
3226         (JSC::AuxiliaryBarrier::slot):
3227         (JSC::AuxiliaryBarrier::operator bool):
3228         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3229         * runtime/AuxiliaryBarrierInlines.h: Added.
3230         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3231         (JSC::AuxiliaryBarrier<T>::set):
3232         * runtime/Butterfly.h:
3233         (JSC::Butterfly::fromBase):
3234         (JSC::Butterfly::fromPointer):
3235         * runtime/ButterflyInlines.h:
3236         (JSC::Butterfly::availableContiguousVectorLength):
3237         (JSC::Butterfly::optimalContiguousVectorLength):
3238         (JSC::Butterfly::createUninitialized):
3239         (JSC::Butterfly::growArrayRight):
3240         * runtime/ClonedArguments.cpp:
3241         (JSC::ClonedArguments::createEmpty):
3242         * runtime/DataView.cpp:
3243         * runtime/DirectArguments.h:
3244         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3245         * runtime/GeneratorFrame.cpp:
3246         * runtime/GeneratorPrototype.cpp:
3247         * runtime/IntlCollator.cpp:
3248         * runtime/IntlCollatorConstructor.cpp:
3249         * runtime/IntlCollatorPrototype.cpp:
3250         * runtime/IntlDateTimeFormat.cpp:
3251         * runtime/IntlDateTimeFormatConstructor.cpp:
3252         * runtime/IntlDateTimeFormatPrototype.cpp:
3253         * runtime/IntlNumberFormat.cpp:
3254         * runtime/IntlNumberFormatConstructor.cpp:
3255         * runtime/IntlNumberFormatPrototype.cpp:
3256         * runtime/JSArray.cpp:
3257         (JSC::createArrayButterflyInDictionaryIndexingMode):
3258         (JSC::JSArray::tryCreateUninitialized):
3259         (JSC::JSArray::setLengthWritable):
3260         (JSC::JSArray::unshiftCountSlowCase):
3261         (JSC::JSArray::setLengthWithArrayStorage):
3262         (JSC::JSArray::appendMemcpy):
3263         (JSC::JSArray::setLength):
3264         (JSC::JSArray::pop):
3265         (JSC::JSArray::push):
3266         (JSC::JSArray::fastSlice):
3267         (JSC::JSArray::shiftCountWithArrayStorage):
3268         (JSC::JSArray::shiftCountWithAnyIndexingType):
3269         (JSC::JSArray::unshiftCountWithArrayStorage):
3270         (JSC::JSArray::fillArgList):
3271         (JSC::JSArray::copyToArguments):
3272         * runtime/JSArray.h:
3273         (JSC::createContiguousArrayButterfly):
3274         (JSC::createArrayButterfly):
3275         (JSC::JSArray::create):
3276         (JSC::JSArray::tryCreateUninitialized): Deleted.
3277         * runtime/JSArrayBufferView.h:
3278         * runtime/JSCInlines.h:
3279         * runtime/JSCJSValue.cpp:
3280         * runtime/JSCallee.cpp:
3281         * runtime/JSCell.cpp:
3282         (JSC::JSCell::estimatedSize):
3283         (JSC::JSCell::copyBackingStore):
3284         * runtime/JSCell.h:
3285         (JSC::JSCell::cellStateOffset):
3286         * runtime/JSCellInlines.h:
3287         (JSC::JSCell::visitChildren):
3288         (JSC::ExecState::vm):
3289         (JSC::JSCell::canUseFastGetOwnProperty):
3290         (JSC::JSCell::classInfo):
3291         (JSC::JSCell::toBoolean):
3292         (JSC::JSCell::pureToBoolean):
3293         (JSC::JSCell::callDestructor):
3294         (JSC::JSCell::vm): Deleted.
3295         * runtime/JSFunction.cpp:
3296         (JSC::JSFunction::create):
3297         (JSC::JSFunction::allocateAndInitializeRareData):
3298         (JSC::JSFunction::initializeRareData):
3299         (JSC::JSFunction::getOwnPropertySlot):
3300         (JSC::JSFunction::put):
3301         (JSC::JSFunction::deleteProperty):
3302         (JSC::JSFunction::defineOwnProperty):
3303         (JSC::JSFunction::setFunctionName):
3304         (JSC::JSFunction::reifyLength):
3305         (JSC::JSFunction::reifyName):
3306         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3307         (JSC::JSFunction::reifyBoundNameIfNeeded):
3308         * runtime/JSFunction.h:
3309         * runtime/JSFunctionInlines.h:
3310         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3311         (JSC::JSFunction::JSFunction):
3312         * runtime/JSGenericTypedArrayViewInlines.h:
3313         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3314         * runtime/JSInternalPromise.cpp:
3315         * runtime/JSInternalPromiseConstructor.cpp:
3316         * runtime/JSInternalPromiseDeferred.cpp:
3317         * runtime/JSInternalPromisePrototype.cpp:
3318         * runtime/JSJob.cpp: