[JSC] Make ArithClz32 work with Cell arguments
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-09-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Make ArithClz32 work with Cell arguments
        https://bugs.webkit.org/show_bug.cgi?id=161369

        Reviewed by Geoffrey Garen.

        ArithClz32 was already working with all primitive types
        thanks to the magic of ValueToInt32.
        This patch adds support for cell arguments through a function
        call.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithClz32):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):

2016-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: change to use old header guard to appease Win EWS.

        Not reviewed.

        * runtime/AuxiliaryBarrier.h:

2016-09-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r205494.
        https://bugs.webkit.org/show_bug.cgi?id=161646

        This change broke the Windows build (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "Typed arrays should use MarkedSpace instead of CopiedSpace"
        https://bugs.webkit.org/show_bug.cgi?id=161100
        http://trac.webkit.org/changeset/205494

2016-09-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r205504.
        https://bugs.webkit.org/show_bug.cgi?id=161645

        Broke the iOS device build (Requested by ryanhaddad on
        #webkit).

        Reverted changeset:

        "Make JSMap and JSSet faster"
        https://bugs.webkit.org/show_bug.cgi?id=160989
        http://trac.webkit.org/changeset/205504

2016-09-06  Saam Barati  <sbarati@apple.com>

        Make JSMap and JSSet faster
        https://bugs.webkit.org/show_bug.cgi?id=160989

        Reviewed by Filip Pizlo.

        This patch revamps how we implement Map and Set. It uses
        a new hash map implementation. The hash map uses linear
        probing and it uses Wang's 64 bit hash function for JSValues
        that aren't strings. Strings use StringImpl's hash function.
        The reason I wanted to roll our own HashTable is twofold:
        I didn't want to inline WTF::HashMap's implementation into our
        JIT, since that seems error prone and unmaintainable. Also, I wanted
        a different structure for hash map buckets where buckets also exist in
        a linked list.

        The reason for making buckets part of a linked list is that iteration
        is now simple. Iteration works by just traversing a linked list.
        This design also allows for a simple implementation when doing iteration
        while the hash table is mutating. Whenever we remove a bucket from
        the hash table, it is removed from the list, meaning items in the
        list don't point to it. However, the removed bucket will still point
        to things that are either in the list, or have also been removed.
        E.g., from a removed bucket, you can always follow pointers until you
        either find an item in the list, or you find the tail of the list.
        This is a really nice property because it means that a Map or Set
        does not need to reason about all the iterators that point
        into its list. Also, whenever we add items to the Map or Set, we
        hijack the tail as the new item, and make the new item point to a newly
        created tail. This means that any iterator that pointed to the "tail" now
        points to non-tail items. This makes the implementation of adding things
        to the Map/Set while iterating easy.

        I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
        into intrinsics in the DFG. The IR can now reason about hash map
        operations and can even do CSE over Wang's hash function, hash map
        bucket lookups, hash map bucket loads, and testing if a key is in
        the hash table. This makes code patterns for Map like so super fast
        in the FTL, since we will only be doing a single hash and hash bucket lookup:

        ```
        function getKeyIfPresent(map, key) {
            if (map.has(key))
                return map.get(key);
        }
        ```

        This patch is roughly an 8% speedup on ES6SampleBench.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMapObject):
        (JSC::DFG::SpeculativeJIT::speculateSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::wangsInt64Hash):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
        * jit/JITOperations.h:
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::ModuleAnalyzer):
        * runtime/HashMapImpl.cpp: Added.
        (JSC::HashMapBucket<Data>::visitChildren):
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
        * runtime/HashMapImpl.h: Added.
        (JSC::HashMapBucket::selectStructure):
        (JSC::HashMapBucket::createStructure):
        (JSC::HashMapBucket::create):
        (JSC::HashMapBucket::HashMapBucket):
        (JSC::HashMapBucket::setNext):
        (JSC::HashMapBucket::setPrev):
        (JSC::HashMapBucket::setKey):
        (JSC::HashMapBucket::setValue):
        (JSC::HashMapBucket::key):
        (JSC::HashMapBucket::value):
        (JSC::HashMapBucket::next):
        (JSC::HashMapBucket::prev):
        (JSC::HashMapBucket::deleted):
        (JSC::HashMapBucket::setDeleted):
        (JSC::HashMapBucket::offsetOfKey):
        (JSC::HashMapBucket::offsetOfValue):
        (JSC::HashMapBuffer::allocationSize):
        (JSC::HashMapBuffer::buffer):
        (JSC::HashMapBuffer::create):
        (JSC::areKeysEqual):
        (JSC::normalizeMapKey):
        (JSC::jsMapHash):
        (JSC::HashMapImpl::selectStructure):
        (JSC::HashMapImpl::createStructure):
        (JSC::HashMapImpl::create):
        (JSC::HashMapImpl::HashMapImpl):
        (JSC::HashMapImpl::buffer):
        (JSC::HashMapImpl::finishCreation):
        (JSC::HashMapImpl::emptyValue):
        (JSC::HashMapImpl::isEmpty):
        (JSC::HashMapImpl::deletedValue):
        (JSC::HashMapImpl::isDeleted):
        (JSC::HashMapImpl::findBucket):
        (JSC::HashMapImpl::get):
        (JSC::HashMapImpl::has):
        (JSC::HashMapImpl::add):
        (JSC::HashMapImpl::remove):
        (JSC::HashMapImpl::size):
        (JSC::HashMapImpl::clear):
        (JSC::HashMapImpl::bufferSizeInBytes):
        (JSC::HashMapImpl::offsetOfBuffer):
        (JSC::HashMapImpl::offsetOfCapacity):
        (JSC::HashMapImpl::head):
        (JSC::HashMapImpl::tail):
        (JSC::HashMapImpl::approximateSize):
        (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
        (JSC::HashMapImpl::rehash):
        (JSC::HashMapImpl::makeAndSetNewBuffer):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::sameValue):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy): Deleted.
        (JSC::JSMap::estimatedSize): Deleted.
        (JSC::JSMap::visitChildren): Deleted.
        (JSC::JSMap::copyBackingStore): Deleted.
        (JSC::JSMap::has): Deleted.
        (JSC::JSMap::size): Deleted.
        (JSC::JSMap::get): Deleted.
        (JSC::JSMap::set): Deleted.
        (JSC::JSMap::clear): Deleted.
        (JSC::JSMap::remove): Deleted.
        * runtime/JSMap.h:
        (JSC::JSMap::createStructure):
        (JSC::JSMap::create):
        (JSC::JSMap::get):
        (JSC::JSMap::set):
        (JSC::JSMap::JSMap):
        (JSC::JSMap::Entry::key): Deleted.
        (JSC::JSMap::Entry::value): Deleted.
        (JSC::JSMap::Entry::visitChildren): Deleted.
        (JSC::JSMap::Entry::setKey): Deleted.
        (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
        (JSC::JSMap::Entry::setValue): Deleted.
        (JSC::JSMap::Entry::clear): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::finishCreation):
        (JSC::JSMapIterator::visitChildren):
        (JSC::JSMapIterator::clone):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::advanceIter):
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::JSMapIterator):
        (JSC::JSMapIterator::setIterator):
        (JSC::JSMapIterator::finish): Deleted.
        (JSC::JSMapIterator::iteratorData): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        * runtime/JSModuleLoader.h:
        (JSC::JSModuleLoader::create):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::finishCreation):
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::create):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy): Deleted.
        (JSC::JSSet::estimatedSize): Deleted.
        (JSC::JSSet::visitChildren): Deleted.
        (JSC::JSSet::copyBackingStore): Deleted.
        (JSC::JSSet::has): Deleted.
        (JSC::JSSet::size): Deleted.
        (JSC::JSSet::add): Deleted.
        (JSC::JSSet::clear): Deleted.
        (JSC::JSSet::remove): Deleted.
        * runtime/JSSet.h:
        (JSC::JSSet::createStructure):
        (JSC::JSSet::create):
        (JSC::JSSet::add):
        (JSC::JSSet::JSSet):
        (JSC::JSSet::Entry::key): Deleted.
        (JSC::JSSet::Entry::value): Deleted.
        (JSC::JSSet::Entry::visitChildren): Deleted.
        (JSC::JSSet::Entry::setKey): Deleted.
        (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
        (JSC::JSSet::Entry::setValue): Deleted.
        (JSC::JSSet::Entry::clear): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::finishCreation):
        (JSC::JSSetIterator::visitChildren):
        (JSC::JSSetIterator::clone):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::advanceIter):
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::JSSetIterator):
        (JSC::JSSetIterator::setIterator):
        (JSC::JSSetIterator::finish): Deleted.
        (JSC::JSSetIterator::iteratorData): Deleted.
        * runtime/JSType.h:
        * runtime/MapBase.cpp: Added.
        (JSC::MapBase<HashMapBucketType>::visitChildren):
        (JSC::MapBase<HashMapBucketType>::estimatedSize):
        * runtime/MapBase.h: Added.
        (JSC::MapBase::size):
        (JSC::MapBase::has):
        (JSC::MapBase::clear):
        (JSC::MapBase::remove):
        (JSC::MapBase::findBucket):
        (JSC::MapBase::offsetOfHashMapImpl):
        (JSC::MapBase::impl):
        (JSC::MapBase::finishCreation):
        (JSC::MapBase::MapBase):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        (JSC::privateFuncIsMap):
        (JSC::privateFuncMapIteratorNext):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue): Deleted.
        * runtime/PropertyDescriptor.h:
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        (JSC::privateFuncSetIteratorNext):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

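The bucket-as-list-node design that the entry above describes, as an added example written for this page rather than code from WebKit or from the patch itself: a linear-probing table keyed by 64-bit integers whose buckets are also nodes of a doubly linked list, with a remove() that unlinks a bucket but leaves its own next pointer intact, and an add() that hijacks the tail sentinel. The class and function names (LinkedHashMap, iterateWhileMutating), the tombstone bookkeeping and the hash constants are this example's assumptions; string keys and the DFG intrinsics are out of scope.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Thomas Wang's 64-bit integer mix for non-string keys (constants assumed, not JSC's code).
inline uint64_t wangsInt64Hash(uint64_t key)
{
    key += ~(key << 32); key ^= (key >> 22); key += ~(key << 13); key ^= (key >> 8);
    key += (key << 3);   key ^= (key >> 15); key += ~(key << 27); key ^= (key >> 31);
    return key;
}

// A bucket is a probe-table entry and a node of a doubly linked list at once. remove() unlinks
// it but leaves its own next pointer alone, so whoever still holds it can follow next until it
// reaches a live bucket or the tail sentinel (the only bucket whose next is nullptr).
struct Bucket {
    int64_t key = 0, value = 0;
    bool deleted = false;
    Bucket *prev = nullptr, *next = nullptr;
};

class LinkedHashMap {
public:
    LinkedHashMap() : head_(newBucket()), tail_(newBucket()), table_(8, nullptr) { head_->next = tail_; tail_->prev = head_; }
    Bucket* find(int64_t key) const
    {
        size_t mask = table_.size() - 1;
        for (size_t i = wangsInt64Hash(key) & mask;; i = (i + 1) & mask) {
            Bucket* b = table_[i];
            if (!b) return nullptr;                       // empty slot: key is absent
            if (!b->deleted && b->key == key) return b;   // a deleted bucket is a tombstone
        }
    }
    void add(int64_t key, int64_t value)
    {
        if (Bucket* b = find(key)) { b->value = value; return; }
        // Hijack the tail: the old tail becomes the item and a fresh tail is appended,
        // so an iterator parked on the old tail now stands on a real item.
        Bucket* b = tail_;
        b->key = key;
        b->value = value;
        tail_ = newBucket();
        tail_->prev = b;
        b->next = tail_;
        occupied_ += insertIntoTable(b);
        ++size_;
        if (occupied_ * 2 > table_.size()) rehash();      // tombstones count, so probes always end
    }
    bool remove(int64_t key)
    {
        Bucket* b = find(key);
        if (!b) return false;
        b->deleted = true;                                // its table slot becomes a tombstone
        b->prev->next = b->next;                          // unlink from the list, but leave
        b->next->prev = b->prev;                          // b->next pointing into it
        --size_;
        return true;
    }
    size_t size() const { return size_; }
    // Stands on the next candidate bucket; once exhausted it parks on the tail.
    struct Iterator {
        Bucket* cur;
        Bucket* next()
        {
            while (cur->deleted) cur = cur->next;         // removed buckets forward us into the list
            if (!cur->next) return nullptr;               // the tail; a later add() turns it into an item
            return std::exchange(cur, cur->next);         // yield cur, then step to its successor
        }
    };
    Iterator begin() const { return Iterator { head_->next }; }

private:
    Bucket* newBucket()                                   // never freed: like a GC'd bucket, a removed
    {                                                     // one stays alive while an iterator holds it
        arena_.push_back(std::make_unique<Bucket>());
        return arena_.back().get();
    }
    bool insertIntoTable(Bucket* b)                       // true if it consumed an empty slot
    {
        size_t mask = table_.size() - 1, i = wangsInt64Hash(b->key) & mask;
        while (table_[i] && !table_[i]->deleted) i = (i + 1) & mask;
        bool fresh = !table_[i];
        table_[i] = b;
        return fresh;
    }
    void rehash()
    {
        table_.assign(table_.size() * 2, nullptr);
        for (Bucket* b = head_->next; b->next; b = b->next) insertIntoTable(b);   // live buckets only
        occupied_ = size_;
    }
    std::vector<std::unique_ptr<Bucket>> arena_;
    Bucket *head_, *tail_;
    std::vector<Bucket*> table_;
    size_t size_ = 0, occupied_ = 0;
};

// Mutate the map underneath a live iterator and report the keys it yields.
inline std::vector<int64_t> iterateWhileMutating()
{
    LinkedHashMap map;
    for (int64_t k = 1; k <= 5; ++k) map.add(k, k * 10);
    std::vector<int64_t> seen;
    LinkedHashMap::Iterator it = map.begin();
    seen.push_back(it.next()->key);                       // 1; the iterator now stands on bucket 2
    map.remove(2);                                        // remove the iterator's candidate...
    map.remove(3);                                        // ...and the bucket it forwards to
    while (Bucket* b = it.next()) seen.push_back(b->key); // 4, 5; then parked on the tail
    map.add(6, 60);                                       // hijacks that tail
    while (Bucket* b = it.next()) seen.push_back(b->key); // 6
    return seen;                                          // {1, 4, 5, 6}
}
```

iterateWhileMutating() shows both properties the entry relies on: the iterator steps over two buckets removed underneath it by following their still-valid next pointers, and after it has reached the tail an add() turns that very tail into the item it yields next. The occupied_ counter (live buckets plus tombstones) is the one thing the entry does not spell out; without it a table could fill with tombstones and find() would never hit an empty slot.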
2016-09-06  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should use MarkedSpace instead of CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=161100

        Reviewed by Geoffrey Garen.

        This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.

        This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
        everything that typed arrays want.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::splatWords):
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
        * heap/CopyToken.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::markAuxiliary):
        * jit/JITOperations.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayBufferView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.

2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>

        Silence GCC warning spam introduced in r205462

        Rubber-stamped by Filip Pizlo.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Heap::isMarked() should use concurrent lazy flipping
        https://bugs.webkit.org/show_bug.cgi?id=161613

        Reviewed by Michael Catanzaro.

        I found out about this race condition via
        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
        phase. So, they need to lazy-flip in a non-racy way.

        * heap/HeapInlines.h:
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, reset generator test results after the butterflies.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * bytecode/SuperSampler.cpp:

455 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
456
457         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
458         https://bugs.webkit.org/show_bug.cgi?id=160125
459
460         Reviewed by Geoffrey Garen and Keith Miller.
461
462         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
463         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
464         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
465         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
466         to get rid of copied space. This change moves copied space's biggest client over to marked
467         space.
468         
469         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
470         allocation path. This is a fairly mechanical change, but it caused performance regressions
471         everywhere, so this change also fixes MarkedSpace's performance issues.
472         
473         At a high level the mechanical changes are:
474         
475         - We use AuxiliaryBarrier instead of CopyBarrier.
476         
477         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
478           CheckedBoolean stuff, since it's so much more trouble than it's worth.
479         
480         - The JITs have to emit inlined marked space allocations instead of inline copy space
481           allocations.
482         
483         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
484           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
485           space doesn't.
486         
487         That's about 1/3 of this change. But this led to performance problems, which I fixed with
488         optimizations that amounted to a major MarkedSpace rewrite:
489         
490         - MarkedSpace always causes internal fragmentation for array allocations because the vector
491           length we choose when we resize usually leads to a cell size that doesn't correspond to any
492           size class. I got around this by making array allocations usually round up vectorLength to
493           the maximum allowed by the size class that we would have allocated in. Also,
494           ensureLengthSlow() and friends first make sure that the requested length can't just be
495           fulfilled with the current allocation size. This safeguard means that not every array
496           allocation has to do size class queries. For example, the fast path of new Array(length)
497           never does any size class queries, under the assumption that (1) the speed gained from
498           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
499           size class query, is too small to offset the speed lost by doing the query on every
500           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
501           likely.
502         
503         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
504           changes MarkedSpace size classes to use a linear progression for very small sizes followed
505           by a geometric progression that naturally transitions to a hyperbolic progression. We want
506           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
507           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
508           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
509           size (80 bytes), we proceed using a geometric progression, but round up each size to
510           minimize slop at the end of the block. This naturally causes the geometric progression to
511           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
512           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
513         
514         - Large allocations caused massive internal fragmentation, since the smallest large
515           allocation had to use exactly blockSize, and the largest small allocation used
516           blockSize / 2. The next size up - the first large allocation size to require two blocks -
517           also had 50% internal fragmentation. This is because we required large allocations to be
518           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
519           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
520           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
521           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
522           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
523           out great since (1) typed arrays won't use large allocations anyway since they have their
524           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
525           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
526           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
527           rare as possible; for example, ExecState::vm() skips the check because we know that callees
528           must be small allocations. It's also possible to use template tricks to do one check for
529           cell container kind, and then invoke a function specialized for MarkedBlock or a function
530           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
531           that get used from functions that are template-specialized like this. That's mostly to
532           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
533           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
534           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
535           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
536           cutoff for large allocations is runtime-configurable, so long as you don't choose something
537           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
538           that the MarkedBlock size classes end up being:
539           
540           16, 32, 48, 64, 80, 112, 160, 224, 320
541           
542           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
543           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
544           size classes you end up with by doing --dumpSizeClasses=true.
545         
546         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
547           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
548           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
549           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
550           side, for better locality during a sequential walk. It's no longer necessary to scan
551           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
552           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
553           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
554           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
555           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
556           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
557           together, these optimizations allowed me to reduce block size to 16KB without losing much
558           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
559           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
560           progression on membuster. That's not possible yet, since there is still enough per-block
561           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
562           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
563         
564         - Even after all of that, copying butterflies was still faster because it allowed us to skip
565           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
566           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
567           larger than O(live), especially in an eden collection. Copying satisfies this premise while
568           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
569           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
570           that we walk the block to build a free list. This means walking dead space. The new
571           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
572           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
573           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
574           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
575           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
576           is completely empty, which is the common case because of the generational hypothesis: the
577           number of objects that survive an eden collection is a tiny fraction of the number of
578           objects that had been allocated, and this fraction is so small that there are typically
579           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
580           win over tip-of-tree.
581         
582         - FTL now shares the same allocation fast paths as everything else, which is great, because
583           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
584           control flow, since it won't be able to improve the machine code we write ourselves. GC
585           fast paths are best written in assembly. So, I've empowered B3 to have even better support
586           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
587           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
588           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
589           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
590           ability to constant-fold some allocator logic (in case we first assume that we're doing a
591           variable-length allocation but then realize that the length is known). I think it makes
592           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
593           since this makes lowering easier (you can constant fold during lowering more easily) and it
594           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
595           constant-fold this code. That would require allowing loads to be constant-folded, which is
596           doable but hella tricky.
597         
598         - It used to be that if a logical object allocation required two physical allocations (first
599           the butterfly and then the cell), then the JIT would emit the code in such a way that a
600           failure in the second fast path would cause us to forget the successful first physical
601           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
602           register to storing either the butterfly or null, because the butterfly register is anyway
603           going to be free inside the first allocation. The only overhead here is zeroing the
604           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
605           path, which can then either allocate a butterfly or not. So now we never waste a successful
606           allocation. This patch implements such a solution both in DFG (where it's easy to do this
607           since we control registers already) and in FTL (where it's annoying, because mutable
608           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
609           that duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
610           one version of this patch, this wastage would resonate with some Kraken benchmark: the
611           benchmark would always allocate N small things followed by one bigger thing. The problem
612           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
613           the JSObject size class, which both the small and big thing shared for their cell, could
614           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
615           it allocated the big thing. So, it would end up having to allocate the big thing's large
616           butterfly twice, every single time! Ouch!
617         
618         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
619           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
620           of the allocator to initialize the object to whatever state they need. It used to be that
621           we would just use a dumb loop. I initially changed this so that we would end up in memset
622           for large allocations, but this didn't actually help performance that much. I got a much
623           better result by playing with different memsets written in assembly. First I wrote one
624           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
625           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
626           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
627           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
628           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
629           of stores (if the size is known), but those paths in the JIT won't trigger for
630           NewArrayWithSize() if the size is large, since that takes us to the
631           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
632           optimizations here are all in JSArray::create() - that's the hot place for large arrays
633           that need to be filled with holes.
634         
635         All of this put together gives us neutral perf on JetStream, membuster, and PLT3, a ~1%
636         regression on Speedometer, and up to a 4% regression on Kraken. The Kraken regression is
637         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
638         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
639         difference, but take the hit for now because it's a crazy corner case. By comparison, the
640         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
641         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
642         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
643         marking barrier and we simply won't need a copying barrier. This change gets us there for
644         the purposes of our benchmarks, since the remaining clients of copied space are not very
645         important. On the other hand, if we keep copying, then getting barrier-ready would mean
646         adding back the copy barrier, which costs more perf.
647         
648         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
649         typed arrays and a few other weird things over to Aux MarkedSpace.
650         
651         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
652         and CellContainer meant that I had to include those files from everywhere. Fortunately,
653         just including JSCInlines.h (instead of manually including the files that it includes) is
654         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
655         that we were already basically doing. In places where JSCInlines.h would be too much, I just
656         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
657         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
658         meant having to manually include HeapInlines.h from the places that previously got it
659         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
660         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
661         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
662         made it impossible to include it from outside JSC. This was a lot of work, but it was
663         necessary to get the patch to build on all ports. It's also a net win. There were many places
664         in WebCore that were transitively including a *ton* of JSC headers just because of the
665         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
666         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
667
668         * API/JSManagedValue.mm:
669         (-[JSManagedValue initWithValue:]):
670         * API/JSTypedArray.cpp:
671         * API/ObjCCallbackFunction.mm:
672         * API/tests/testapi.mm:
673         (testObjectiveCAPI):
674         (testWeakValue): Deleted.
675         * CMakeLists.txt:
676         * JavaScriptCore.xcodeproj/project.pbxproj:
677         * Scripts/builtins/builtins_generate_combined_implementation.py:
678         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
679         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
680         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
681         * Scripts/builtins/builtins_generate_separate_implementation.py:
682         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
683         * assembler/AbstractMacroAssembler.h:
684         (JSC::AbstractMacroAssembler::JumpList::link):
685         (JSC::AbstractMacroAssembler::JumpList::linkTo):
686         * assembler/MacroAssembler.h:
687         * assembler/MacroAssemblerARM64.h:
688         (JSC::MacroAssemblerARM64::add32):
689         * assembler/MacroAssemblerCodeRef.cpp: Added.
690         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
691         (JSC::MacroAssemblerCodePtr::dumpWithName):
692         (JSC::MacroAssemblerCodePtr::dump):
693         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
694         (JSC::MacroAssemblerCodeRef::dump):
695         * assembler/MacroAssemblerCodeRef.h:
696         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
697         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
698         (JSC::MacroAssemblerCodePtr::dump): Deleted.
699         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
700         (JSC::MacroAssemblerCodeRef::dump): Deleted.
701         * b3/B3BasicBlock.cpp:
702         (JSC::B3::BasicBlock::appendBoolConstant):
703         * b3/B3BasicBlock.h:
704         * b3/B3DuplicateTails.cpp:
705         * b3/B3StackmapGenerationParams.h:
706         * b3/testb3.cpp:
707         (JSC::B3::testPatchpointTerminalReturnValue):
708         (JSC::B3::run):
709         * bindings/ScriptValue.cpp:
710         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
711         * bytecode/BytecodeBasicBlock.cpp:
712         * bytecode/BytecodeLivenessAnalysis.cpp:
713         * bytecode/BytecodeUseDef.h:
714         * bytecode/CallLinkInfo.cpp:
715         (JSC::CallLinkInfo::callTypeFor):
716         * bytecode/CallLinkInfo.h:
717         (JSC::CallLinkInfo::callTypeFor): Deleted.
718         * bytecode/CallLinkStatus.cpp:
719         * bytecode/CodeBlock.cpp:
720         (JSC::CodeBlock::finishCreation):
721         (JSC::CodeBlock::clearLLIntGetByIdCache):
722         (JSC::CodeBlock::predictedMachineCodeSize):
723         * bytecode/CodeBlock.h:
724         (JSC::CodeBlock::jitCodeMap): Deleted.
725         (JSC::clearLLIntGetByIdCache): Deleted.
726         * bytecode/ExecutionCounter.h:
727         * bytecode/Instruction.h:
728         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
729         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
730         * bytecode/ObjectAllocationProfile.h:
731         (JSC::ObjectAllocationProfile::isNull):
732         (JSC::ObjectAllocationProfile::initialize):
733         * bytecode/Opcode.h:
734         (JSC::padOpcodeName):
735         * bytecode/PolymorphicAccess.cpp:
736         (JSC::AccessCase::generateImpl):
737         (JSC::PolymorphicAccess::regenerate):
738         * bytecode/PolymorphicAccess.h:
739         * bytecode/PreciseJumpTargets.cpp:
740         * bytecode/StructureStubInfo.cpp:
741         * bytecode/StructureStubInfo.h:
742         * bytecode/UnlinkedCodeBlock.cpp:
743         (JSC::UnlinkedCodeBlock::vm): Deleted.
744         * bytecode/UnlinkedCodeBlock.h:
745         * bytecode/UnlinkedInstructionStream.cpp:
746         * bytecode/UnlinkedInstructionStream.h:
747         * dfg/DFGOperations.cpp:
748         * dfg/DFGSpeculativeJIT.cpp:
749         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
750         (JSC::DFG::SpeculativeJIT::compileMakeRope):
751         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
752         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
753         * dfg/DFGSpeculativeJIT.h:
754         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
755         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
756         * dfg/DFGSpeculativeJIT32_64.cpp:
757         (JSC::DFG::SpeculativeJIT::compile):
758         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
759         * dfg/DFGSpeculativeJIT64.cpp:
760         (JSC::DFG::SpeculativeJIT::compile):
761         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
762         * dfg/DFGStrengthReductionPhase.cpp:
763         (JSC::DFG::StrengthReductionPhase::handleNode):
764         * ftl/FTLAbstractHeapRepository.h:
765         * ftl/FTLCompile.cpp:
766         * ftl/FTLJITFinalizer.cpp:
767         * ftl/FTLLowerDFGToB3.cpp:
768         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
769         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
770         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
771         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
772         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
773         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
774         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
775         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
776         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
777         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
778         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
779         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
780         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
781         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
782         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
783         * ftl/FTLOutput.cpp:
784         (JSC::FTL::Output::constBool):
785         (JSC::FTL::Output::add):
786         (JSC::FTL::Output::shl):
787         (JSC::FTL::Output::aShr):
788         (JSC::FTL::Output::lShr):
789         (JSC::FTL::Output::zeroExt):
790         (JSC::FTL::Output::equal):
791         (JSC::FTL::Output::notEqual):
792         (JSC::FTL::Output::above):
793         (JSC::FTL::Output::aboveOrEqual):
794         (JSC::FTL::Output::below):
795         (JSC::FTL::Output::belowOrEqual):
796         (JSC::FTL::Output::greaterThan):
797         (JSC::FTL::Output::greaterThanOrEqual):
798         (JSC::FTL::Output::lessThan):
799         (JSC::FTL::Output::lessThanOrEqual):
800         (JSC::FTL::Output::select):
801         (JSC::FTL::Output::appendSuccessor):
802         (JSC::FTL::Output::addIncomingToPhi):
803         * ftl/FTLOutput.h:
804         * ftl/FTLValueFromBlock.h:
805         (JSC::FTL::ValueFromBlock::operator bool):
806         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
807         * ftl/FTLWeightedTarget.h:
808         (JSC::FTL::WeightedTarget::frequentedBlock):
809         * heap/CellContainer.h: Added.
810         (JSC::CellContainer::CellContainer):
811         (JSC::CellContainer::operator bool):
812         (JSC::CellContainer::isMarkedBlock):
813         (JSC::CellContainer::isLargeAllocation):
814         (JSC::CellContainer::markedBlock):
815         (JSC::CellContainer::largeAllocation):
816         * heap/CellContainerInlines.h: Added.
817         (JSC::CellContainer::isMarked):
818         (JSC::CellContainer::isMarkedOrNewlyAllocated):
819         (JSC::CellContainer::noteMarked):
820         (JSC::CellContainer::cellSize):
821         (JSC::CellContainer::weakSet):
822         (JSC::CellContainer::flipIfNecessary):
823         * heap/ConservativeRoots.cpp:
824         (JSC::ConservativeRoots::ConservativeRoots):
825         (JSC::ConservativeRoots::~ConservativeRoots):
826         (JSC::ConservativeRoots::grow):
827         (JSC::ConservativeRoots::genericAddPointer):
828         (JSC::ConservativeRoots::genericAddSpan):
829         * heap/ConservativeRoots.h:
830         (JSC::ConservativeRoots::roots):
831         * heap/CopyToken.h:
832         * heap/FreeList.cpp: Added.
833         (JSC::FreeList::dump):
834         * heap/FreeList.h: Added.
835         (JSC::FreeList::FreeList):
836         (JSC::FreeList::list):
837         (JSC::FreeList::bump):
838         (JSC::FreeList::operator==):
839         (JSC::FreeList::operator!=):
840         (JSC::FreeList::operator bool):
841         (JSC::FreeList::allocationWillFail):
842         (JSC::FreeList::allocationWillSucceed):
843         * heap/GCTypeMap.h: Added.
844         (JSC::GCTypeMap::operator[]):
845         * heap/Heap.cpp:
846         (JSC::Heap::Heap):
847         (JSC::Heap::lastChanceToFinalize):
848         (JSC::Heap::finalizeUnconditionalFinalizers):
849         (JSC::Heap::markRoots):
850         (JSC::Heap::copyBackingStores):
851         (JSC::Heap::gatherStackRoots):
852         (JSC::Heap::gatherJSStackRoots):
853         (JSC::Heap::gatherScratchBufferRoots):
854         (JSC::Heap::clearLivenessData):
855         (JSC::Heap::visitSmallStrings):
856         (JSC::Heap::visitConservativeRoots):
857         (JSC::Heap::removeDeadCompilerWorklistEntries):
858         (JSC::Heap::gatherExtraHeapSnapshotData):
859         (JSC::Heap::removeDeadHeapSnapshotNodes):
860         (JSC::Heap::visitProtectedObjects):
861         (JSC::Heap::visitArgumentBuffers):
862         (JSC::Heap::visitException):
863         (JSC::Heap::visitStrongHandles):
864         (JSC::Heap::visitHandleStack):
865         (JSC::Heap::visitSamplingProfiler):
866         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
867         (JSC::Heap::converge):
868         (JSC::Heap::visitWeakHandles):
869         (JSC::Heap::updateObjectCounts):
870         (JSC::Heap::clearUnmarkedExecutables):
871         (JSC::Heap::deleteUnmarkedCompiledCode):
872         (JSC::Heap::collectAllGarbage):
873         (JSC::Heap::collect):
874         (JSC::Heap::collectWithoutAnySweep):
875         (JSC::Heap::collectImpl):
876         (JSC::Heap::suspendCompilerThreads):
877         (JSC::Heap::willStartCollection):
878         (JSC::Heap::flushOldStructureIDTables):
879         (JSC::Heap::flushWriteBarrierBuffer):
880         (JSC::Heap::stopAllocation):
881         (JSC::Heap::prepareForMarking):
882         (JSC::Heap::reapWeakHandles):
883         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
884         (JSC::Heap::sweepArrayBuffers):
885         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
886         (JSC::MarkedBlockSnapshotFunctor::operator()):
887         (JSC::Heap::snapshotMarkedSpace):
888         (JSC::Heap::deleteSourceProviderCaches):
889         (JSC::Heap::notifyIncrementalSweeper):
890         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
891         (JSC::Heap::resetAllocators):
892         (JSC::Heap::updateAllocationLimits):
893         (JSC::Heap::didFinishCollection):
894         (JSC::Heap::resumeCompilerThreads):
895         (JSC::Zombify::visit):
896         (JSC::Heap::forEachCodeBlockImpl):
897         * heap/Heap.h:
898         (JSC::Heap::allocatorForObjectWithoutDestructor):
899         (JSC::Heap::allocatorForObjectWithDestructor):
900         (JSC::Heap::allocatorForAuxiliaryData):
901         (JSC::Heap::jitStubRoutines):
902         (JSC::Heap::codeBlockSet):
903         (JSC::Heap::storageAllocator): Deleted.
904         * heap/HeapCell.h:
905         (JSC::HeapCell::isZapped): Deleted.
906         * heap/HeapCellInlines.h: Added.
907         (JSC::HeapCell::isLargeAllocation):
908         (JSC::HeapCell::cellContainer):
909         (JSC::HeapCell::markedBlock):
910         (JSC::HeapCell::largeAllocation):
911         (JSC::HeapCell::heap):
912         (JSC::HeapCell::vm):
913         (JSC::HeapCell::cellSize):
914         (JSC::HeapCell::allocatorAttributes):
915         (JSC::HeapCell::destructionMode):
916         (JSC::HeapCell::cellKind):
917         * heap/HeapInlines.h:
918         (JSC::Heap::heap):
919         (JSC::Heap::isLive):
920         (JSC::Heap::isMarked):
921         (JSC::Heap::testAndSetMarked):
922         (JSC::Heap::setMarked):
923         (JSC::Heap::cellSize):
924         (JSC::Heap::forEachCodeBlock):
925         (JSC::Heap::allocateObjectOfType):
926         (JSC::Heap::subspaceForObjectOfType):
927         (JSC::Heap::allocatorForObjectOfType):
928         (JSC::Heap::allocateAuxiliary):
929         (JSC::Heap::tryAllocateAuxiliary):
930         (JSC::Heap::tryReallocateAuxiliary):
931         (JSC::Heap::isPointerGCObject): Deleted.
932         (JSC::Heap::isValueGCObject): Deleted.
933         * heap/HeapOperation.cpp: Added.
934         (WTF::printInternal):
935         * heap/HeapOperation.h:
936         * heap/HeapUtil.h: Added.
937         (JSC::HeapUtil::findGCObjectPointersForMarking):
938         (JSC::HeapUtil::isPointerGCObjectJSCell):
939         (JSC::HeapUtil::isValueGCObject):
940         * heap/IncrementalSweeper.cpp:
941         (JSC::IncrementalSweeper::sweepNextBlock):
942         * heap/IncrementalSweeper.h:
943         * heap/LargeAllocation.cpp: Added.
944         (JSC::LargeAllocation::tryCreate):
945         (JSC::LargeAllocation::LargeAllocation):
946         (JSC::LargeAllocation::lastChanceToFinalize):
947         (JSC::LargeAllocation::shrink):
948         (JSC::LargeAllocation::visitWeakSet):
949         (JSC::LargeAllocation::reapWeakSet):
950         (JSC::LargeAllocation::flip):
951         (JSC::LargeAllocation::isEmpty):
952         (JSC::LargeAllocation::sweep):
953         (JSC::LargeAllocation::destroy):
954         (JSC::LargeAllocation::dump):
955         * heap/LargeAllocation.h: Added.
956         (JSC::LargeAllocation::fromCell):
957         (JSC::LargeAllocation::cell):
958         (JSC::LargeAllocation::isLargeAllocation):
959         (JSC::LargeAllocation::heap):
960         (JSC::LargeAllocation::vm):
961         (JSC::LargeAllocation::weakSet):
962         (JSC::LargeAllocation::clearNewlyAllocated):
963         (JSC::LargeAllocation::isNewlyAllocated):
964         (JSC::LargeAllocation::isMarked):
965         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
966         (JSC::LargeAllocation::isLive):
967         (JSC::LargeAllocation::hasValidCell):
968         (JSC::LargeAllocation::cellSize):
969         (JSC::LargeAllocation::aboveLowerBound):
970         (JSC::LargeAllocation::belowUpperBound):
971         (JSC::LargeAllocation::contains):
972         (JSC::LargeAllocation::attributes):
973         (JSC::LargeAllocation::flipIfNecessary):
974         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
975         (JSC::LargeAllocation::testAndSetMarked):
976         (JSC::LargeAllocation::setMarked):
977         (JSC::LargeAllocation::clearMarked):
978         (JSC::LargeAllocation::noteMarked):
979         (JSC::LargeAllocation::headerSize):
980         * heap/MarkedAllocator.cpp:
981         (JSC::MarkedAllocator::MarkedAllocator):
982         (JSC::MarkedAllocator::isPagedOut):
983         (JSC::MarkedAllocator::retire):
984         (JSC::MarkedAllocator::filterNextBlock):
985         (JSC::MarkedAllocator::setNextBlockToSweep):
986         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
987         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
988         (JSC::MarkedAllocator::allocateSlowCase):
989         (JSC::MarkedAllocator::tryAllocateSlowCase):
990         (JSC::MarkedAllocator::allocateSlowCaseImpl):
991         (JSC::blockHeaderSize):
992         (JSC::MarkedAllocator::blockSizeForBytes):
993         (JSC::MarkedAllocator::tryAllocateBlock):
994         (JSC::MarkedAllocator::addBlock):
995         (JSC::MarkedAllocator::removeBlock):
996         (JSC::MarkedAllocator::stopAllocating):
997         (JSC::MarkedAllocator::reset):
998         (JSC::MarkedAllocator::lastChanceToFinalize):
999         (JSC::MarkedAllocator::setFreeList):
1000         (JSC::isListPagedOut): Deleted.
1001         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
1002         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
1003         (JSC::MarkedAllocator::tryAllocate): Deleted.
1004         (JSC::MarkedAllocator::allocateBlock): Deleted.
1005         * heap/MarkedAllocator.h:
1006         (JSC::MarkedAllocator::takeLastActiveBlock):
1007         (JSC::MarkedAllocator::offsetOfFreeList):
1008         (JSC::MarkedAllocator::offsetOfCellSize):
1009         (JSC::MarkedAllocator::tryAllocate):
1010         (JSC::MarkedAllocator::allocate):
1011         (JSC::MarkedAllocator::forEachBlock):
1012         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
1013         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
1014         (JSC::MarkedAllocator::init): Deleted.
1015         (JSC::MarkedAllocator::stopAllocating): Deleted.
1016         * heap/MarkedBlock.cpp:
1017         (JSC::MarkedBlock::tryCreate):
1018         (JSC::MarkedBlock::Handle::Handle):
1019         (JSC::MarkedBlock::Handle::~Handle):
1020         (JSC::MarkedBlock::MarkedBlock):
1021         (JSC::MarkedBlock::Handle::specializedSweep):
1022         (JSC::MarkedBlock::Handle::sweep):
1023         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
1024         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
1025         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
1026         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
1027         (JSC::SetNewlyAllocatedFunctor::operator()):
1028         (JSC::MarkedBlock::Handle::stopAllocating):
1029         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1030         (JSC::MarkedBlock::Handle::resumeAllocating):
1031         (JSC::MarkedBlock::Handle::zap):
1032         (JSC::MarkedBlock::Handle::forEachFreeCell):
1033         (JSC::MarkedBlock::flipIfNecessary):
1034         (JSC::MarkedBlock::Handle::flipIfNecessary):
1035         (JSC::MarkedBlock::flipIfNecessarySlow):
1036         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
1037         (JSC::MarkedBlock::clearMarks):
1038         (JSC::MarkedBlock::assertFlipped):
1039         (JSC::MarkedBlock::needsFlip):
1040         (JSC::MarkedBlock::Handle::needsFlip):
1041         (JSC::MarkedBlock::Handle::willRemoveBlock):
1042         (JSC::MarkedBlock::Handle::didConsumeFreeList):
1043         (JSC::MarkedBlock::markCount):
1044         (JSC::MarkedBlock::Handle::isEmpty):
1045         (JSC::MarkedBlock::clearHasAnyMarked):
1046         (JSC::MarkedBlock::noteMarkedSlow):
1047         (WTF::printInternal):
1048         (JSC::MarkedBlock::create): Deleted.
1049         (JSC::MarkedBlock::destroy): Deleted.
1050         (JSC::MarkedBlock::callDestructor): Deleted.
1051         (JSC::MarkedBlock::specializedSweep): Deleted.
1052         (JSC::MarkedBlock::sweep): Deleted.
1053         (JSC::MarkedBlock::sweepHelper): Deleted.
1054         (JSC::MarkedBlock::stopAllocating): Deleted.
1055         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
1056         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
1057         (JSC::MarkedBlock::resumeAllocating): Deleted.
1058         (JSC::MarkedBlock::didRetireBlock): Deleted.
1059         * heap/MarkedBlock.h:
1060         (JSC::MarkedBlock::VoidFunctor::returnValue):
1061         (JSC::MarkedBlock::CountFunctor::CountFunctor):
1062         (JSC::MarkedBlock::CountFunctor::count):
1063         (JSC::MarkedBlock::CountFunctor::returnValue):
1064         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
1065         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
1066         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
1067         (JSC::MarkedBlock::Handle::state):
1068         (JSC::MarkedBlock::needsDestruction):
1069         (JSC::MarkedBlock::handle):
1070         (JSC::MarkedBlock::Handle::block):
1071         (JSC::MarkedBlock::firstAtom):
1072         (JSC::MarkedBlock::atoms):
1073         (JSC::MarkedBlock::isAtomAligned):
1074         (JSC::MarkedBlock::Handle::cellAlign):
1075         (JSC::MarkedBlock::blockFor):
1076         (JSC::MarkedBlock::Handle::allocator):
1077         (JSC::MarkedBlock::Handle::heap):
1078         (JSC::MarkedBlock::Handle::vm):
1079         (JSC::MarkedBlock::vm):
1080         (JSC::MarkedBlock::Handle::weakSet):
1081         (JSC::MarkedBlock::weakSet):
1082         (JSC::MarkedBlock::Handle::shrink):
1083         (JSC::MarkedBlock::Handle::visitWeakSet):
1084         (JSC::MarkedBlock::Handle::reapWeakSet):
1085         (JSC::MarkedBlock::Handle::cellSize):
1086         (JSC::MarkedBlock::cellSize):
1087         (JSC::MarkedBlock::Handle::attributes):
1088         (JSC::MarkedBlock::attributes):
1089         (JSC::MarkedBlock::Handle::needsDestruction):
1090         (JSC::MarkedBlock::Handle::destruction):
1091         (JSC::MarkedBlock::Handle::cellKind):
1092         (JSC::MarkedBlock::Handle::markCount):
1093         (JSC::MarkedBlock::Handle::size):
1094         (JSC::MarkedBlock::atomNumber):
1095         (JSC::MarkedBlock::flipIfNecessary):
1096         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
1097         (JSC::MarkedBlock::Handle::flipIfNecessary):
1098         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
1099         (JSC::MarkedBlock::Handle::flipForEdenCollection):
1100         (JSC::MarkedBlock::assertFlipped):
1101         (JSC::MarkedBlock::Handle::assertFlipped):
1102         (JSC::MarkedBlock::isMarked):
1103         (JSC::MarkedBlock::testAndSetMarked):
1104         (JSC::MarkedBlock::Handle::isNewlyAllocated):
1105         (JSC::MarkedBlock::Handle::setNewlyAllocated):
1106         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
1107         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
1108         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
1109         (JSC::MarkedBlock::Handle::isLive):
1110         (JSC::MarkedBlock::isAtom):
1111         (JSC::MarkedBlock::Handle::isLiveCell):
1112         (JSC::MarkedBlock::Handle::forEachCell):
1113         (JSC::MarkedBlock::Handle::forEachLiveCell):
1114         (JSC::MarkedBlock::Handle::forEachDeadCell):
1115         (JSC::MarkedBlock::Handle::needsSweeping):
1116         (JSC::MarkedBlock::Handle::isAllocated):
1117         (JSC::MarkedBlock::Handle::isMarked):
1118         (JSC::MarkedBlock::Handle::isFreeListed):
1119         (JSC::MarkedBlock::hasAnyMarked):
1120         (JSC::MarkedBlock::noteMarked):
1121         (WTF::MarkedBlockHash::hash):
1122         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
1123         (JSC::MarkedBlock::allocator): Deleted.
1124         (JSC::MarkedBlock::heap): Deleted.
1125         (JSC::MarkedBlock::shrink): Deleted.
1126         (JSC::MarkedBlock::visitWeakSet): Deleted.
1127         (JSC::MarkedBlock::reapWeakSet): Deleted.
1128         (JSC::MarkedBlock::willRemoveBlock): Deleted.
1129         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
1130         (JSC::MarkedBlock::markCount): Deleted.
1131         (JSC::MarkedBlock::isEmpty): Deleted.
1132         (JSC::MarkedBlock::destruction): Deleted.
1133         (JSC::MarkedBlock::cellKind): Deleted.
1134         (JSC::MarkedBlock::size): Deleted.
1135         (JSC::MarkedBlock::capacity): Deleted.
1136         (JSC::MarkedBlock::setMarked): Deleted.
1137         (JSC::MarkedBlock::clearMarked): Deleted.
1138         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
1139         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
1140         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
1141         (JSC::MarkedBlock::isLive): Deleted.
1142         (JSC::MarkedBlock::isLiveCell): Deleted.
1143         (JSC::MarkedBlock::forEachCell): Deleted.
1144         (JSC::MarkedBlock::forEachLiveCell): Deleted.
1145         (JSC::MarkedBlock::forEachDeadCell): Deleted.
1146         (JSC::MarkedBlock::needsSweeping): Deleted.
1147         (JSC::MarkedBlock::isAllocated): Deleted.
1148         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
1149         * heap/MarkedSpace.cpp:
1150         (JSC::MarkedSpace::initializeSizeClassForStepSize):
1151         (JSC::MarkedSpace::MarkedSpace):
1152         (JSC::MarkedSpace::~MarkedSpace):
1153         (JSC::MarkedSpace::lastChanceToFinalize):
1154         (JSC::MarkedSpace::allocate):
1155         (JSC::MarkedSpace::tryAllocate):
1156         (JSC::MarkedSpace::allocateLarge):
1157         (JSC::MarkedSpace::tryAllocateLarge):
1158         (JSC::MarkedSpace::sweep):
1159         (JSC::MarkedSpace::sweepLargeAllocations):
1160         (JSC::MarkedSpace::zombifySweep):
1161         (JSC::MarkedSpace::resetAllocators):
1162         (JSC::MarkedSpace::visitWeakSets):
1163         (JSC::MarkedSpace::reapWeakSets):
1164         (JSC::MarkedSpace::stopAllocating):
1165         (JSC::MarkedSpace::prepareForMarking):
1166         (JSC::MarkedSpace::resumeAllocating):
1167         (JSC::MarkedSpace::isPagedOut):
1168         (JSC::MarkedSpace::freeBlock):
1169         (JSC::MarkedSpace::freeOrShrinkBlock):
1170         (JSC::MarkedSpace::shrink):
1171         (JSC::MarkedSpace::clearNewlyAllocated):
1172         (JSC::VerifyMarked::operator()):
1173         (JSC::MarkedSpace::flip):
1174         (JSC::MarkedSpace::objectCount):
1175         (JSC::MarkedSpace::size):
1176         (JSC::MarkedSpace::capacity):
1177         (JSC::MarkedSpace::addActiveWeakSet):
1178         (JSC::MarkedSpace::didAddBlock):
1179         (JSC::MarkedSpace::didAllocateInBlock):
1180         (JSC::MarkedSpace::forEachAllocator): Deleted.
1181         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
1182         (JSC::MarkedSpace::clearMarks): Deleted.
1183         * heap/MarkedSpace.h:
1184         (JSC::MarkedSpace::sizeClassToIndex):
1185         (JSC::MarkedSpace::indexToSizeClass):
1186         (JSC::MarkedSpace::version):
1187         (JSC::MarkedSpace::blocksWithNewObjects):
1188         (JSC::MarkedSpace::largeAllocations):
1189         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
1190         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
1191         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
1192         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
1193         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
1194         (JSC::MarkedSpace::forEachLiveCell):
1195         (JSC::MarkedSpace::forEachDeadCell):
1196         (JSC::MarkedSpace::allocatorFor):
1197         (JSC::MarkedSpace::destructorAllocatorFor):
1198         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1199         (JSC::MarkedSpace::allocateWithoutDestructor):
1200         (JSC::MarkedSpace::allocateWithDestructor):
1201         (JSC::MarkedSpace::allocateAuxiliary):
1202         (JSC::MarkedSpace::tryAllocateAuxiliary):
1203         (JSC::MarkedSpace::forEachBlock):
1204         (JSC::MarkedSpace::forEachAllocator):
1205         (JSC::MarkedSpace::optimalSizeFor):
1206         (JSC::MarkedSpace::didAddBlock): Deleted.
1207         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
1208         (JSC::MarkedSpace::objectCount): Deleted.
1209         (JSC::MarkedSpace::size): Deleted.
1210         (JSC::MarkedSpace::capacity): Deleted.
1211         * heap/SlotVisitor.cpp:
1212         (JSC::SlotVisitor::SlotVisitor):
1213         (JSC::SlotVisitor::didStartMarking):
1214         (JSC::SlotVisitor::reset):
1215         (JSC::SlotVisitor::append):
1216         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1217         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1218         (JSC::SlotVisitor::appendToMarkStack):
1219         (JSC::SlotVisitor::markAuxiliary):
1220         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
1221         (JSC::SlotVisitor::visitChildren):
1222         * heap/SlotVisitor.h:
1223         * heap/WeakBlock.cpp:
1224         (JSC::WeakBlock::create):
1225         (JSC::WeakBlock::WeakBlock):
1226         (JSC::WeakBlock::visit):
1227         (JSC::WeakBlock::reap):
1228         * heap/WeakBlock.h:
1229         (JSC::WeakBlock::disconnectContainer):
1230         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
1231         * heap/WeakSet.cpp:
1232         (JSC::WeakSet::~WeakSet):
1233         (JSC::WeakSet::sweep):
1234         (JSC::WeakSet::shrink):
1235         (JSC::WeakSet::addAllocator):
1236         * heap/WeakSet.h:
1237         (JSC::WeakSet::container):
1238         (JSC::WeakSet::setContainer):
1239         (JSC::WeakSet::WeakSet):
1240         (JSC::WeakSet::visit):
1241         (JSC::WeakSet::shrink): Deleted.
1242         * heap/WeakSetInlines.h:
1243         (JSC::WeakSet::allocate):
1244         * inspector/InjectedScriptManager.cpp:
1245         * inspector/JSGlobalObjectInspectorController.cpp:
1246         * inspector/JSJavaScriptCallFrame.cpp:
1247         * inspector/ScriptDebugServer.cpp:
1248         * inspector/agents/InspectorDebuggerAgent.cpp:
1249         * interpreter/CachedCall.h:
1250         (JSC::CachedCall::CachedCall):
1251         * interpreter/Interpreter.cpp:
1252         (JSC::loadVarargs):
1253         (JSC::StackFrame::sourceID): Deleted.
1254         (JSC::StackFrame::sourceURL): Deleted.
1255         (JSC::StackFrame::functionName): Deleted.
1256         (JSC::StackFrame::computeLineAndColumn): Deleted.
1257         (JSC::StackFrame::toString): Deleted.
1258         * interpreter/Interpreter.h:
1259         (JSC::StackFrame::isNative): Deleted.
1260         * jit/AssemblyHelpers.h:
1261         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1262         (JSC::AssemblyHelpers::emitAllocate):
1263         (JSC::AssemblyHelpers::emitAllocateJSCell):
1264         (JSC::AssemblyHelpers::emitAllocateJSObject):
1265         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1266         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1267         * jit/GCAwareJITStubRoutine.cpp:
1268         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1269         * jit/JIT.cpp:
1270         (JSC::JIT::compileCTINativeCall):
1271         (JSC::JIT::link):
1272         * jit/JIT.h:
1273         (JSC::JIT::compileCTINativeCall): Deleted.
1274         * jit/JITExceptions.cpp:
1275         (JSC::genericUnwind):
1276         * jit/JITExceptions.h:
1277         * jit/JITOpcodes.cpp:
1278         (JSC::JIT::emit_op_new_object):
1279         (JSC::JIT::emitSlow_op_new_object):
1280         (JSC::JIT::emit_op_create_this):
1281         (JSC::JIT::emitSlow_op_create_this):
1282         * jit/JITOpcodes32_64.cpp:
1283         (JSC::JIT::emit_op_new_object):
1284         (JSC::JIT::emitSlow_op_new_object):
1285         (JSC::JIT::emit_op_create_this):
1286         (JSC::JIT::emitSlow_op_create_this):
1287         * jit/JITOperations.cpp:
1288         * jit/JITOperations.h:
1289         * jit/JITPropertyAccess.cpp:
1290         (JSC::JIT::emitWriteBarrier):
1291         * jit/JITThunks.cpp:
1292         * jit/JITThunks.h:
1293         * jsc.cpp:
1294         (functionDescribeArray):
1295         (main):
1296         * llint/LLIntData.cpp:
1297         (JSC::LLInt::Data::performAssertions):
1298         * llint/LLIntExceptions.cpp:
1299         * llint/LLIntThunks.cpp:
1300         * llint/LLIntThunks.h:
1301         * llint/LowLevelInterpreter.asm:
1302         * llint/LowLevelInterpreter.cpp:
1303         * llint/LowLevelInterpreter32_64.asm:
1304         * llint/LowLevelInterpreter64.asm:
1305         * parser/ModuleAnalyzer.cpp:
1306         * parser/NodeConstructors.h:
1307         * parser/Nodes.h:
1308         * profiler/ProfilerBytecode.cpp:
1309         * profiler/ProfilerBytecode.h:
1310         * profiler/ProfilerBytecodeSequence.cpp:
1311         * runtime/ArrayConventions.h:
1312         (JSC::indexingHeaderForArrayStorage):
1313         (JSC::baseIndexingHeaderForArrayStorage):
1314         (JSC::indexingHeaderForArray): Deleted.
1315         (JSC::baseIndexingHeaderForArray): Deleted.
1316         * runtime/ArrayPrototype.cpp:
1317         (JSC::arrayProtoFuncSplice):
1318         (JSC::concatAppendOne):
1319         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1320         * runtime/ArrayStorage.h:
1321         (JSC::ArrayStorage::vectorLength):
1322         (JSC::ArrayStorage::totalSizeFor):
1323         (JSC::ArrayStorage::totalSize):
1324         (JSC::ArrayStorage::availableVectorLength):
1325         (JSC::ArrayStorage::optimalVectorLength):
1326         (JSC::ArrayStorage::sizeFor): Deleted.
1327         * runtime/AuxiliaryBarrier.h: Added.
1328         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
1329         (JSC::AuxiliaryBarrier::clear):
1330         (JSC::AuxiliaryBarrier::get):
1331         (JSC::AuxiliaryBarrier::slot):
1332         (JSC::AuxiliaryBarrier::operator bool):
1333         (JSC::AuxiliaryBarrier::setWithoutBarrier):
1334         * runtime/AuxiliaryBarrierInlines.h: Added.
1335         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
1336         (JSC::AuxiliaryBarrier<T>::set):
1337         * runtime/Butterfly.h:
1338         * runtime/ButterflyInlines.h:
1339         (JSC::Butterfly::availableContiguousVectorLength):
1340         (JSC::Butterfly::optimalContiguousVectorLength):
1341         (JSC::Butterfly::createUninitialized):
1342         (JSC::Butterfly::growArrayRight):
1343         * runtime/ClonedArguments.cpp:
1344         (JSC::ClonedArguments::createEmpty):
1345         * runtime/CommonSlowPathsExceptions.cpp:
1346         * runtime/CommonSlowPathsExceptions.h:
1347         * runtime/DataView.cpp:
1348         * runtime/DirectArguments.h:
1349         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1350         * runtime/Error.cpp:
1351         * runtime/Error.h:
1352         * runtime/ErrorInstance.cpp:
1353         * runtime/ErrorInstance.h:
1354         * runtime/Exception.cpp:
1355         * runtime/Exception.h:
1356         * runtime/GeneratorFrame.cpp:
1357         * runtime/GeneratorPrototype.cpp:
1358         * runtime/InternalFunction.cpp:
1359         (JSC::InternalFunction::InternalFunction):
1360         * runtime/IntlCollator.cpp:
1361         * runtime/IntlCollatorConstructor.cpp:
1362         * runtime/IntlCollatorPrototype.cpp:
1363         * runtime/IntlDateTimeFormat.cpp:
1364         * runtime/IntlDateTimeFormatConstructor.cpp:
1365         * runtime/IntlDateTimeFormatPrototype.cpp:
1366         * runtime/IntlNumberFormat.cpp:
1367         * runtime/IntlNumberFormatConstructor.cpp:
1368         * runtime/IntlNumberFormatPrototype.cpp:
1369         * runtime/IntlObject.cpp:
1370         * runtime/IteratorPrototype.cpp:
1371         * runtime/JSArray.cpp:
1372         (JSC::JSArray::tryCreateUninitialized):
1373         (JSC::JSArray::setLengthWritable):
1374         (JSC::JSArray::unshiftCountSlowCase):
1375         (JSC::JSArray::setLengthWithArrayStorage):
1376         (JSC::JSArray::appendMemcpy):
1377         (JSC::JSArray::setLength):
1378         (JSC::JSArray::pop):
1379         (JSC::JSArray::push):
1380         (JSC::JSArray::fastSlice):
1381         (JSC::JSArray::shiftCountWithArrayStorage):
1382         (JSC::JSArray::shiftCountWithAnyIndexingType):
1383         (JSC::JSArray::unshiftCountWithArrayStorage):
1384         (JSC::JSArray::fillArgList):
1385         (JSC::JSArray::copyToArguments):
1386         * runtime/JSArray.h:
1387         (JSC::createContiguousArrayButterfly):
1388         (JSC::createArrayButterfly):
1389         (JSC::JSArray::create):
1390         (JSC::JSArray::tryCreateUninitialized): Deleted.
1391         * runtime/JSArrayBufferView.h:
1392         * runtime/JSCInlines.h:
1393         * runtime/JSCJSValue.cpp:
1394         (JSC::JSValue::dumpInContextAssumingStructure):
1395         * runtime/JSCallee.cpp:
1396         (JSC::JSCallee::JSCallee):
1397         * runtime/JSCell.cpp:
1398         (JSC::JSCell::estimatedSize):
1399         * runtime/JSCell.h:
1400         (JSC::JSCell::cellStateOffset): Deleted.
1401         * runtime/JSCellInlines.h:
1402         (JSC::ExecState::vm):
1403         (JSC::JSCell::classInfo):
1404         (JSC::JSCell::callDestructor):
1405         (JSC::JSCell::vm): Deleted.
1406         * runtime/JSFunction.cpp:
1407         (JSC::JSFunction::create):
1408         (JSC::JSFunction::allocateAndInitializeRareData):
1409         (JSC::JSFunction::initializeRareData):
1410         (JSC::JSFunction::getOwnPropertySlot):
1411         (JSC::JSFunction::put):
1412         (JSC::JSFunction::deleteProperty):
1413         (JSC::JSFunction::defineOwnProperty):
1414         (JSC::JSFunction::setFunctionName):
1415         (JSC::JSFunction::reifyLength):
1416         (JSC::JSFunction::reifyName):
1417         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1418         (JSC::JSFunction::reifyBoundNameIfNeeded):
1419         * runtime/JSFunction.h:
1420         * runtime/JSFunctionInlines.h:
1421         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1422         (JSC::JSFunction::JSFunction):
1423         * runtime/JSGenericTypedArrayViewInlines.h:
1424         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1425         * runtime/JSInternalPromise.cpp:
1426         * runtime/JSInternalPromiseConstructor.cpp:
1427         * runtime/JSInternalPromiseDeferred.cpp:
1428         * runtime/JSInternalPromisePrototype.cpp:
1429         * runtime/JSJob.cpp:
1430         * runtime/JSMapIterator.cpp:
1431         * runtime/JSModuleNamespaceObject.cpp:
1432         * runtime/JSModuleRecord.cpp:
1433         * runtime/JSObject.cpp:
1434         (JSC::JSObject::visitButterfly):
1435         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1436         (JSC::JSObject::createInitialIndexedStorage):
1437         (JSC::JSObject::createInitialUndecided):
1438         (JSC::JSObject::createInitialInt32):
1439         (JSC::JSObject::createInitialDouble):
1440         (JSC::JSObject::createInitialContiguous):
1441         (JSC::JSObject::createArrayStorage):
1442         (JSC::JSObject::createInitialArrayStorage):
1443         (JSC::JSObject::convertUndecidedToInt32):
1444         (JSC::JSObject::convertUndecidedToContiguous):
1445         (JSC::JSObject::convertUndecidedToArrayStorage):
1446         (JSC::JSObject::convertInt32ToDouble):
1447         (JSC::JSObject::convertInt32ToArrayStorage):
1448         (JSC::JSObject::convertDoubleToArrayStorage):
1449         (JSC::JSObject::convertContiguousToArrayStorage):
1450         (JSC::JSObject::putByIndexBeyondVectorLength):
1451         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1452         (JSC::JSObject::getNewVectorLength):
1453         (JSC::JSObject::increaseVectorLength):
1454         (JSC::JSObject::ensureLengthSlow):
1455         (JSC::JSObject::growOutOfLineStorage):
1456         (JSC::JSObject::copyButterfly): Deleted.
1457         (JSC::JSObject::copyBackingStore): Deleted.
1458         * runtime/JSObject.h:
1459         (JSC::JSObject::globalObject):
1460         (JSC::JSObject::putDirectInternal):
1461         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
1462         * runtime/JSObjectInlines.h:
1463         * runtime/JSPromise.cpp:
1464         * runtime/JSPromiseConstructor.cpp:
1465         * runtime/JSPromiseDeferred.cpp:
1466         * runtime/JSPromisePrototype.cpp:
1467         * runtime/JSPropertyNameIterator.cpp:
1468         * runtime/JSScope.cpp:
1469         (JSC::JSScope::resolve):
1470         * runtime/JSScope.h:
1471         (JSC::JSScope::globalObject):
1472         (JSC::JSScope::vm): Deleted.
1473         * runtime/JSSetIterator.cpp:
1474         * runtime/JSStringIterator.cpp:
1475         * runtime/JSTemplateRegistryKey.cpp:
1476         * runtime/JSTypedArrayViewConstructor.cpp:
1477         * runtime/JSTypedArrayViewPrototype.cpp:
1478         * runtime/JSWeakMap.cpp:
1479         * runtime/JSWeakSet.cpp:
1480         * runtime/MapConstructor.cpp:
1481         * runtime/MapIteratorPrototype.cpp:
1482         * runtime/MapPrototype.cpp:
1483         * runtime/NativeErrorConstructor.cpp:
1484         * runtime/NativeStdFunctionCell.cpp:
1485         * runtime/Operations.h:
1486         (JSC::scribbleFreeCells):
1487         (JSC::scribble):
1488         * runtime/Options.h:
1489         * runtime/PropertyTable.cpp:
1490         * runtime/ProxyConstructor.cpp:
1491         * runtime/ProxyObject.cpp:
1492         * runtime/ProxyRevoke.cpp:
1493         * runtime/RegExp.cpp:
1494         (JSC::RegExp::match):
1495         (JSC::RegExp::matchConcurrently):
1496         (JSC::RegExp::matchCompareWithInterpreter):
1497         * runtime/RegExp.h:
1498         * runtime/RegExpConstructor.h:
1499         * runtime/RegExpInlines.h:
1500         (JSC::RegExp::matchInline):
1501         * runtime/RegExpMatchesArray.h:
1502         (JSC::tryCreateUninitializedRegExpMatchesArray):
1503         (JSC::createRegExpMatchesArray):
1504         * runtime/RegExpPrototype.cpp:
1505         (JSC::genericSplit):
1506         * runtime/RuntimeType.cpp:
1507         * runtime/SamplingProfiler.cpp:
1508         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1509         * runtime/SetConstructor.cpp:
1510         * runtime/SetIteratorPrototype.cpp:
1511         * runtime/SetPrototype.cpp:
1512         * runtime/StackFrame.cpp: Added.
1513         (JSC::StackFrame::sourceID):
1514         (JSC::StackFrame::sourceURL):
1515         (JSC::StackFrame::functionName):
1516         (JSC::StackFrame::computeLineAndColumn):
1517         (JSC::StackFrame::toString):
1518         * runtime/StackFrame.h: Added.
1519         (JSC::StackFrame::isNative):
1520         * runtime/StringConstructor.cpp:
1521         * runtime/StringIteratorPrototype.cpp:
1522         * runtime/StructureInlines.h:
1523         (JSC::Structure::propertyTable):
1524         * runtime/TemplateRegistry.cpp:
1525         * runtime/TestRunnerUtils.cpp:
1526         (JSC::finalizeStatsAtEndOfTesting):
1527         * runtime/TestRunnerUtils.h:
1528         * runtime/TypeProfilerLog.cpp:
1529         * runtime/TypeSet.cpp:
1530         * runtime/VM.cpp:
1531         (JSC::VM::VM):
1532         (JSC::VM::ensureStackCapacityForCLoop):
1533         (JSC::VM::isSafeToRecurseSoftCLoop):
1534         * runtime/VM.h:
1535         * runtime/VMEntryScope.h:
1536         * runtime/VMInlines.h:
1537         (JSC::VM::ensureStackCapacityFor):
1538         (JSC::VM::isSafeToRecurseSoft):
1539         * runtime/WeakMapConstructor.cpp:
1540         * runtime/WeakMapData.cpp:
1541         * runtime/WeakMapPrototype.cpp:
1542         * runtime/WeakSetConstructor.cpp:
1543         * runtime/WeakSetPrototype.cpp:
1544         * testRegExp.cpp:
1545         (testOneRegExp):
1546         * tools/JSDollarVM.cpp:
1547         * tools/JSDollarVMPrototype.cpp:
1548         (JSC::JSDollarVMPrototype::isInObjectSpace):
1549
1550 2016-09-04  Commit Queue  <commit-queue@webkit.org>
1551
1552         Unreviewed, rolling out r205415.
1553         https://bugs.webkit.org/show_bug.cgi?id=161573
1554
1555         Many bots see inspector test failures, rolling out now and
1556         investigating later. (Requested by brrian on #webkit).
1557
1558         Reverted changeset:
1559
1560         "Web Inspector: unify Main.html and Test.html sources and
1561         generate different copies with the preprocessor"
1562         https://bugs.webkit.org/show_bug.cgi?id=161212
1563         http://trac.webkit.org/changeset/205415
1564
1565 2016-09-01  Brian Burg  <bburg@apple.com>
1566
1567         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
1568         https://bugs.webkit.org/show_bug.cgi?id=161212
1569         <rdar://problem/28017961>
1570
1571         Reviewed by Joseph Pecoraro.
1572
1573         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
1574
1575 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1576
1577         Use ASCIILiteral in some more places
1578         https://bugs.webkit.org/show_bug.cgi?id=161557
1579
1580         Reviewed by Darin Adler.
1581
1582         * runtime/TypeSet.h:
1583         (JSC::StructureShape::setConstructorName):
1584
1585 2016-09-01  Michael Saboff  <msaboff@apple.com>
1586
1587         Import Chakra tests to JSC
1588         https://bugs.webkit.org/show_bug.cgi?id=154697
1589
1590         Reviewed by Saam Barati.
1591
1592         Added the --dumpException option to the jsc command line utility to dump uncaught exception
1593         text even for the last exception that matches --exception.  This is used to
1594         check the exception text for a test that is expected to end on an exception.
1595         Chakra has several tests of this form and does the same thing when such a test
1596         ends with an exception.  Tests that rely on this behavior have had their expected
1597         output updated for JSC specific text.
1598
1599         * jsc.cpp:
1600
1601 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
1602
1603         [JSC] Remove some more useless cases from FTL Capabilities
1604         https://bugs.webkit.org/show_bug.cgi?id=161466
1605
1606         Reviewed by Geoffrey Garen.
1607
1608         Some cases do not make sense:
1609         -In: Fixup only generates CellUse.
1610         -PutByIdXXX: same.
1611         -GetIndexedPropertyStorage: those cases are the only ones supported
1612          by the DFG. We would have crashed in SpeculativeJIT if other modes
1613          were generated.
1614
1615         * ftl/FTLCapabilities.cpp:
1616         (JSC::FTL::canCompile):
1617         * ftl/FTLLowerDFGToB3.cpp:
1618         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1619         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1620         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1621
1622 2016-09-02  Chris Dumez  <cdumez@apple.com>
1623
1624         Unreviewed, roll out r205354 because it caused JSC test failures
1625
1626         * jsc.cpp:
1627         * runtime/JSGlobalObject.cpp:
1628         * runtime/JSGlobalObject.h:
1629         (JSC::JSGlobalObject::allowsAccessFrom):
1630         (JSC::JSGlobalObject::setDebugger): Deleted.
1631         * runtime/JSGlobalObjectFunctions.cpp:
1632         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1633         (JSC::GlobalFuncProtoGetterFunctor::result):
1634         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1635         (JSC::globalFuncProtoGetter):
1636         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
1637         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1638         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1639         (JSC::checkProtoSetterAccessAllowed):
1640         (JSC::globalFuncProtoSetter):
1641         * runtime/JSGlobalObjectFunctions.h:
1642         * runtime/JSObject.cpp:
1643         (JSC::JSObject::setPrototypeWithCycleCheck):
1644         (JSC::JSObject::allowsAccessFrom):
1645         * runtime/JSObject.h:
1646         * runtime/JSProxy.cpp:
1647         * runtime/JSProxy.h:
1648         * runtime/ObjectConstructor.cpp:
1649         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1650         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1651         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1652         (JSC::objectConstructorGetPrototypeOf):
1653         (JSC::objectConstructorSetPrototypeOf):
1654         * runtime/ObjectConstructor.h:
1655         * runtime/ReflectObject.cpp:
1656         (JSC::reflectObjectGetPrototypeOf):
1657         (JSC::reflectObjectSetPrototypeOf):
1658
1659 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
1660
1661         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
1662         https://bugs.webkit.org/show_bug.cgi?id=160802
1663
1664         Reviewed by Saam Barati.
1665
1666         This patch fixes a broken mechanism of MathIC that avoids allocating
1667         a register for LHS or RHS if one of these operands is proven to be a valid
1668         constant for JIT*Generator. In the previous implementation, even if the
1669         JIT*Generator was not using an operand register because it was proven to be a
1670         constant, compileMathIC and emitICFast were allocating a register for
1671         it. This was broken because mathIC->isLeftOperandValidConstant and
1672         mathIC->isLeftOperandValidConstant were being called before its Generator was
1673         properly initialized. We changed this mechanism to enable Generators to write
1674         their validConstant rules using the static methods isLeftOperandValidConstant(SnippetOperand)
1675         and isRightOperandValidConstant(SnippetOperand).
1676
1677         * dfg/DFGSpeculativeJIT.cpp:
1678         (JSC::DFG::SpeculativeJIT::compileMathIC):
1679         * jit/JITAddGenerator.h:
1680         (JSC::JITAddGenerator::JITAddGenerator):
1681         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1682         (JSC::JITAddGenerator::isRightOperandValidConstant):
1683         * jit/JITArithmetic.cpp:
1684         (JSC::JIT::emitMathICFast):
1685         * jit/JITMathIC.h:
1686         * jit/JITMulGenerator.h:
1687         (JSC::JITMulGenerator::JITMulGenerator):
1688         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1689         (JSC::JITMulGenerator::isRightOperandValidConstant):
1690         * jit/JITSubGenerator.h:
1691         (JSC::JITSubGenerator::isLeftOperandValidConstant):
1692         (JSC::JITSubGenerator::isRightOperandValidConstant):
1693
1694 2016-09-02  JF Bastien  <jfbastien@apple.com>
1695
1696         GetByValWithThis: fix opInfo in DFG creation
1697         https://bugs.webkit.org/show_bug.cgi?id=161541
1698
1699         Reviewed by Saam Barati.
1700
1701         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
1702
1703         * dfg/DFGByteCodeParser.cpp:
1704         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
1705
1706 2016-09-02  Chris Dumez  <cdumez@apple.com>
1707
1708         Object.preventExtensions() should throw cross-origin
1709         https://bugs.webkit.org/show_bug.cgi?id=161486
1710
1711         Reviewed by Geoffrey Garen.
1712
1713         Update JSProxy to forward preventExtensions() calls to its target.
1714
1715         * runtime/JSProxy.cpp:
1716         (JSC::JSProxy::preventExtensions):
1717         * runtime/JSProxy.h:
1718
1719 2016-09-02  Chris Dumez  <cdumez@apple.com>
1720
1721         Align proto getter / setter behavior with other browsers
1722         https://bugs.webkit.org/show_bug.cgi?id=161455
1723
1724         Reviewed by Mark Lam.
1725
1726         Drop allowsAccessFrom from the methodTable and delegate cross-origin
1727         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
1728         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
1729
1730         * jsc.cpp:
1731         * runtime/JSGlobalObject.cpp:
1732         * runtime/JSGlobalObject.h:
1733         * runtime/JSGlobalObjectFunctions.cpp:
1734         (JSC::globalFuncProtoGetter):
1735         (JSC::globalFuncProtoSetter):
1736         (JSC::globalFuncBuiltinLog): Deleted.
1737         * runtime/JSGlobalObjectFunctions.h:
1738         * runtime/JSObject.h:
1739         (JSC::JSObject::getArrayLength): Deleted.
1740         * runtime/JSProxy.cpp:
1741         (JSC::JSProxy::setPrototype):
1742         (JSC::JSProxy::getPrototype):
1743         * runtime/JSProxy.h:
1744         * runtime/ObjectConstructor.cpp:
1745         (JSC::objectConstructorGetPrototypeOf):
1746         (JSC::objectConstructorSetPrototypeOf):
1747         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
1748         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
1749         * runtime/ObjectConstructor.h:
1750         * runtime/ReflectObject.cpp:
1751         (JSC::reflectObjectGetPrototypeOf):
1752         (JSC::reflectObjectSetPrototypeOf):
1753
1754         * runtime/JSObject.cpp:
1755         (JSC::JSObject::setPrototypeWithCycleCheck):
1756         Comment out check added in r197648. This check was added to match
1757         the latest ECMAScript spec:
1758         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
1759         This check allowed for [[Prototype]] chain cycles if the prototype
1760         chain includes objects that do not use the ordinary object definitions
1761         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
1762         The issue is that the rest of our code base does not properly handle
1763         such cycles and we can end up in infinite loops. This became obvious
1764         because this patch updates Window / Location so that they no longer
1765         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
1766         comment out this check, I get an infinite loop in
1767         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
1768         called from JSObject::setPrototypeDirect(), when running the following
1769         layout test:
1770         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
1771         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
1772         issue.
1773
1774 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1775
1776         Add toJS for JSC::PrivateName
1777         https://bugs.webkit.org/show_bug.cgi?id=161522
1778
1779         Reviewed by Ryosuke Niwa.
1780
1781         Add the export annotation.
1782         We also refactor RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
1783         since PrivateName never holds a null SymbolImpl pointer. Along with this change,
1784         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
1785
1786         * runtime/Completion.cpp:
1787         (JSC::createSymbolForEntryPointModule):
1788         * runtime/IdentifierInlines.h:
1789         (JSC::Identifier::fromUid):
1790         * runtime/JSFunction.cpp:
1791         (JSC::JSFunction::setFunctionName):
1792         * runtime/PrivateName.h:
1793         (JSC::PrivateName::PrivateName):
1794         (JSC::PrivateName::uid): Ugly const_cast. But the const annotation is meaningless for SymbolImpl.
1795         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable,
1796         but most of the users (one of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
1797         (JSC::PrivateName::operator==):
1798         (JSC::PrivateName::operator!=):
1799         * runtime/PropertyName.h:
1800         (JSC::PropertyName::PropertyName):
1801         * runtime/Symbol.cpp:
1802         (JSC::Symbol::finishCreation):
1803         * runtime/Symbol.h:
1804         * runtime/SymbolConstructor.cpp:
1805         (JSC::symbolConstructorKeyFor):
1806
1807 2016-09-01  Dan Bernstein  <mitz@apple.com>
1808
1809         Build fix.
1810
1811         * Configurations/FeatureDefines.xcconfig:
1812
1813 2016-09-01  JF Bastien  <jfbastien@apple.com>
1814
1815         jsc: fix cmake build missing symbol getPropertySlot
1816         https://bugs.webkit.org/show_bug.cgi?id=161521
1817
1818         Reviewed by Saam Barati.
1819
1820         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
1821         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
1822
1823 2016-09-01  JF Bastien  <jfbastien@apple.com>
1824
1825         jsc: provide printErr()
1826         https://bugs.webkit.org/show_bug.cgi?id=161513
1827
1828         Reviewed by Mark Lam.
1829
1830         * jsc.cpp:
1831         (GlobalObject::finishCreation):
1832         (printInternal): renamed from functionPrint, add error checking
1833         (functionPrintStdOut): punt to printInternal
1834         (functionPrintStdErr): punt to printInternal
1835         (functionPrint): Deleted.
1836
1837 2016-09-01  Mark Lam  <mark.lam@apple.com>
1838
1839         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
1840         https://bugs.webkit.org/show_bug.cgi?id=161499
1841
1842         Reviewed by Saam Barati.
1843
1844         This is just a refactoring patch to move some inline functions to their Inlines.h
1845         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
1846         later.
1847
1848         * bindings/ScriptValue.cpp:
1849         * interpreter/Interpreter.cpp:
1850         * runtime/IntlDateTimeFormatPrototype.cpp:
1851         * runtime/IntlNumberFormatPrototype.cpp:
1852         * runtime/JSArray.cpp:
1853         * runtime/JSArray.h:
1854         (JSC::getLength): Deleted.
1855         (JSC::toLength): Deleted.
1856         * runtime/JSArrayInlines.h:
1857         (JSC::JSArray::mergeIndexingTypeForCopying):
1858         (JSC::JSArray::canFastCopy):
1859         (JSC::getLength):
1860         (JSC::toLength):
1861         * runtime/JSInternalPromise.cpp:
1862         * runtime/JSInternalPromiseDeferred.cpp:
1863         * runtime/JSJob.cpp:
1864         * runtime/JSModuleRecord.cpp:
1865         * runtime/JSObject.h:
1866         (JSC::JSObject::getPropertySlot): Deleted.
1867         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
1868         * runtime/JSObjectInlines.h:
1869         (JSC::JSObject::getPropertySlot):
1870         (JSC::JSObject::getNonIndexPropertySlot):
1871         * runtime/JSPromiseDeferred.cpp:
1872         * runtime/JSTypedArrayViewPrototype.cpp:
1873         * runtime/MapConstructor.cpp:
1874         * runtime/SamplingProfiler.cpp:
1875         * runtime/SetConstructor.cpp:
1876         * runtime/WeakMapConstructor.cpp:
1877         * runtime/WeakSetConstructor.cpp:
1878
1879 2016-09-01  JF Bastien  <jfbastien@apple.com>
1880
1881         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
1882         https://bugs.webkit.org/show_bug.cgi?id=160922
1883
1884         Reviewed by Keith Miller.
1885
1886         Add value profiling to GetBy{Id,Val}WithThis.
1887
1888         * bytecode/BytecodeList.json:
1889         * bytecode/CodeBlock.cpp:
1890         (JSC::CodeBlock::dumpBytecode):
1891         (JSC::CodeBlock::finishCreation):
1892         * bytecompiler/BytecodeGenerator.cpp:
1893         (JSC::BytecodeGenerator::emitGetById):
1894         (JSC::BytecodeGenerator::emitGetByVal):
1895         * dfg/DFGByteCodeParser.cpp:
1896         (JSC::DFG::ByteCodeParser::parseBlock):
1897         * dfg/DFGNode.h:
1898         (JSC::DFG::Node::hasHeapPrediction):
1899         * dfg/DFGPredictionPropagationPhase.cpp:
1900         * llint/LowLevelInterpreter.asm:
1901         * runtime/CommonSlowPaths.cpp:
1902         (JSC::SLOW_PATH_DECL):
1903
1904 2016-09-01  Keith Miller  <keith_miller@apple.com>
1905
1906         WASM functions should be able to use arguments
1907         https://bugs.webkit.org/show_bug.cgi?id=161471
1908
1909         Reviewed by Benjamin Poulain.
1910
1911         This patch does a couple of changes:
1912
1913         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additionally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
1914
1915         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0. Since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
1916
1917         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
1918
1919         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
1920         (JSC::B3::jscCallingConvention):
1921         * B3CallingConventions.h: Added.
1922         (JSC::B3::CallingConvention::CallingConvention):
1923         (JSC::B3::CallingConvention::iterate):
1924         (JSC::B3::nextJSCOffset):
1925         * JavaScriptCore.xcodeproj/project.pbxproj:
1926         * interpreter/ProtoCallFrame.h:
1927         * llint/LLIntThunks.cpp:
1928         (JSC::vmEntryToWASM):
1929         * llint/LLIntThunks.h:
1930         * testWASM.cpp:
1931         (invoke):
1932         (box):
1933         (runWASMTests):
1934         * wasm/WASMB3IRGenerator.cpp:
1935         (JSC::WASM::B3IRGenerator::addLocal):
1936         (JSC::WASM::B3IRGenerator::addArguments):
1937         (JSC::WASM::B3IRGenerator::getLocal):
1938         * wasm/WASMFormat.h:
1939         * wasm/WASMFunctionParser.h:
1940         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1941         (JSC::WASM::FunctionParser<Context>::parseExpression):
1942         * wasm/WASMModuleParser.cpp:
1943         (JSC::WASM::ModuleParser::parseFunctionTypes):
1944         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1945         * wasm/WASMModuleParser.h:
1946         * wasm/WASMOps.h:
1947
1948 2016-09-01  Keith Miller  <keith_miller@apple.com>
1949
1950         Rename WASM classes dropping the WASM prefix
1951         https://bugs.webkit.org/show_bug.cgi?id=161500
1952
1953         Reviewed by Mark Lam.
1954
1955         Having to write WASM::WASMModule seems silly. Also, this patch
1956         merges WASMFunctionReturnType and WASMValueType into one type
1957         that is a typedef of B3::Type. Using B3::Type as the WASM
1958         primitive type makes it trivial to convert a Vector of WASM
1959         types into a Vector of B3 types.
1960
1961         * b3/B3Type.h:
1962         * wasm/JSWASMModule.h:
1963         (JSC::JSWASMModule::signatures):
1964         (JSC::JSWASMModule::functionImports):
1965         (JSC::JSWASMModule::functionImportSignatures):
1966         (JSC::JSWASMModule::globalVariableTypes):
1967         (JSC::JSWASMModule::functionDeclarations):
1968         (JSC::JSWASMModule::functionPointerTables):
1969         * wasm/WASMB3IRGenerator.cpp:
1970         (JSC::WASM::toB3Op):
1971         (JSC::WASM::B3IRGenerator::addLocal):
1972         (JSC::WASM::B3IRGenerator::unaryOp):
1973         (JSC::WASM::B3IRGenerator::binaryOp):
1974         (JSC::WASM::B3IRGenerator::addConstant):
1975         (JSC::WASM::parseAndCompile):
1976         * wasm/WASMB3IRGenerator.h:
1977         * wasm/WASMFormat.h:
1978         * wasm/WASMFunctionParser.h:
1979         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1980         (JSC::WASM::FunctionParser<Context>::parse):
1981         (JSC::WASM::FunctionParser<Context>::parseBlock):
1982         (JSC::WASM::FunctionParser<Context>::parseExpression):
1983         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
1984         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
1985         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
1986         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
1987         * wasm/WASMModuleParser.cpp:
1988         (JSC::WASM::ModuleParser::parse):
1989         (JSC::WASM::ModuleParser::parseFunctionTypes):
1990         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1991         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
1992         (JSC::WASM::WASMModuleParser::parse): Deleted.
1993         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
1994         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
1995         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
1996         * wasm/WASMModuleParser.h:
1997         (JSC::WASM::ModuleParser::ModuleParser):
1998         (JSC::WASM::ModuleParser::functionInformation):
1999         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
2000         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
2001         * wasm/WASMOps.h:
2002         * wasm/WASMParser.h:
2003         (JSC::WASM::Parser::Parser):
2004         (JSC::WASM::Parser::consumeCharacter):
2005         (JSC::WASM::Parser::consumeString):
2006         (JSC::WASM::Parser::parseUInt32):
2007         (JSC::WASM::Parser::parseUInt7):
2008         (JSC::WASM::Parser::parseVarUInt1):
2009         (JSC::WASM::Parser::parseValueType):
2010         (JSC::WASM::WASMParser::WASMParser): Deleted.
2011         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
2012         (JSC::WASM::WASMParser::consumeString): Deleted.
2013         (JSC::WASM::WASMParser::parseUInt32): Deleted.
2014         (JSC::WASM::WASMParser::parseUInt7): Deleted.
2015         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
2016         (JSC::WASM::WASMParser::parseValueType): Deleted.
2017         * wasm/WASMPlan.cpp:
2018         (JSC::WASM::Plan::Plan):
2019         * wasm/WASMSections.cpp:
2020         (JSC::WASM::Sections::lookup):
2021         (JSC::WASM::WASMSections::lookup): Deleted.
2022         * wasm/WASMSections.h:
2023         (JSC::WASM::Sections::validateOrder):
2024         (JSC::WASM::WASMSections::validateOrder): Deleted.
2025
2026 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
2027
2028         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
2029         https://bugs.webkit.org/show_bug.cgi?id=161492
2030
2031         Reviewed by Mark Lam.
2032         
2033         If you materialize a sunken object that is referenced from another sunken object, then you
2034         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
2035         object rather than to the old sunken one.
2036         
2037         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
2038         did it when the PromotedLocationDescriptor for the field used for referring to the other
2039         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
2040         I can sort of imagine why we thought that would be right - neededForMaterialization() means
2041         it's a special meta-data field initialized on construction. But just because it's immutable
2042         and special doesn't mean that materialization can't change its physical representation.
2043         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
2044         regress anything.
2045
2046         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2047
2048 2016-09-01  Chris Dumez  <cdumez@apple.com>
2049
2050         Unreviewed, rolling out r205297.
2051
2052         Caused some JSC test failures
2053
2054         Reverted changeset:
2055
2056         "Align cross-origin proto getter / setter behavior with the
2057         specification"
2058         https://bugs.webkit.org/show_bug.cgi?id=161455
2059         http://trac.webkit.org/changeset/205297
2060
2061 2016-09-01  Chris Dumez  <cdumez@apple.com>
2062
2063         Align cross-origin proto getter / setter behavior with the specification
2064         https://bugs.webkit.org/show_bug.cgi?id=161455
2065
2066         Reviewed by Mark Lam.
2067
2068         Align cross-origin proto getter / setter behavior with the specification:
2069
2070         The setter should throw a TypeError:
2071         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
2072         - https://html.spec.whatwg.org/#location-setprototypeof
2073         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
2074
2075         The getter should return null:
2076         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
2077         - https://html.spec.whatwg.org/#location-getprototypeof
2078
2079         I have verified that this aligns our behavior with Firefox and Chrome.
2080
2081         * runtime/JSGlobalObjectFunctions.cpp:
2082         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2083         (JSC::globalFuncProtoSetter):
2084
2085 2016-09-01  Csaba Osztrogonác  <ossy@webkit.org>
2086
2087         Unreviewed ARM buildfix after r205283.
2088
2089         * assembler/ARMAssembler.h:
2090         (JSC::ARMAssembler::patchableJumpSize):
2091         * assembler/MacroAssemblerARM.h:
2092         (JSC::MacroAssemblerARM::patchableJumpSize):
2093
2094 2016-09-01  Saam Barati  <sbarati@apple.com>
2095
2096         JITMathIC was misusing maxJumpReplacementSize
2097         https://bugs.webkit.org/show_bug.cgi?id=161356
2098         <rdar://problem/28065560>
2099
2100         Reviewed by Benjamin Poulain.
2101
2102         JITMathIC was assuming that maxJumpReplacementSize is the size
2103         you'd get if you emitted a patchableJump() using the macro assembler.
2104         This is not true, however. It happens to be true on arm64, x86 and x86-64;
2105         however, it is not true on armv7. This patch introduces an alternative to
2106         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
2107         to use that number instead.
2108
2109         * assembler/ARM64Assembler.h:
2110         (JSC::ARM64Assembler::patchableJumpSize):
2111         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
2112         * assembler/ARMv7Assembler.h:
2113         (JSC::ARMv7Assembler::patchableJumpSize):
2114         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
2115         * assembler/MacroAssemblerARM64.h:
2116         (JSC::MacroAssemblerARM64::patchableJumpSize):
2117         * assembler/MacroAssemblerARMv7.h:
2118         (JSC::MacroAssemblerARMv7::patchableJumpSize):
2119         * assembler/MacroAssemblerX86Common.h:
2120         (JSC::MacroAssemblerX86Common::patchableJumpSize):
2121         * assembler/X86Assembler.h:
2122         (JSC::X86Assembler::patchableJumpSize):
2123         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
2124         * jit/JITMathIC.h:
2125         (JSC::JITMathIC::generateInline):
2126
2127 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2128
2129         [JSC] Add initiator parameter to module pipeline
2130         https://bugs.webkit.org/show_bug.cgi?id=161470
2131
2132         Reviewed by Saam Barati.
2133
2134         The fetching semantics of the <script type="module"> tag have a per-module-tag context.
2135         For example, the "nonce", "crossorigin", etc. attributes are shared by the fetch requests
2136         issued from the module tag. To transfer this information, we add a new parameter "initiator"
2137         to the module loader pipeline. We are planning to transfer information by this parameter.
2138
2139         At the same time, we also perform some clean up.
2140
2141         - Use arrow function in ModuleLoaderPrototype.js.
2142         - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.
2143
2144         * builtins/ModuleLoaderPrototype.js:
2145         (newRegistryEntry):
2146         (commitInstantiated):
2147         (requestFetch):
2148         (requestTranslate):
2149         (requestInstantiate):
2150         (requestSatisfy):
2151         (requestInstantiateAll):
2152         (requestLink):
2153         (moduleEvaluation):
2154         (provide):
2155         (loadAndEvaluateModule):
2156         (requestResolveDependencies.): Deleted.
2157         (requestResolveDependencies): Deleted.
2158         (requestReady): Deleted.
2159         (link): Deleted.
2160         (loadModule): Deleted.
2161         (linkAndEvaluateModule): Deleted.
2162         * bytecode/BytecodeIntrinsicRegistry.cpp:
2163         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2164         * bytecode/BytecodeIntrinsicRegistry.h:
2165         * jsc.cpp:
2166         (GlobalObject::moduleLoaderResolve):
2167         (GlobalObject::moduleLoaderFetch):
2168         * runtime/Completion.cpp:
2169         (JSC::loadAndEvaluateModule):
2170         (JSC::loadModule):
2171         (JSC::linkAndEvaluateModule):
2172         * runtime/Completion.h:
2173         * runtime/JSGlobalObject.h:
2174         * runtime/JSModuleLoader.cpp:
2175         (JSC::JSModuleLoader::loadAndEvaluateModule):
2176         (JSC::JSModuleLoader::loadModule):
2177         (JSC::JSModuleLoader::linkAndEvaluateModule):
2178         (JSC::JSModuleLoader::resolve):
2179         (JSC::JSModuleLoader::fetch):
2180         (JSC::JSModuleLoader::translate):
2181         (JSC::JSModuleLoader::instantiate):
2182         (JSC::JSModuleLoader::evaluate):
2183         * runtime/JSModuleLoader.h:
2184         * runtime/ModuleLoaderPrototype.cpp:
2185         (JSC::moduleLoaderPrototypeResolve):
2186         (JSC::moduleLoaderPrototypeFetch):
2187         (JSC::moduleLoaderPrototypeTranslate):
2188         (JSC::moduleLoaderPrototypeInstantiate):
2189         (JSC::moduleLoaderPrototypeEvaluate):
2190
2191 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2192
2193         [JSC] linking and evaluating the modules are done in a sync manner
2194         https://bugs.webkit.org/show_bug.cgi?id=161467
2195
2196         Reviewed by Saam Barati.
2197
2198         While the fetching and the other stages are done in an asynchronous manner,
2199         linking and evaluating are done in a sync manner.
2200         Just return the result value and do not wrap them with the internal promise.
2201
2202         * builtins/ModuleLoaderPrototype.js:
2203         (linkAndEvaluateModule):
2204         * runtime/Completion.cpp:
2205         (JSC::linkAndEvaluateModule):
2206         * runtime/Completion.h:
2207         * runtime/JSModuleLoader.cpp:
2208         (JSC::JSModuleLoader::linkAndEvaluateModule):
2209         * runtime/JSModuleLoader.h:
2210
2211 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2212
2213         stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
2214         https://bugs.webkit.org/show_bug.cgi?id=161436
2215
2216         Reviewed by Filip Pizlo.
2217
2218         * jsc.cpp:
2219         (GlobalObject::finishCreation):
2220         (functionGetRandomSeed):
2221         (functionSetRandomSeed):
2222         * runtime/JSGlobalObject.h:
2223         (JSC::JSGlobalObject::weakRandom):
2224         (JSC::JSGlobalObject::weakRandomInteger): Deleted.
2225
2226 2016-08-31  Chris Dumez  <cdumez@apple.com>
2227
2228         Object.getPrototypeOf() should return null cross-origin
2229         https://bugs.webkit.org/show_bug.cgi?id=161393
2230
2231         Reviewed by Geoffrey Garen.
2232
2233         Object.getPrototypeOf() should return null cross-origin:
2234         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
2235         - https://html.spec.whatwg.org/#location-getprototypeof
2236
2237         Firefox and Chrome return null. However, WebKit was returning undefined.
2238
2239         * runtime/ObjectConstructor.cpp:
2240         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2241
2242 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2243
2244         [JSC] AbstractValue can contain padding which is not zero-filled
2245         https://bugs.webkit.org/show_bug.cgi?id=161427
2246
2247         Reviewed by Saam Barati.
2248
2249         We checked that AbstractValue is zero-filled when initializing it to ensure
2250         that zero-filled memory can be used as the initialized AbstractValue.
2251         However, since the size of SpeculatedType became 64-bit, AbstractValue can have
2252         padding now. And this padding is not guaranteed to be initialized with zeros.
2253         So debug assertion fails when building with GCC.
2254
2255         This patch changes the strategy. Instead of checking the initialized
2256         AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
2257         considered to be equal to the initialized AbstractValue.
2258
2259         * dfg/DFGAbstractValue.cpp:
2260         (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
2261         * dfg/DFGAbstractValue.h:
2262         (JSC::DFG::AbstractValue::AbstractValue):
2263
2264 2016-08-31  Brady Eidson  <beidson@apple.com>
2265
2266         WK2 Gamepad provider on iOS.
2267         https://bugs.webkit.org/show_bug.cgi?id=161412
2268
2269         Reviewed by Tim Horton.
2270
2271         * Configurations/FeatureDefines.xcconfig:
2272
2273 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
2274
2275         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
2276         https://bugs.webkit.org/show_bug.cgi?id=161410
2277
2278         Reviewed by Geoffrey Garen.
2279
2280         * dfg/DFGFixupPhase.cpp:
2281         (JSC::DFG::FixupPhase::fixupNode):
2282         DoubleRep is able to convert numbers, undefined, booleans and null.
2283         I was too pessimistic when I gated the double implementations
2284         on number-or-boolean speculation. We can just let DoubleRep convert
2285         the other cases as long as it is not a Cell.
2286
2287 2016-08-30  Chris Dumez  <cdumez@apple.com>
2288
2289         Unreviewed, fix build after r205205.
2290
2291         * runtime/ObjectConstructor.cpp:
2292         (JSC::objectConstructorSetPrototypeOf):
2293
2294 2016-08-30  Chris Dumez  <cdumez@apple.com>
2295
2296         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
2297         https://bugs.webkit.org/show_bug.cgi?id=161396
2298
2299         Reviewed by Ryosuke Niwa.
2300
2301         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
2302         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
2303         - https://html.spec.whatwg.org/#location-setprototypeof
2304         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
2305
2306         Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
2307
2308         Note that technically, we should also throw in the same origin case.
2309         However, not all browsers agree on this yet, so I haven't changed
2310         the behavior for the same origin case.
2311
2312         * runtime/ObjectConstructor.cpp:
2313         (JSC::objectConstructorSetPrototypeOf):
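
        The three Chris Dumez entries above (bugs 161393, 161396 and 161455) describe the
        spec'd cross-origin behaviour of Object.getPrototypeOf and Object.setPrototypeOf on
        Window / Location objects. What follows is an added example, not WebKit's code and not
        the patch itself: it models the HTML spec's WindowProxy [[GetPrototypeOf]] and
        [[SetPrototypeOf]] algorithms with a Proxy so the behaviour can be exercised in a plain
        JavaScript engine such as Node, including the step-5 TypeError and the same-origin
        immutable-prototype case the last entry mentions. `WindowPrototype` and the
        `currentOrigin.value` bookkeeping are constructed stand-ins for Window.prototype and
        for the origin of the running script; a real cross-origin window also restricts
        ordinary property access, which this model does not attempt.

```javascript
// Added example (not WebKit's code): a Proxy-based model of the HTML spec's
// WindowProxy [[GetPrototypeOf]] and [[SetPrototypeOf]] internal methods, so
// that Object.getPrototypeOf / Object.setPrototypeOf exercise the same steps
// they would on a real cross-origin window. Assumptions of this model:
// `WindowPrototype` stands in for Window.prototype, and `currentOrigin.value`
// stands in for the origin of the currently running script.

const WindowPrototype = {
  describe() { return "Window.prototype (constructed stand-in)"; },
};

function makeWindowProxy(ownOrigin, currentOrigin) {
  const target = Object.create(WindowPrototype);
  const sameOrigin = () => currentOrigin.value === ownOrigin;

  return new Proxy(target, {
    // https://html.spec.whatwg.org/#windowproxy-getprototypeof
    // Same-origin: OrdinaryGetPrototypeOf(W). Cross-origin: null, so the
    // other origin cannot reach Window.prototype through the proxy.
    getPrototypeOf(t) {
      return sameOrigin() ? Reflect.getPrototypeOf(t) : null;
    },

    // https://html.spec.whatwg.org/#windowproxy-setprototypeof
    // SetImmutablePrototype(W, V): true iff V is already the prototype that
    // [[GetPrototypeOf]] reports, otherwise false. Object.setPrototypeOf
    // converts a false result into a TypeError (ecma262, step 5), which is
    // the behaviour the entries above align WebKit with.
    setPrototypeOf(t, v) {
      const current = sameOrigin() ? Reflect.getPrototypeOf(t) : null;
      return Object.is(v, current);
    },
  });
}

// Exercise the three observable behaviours on a window proxy and return them
// so they can be checked rather than just printed.
function probe(win) {
  const proto = Object.getPrototypeOf(win);

  let setOtherThrewTypeError = false;
  try {
    Object.setPrototypeOf(win, {});
  } catch (e) {
    setOtherThrewTypeError = e instanceof TypeError;
  }

  // Reflect.setPrototypeOf reports the raw boolean from [[SetPrototypeOf]]
  // instead of throwing, so it shows the SetImmutablePrototype result directly.
  const setSameOk = Reflect.setPrototypeOf(win, proto);

  return { proto, setOtherThrewTypeError, setSameOk };
}

function demo() {
  const currentOrigin = { value: "https://a.example" };
  const win = makeWindowProxy("https://a.example", currentOrigin);

  const sameOrigin = probe(win);        // script in a.example inspects its own window
  currentOrigin.value = "https://b.example";
  const crossOrigin = probe(win);       // script in b.example inspects a.example's window

  return { sameOrigin, crossOrigin };
}

const results = demo();
console.log("same-origin:", results.sameOrigin.proto === WindowPrototype,
            results.sameOrigin.setOtherThrewTypeError, results.sameOrigin.setSameOk);
console.log("cross-origin:", results.crossOrigin.proto,
            results.crossOrigin.setOtherThrewTypeError, results.crossOrigin.setSameOk);
```

        Two things the model makes visible: cross-origin, the only value that
        Object.setPrototypeOf accepts is null, because null is what [[GetPrototypeOf]] reports,
        and every other value produces the TypeError; same-origin, the same SetImmutablePrototype
        rule also rejects any prototype other than the current one, which is the case the entry
        notes WebKit deliberately leaves unchanged for now.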
2314
2315 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
2316
2317         [JSC] Clean up the remaining compare nodes in FTLCapabilities
2318         https://bugs.webkit.org/show_bug.cgi?id=161400
2319
2320         Reviewed by Geoffrey Garen.
2321
2322         It looks like we implemented all the cases without realizing it.
2323
2324         * ftl/FTLCapabilities.cpp:
2325         (JSC::FTL::canCompile):
2326         * ftl/FTLLowerDFGToB3.cpp:
2327         (JSC::FTL::DFG::LowerDFGToB3::compare):
2328
2329 2016-08-30  Mark Lam  <mark.lam@apple.com>
2330
2331         Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
2332         https://bugs.webkit.org/show_bug.cgi?id=161171
2333
2334         Reviewed by Filip Pizlo and Geoffrey Garen.
2335
2336         This is the first step towards having a mechanism (using the ThrowScope) to
2337         verify that we're properly checking for exceptions in all the needed places.
2338         See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.
2339
2340         This patch only introduces the ThrowScope, and changes all throw sites to throw
2341         using a ThrowScope instance.  VM::throwException() functions are now private, and
2342         cannot be accessed directly.  All throws must now go through a ThrowScope.
2343
2344         Verification is disabled for the moment until we can fix all the verification
2345         failures that will show up.
2346
2347         I also did a smoke test of the ThrowScope mechanisms by running verification on
2348         the JSTests/stress/op-add-exceptions.js test with a local build with verification
2349         turned on.
2350
2351         Performance is neutral on aggregate with this patch.
2352
2353         Misc other changes:
2354         - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
2355         - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.
2356
2357         * API/APICallbackFunction.h:
2358         (JSC::APICallbackFunction::call):
2359         (JSC::APICallbackFunction::construct):
2360         * API/JSCallbackObjectFunctions.h:
2361         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2362         (JSC::JSCallbackObject<Parent>::defaultValue):
2363         (JSC::JSCallbackObject<Parent>::put):
2364         (JSC::JSCallbackObject<Parent>::putByIndex):
2365         (JSC::JSCallbackObject<Parent>::deleteProperty):
2366         (JSC::JSCallbackObject<Parent>::construct):
2367         (JSC::JSCallbackObject<Parent>::customHasInstance):
2368         (JSC::JSCallbackObject<Parent>::call):
2369         (JSC::JSCallbackObject<Parent>::getStaticValue):
2370         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2371         (JSC::JSCallbackObject<Parent>::callbackGetter):
2372         * API/JSTypedArray.cpp:
2373         (createTypedArray):
2374         * CMakeLists.txt:
2375         * JavaScriptCore.xcodeproj/project.pbxproj:
2376         * dfg/DFGOperations.cpp:
2377         (JSC::DFG::newTypedArrayWithSize):
2378         * inspector/JSInjectedScriptHost.cpp:
2379         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2380         * inspector/JSInjectedScriptHostPrototype.cpp:
2381         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
2382         (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
2383         (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
2384         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
2385         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
2386         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
2387         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
2388         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
2389         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
2390         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
2391         (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
2392         (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
2393         * inspector/JSJavaScriptCallFrame.cpp:
2394         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2395         * inspector/JSJavaScriptCallFramePrototype.cpp:
2396         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
2397         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2398         (Inspector::jsJavaScriptCallFrameAttributeCaller):
2399         (Inspector::jsJavaScriptCallFrameAttributeSourceID):
2400         (Inspector::jsJavaScriptCallFrameAttributeLine):
2401         (Inspector::jsJavaScriptCallFrameAttributeColumn):
2402         (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
2403         (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
2404         (Inspector::jsJavaScriptCallFrameAttributeThisObject):
2405         (Inspector::jsJavaScriptCallFrameAttributeType):
2406         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
2407         * interpreter/CachedCall.h:
2408         (JSC::CachedCall::CachedCall):
2409         * interpreter/Interpreter.cpp:
2410         (JSC::eval):
2411         (JSC::sizeOfVarargs):
2412         (JSC::sizeFrameForForwardArguments):
2413         (JSC::sizeFrameForVarargs):
2414         (JSC::Interpreter::execute):
2415         (JSC::Interpreter::executeCall):
2416         (JSC::Interpreter::executeConstruct):
2417         (JSC::Interpreter::prepareForRepeatCall):
2418         * jit/JITOperations.cpp:
2419         * jsc.cpp:
2420         (WTF::CustomGetter::customGetter):
2421         (WTF::RuntimeArray::lengthGetter):
2422         (functionCreateElement):
2423         (functionRun):
2424         (functionRunString):
2425         (functionLoad):
2426         (functionLoadString):
2427         (functionReadFile):
2428         (functionCheckSyntax):
2429         (functionTransferArrayBuffer):
2430         (functionLoadModule):
2431         (functionCheckModuleSyntax):
2432         (functionSamplingProfilerStackTraces):
2433         * llint/LLIntSlowPaths.cpp:
2434         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2435         (JSC::LLInt::getByVal):
2436         (JSC::LLInt::handleHostCall):
2437         (JSC::LLInt::setUpCall):
2438         (JSC::LLInt::llint_throw_stack_overflow_error):
2439         * runtime/ArrayConstructor.cpp:
2440         (JSC::constructArrayWithSizeQuirk):
2441         * runtime/ArrayConstructor.h:
2442         (JSC::isArray):
2443         * runtime/ArrayPrototype.cpp:
2444         (JSC::shift):
2445         (JSC::unshift):
2446         (JSC::arrayProtoFuncToString):
2447         (JSC::arrayProtoFuncPop):
2448         (JSC::arrayProtoFuncReverse):
2449         (JSC::arrayProtoFuncSplice):
2450         (JSC::concatAppendOne):
2451         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2452         * runtime/BooleanPrototype.cpp:
2453         (JSC::booleanProtoFuncToString):
2454         (JSC::booleanProtoFuncValueOf):
2455         * runtime/CommonSlowPaths.cpp:
2456         * runtime/CommonSlowPaths.h:
2457         (JSC::CommonSlowPaths::opIn):
2458         * runtime/CommonSlowPathsExceptions.cpp:
2459         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2460         * runtime/ConstructData.cpp:
2461         (JSC::construct):
2462         * runtime/DatePrototype.cpp:
2463         (JSC::formateDateInstance):
2464         (JSC::dateProtoFuncToISOString):
2465         (JSC::dateProtoFuncToLocaleString):
2466         (JSC::dateProtoFuncToLocaleDateString):
2467         (JSC::dateProtoFuncToLocaleTimeString):
2468         (JSC::dateProtoFuncToPrimitiveSymbol):
2469         (JSC::dateProtoFuncGetTime):
2470         (JSC::dateProtoFuncGetFullYear):
2471         (JSC::dateProtoFuncGetUTCFullYear):
2472         (JSC::dateProtoFuncGetMonth):
2473         (JSC::dateProtoFuncGetUTCMonth):
2474         (JSC::dateProtoFuncGetDate):
2475         (JSC::dateProtoFuncGetUTCDate):
2476         (JSC::dateProtoFuncGetDay):
2477         (JSC::dateProtoFuncGetUTCDay):
2478         (JSC::dateProtoFuncGetHours):
2479         (JSC::dateProtoFuncGetUTCHours):
2480         (JSC::dateProtoFuncGetMinutes):
2481         (JSC::dateProtoFuncGetUTCMinutes):
2482         (JSC::dateProtoFuncGetSeconds):
2483         (JSC::dateProtoFuncGetUTCSeconds):
2484         (JSC::dateProtoFuncGetMilliSeconds):
2485         (JSC::dateProtoFuncGetUTCMilliseconds):
2486         (JSC::dateProtoFuncGetTimezoneOffset):
2487         (JSC::dateProtoFuncSetTime):
2488         (JSC::setNewValueFromTimeArgs):
2489         (JSC::setNewValueFromDateArgs):
2490         (JSC::dateProtoFuncSetYear):
2491         (JSC::dateProtoFuncGetYear):
2492         (JSC::dateProtoFuncToJSON):
2493         * runtime/Error.cpp:
2494         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2495         (JSC::throwTypeError):
2496         (JSC::throwSyntaxError):
2497         * runtime/Error.h:
2498         (JSC::throwRangeError):
2499         (JSC::throwVMError):
2500         (JSC::throwVMTypeError):
2501         (JSC::throwVMRangeError):
2502         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2503         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2504         * runtime/ErrorPrototype.cpp:
2505         (JSC::errorProtoFuncToString):
2506         * runtime/ExceptionFuzz.cpp:
2507         (JSC::doExceptionFuzzing):
2508         * runtime/ExceptionHelpers.cpp:
2509         (JSC::throwOutOfMemoryError):
2510         (JSC::throwStackOverflowError):
2511         (JSC::throwTerminatedExecutionException):
2512         * runtime/ExceptionHelpers.h:
2513         * runtime/Executable.cpp:
2514         (JSC::ScriptExecutable::newCodeBlockFor):
2515         (JSC::EvalExecutable::create):
2516         * runtime/FunctionConstructor.cpp:
2517         (JSC::constructFunction):
2518         (JSC::constructFunctionSkippingEvalEnabledCheck):
2519         * runtime/FunctionPrototype.cpp:
2520         (JSC::functionProtoFuncToString):
2521         (JSC::functionProtoFuncBind):
2522         * runtime/GetterSetter.cpp:
2523         (JSC::callSetter):
2524         * runtime/IntlCollator.cpp:
2525         (JSC::IntlCollator::compareStrings):
2526         * runtime/IntlCollatorPrototype.cpp:
2527         (JSC::IntlCollatorPrototypeGetterCompare):
2528         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2529         * runtime/IntlDateTimeFormat.cpp:
2530         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2531         (JSC::IntlDateTimeFormat::format):
2532         * runtime/IntlDateTimeFormatPrototype.cpp:
2533         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2534         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2535         * runtime/IntlNumberFormat.cpp:
2536         (JSC::IntlNumberFormat::initializeNumberFormat):
2537         (JSC::IntlNumberFormat::formatNumber):
2538         * runtime/IntlNumberFormatPrototype.cpp:
2539         (JSC::IntlNumberFormatPrototypeGetterFormat):
2540         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2541         * runtime/IntlObject.cpp:
2542         (JSC::intlStringOption):
2543         (JSC::intlNumberOption):
2544         (JSC::canonicalizeLocaleList):
2545         (JSC::lookupSupportedLocales):
2546         * runtime/IteratorOperations.cpp:
2547         (JSC::iteratorNext):
2548         (JSC::iteratorClose):
2549         (JSC::createIteratorResultObject):
2550         (JSC::iteratorForIterable):
2551         * runtime/JSArray.cpp:
2552         (JSC::JSArray::defineOwnProperty):
2553         (JSC::JSArray::put):
2554         (JSC::JSArray::appendMemcpy):
2555         (JSC::JSArray::setLength):
2556         (JSC::JSArray::pop):
2557         (JSC::JSArray::push):
2558         (JSC::JSArray::unshiftCountWithArrayStorage):
2559         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2560         * runtime/JSArrayBufferConstructor.cpp:
2561         (JSC::constructArrayBuffer):
2562         (JSC::callArrayBuffer):
2563         * runtime/JSArrayBufferPrototype.cpp:
2564         (JSC::arrayBufferProtoFuncSlice):
2565         * runtime/JSCInlines.h:
2566         * runtime/JSCJSValue.cpp:
2567         (JSC::JSValue::toObjectSlowCase):
2568         (JSC::JSValue::synthesizePrototype):
2569         (JSC::JSValue::putToPrimitive):
2570         (JSC::JSValue::putToPrimitiveByIndex):
2571         (JSC::JSValue::toStringSlowCase):
2572         * runtime/JSCJSValueInlines.h:
2573         (JSC::toPreferredPrimitiveType):
2574         (JSC::JSValue::requireObjectCoercible):
2575         * runtime/JSDataView.cpp:
2576         (JSC::JSDataView::create):
2577         * runtime/JSDataViewPrototype.cpp:
2578         (JSC::getData):
2579         (JSC::setData):
2580         (JSC::dataViewProtoGetterBuffer):
2581         (JSC::dataViewProtoGetterByteLength):
2582         (JSC::dataViewProtoGetterByteOffset):
2583         * runtime/JSFunction.cpp:
2584         (JSC::callHostFunctionAsConstructor):
2585         (JSC::JSFunction::callerGetter):
2586         (JSC::JSFunction::put):
2587         (JSC::JSFunction::defineOwnProperty):
2588         * runtime/JSGenericTypedArrayView.h:
2589         (JSC::JSGenericTypedArrayView::setIndex):
2590         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2591         (JSC::constructGenericTypedArrayViewFromIterator):
2592         (JSC::constructGenericTypedArrayViewWithArguments):
2593         (JSC::constructGenericTypedArrayView):
2594         (JSC::callGenericTypedArrayView):
2595         * runtime/JSGenericTypedArrayViewInlines.h:
2596         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2597         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2598         (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
2599         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
2600         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2601         (JSC::speciesConstruct):
2602         (JSC::genericTypedArrayViewProtoFuncSet):
2603         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2604         (JSC::genericTypedArrayViewProtoFuncIncludes):
2605         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2606         (JSC::genericTypedArrayViewProtoFuncJoin):
2607         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2608         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
2609         (JSC::genericTypedArrayViewProtoGetterFuncLength):
2610         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
2611         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
2612         (JSC::genericTypedArrayViewProtoFuncReverse):
2613         (JSC::genericTypedArrayViewPrivateFuncSort):
2614         (JSC::genericTypedArrayViewProtoFuncSlice):
2615         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2616         * runtime/JSGlobalObject.cpp:
2617         (JSC::JSGlobalObject::createEvalCodeBlock):
2618         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2619         * runtime/JSGlobalObjectFunctions.cpp:
2620         (JSC::encode):
2621         (JSC::decode):
2622         (JSC::globalFuncEval):
2623         (JSC::globalFuncThrowTypeError):
2624         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
2625         (JSC::globalFuncProtoGetter):
2626         (JSC::globalFuncProtoSetter):
2627         * runtime/JSModuleEnvironment.cpp:
2628         (JSC::JSModuleEnvironment::put):
2629         * runtime/JSModuleNamespaceObject.cpp:
2630         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2631         (JSC::JSModuleNamespaceObject::put):
2632         (JSC::JSModuleNamespaceObject::putByIndex):
2633         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2634         (JSC::moduleNamespaceObjectSymbolIterator):
2635         * runtime/JSModuleRecord.cpp:
2636         (JSC::JSModuleRecord::getModuleNamespace):
2637         (JSC::JSModuleRecord::link):
2638         (JSC::JSModuleRecord::instantiateDeclarations):
2639         * runtime/JSONObject.cpp:
2640         (JSC::Stringifier::appendStringifiedValue):
2641         (JSC::Walker::walk):
2642         (JSC::JSONProtoFuncParse):
2643         (JSC::JSONProtoFuncStringify):
2644         * runtime/JSObject.cpp:
2645         (JSC::JSObject::setPrototypeWithCycleCheck):
2646         (JSC::callToPrimitiveFunction):
2647         (JSC::JSObject::ordinaryToPrimitive):
2648         (JSC::JSObject::hasInstance):
2649         (JSC::JSObject::defaultHasInstance):
2650         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2651         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2652         (JSC::validateAndApplyPropertyDescriptor):
2653         (JSC::JSObject::getMethod):
2654         * runtime/JSObject.h:
2655         (JSC::createListFromArrayLike): Deleted.
2656         * runtime/JSObjectInlines.h:
2657         (JSC::createListFromArrayLike):
2658         (JSC::JSObject::putInline):
2659         * runtime/JSPromiseConstructor.cpp:
2660         (JSC::constructPromise):
2661         (JSC::callPromise):
2662         * runtime/JSPropertyNameIterator.cpp:
2663         (JSC::propertyNameIteratorFuncNext):
2664         * runtime/JSString.cpp:
2665         (JSC::JSRopeString::outOfMemory):
2666         * runtime/JSStringBuilder.h:
2667         (JSC::JSStringBuilder::build):
2668         (JSC::jsMakeNontrivialString):
2669         * runtime/JSStringJoiner.cpp:
2670         (JSC::JSStringJoiner::joinedLength):
2671         (JSC::JSStringJoiner::join):
2672         * runtime/JSStringJoiner.h:
2673         (JSC::JSStringJoiner::JSStringJoiner):
2674         * runtime/JSSymbolTableObject.h:
2675         (JSC::symbolTablePut):
2676         * runtime/JSTypedArrayViewConstructor.cpp:
2677         (JSC::constructTypedArrayView):
2678         * runtime/JSTypedArrayViewPrototype.cpp:
2679         (JSC::typedArrayViewPrivateFuncLength):
2680         (JSC::typedArrayViewPrivateFuncSort):
2681         (JSC::typedArrayViewProtoFuncSet):
2682         (JSC::typedArrayViewProtoFuncCopyWithin):
2683         (JSC::typedArrayViewProtoFuncIncludes):
2684         (JSC::typedArrayViewProtoFuncLastIndexOf):
2685         (JSC::typedArrayViewProtoFuncIndexOf):
2686         (JSC::typedArrayViewProtoFuncJoin):
2687         (JSC::typedArrayViewProtoGetterFuncBuffer):
2688         (JSC::typedArrayViewProtoGetterFuncLength):
2689         (JSC::typedArrayViewProtoGetterFuncByteLength):
2690         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2691         (JSC::typedArrayViewProtoFuncReverse):
2692         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2693         (JSC::typedArrayViewProtoFuncSlice):
2694         * runtime/MapConstructor.cpp:
2695         (JSC::callMap):
2696         (JSC::constructMap):
2697         * runtime/MapDataInlines.h:
2698         (JSC::JSIterator>::ensureSpaceForAppend):
2699         * runtime/MapIteratorPrototype.cpp:
2700         (JSC::MapIteratorPrototypeFuncNext):
2701         * runtime/MapPrototype.cpp:
2702         (JSC::getMap):
2703         (JSC::mapProtoFuncValues):
2704         (JSC::mapProtoFuncEntries):
2705         (JSC::mapProtoFuncKeys):
2706         * runtime/ModuleLoaderPrototype.cpp:
2707         (JSC::moduleLoaderPrototypeParseModule):
2708         * runtime/NullSetterFunction.cpp:
2709         (JSC::callReturnUndefined):
2710         * runtime/NumberPrototype.cpp:
2711         (JSC::numberProtoFuncToExponential):
2712         (JSC::numberProtoFuncToFixed):
2713         (JSC::numberProtoFuncToPrecision):
2714         (JSC::numberProtoFuncToString):
2715         (JSC::numberProtoFuncToLocaleString):
2716         (JSC::numberProtoFuncValueOf):
2717         * runtime/ObjectConstructor.cpp:
2718         (JSC::objectConstructorSetPrototypeOf):
2719         (JSC::toPropertyDescriptor):
2720         (JSC::objectConstructorDefineProperty):
2721         (JSC::objectConstructorDefineProperties):
2722         (JSC::objectConstructorCreate):
2723         * runtime/ObjectPrototype.cpp:
2724         (JSC::objectProtoFuncDefineGetter):
2725         (JSC::objectProtoFuncDefineSetter):
2726         (JSC::objectProtoFuncToString):
2727         * runtime/Operations.h:
2728         (JSC::jsString):
2729         (JSC::jsStringFromRegisterArray):
2730         (JSC::jsStringFromArguments):
2731         * runtime/ProxyConstructor.cpp:
2732         (JSC::makeRevocableProxy):
2733         (JSC::proxyRevocableConstructorThrowError):
2734         (JSC::constructProxyObject):
2735         (JSC::callProxy):
2736         * runtime/ProxyObject.cpp:
2737         (JSC::ProxyObject::finishCreation):
2738         (JSC::performProxyGet):
2739         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2740         (JSC::ProxyObject::performHasProperty):
2741         (JSC::ProxyObject::getOwnPropertySlotCommon):
2742         (JSC::ProxyObject::performPut):
2743         (JSC::performProxyCall):
2744         (JSC::performProxyConstruct):
2745         (JSC::ProxyObject::performDelete):
2746         (JSC::ProxyObject::performPreventExtensions):
2747         (JSC::ProxyObject::performIsExtensible):
2748         (JSC::ProxyObject::performDefineOwnProperty):
2749         (JSC::ProxyObject::performGetOwnPropertyNames):
2750         (JSC::ProxyObject::performSetPrototype):
2751         (JSC::ProxyObject::performGetPrototype):
2752         * runtime/ReflectObject.cpp:
2753         (JSC::reflectObjectConstruct):
2754         (JSC::reflectObjectDefineProperty):
2755         (JSC::reflectObjectEnumerate):
2756         (JSC::reflectObjectGet):
2757         (JSC::reflectObjectGetOwnPropertyDescriptor):
2758         (JSC::reflectObjectGetPrototypeOf):
2759         (JSC::reflectObjectIsExtensible):
2760         (JSC::reflectObjectOwnKeys):
2761         (JSC::reflectObjectPreventExtensions):
2762         (JSC::reflectObjectSet):
2763         (JSC::reflectObjectSetPrototypeOf):
2764         * runtime/RegExpConstructor.cpp:
2765         (JSC::toFlags):
2766         (JSC::regExpCreate):
2767         * runtime/RegExpObject.cpp:
2768         (JSC::collectMatches):
2769         * runtime/RegExpObject.h:
2770         (JSC::RegExpObject::setLastIndex):
2771         * runtime/RegExpPrototype.cpp:
2772         (JSC::regExpProtoFuncTestFast):
2773         (JSC::regExpProtoFuncExec):
2774         (JSC::regExpProtoFuncMatchFast):
2775         (JSC::regExpProtoFuncCompile):
2776         (JSC::regExpProtoFuncToString):
2777         (JSC::regExpProtoGetterGlobal):
2778         (JSC::regExpProtoGetterIgnoreCase):
2779         (JSC::regExpProtoGetterMultiline):
2780         (JSC::regExpProtoGetterSticky):
2781         (JSC::regExpProtoGetterUnicode):
2782         (JSC::regExpProtoGetterFlags):
2783         (JSC::regExpProtoGetterSource):
2784         (JSC::regExpProtoFuncSplitFast):
2785         * runtime/Reject.h:
2786         (JSC::reject):
2787         * runtime/SetConstructor.cpp:
2788         (JSC::callSet):
2789         (JSC::constructSet):
2790         * runtime/SetIteratorPrototype.cpp:
2791         (JSC::SetIteratorPrototypeFuncNext):
2792         * runtime/SetPrototype.cpp:
2793         (JSC::getSet):
2794         (JSC::setProtoFuncValues):
2795         (JSC::setProtoFuncEntries):
2796         * runtime/SparseArrayValueMap.cpp:
2797         (JSC::SparseArrayValueMap::putEntry):
2798         (JSC::SparseArrayEntry::put):
2799         * runtime/StringConstructor.cpp:
2800         (JSC::stringFromCodePoint):
2801         * runtime/StringObject.cpp:
2802         (JSC::StringObject::put):
2803         (JSC::StringObject::putByIndex):
2804         * runtime/StringPrototype.cpp:
2805         (JSC::jsSpliceSubstrings):
2806         (JSC::jsSpliceSubstringsWithSeparators):
2807         (JSC::repeatCharacter):
2808         (JSC::replace):
2809         (JSC::stringProtoFuncToString):
2810         (JSC::stringProtoFuncCharAt):
2811         (JSC::stringProtoFuncCharCodeAt):
2812         (JSC::stringProtoFuncCodePointAt):
2813         (JSC::stringProtoFuncConcat):
2814         (JSC::stringProtoFuncIndexOf):
2815         (JSC::stringProtoFuncLastIndexOf):
2816         (JSC::stringProtoFuncSlice):
2817         (JSC::stringProtoFuncSubstr):
2818         (JSC::stringProtoFuncSubstring):
2819         (JSC::stringProtoFuncToLowerCase):
2820         (JSC::stringProtoFuncToUpperCase):
2821         (JSC::stringProtoFuncLocaleCompare):
2822         (JSC::toLocaleCase):
2823         (JSC::stringProtoFuncBig):
2824         (JSC::stringProtoFuncSmall):
2825         (JSC::stringProtoFuncBlink):
2826         (JSC::stringProtoFuncBold):
2827         (JSC::stringProtoFuncFixed):
2828         (JSC::stringProtoFuncItalics):
2829         (JSC::stringProtoFuncStrike):
2830         (JSC::stringProtoFuncSub):
2831         (JSC::stringProtoFuncSup):
2832         (JSC::stringProtoFuncFontcolor):
2833         (JSC::stringProtoFuncFontsize):
2834         (JSC::stringProtoFuncAnchor):
2835         (JSC::stringProtoFuncLink):
2836         (JSC::trimString):
2837         (JSC::stringProtoFuncStartsWith):
2838         (JSC::stringProtoFuncEndsWith):
2839         (JSC::stringProtoFuncIncludes):
2840         (JSC::stringProtoFuncIterator):
2841         (JSC::normalize):
2842         (JSC::stringProtoFuncNormalize):
2843         * runtime/StringRecursionChecker.cpp:
2844         (JSC::StringRecursionChecker::throwStackOverflowError):
2845         * runtime/Symbol.cpp:
2846         (JSC::Symbol::toNumber):
2847         * runtime/SymbolConstructor.cpp:
2848         (JSC::symbolConstructorKeyFor):
2849         * runtime/SymbolPrototype.cpp:
2850         (JSC::symbolProtoFuncToString):
2851         (JSC::symbolProtoFuncValueOf):
2852         * runtime/ThrowScope.cpp: Added.
2853         (JSC::ThrowScope::ThrowScope):
2854         (JSC::ThrowScope::~ThrowScope):
2855         (JSC::ThrowScope::throwException):
2856         (JSC::ThrowScope::printIfNeedCheck):
2857         (JSC::ThrowScope::simulateThrow):
2858         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
2859         * runtime/ThrowScope.h: Added.
2860         (JSC::ThrowScope::vm):
2861         (JSC::ThrowScope::exception):
2862         (JSC::ThrowScope::release):
2863         (JSC::ThrowScope::ThrowScope):
2864         (JSC::ThrowScope::throwException):
2865         (JSC::throwException):
2866         * runtime/ThrowScopeLocation.h: Added.
2867         (JSC::ThrowScopeLocation::ThrowScopeLocation):
2868         * runtime/VM.h:
2869         * runtime/VMEntryScope.h:
2870         (JSC::VMEntryScope::vm):
2871         * runtime/WeakMapConstructor.cpp:
2872         (JSC::callWeakMap):
2873         (JSC::constructWeakMap):
2874         * runtime/WeakMapPrototype.cpp:
2875         (JSC::getWeakMapData):
2876         (JSC::protoFuncWeakMapSet):
2877         * runtime/WeakSetConstructor.cpp:
2878         (JSC::callWeakSet):
2879         (JSC::constructWeakSet):
2880         * runtime/WeakSetPrototype.cpp:
2881         (JSC::getWeakMapData):
2882         (JSC::protoFuncWeakSetAdd):
2883
2884 2016-08-30  Alex Christensen  <achristensen@webkit.org>
2885
2886         Fix WebInspectorUI in internal Windows build
2887         https://bugs.webkit.org/show_bug.cgi?id=161221
2888         rdar://problem/28019023
2889
2890         Reviewed by Brent Fulgham and Joseph Pecoraro.
2891
2892         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2893
2894 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
2895
2896         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
2897         https://bugs.webkit.org/show_bug.cgi?id=161263
2898         <rdar://problem/28035849>
2899
2900         Reviewed by Matt Baker.
2901
2902         * inspector/InjectedScriptSource.js:
2903         (InjectedScript.prototype._propertyDescriptors):
2904         Previously we only took the "numeric index fast path" if an object was
2905         array-like with length > 100. When we dropped the length check we
2906         ended up breaking our display of Array prototype, because [].__proto__
2907         is an array instance. Get it back by just doing a check of length > 0.
2908         We may want to address this differently in the future by knowing if
2909         we are getting properties for a prototype or not.
2910
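An added illustration in JavaScript (not the InjectedScriptSource.js code from the patch) of why the numeric-index fast path needs the length > 0 guard: Array.prototype is itself an array instance of length 0, so without the guard its named properties are never listed. The isArrayLike, propertyNames and compareVariants helpers are hypothetical stand-ins for the inspector's _propertyDescriptors logic.

```javascript
// Added illustration of the "numeric index fast path" guard described above.
// Hypothetical helpers; not the InjectedScriptSource.js implementation.

// Constructed sample inputs.
const sampleArray = [10, 20, 30];
const arrayProto = [].__proto__;   // === Array.prototype, itself an array instance

// Array.prototype passes this test (Array.isArray(Array.prototype) === true)
// while having length 0.
function isArrayLike(object) {
  if (Array.isArray(object))
    return true;
  return typeof object === 'object' && object !== null && typeof object.length === 'number';
}

// Return the property names the inspector would display for `object`.
// `lengthThreshold` is the fast-path guard: 100 (the original check),
// undefined (the check dropped in r202568), or 0 (the fix).
function propertyNames(object, lengthThreshold) {
  const takeFastPath = isArrayLike(object) &&
    (lengthThreshold === undefined || object.length > lengthThreshold);
  if (takeFastPath) {
    // Fast path: only the numeric indices and "length" are listed, so any
    // named properties (e.g. the methods on Array.prototype) are dropped.
    const names = [];
    for (let i = 0; i < object.length; ++i)
      names.push(String(i));
    names.push('length');
    return names;
  }
  // Slow path: every own property, named ones included.
  return Object.getOwnPropertyNames(object);
}

// Summarise the three variants of the guard for one object.
function compareVariants(object) {
  return {
    threshold100: propertyNames(object, 100),
    noCheck: propertyNames(object, undefined),
    threshold0: propertyNames(object, 0),
  };
}
```
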
2911 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2912
2913         [JSC] Clean up FTL Capabilities for CompareEq
2914         https://bugs.webkit.org/show_bug.cgi?id=161353
2915
2916         Reviewed by Geoffrey Garen.
2917
2918         It looks like we already have code for every case.
2919         This patch removes the tests from FTLCapabilities
2920         and moves the generic case last as usual.
2921
2922         * ftl/FTLCapabilities.cpp:
2923         (JSC::FTL::canCompile):
2924         * ftl/FTLLowerDFGToB3.cpp:
2925         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
2926
2927 2016-08-29  Keith Miller  <keith_miller@apple.com>
2928
2929         Fix toStringName for Proxies and add support for normal instances
2930         https://bugs.webkit.org/show_bug.cgi?id=161275
2931
2932         Reviewed by Saam Barati.
2933
2934         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
2935         Additionally, there are a couple of other classes that need to return "Object" for their
2936         toStringName. Since this isn't tested by test262 I will propose a new test there.
2937
2938         * runtime/ClassInfo.h:
2939         * runtime/JSArrayBufferView.cpp:
2940         (JSC::JSArrayBufferView::toStringName):
2941         * runtime/JSArrayBufferView.h:
2942         * runtime/JSCell.cpp:
2943         (JSC::JSCell::toStringName):
2944         * runtime/JSCell.h:
2945         * runtime/JSMap.cpp:
2946         (JSC::JSMap::toStringName):
2947         * runtime/JSMap.h:
2948         * runtime/JSObject.cpp:
2949         (JSC::JSObject::toStringName):
2950         * runtime/JSObject.h:
2951         * runtime/JSSet.cpp:
2952         (JSC::JSSet::destroy):
2953         (JSC::JSSet::toStringName):
2954         * runtime/JSSet.h:
2955         * runtime/JSWeakMap.cpp:
2956         (JSC::JSWeakMap::toStringName):
2957         * runtime/JSWeakMap.h:
2958         * runtime/JSWeakSet.cpp:
2959         (JSC::JSWeakSet::toStringName):
2960         * runtime/JSWeakSet.h:
2961         * runtime/ObjectPrototype.cpp:
2962         (JSC::objectProtoFuncToString):
2963         * runtime/ProxyObject.cpp:
2964         (JSC::ProxyObject::toStringName):
2965         * runtime/ProxyObject.h:
2966         * runtime/SymbolObject.cpp:
2967         (JSC::SymbolObject::toStringName):
2968         * runtime/SymbolObject.h:
2969         (JSC::SymbolObject::internalValue):
2970
2971 2016-08-29  Youenn Fablet  <youenn@apple.com>
2972
2973         [Fetch API] Response cloning should structureClone when teeing Response stream
2974         https://bugs.webkit.org/show_bug.cgi?id=161147
2975
2976         Reviewed by Darin Adler.
2977
2978         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
2979         * runtime/JSArrayBufferConstructor.cpp:
2980         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
2981         * runtime/JSDataView.h: Exporting create method.
2982
2983 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2984
2985         [JSC] Improve ArithAbs with polymorphic input
2986         https://bugs.webkit.org/show_bug.cgi?id=161286
2987
2988         Reviewed by Saam Barati.
2989
2990         This is similar to the previous patches: if we have polymorphic
2991         input, do a function call.
2992
2993         I also discovered a few problems with the tests and fixed them:
2994         -I forgot to add NodeMustGenerate to the previous nodes I changed.
2995          They could have been eliminated by DCE.
2996         -ArithAbs was always exiting if the input types do not include numbers.
2997          The cause was the node was using isInt32OrBooleanSpeculationForArithmetic()
2998          instead of isInt32OrBooleanSpeculation(). The test of
2999          isInt32OrBooleanSpeculationForArithmetic() only verifies the input does not
3000          contain double or int52. If we were in that case, we were always speculating
3001          Int32. That always fails and we were recompiling the same code over and over.
3002
3003         * dfg/DFGAbstractInterpreterInlines.h:
3004         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3005         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
3006
3007         * dfg/DFGClobberize.h:
3008         (JSC::DFG::clobberize):
3009         * dfg/DFGFixupPhase.cpp:
3010         (JSC::DFG::FixupPhase::fixupNode):
3011         * dfg/DFGNode.h:
3012         (JSC::DFG::Node::hasResult):
3013         (JSC::DFG::Node::hasHeapPrediction):
3014         (JSC::DFG::Node::hasInt32Result): Deleted.
3015         The accessor hasInt32Result() was unused.
3016
3017         * dfg/DFGNodeType.h:
3018         * dfg/DFGOperations.cpp:
3019         * dfg/DFGOperations.h:
3020         * dfg/DFGPredictionPropagationPhase.cpp:
3021         * dfg/DFGSpeculativeJIT.cpp:
3022         (JSC::DFG::SpeculativeJIT::compileArithAbs):
3023         * dfg/DFGSpeculativeJIT.h:
3024         * dfg/DFGSpeculativeJIT32_64.cpp:
3025         (JSC::DFG::SpeculativeJIT::compile):
3026         * dfg/DFGSpeculativeJIT64.cpp:
3027         (JSC::DFG::SpeculativeJIT::compile):
3028         * ftl/FTLLowerDFGToB3.cpp:
3029         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
3030
3031 2016-08-28  Saam Barati  <sbarati@apple.com>
3032
3033         Make SpeculatedType a 64-bit integer
3034         https://bugs.webkit.org/show_bug.cgi?id=161268
3035
3036         Reviewed by Filip Pizlo and Benjamin Poulain.
3037
3038         I'm going to introduce two new types into this and we only
3039         have room for one in 32-bits. So, this patch widens SpeculatedType
3040         to 64 bits. This also pulls this information through the DFG where
3041         we needed to change DFGNode to support this.
3042
3043         * bytecode/SpeculatedType.h:
3044         * dfg/DFGNode.cpp:
3045         (JSC::DFG::Node::convertToPutHint):
3046         (JSC::DFG::Node::promotedLocationDescriptor):
3047         * dfg/DFGNode.h:
3048         (JSC::DFG::Node::Node):
3049         (JSC::DFG::Node::convertToCheckStructure):
3050         (JSC::DFG::Node::constant):
3051         (JSC::DFG::Node::convertToConstant):
3052         (JSC::DFG::Node::convertToConstantStoragePointer):
3053         (JSC::DFG::Node::convertToPutStack):
3054         (JSC::DFG::Node::convertToGetStack):
3055         (JSC::DFG::Node::convertToGetByOffset):
3056         (JSC::DFG::Node::convertToMultiGetByOffset):
3057         (JSC::DFG::Node::convertToPutByOffset):
3058         (JSC::DFG::Node::convertToMultiPutByOffset):
3059         (JSC::DFG::Node::convertToPhantomNewObject):
3060         (JSC::DFG::Node::convertToPhantomNewFunction):
3061         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
3062         (JSC::DFG::Node::convertToPhantomCreateActivation):
3063         (JSC::DFG::Node::convertToGetLocal):
3064         (JSC::DFG::Node::lazyJSValue):
3065         (JSC::DFG::Node::initializationValueForActivation):
3066         (JSC::DFG::Node::tryGetVariableAccessData):
3067         (JSC::DFG::Node::variableAccessData):
3068         (JSC::DFG::Node::unlinkedLocal):
3069         (JSC::DFG::Node::unlinkedMachineLocal):
3070         (JSC::DFG::Node::stackAccessData):
3071         (JSC::DFG::Node::phi):
3072         (JSC::DFG::Node::identifierNumber):
3073         (JSC::DFG::Node::getPutInfo):
3074         (JSC::DFG::Node::accessorAttributes):
3075         (JSC::DFG::Node::newArrayBufferData):
3076         (JSC::DFG::Node::indexingType):
3077         (JSC::DFG::Node::typedArrayType):
3078         (JSC::DFG::Node::inlineCapacity):
3079         (JSC::DFG::Node::scopeOffset):
3080         (JSC::DFG::Node::capturedArgumentsOffset):
3081         (JSC::DFG::Node::variablePointer):
3082         (JSC::DFG::Node::callVarargsData):
3083         (JSC::DFG::Node::loadVarargsData):
3084         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
3085         (JSC::DFG::Node::targetBlock):
3086         (JSC::DFG::Node::branchData):
3087         (JSC::DFG::Node::switchData):
3088         (JSC::DFG::Node::getHeapPrediction):
3089         (JSC::DFG::Node::cellOperand):
3090         (JSC::DFG::Node::watchpointSet):
3091         (JSC::DFG::Node::storagePointer):
3092         (JSC::DFG::Node::uidOperand):
3093         (JSC::DFG::Node::typeInfoOperand):
3094         (JSC::DFG::Node::transition):
3095         (JSC::DFG::Node::structureSet):
3096         (JSC::DFG::Node::structure):
3097         (JSC::DFG::Node::storageAccessData):
3098         (JSC::DFG::Node::multiGetByOffsetData):
3099         (JSC::DFG::Node::multiPutByOffsetData):
3100         (JSC::DFG::Node::objectMaterializationData):
3101         (JSC::DFG::Node::arrayMode):
3102         (JSC::DFG::Node::arithMode):
3103         (JSC::DFG::Node::arithRoundingMode):
3104         (JSC::DFG::Node::setArithRoundingMode):
3105         (JSC::DFG::Node::executionCounter):
3106         (JSC::DFG::Node::typeLocation):
3107         (JSC::DFG::Node::basicBlockLocation):
3108         (JSC::DFG::Node::numberOfArgumentsToSkip):
3109         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
3110         (JSC::DFG::Node::OpInfoWrapper::operator=):
3111         * dfg/DFGOpInfo.h:
3112         (JSC::DFG::OpInfo::OpInfo):
3113         * dfg/DFGPromotedHeapLocation.h:
3114         (JSC::DFG::PromotedLocationDescriptor::imm1):
3115         (JSC::DFG::PromotedLocationDescriptor::imm2):
3116
3117 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
3118
3119         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
3120         https://bugs.webkit.org/show_bug.cgi?id=161120
3121
3122         Reviewed by Darin Adler.
3123
3124         * inspector/JSGlobalObjectInspectorController.cpp:
3125
3126 2016-08-26  Sam Weinig  <sam@webkit.org>
3127
3128         Remove support for ENABLE_LEGACY_WEB_AUDIO
3129         https://bugs.webkit.org/show_bug.cgi?id=161262
3130
3131         Reviewed by Anders Carlsson.
3132
3133         * Configurations/FeatureDefines.xcconfig:
3134         Remove ENABLE_LEGACY_WEB_AUDIO
3135
3136 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
3137
3138         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
3139         https://bugs.webkit.org/show_bug.cgi?id=161229
3140
3141         Reviewed by Geoffrey Garen.
3142
3143         Add (String, Untyped) uses to FTL CompareStrictEq.
3144         This was the last use type not implemented; the node is fully
3145         supported by FTL after this patch.
3146
3147         * ftl/FTLCapabilities.cpp:
3148         (JSC::FTL::canCompile):
3149         * ftl/FTLLowerDFGToB3.cpp:
3150         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3151         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
3152
3153         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
3154         Remove the type checks when possible.
3155
3156 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
3157
3158         Web Inspector: Frontend should have access to Resource Timing information
3159         https://bugs.webkit.org/show_bug.cgi?id=160095
3160
3161         Reviewed by Alex Christensen.
3162
3163         Rename ResourceTiming property.
3164
3165         * inspector/protocol/Network.json:
3166         Rename navigationStart to startTime so it's applicable
3167         for all resources and not just the main resource.
3168
3169 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
3170
3171         Web Inspector: Provide a way to clear an IndexedDB object store
3172         https://bugs.webkit.org/show_bug.cgi?id=161167
3173         <rdar://problem/27996932>
3174
3175         Reviewed by Brian Burg.
3176
3177         * inspector/protocol/IndexedDB.json:
3178         Clean up the protocol file.
3179
3180 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
3181
3182         Web Inspector: Some CSS selectors in the UI aren't escaped
3183         https://bugs.webkit.org/show_bug.cgi?id=151378
3184
3185         Reviewed by Joseph Pecoraro.
3186
3187         Change ElementData from sending a className string to using an array of
3188         classes, allowing for proper escaping of each class value.
3189
3190         * inspector/protocol/OverlayTypes.json:
3191
3192 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
3193
3194         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
3195         https://bugs.webkit.org/show_bug.cgi?id=161213
3196         <rdar://problem/28017986>
3197
3198         Reviewed by Brian Burg.
3199
3200         * inspector/agents/InspectorHeapAgent.cpp:
3201         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
3202         Don't take a final snapshot when disconnecting.
3203
3204         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3205         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
3206         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
3207         * inspector/agents/InspectorScriptProfilerAgent.h:
3208         * runtime/SamplingProfiler.h:
3209         Don't process samples when disconnecting.
3210
3211 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
3212
3213         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
3214         https://bugs.webkit.org/show_bug.cgi?id=161027
3215         <rdar://problem/27871349>
3216
3217         Reviewed by Mark Lam.
3218
3219         For JSContext inspection, when a frontend connects, keep the target alive.
3220         This means ref'ing the JSGlobalObject / VM when the first frontend
3221         connects and deref'ing when the last frontend disconnects.
3222
3223         * inspector/JSGlobalObjectInspectorController.h:
3224         * inspector/JSGlobalObjectInspectorController.cpp:
3225         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
3226         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
3227         Now that frontends keep the global object alive, when the global object
3228         is destroyed that must mean that no frontends exist. Remove the now
3229         stale code path.
3230
3231         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3232         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
3233         Ref the target when the first frontend connects, deref when the last disconnects.
3234
3235 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3236
3237         [ES6] newPromiseCapabilities should check the given argument is a constructor
3238         https://bugs.webkit.org/show_bug.cgi?id=161226
3239
3240         Reviewed by Mark Lam.
3241
3242         Use @isConstructor.
3243
3244         * builtins/PromiseOperations.js:
3245
3246 2016-08-25  Keith Miller  <keith_miller@apple.com>
3247
3248         toString called on proxies returns incorrect tag
3249         https://bugs.webkit.org/show_bug.cgi?id=161111
3250
3251         Reviewed by Benjamin Poulain.
3252
3253         This patch adds a new Method table function toStringName. This function
3254         is used by Object.prototype.toString to create the string tag that it
3255         inserts. Right now it only changes the stringification of proxy objects.
3256         In future patches I plan to make it work for other classes of objects as
3257         well.
3258
3259         * runtime/ClassInfo.h:
3260         * runtime/JSCell.cpp:
3261         (JSC::JSCell::toStringName):
3262         * runtime/JSCell.h:
3263         * runtime/JSObject.cpp:
3264         (JSC::JSObject::toStringName):
3265         * runtime/JSObject.h:
3266         * runtime/ObjectPrototype.cpp:
3267         (JSC::objectProtoFuncToString):
3268         * runtime/ProxyObject.cpp:
3269         (JSC::ProxyObject::toStringName):
3270         * runtime/ProxyObject.h:
3271
3272 2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>
3273
3274         Fix the ENABLE(WEBASSEMBLY) build on Linux
3275         https://bugs.webkit.org/show_bug.cgi?id=161197
3276
3277         Reviewed by Mark Lam.
3278
3279         * CMakeLists.txt:
3280         * b3/B3Common.cpp:
3281         (JSC::B3::shouldDumpIR):
3282         * shell/CMakeLists.txt:
3283         * wasm/JSWASMModule.h:
3284         * wasm/WASMB3IRGenerator.cpp:
3285         (JSC::WASM::toB3Op):
3286         * wasm/WASMB3IRGenerator.h:
3287         * wasm/WASMFormat.h:
3288         * wasm/WASMFunctionParser.h:
3289         * wasm/WASMModuleParser.cpp:
3290         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
3291         * wasm/WASMModuleParser.h:
3292         * wasm/WASMParser.h:
3293         * wasm/WASMPlan.cpp:
3294         * wasm/WASMPlan.h:
3295         * wasm/WASMSections.cpp:
3296
3297 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
3298
3299         [Win] Compile fix.
3300         https://bugs.webkit.org/show_bug.cgi?id=161235
3301
3302         Reviewed by Brent Fulgham.
3303
3304         YarrPattern::errorMessage has inconsistent dll linkage.
3305
3306         * yarr/YarrPattern.h:
3307
3308 2016-08-25  Alex Christensen  <achristensen@webkit.org>
3309
3310         CMake build fix.
3311
3312         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
3313         This is needed for the internal Windows build.
3314
3315 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
3316
3317         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
3318         https://bugs.webkit.org/show_bug.cgi?id=161181
3319
3320         Reviewed by Geoffrey Garen.
3321
3322         All the nodes are doing the exact same thing with a single
3323         difference: how to process constants. I made that into a separate
3324         function called from each node.
3325
3326         I also generalized the constant-to-number code of DoubleRep
3327         to make it available for all those nodes.
3328
3329         * dfg/DFGAbstractInterpreter.h:
3330         * dfg/DFGAbstractInterpreterInlines.h:
3331         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3332         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
3333         * runtime/JSCJSValue.cpp:
3334         (JSC::JSValue::toNumberFromPrimitive):
3335         * runtime/JSCJSValue.h: