Remove Heap::isLive()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
2
3         Remove Heap::isLive()
4         https://bugs.webkit.org/show_bug.cgi?id=161933
5
6         Reviewed by Mark Lam.
7         
8         Before I put any more effort into maintaining this weird function, I decided to check how it
9         was used. It turns out it's not.
10
11         * heap/Heap.h:
12         * heap/HeapInlines.h:
13         (JSC::Heap::isLive): Deleted.
14
15 2016-09-13  Mark Lam  <mark.lam@apple.com>
16
17         DFG NewArrayBuffer node should watch for "have a bad time" state change.
18         https://bugs.webkit.org/show_bug.cgi?id=161927
19         <rdar://problem/27995222>
20
21         Reviewed by Geoffrey Garen.
22
23         * dfg/DFGFixupPhase.cpp:
24         (JSC::DFG::FixupPhase::fixupNode):
25
26 2016-09-13  JF Bastien  <jfbastien@apple.com>
27
28         Support jsc shell builtin `read`
29         https://bugs.webkit.org/show_bug.cgi?id=161662
30
31         Reviewed by Keith Miller.
32
33         The jsc shell currently supports a `readFile` method which returns
34         a string. SpiderMonkey's js shell and V8's d8 shell both support
35         similar file-to-string functions, as well as a
36         binary-file-to-Uint8Array function. jsc should support a similar
37         binary file method to simplify testing, including testing of
38         WebAssembly blobs.
39
40         Emscripten's shell.js (which is also used for some WebAssembly
41         things) has a polyfill [1] for a builtin called `read`. jsc should
42         therefore have a builtin with the same name if we want things to
43         "Just Work".
44
45           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
46
47         * jsc.cpp:
48         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
49         (functionReadFile): support binary files, as per SpiderMonkey.
50         * runtime/Error.h:
51         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
52         * runtime/JSTypedArrays.cpp:
53         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
54         * runtime/JSTypedArrays.h: expose private export.
55
56 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
57
58         ES6: Classes: Should be allowed to create a static method with name "arguments"
59         https://bugs.webkit.org/show_bug.cgi?id=152985
60
61         Reviewed by Keith Miller.
62
63         Current patch covered 16.2 Forbidden Extensions - first topic 
64         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
65         should not have own properties named "caller" or "arguments".
66         Also added possibility to declare static methods and getters with 
67         name 'arguments' and 'caller' for classes. i.e.:
68         class A { static arguments() { return 'value'; } }
69         A.arguments() === 'value';
70         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
71         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
72         property from Lazy to common because it necessary to use execState during init of the accessors 
73         properties.
74
75         * runtime/Executable.h:
76         * runtime/FunctionPrototype.cpp:
77         (JSC::FunctionPrototype::initRestrictedProperties):
78         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
79         * runtime/FunctionPrototype.h:
80         * runtime/JSFunction.cpp:
81         (JSC::JSFunction::getOwnPropertySlot):
82         (JSC::JSFunction::getOwnNonIndexPropertyNames):
83         (JSC::JSFunction::put):
84         (JSC::JSFunction::deleteProperty):
85         (JSC::JSFunction::defineOwnProperty):
86         * runtime/JSGlobalObject.cpp:
87         (JSC::JSGlobalObject::init):
88         (JSC::JSGlobalObject::visitChildren):
89         * runtime/JSGlobalObject.h:
90         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
91
92 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
93
94         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
95         https://bugs.webkit.org/show_bug.cgi?id=161869
96
97         Reviewed by Saam Barati.
98         
99         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
100         empty" hook, which will set a bit in the markingNotEmpty bitvector.
101         
102         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
103         If anyone else does it but they aren't marking new objects, then this prevents
104         flipIfNecessary() from triggering when the first object is marked, which means we won't
105         always detect when a block became non-empty.
106         
107         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
108         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
109         knows that it can trigger something like noteMarked(). The only places that were using
110         flipIfNecessary() should have been using needsFlip() anyway.
111
112         * heap/CellContainer.h:
113         * heap/CellContainerInlines.h:
114         (JSC::CellContainer::needsFlip):
115         * heap/Heap.cpp:
116         (JSC::Heap::markRoots):
117         (JSC::Heap::beginMarking):
118         (JSC::Heap::endMarking):
119         (JSC::Heap::clearLivenessData): Deleted.
120         (JSC::Heap::converge): Deleted.
121         (JSC::Heap::resetVisitors): Deleted.
122         * heap/Heap.h:
123         * heap/HeapInlines.h:
124         (JSC::Heap::testAndSetMarked):
125         * heap/LargeAllocation.h:
126         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
127         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
128         * heap/MarkedBlock.cpp:
129         (JSC::MarkedBlock::flipIfNecessarySlow):
130         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
131         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
132         * heap/MarkedBlock.h:
133         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
134         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
135         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
136         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
137         * heap/MarkedSpace.h:
138         (JSC::MarkedSpace::isMarking):
139         (JSC::MarkedSpace::setIsMarking):
140         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
141         * heap/SlotVisitor.cpp:
142         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
143         * heap/WeakBlock.cpp:
144         (JSC::WeakBlock::visit):
145
146 2016-09-12  Saam Barati  <sbarati@apple.com>
147
148         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
149         https://bugs.webkit.org/show_bug.cgi?id=161640
150
151         Reviewed by Geoffrey Garen.
152
153         HashMapImpl now takes into account m_deleteCount in its load factor.
154         It now knows how to rehash to either decrease its capacity, stay at
155         the same capacity, or increase its capacity. The reason we can sometimes
156         stay at the same capacity is that we can reduce the load factor enough
157         by rehashing that growing isn't warranted. The reason for this is that
158         anytime we rehash, we remove all deleted sentinels from the buffer.
159         Therefore, staying at the same same capacity, when there are deleted entries,
160         can still reduce the load factor because it removes all deleted sentinels.
161
162         * runtime/HashMapImpl.h:
163         (JSC::HashMapBuffer::create):
164         (JSC::HashMapBuffer::reset):
165         (JSC::HashMapImpl::HashMapImpl):
166         (JSC::HashMapImpl::add):
167         (JSC::HashMapImpl::remove):
168         (JSC::HashMapImpl::size):
169         (JSC::HashMapImpl::clear):
170         (JSC::HashMapImpl::approximateSize):
171         (JSC::HashMapImpl::shouldRehashAfterAdd):
172         (JSC::HashMapImpl::shouldShrink):
173         (JSC::HashMapImpl::rehash):
174         (JSC::HashMapImpl::checkConsistency):
175         (JSC::HashMapImpl::makeAndSetNewBuffer):
176         (JSC::HashMapImpl::assertBufferIsEmpty):
177
178 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
179
180         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
181         https://bugs.webkit.org/show_bug.cgi?id=161671
182
183         Reviewed by Geoffrey Garen.
184
185         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
186         it gets a butterfly with its length.
187         When we were querying that length, we were generating a generic GetById with inline cache.
188
189         This patch adds the missing bits to treat Undecided like the other types with storage.
190
191         * dfg/DFGArrayMode.cpp:
192         (JSC::DFG::canBecomeGetArrayLength):
193         (JSC::DFG::ArrayMode::refine):
194         * dfg/DFGArrayMode.h:
195         (JSC::DFG::ArrayMode::usesButterfly):
196         (JSC::DFG::ArrayMode::lengthNeedsStorage):
197         * dfg/DFGClobberize.h:
198         (JSC::DFG::clobberize):
199         * dfg/DFGFixupPhase.cpp:
200         (JSC::DFG::FixupPhase::checkArray):
201         * dfg/DFGSpeculativeJIT.cpp:
202         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
203         * ftl/FTLCapabilities.cpp:
204         (JSC::FTL::canCompile):
205         * ftl/FTLLowerDFGToB3.cpp:
206         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
207
208 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
209
210         [DFG][FTL] Add ArithTan
211         https://bugs.webkit.org/show_bug.cgi?id=161857
212
213         Reviewed by Filip Pizlo.
214
215         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
216         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
217
218         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
219         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
220         The microbenchmark shows the 9% perf improvement.
221
222             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
223
224         * dfg/DFGAbstractInterpreterInlines.h:
225         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
226         * dfg/DFGByteCodeParser.cpp:
227         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
228         * dfg/DFGClobberize.h:
229         (JSC::DFG::clobberize):
230         * dfg/DFGDoesGC.cpp:
231         (JSC::DFG::doesGC):
232         * dfg/DFGFixupPhase.cpp:
233         (JSC::DFG::FixupPhase::fixupNode):
234         * dfg/DFGNodeType.h:
235         * dfg/DFGOperations.cpp:
236         * dfg/DFGOperations.h:
237         * dfg/DFGPredictionPropagationPhase.cpp:
238         * dfg/DFGSafeToExecute.h:
239         (JSC::DFG::safeToExecute):
240         * dfg/DFGSpeculativeJIT.cpp:
241         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
242         (JSC::DFG::SpeculativeJIT::compileArithCos):
243         (JSC::DFG::SpeculativeJIT::compileArithTan):
244         (JSC::DFG::SpeculativeJIT::compileArithSin):
245         (JSC::DFG::SpeculativeJIT::compileArithLog):
246         * dfg/DFGSpeculativeJIT.h:
247         * dfg/DFGSpeculativeJIT32_64.cpp:
248         (JSC::DFG::SpeculativeJIT::compile):
249         * dfg/DFGSpeculativeJIT64.cpp:
250         (JSC::DFG::SpeculativeJIT::compile):
251         * ftl/FTLCapabilities.cpp:
252         (JSC::FTL::canCompile):
253         * ftl/FTLLowerDFGToB3.cpp:
254         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
255         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
256         * ftl/FTLOutput.cpp:
257         (JSC::FTL::Output::doubleTan):
258         * ftl/FTLOutput.h:
259         * runtime/Intrinsic.h:
260         * runtime/MathObject.cpp:
261         (JSC::MathObject::finishCreation):
262
263 2016-09-12  Saam Barati  <sbarati@apple.com>
264
265         MapHash should do constant folding when it has a constant argument and its legal to hash that value
266         https://bugs.webkit.org/show_bug.cgi?id=161639
267
268         Reviewed by Filip Pizlo.
269
270         We now constant fold the MapHash node. We're careful to not resolve
271         ropes from the compiler thread, and to only hash strings if they're
272         not too large. The microbenchmark I added runs about 12% faster with
273         this patch.
274
275         * dfg/DFGAbstractInterpreterInlines.h:
276         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
277         * runtime/HashMapImpl.h:
278         (JSC::wangsInt64Hash):
279         (JSC::jsMapHash):
280         (JSC::concurrentJSMapHash):
281
282 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
283
284         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
285         https://bugs.webkit.org/show_bug.cgi?id=161849
286
287         Reviewed by Saam Barati.
288         
289         This is a fairly obvious change. This turns a loop that would query each bit individually
290         into a loop that will process a word at a time. I would expect a very tiny progression in
291         DFG compile times.
292         
293         This also gave me an opportunity to test and fix the new FastBitVector functionality.
294
295         * dfg/DFGForAllKills.h:
296         (JSC::DFG::forAllKilledOperands):
297
298 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
299
300         FastBitVector should have efficient and easy-to-use vector-vector operations
301         https://bugs.webkit.org/show_bug.cgi?id=161847
302
303         Reviewed by Saam Barati.
304         
305         Adapt existing users of FastBitVector to the new API.
306
307         * bytecode/BytecodeLivenessAnalysis.cpp:
308         (JSC::BytecodeLivenessAnalysis::computeKills):
309         (JSC::BytecodeLivenessAnalysis::dumpResults):
310         * bytecode/BytecodeLivenessAnalysisInlines.h:
311         (JSC::operandThatIsNotAlwaysLiveIsLive):
312         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
313         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
314         * bytecode/CodeBlock.cpp:
315         (JSC::CodeBlock::validate):
316         * dfg/DFGByteCodeParser.cpp:
317         (JSC::DFG::ByteCodeParser::flushForTerminal):
318         * dfg/DFGForAllKills.h:
319         (JSC::DFG::forAllKilledOperands):
320         * dfg/DFGGraph.h:
321         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
322         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
323         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
324         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
325         * dfg/DFGNaturalLoops.cpp:
326         (JSC::DFG::NaturalLoops::NaturalLoops):
327         * dfg/DFGPlan.cpp:
328         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
329
330 2016-09-10  Chris Dumez  <cdumez@apple.com>
331
332         parseHTMLInteger() should take a StringView in parameter
333         https://bugs.webkit.org/show_bug.cgi?id=161669
334
335         Reviewed by Ryosuke Niwa.
336
337         * runtime/DateConversion.cpp:
338         (JSC::formatDateTime):
339         Explicitly construct a String from the const WCHAR* on Windows because
340         it is ambiguous otherwise now that there is a StringBuilder::append()
341         overload taking an AtomicString in.
342
343 2016-09-08  Keith Miller  <keith_miller@apple.com>
344
345         WASM should support if-then-else
346         https://bugs.webkit.org/show_bug.cgi?id=161778
347
348         Reviewed by Michael Saboff.
349
350         This patch makes some major changes to the way that the WASM
351         function parser works. First, the control stack has been moved
352         from the parser's context to the parser itself. This simplifies
353         the way that the parser works and allows us to make the decoder
354         iterative rather than recursive. Since the control stack has been
355         moved to the parser, any context operation that refers to some
356         block now receives that block by reference.
357
358         For any if block, regardless of whether or not it is an
359         if-then-else or not, we will allocate both the entire control flow
360         diamond. This is not a major issue in the if-then case since B3
361         will immediately cleanup these blocks. In order to support if-then
362         and if-then-else we needed to be able to distinguish what the type
363         of the top block on the control stack is. This will be necessary
364         when validating the else opcode in the future. In the B3 IR
365         generator we decide to the type of the block strictly by the
366         shape.
367
368         Currently, if blocks don't handle passed and returned stack values
369         correctly. I plan to fix this when I add support for the block
370         signatures. See: https://github.com/WebAssembly/design/pull/765
371
372         * testWASM.cpp:
373         (runWASMTests):
374         * wasm/WASMB3IRGenerator.cpp:
375         (dumpProcedure):
376         (JSC::WASM::parseAndCompile):
377         * wasm/WASMB3IRGenerator.h:
378         * wasm/WASMFunctionParser.h:
379         (JSC::WASM::FunctionParser<Context>::parseBlock):
380         (JSC::WASM::FunctionParser<Context>::parseExpression):
381         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
382         * wasm/WASMOps.h:
383
384 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
385
386         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
387         https://bugs.webkit.org/show_bug.cgi?id=161801
388
389         Reviewed by Keith Miller.
390         
391         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
392         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
393         that is to call initializeMainThread().
394
395         * jsc.cpp:
396         (jscmain):
397
398 2016-09-09  Saam Barati  <sbarati@apple.com>
399
400         Make hasOwnProperty ALWAYS_INLINE
401         https://bugs.webkit.org/show_bug.cgi?id=161775
402
403         Reviewed by Ryosuke Niwa.
404
405         Speedometer spends around 2.5% of its time in hasOwnProperty.
406         Let's reduce the overhead of calling that function by marking
407         it as inline. Also, it's likely that the function will call into
408         JSObject::getOwnPropertySlot. I added a check to see if that's
409         the function we're calling, if it is, we do a direct call instead
410         of an indirect call.
411
412         * runtime/JSObject.cpp:
413         (JSC::JSObject::hasOwnProperty): Deleted.
414         * runtime/JSObjectInlines.h:
415         (JSC::JSObject::hasOwnProperty):
416
417 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
418
419         HashMapImpl needs to m_buffer.clear() in its constructor
420         https://bugs.webkit.org/show_bug.cgi?id=161796
421
422         Reviewed by Keith Miller.
423         
424         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
425         itself. That seemed like a good idea because maybe sometimes the user knows better how to
426         initialize it. But, it's not worth it if it's a constant source of bugs.
427         
428         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
429         m_value.
430
431         * runtime/AuxiliaryBarrier.h:
432         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
433         * runtime/DirectArguments.cpp:
434         (JSC::DirectArguments::DirectArguments):
435
436 2016-09-09  Youenn Fablet  <youenn@apple.com>
437
438         ASSERTION FAILED: promise.inherits(JSPromise::info())
439         https://bugs.webkit.org/show_bug.cgi?id=161632
440         <rdar://problem/28184743>
441
442         Reviewed by Mark Lam.
443
444         * runtime/JSPromiseDeferred.cpp:
445         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
446
447 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
448
449         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
450         https://bugs.webkit.org/show_bug.cgi?id=161760
451
452         Reviewed by Mark Lam.
453         
454         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
455         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
456         
457         This introduces three unnecessary overheads:
458         
459         - isLive() is not called by marking, so that change was not necessary.
460         
461         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
462           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
463           isMarked().
464         
465         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
466           return false if the flip is necessary.
467         
468         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
469         during marking.
470         
471         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
472         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
473         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
474         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
475         thing.
476
477         * bytecode/CodeBlock.cpp:
478         (JSC::CodeBlock::visitWeakly):
479         (JSC::CodeBlock::shouldJettisonDueToOldAge):
480         (JSC::shouldMarkTransition):
481         (JSC::CodeBlock::propagateTransitions):
482         (JSC::CodeBlock::determineLiveness):
483         * bytecode/PolymorphicAccess.cpp:
484         (JSC::AccessCase::propagateTransitions):
485         * heap/Heap.h:
486         * heap/HeapInlines.h:
487         (JSC::Heap::isLive):
488         (JSC::Heap::isMarked):
489         (JSC::Heap::isMarkedConcurrently):
490         * heap/MarkedBlock.cpp:
491         (JSC::MarkedBlock::flipIfNecessarySlow):
492         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
493         (JSC::MarkedBlock::needsFlip):
494         * heap/MarkedBlock.h:
495         (JSC::MarkedBlock::needsFlip):
496         (JSC::MarkedBlock::flipIfNecessary):
497         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
498         * heap/SlotVisitor.cpp:
499         (JSC::SlotVisitor::appendToMarkStack):
500         (JSC::SlotVisitor::markAuxiliary):
501         (JSC::SlotVisitor::visitChildren):
502         * runtime/Structure.cpp:
503         (JSC::Structure::isCheapDuringGC):
504         (JSC::Structure::markIfCheap):
505
506 2016-09-08  Saam Barati  <sbarati@apple.com>
507
508         We should inline operationConvertJSValueToBoolean into JIT code
509         https://bugs.webkit.org/show_bug.cgi?id=161729
510
511         Reviewed by Filip Pizlo.
512
513         This patch introduces an AssemblyHelpers emitter function
514         that replaces operationConvertJSValueToBoolean. This operation
515         was showing up when I was doing performance analysis for the
516         speedometer benchmark. I saw that it was spending about 1% of
517         its time in this function. Hopefully this patch can help us speedup
518         up speedometer by a little bit.
519
520         * dfg/DFGSpeculativeJIT32_64.cpp:
521         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
522         (JSC::DFG::SpeculativeJIT::emitBranch):
523         * dfg/DFGSpeculativeJIT64.cpp:
524         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
525         (JSC::DFG::SpeculativeJIT::emitBranch):
526         * jit/AssemblyHelpers.cpp:
527         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
528         * jit/AssemblyHelpers.h:
529         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
530         * jit/JIT.cpp:
531         (JSC::JIT::privateCompileSlowCases):
532         * jit/JIT.h:
533         * jit/JITOpcodes.cpp:
534         (JSC::JIT::emit_op_jfalse):
535         (JSC::JIT::emit_op_jtrue):
536         (JSC::JIT::emitSlow_op_jfalse): Deleted.
537         (JSC::JIT::emitSlow_op_jtrue): Deleted.
538         * jit/JITOpcodes32_64.cpp:
539         (JSC::JIT::emit_op_jfalse):
540         (JSC::JIT::emit_op_jtrue):
541         (JSC::JIT::emitSlow_op_jfalse): Deleted.
542         (JSC::JIT::emitSlow_op_jtrue): Deleted.
543         * jit/JITOperations.cpp:
544         * jit/JITOperations.h:
545
546 2016-09-08  Chris Dumez  <cdumez@apple.com>
547
548         Align proto getter / setter behavior with other browsers
549         https://bugs.webkit.org/show_bug.cgi?id=161455
550
551         Reviewed by Saam Barati.
552
553         Drop allowsAccessFrom from the methodTable and delegate cross-origin
554         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
555         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
556
557         * jsc.cpp:
558         * runtime/JSGlobalObject.cpp:
559         * runtime/JSGlobalObject.h:
560         * runtime/JSGlobalObjectFunctions.cpp:
561         (JSC::globalFuncProtoGetter):
562         (JSC::globalFuncProtoSetter):
563         (JSC::globalFuncBuiltinLog): Deleted.
564         * runtime/JSGlobalObjectFunctions.h:
565         * runtime/JSObject.cpp:
566         (JSC::JSObject::setPrototypeWithCycleCheck):
567         Remove check added in r197648. This check was added to match
568         the latest EcmaScript spec:
569         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
570         This check allowed for [[Prototype]] chain cycles if the prototype
571         chain includes objects that do not use the ordinary object definitions
572         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
573         The issue is that the rest of our code base does not properly handle
574         such cycles and we can end up in infinite loops. This became obvious
575         because this patch updates Window / Location so that they no longer
576         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
577         remove this check, I get an infinite loop in
578         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
579         called from JSObject::setPrototypeDirect(), when running the following
580         layout test:
581         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
582         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
583         issue.
584
585         * runtime/JSObject.h:
586         (JSC::JSObject::getArrayLength): Deleted.
587         * runtime/JSProxy.cpp:
588         (JSC::JSProxy::setPrototype):
589         (JSC::JSProxy::getPrototype):
590         * runtime/JSProxy.h:
591         * runtime/ObjectConstructor.cpp:
592         (JSC::objectConstructorGetPrototypeOf):
593         (JSC::objectConstructorSetPrototypeOf):
594         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
595         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
596         * runtime/ObjectConstructor.h:
597         * runtime/ReflectObject.cpp:
598         (JSC::reflectObjectGetPrototypeOf):
599         (JSC::reflectObjectSetPrototypeOf):
600
601 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
602
603         Remove CopiedSpace and use MarkedSpace instead
604         https://bugs.webkit.org/show_bug.cgi?id=159658
605
606         Reviewed by Keith Miller.
607         
608         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
609         is a simple change.
610         
611         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
612         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
613         
614         The rest of this patch is deleting CopiedSpace.
615
616         * API/JSObjectRef.cpp:
617         * CMakeLists.txt:
618         * JavaScriptCore.xcodeproj/project.pbxproj:
619         * dfg/DFGOperations.cpp:
620         * heap/ConservativeRoots.cpp:
621         (JSC::ConservativeRoots::genericAddPointer):
622         * heap/CopiedAllocator.h: Removed.
623         * heap/CopiedBlock.cpp: Removed.
624         * heap/CopiedBlock.h: Removed.
625         * heap/CopiedBlockInlines.h: Removed.
626         * heap/CopiedSpace.cpp: Removed.
627         * heap/CopiedSpace.h: Removed.
628         * heap/CopiedSpaceInlines.h: Removed.
629         * heap/CopyBarrier.h: Removed.
630         * heap/CopyToken.h: Removed.
631         * heap/CopyVisitor.cpp: Removed.
632         * heap/CopyVisitor.h: Removed.
633         * heap/CopyVisitorInlines.h: Removed.
634         * heap/CopyWorkList.h: Removed.
635         * heap/Heap.cpp:
636         (JSC::Heap::Heap):
637         (JSC::Heap::isPagedOut):
638         (JSC::Heap::updateObjectCounts):
639         (JSC::Heap::size):
640         (JSC::Heap::capacity):
641         (JSC::Heap::collectImpl):
642         (JSC::Heap::stopAllocation):
643         (JSC::Heap::updateAllocationLimits):
644         (JSC::Heap::copyBackingStores): Deleted.
645         (JSC::Heap::threadBytesCopied): Deleted.
646         * heap/Heap.h:
647         (JSC::Heap::objectSpace):
648         (JSC::Heap::allocatorForAuxiliaryData):
649         (JSC::Heap::storageSpace): Deleted.
650         (JSC::Heap::storageAllocator): Deleted.
651         * heap/HeapCellInlines.h:
652         * heap/HeapInlines.h:
653         (JSC::Heap::tryAllocateStorage): Deleted.
654         (JSC::Heap::tryReallocateStorage): Deleted.
655         * heap/HeapVerifier.cpp:
656         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
657         (JSC::HeapVerifier::reportObject):
658         (JSC::getButterflyDetails): Deleted.
659         * heap/SlotVisitor.cpp:
660         (JSC::SlotVisitor::copyLater): Deleted.
661         * heap/SlotVisitor.h:
662         * jit/AssemblyHelpers.h:
663         * jit/JITOpcodes.cpp:
664         * jsc.cpp:
665         * runtime/ArrayConstructor.cpp:
666         * runtime/ArrayPrototype.cpp:
667         * runtime/Butterfly.h:
668         * runtime/ButterflyInlines.h:
669         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
670         * runtime/ClassInfo.h:
671         * runtime/DirectArguments.cpp:
672         (JSC::DirectArguments::visitChildren):
673         (JSC::DirectArguments::overrideThings):
674         (JSC::DirectArguments::copyBackingStore): Deleted.
675         * runtime/DirectArguments.h:
676         * runtime/JSArray.cpp:
677         * runtime/JSCell.cpp:
678         (JSC::JSCell::copyBackingStore): Deleted.
679         * runtime/JSCell.h:
680         * runtime/JSLexicalEnvironment.h:
681         * runtime/JSObject.cpp:
682         * runtime/JSTypedArrays.cpp:
683         * runtime/LiteralParser.cpp:
684         * runtime/ObjectConstructor.cpp:
685         * runtime/RegExpObject.cpp:
686         * runtime/StringPrototype.cpp:
687         * runtime/WeakMapData.cpp:
688         * tools/JSDollarVMPrototype.cpp:
689         (JSC::JSDollarVMPrototype::isInStorageSpace):
690
691 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
692
693         Heap version should be 32-bit
694         https://bugs.webkit.org/show_bug.cgi?id=161751
695
696         Reviewed by Mark Lam.
697         
698         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
699         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
700         easy to handle.
701
702         * heap/CellContainer.h:
703         * heap/CellContainerInlines.h:
704         (JSC::CellContainer::flipIfNecessary):
705         * heap/ConservativeRoots.cpp:
706         (JSC::ConservativeRoots::genericAddPointer):
707         (JSC::ConservativeRoots::genericAddSpan):
708         * heap/ConservativeRoots.h:
709         * heap/Heap.h:
710         * heap/HeapInlines.h:
711         (JSC::Heap::testAndSetMarked):
712         * heap/HeapUtil.h:
713         (JSC::HeapUtil::findGCObjectPointersForMarking):
714         * heap/MarkedBlock.cpp:
715         (JSC::MarkedBlock::MarkedBlock):
716         * heap/MarkedBlock.h:
717         (JSC::MarkedBlock::flipIfNecessary):
718         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
719         (JSC::MarkedBlock::Handle::flipIfNecessary):
720         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
721         * heap/MarkedSpace.cpp:
722         (JSC::MarkedSpace::flip):
723         * heap/MarkedSpace.h:
724         (JSC::MarkedSpace::version):
725         * heap/SlotVisitor.cpp:
726         (JSC::SlotVisitor::SlotVisitor):
727         * heap/SlotVisitor.h:
728
729 2016-09-08  Mark Lam  <mark.lam@apple.com>
730
731         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
732         https://bugs.webkit.org/show_bug.cgi?id=161724
733
734         Reviewed by Filip Pizlo.
735
736         ARM architectures support ternary sub instructions.  We should make use of them
737         in emitAllocateWithNonNullAllocator().
738
739         * assembler/MacroAssemblerARM.h:
740         (JSC::MacroAssemblerARM::sub32):
741         * assembler/MacroAssemblerARM64.h:
742         (JSC::MacroAssemblerARM64::sub32):
743         * assembler/MacroAssemblerARMv7.h:
744         (JSC::MacroAssemblerARMv7::sub32):
745         * assembler/MacroAssemblerSH4.h:
746         (JSC::MacroAssemblerSH4::sub32):
747         * assembler/MacroAssemblerX86Common.h:
748         (JSC::MacroAssemblerX86Common::sub32):
749         * b3/air/AirOpcode.opcodes:
750         * b3/testb3.cpp:
751         (JSC::B3::testTernarySubInstructionSelection):
752         (JSC::B3::run):
753         * jit/AssemblyHelpers.h:
754         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
755
756 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
757
758         Move JSMap/JSSet over to Auxiliary MarkedSpace
759         https://bugs.webkit.org/show_bug.cgi?id=161744
760
761         Reviewed by Saam Barati.
762         
763         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
764         
765         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
766         speak of CopiedSpace.
767         
768         This is a purely mechanical change.
769
770         * JavaScriptCore.xcodeproj/project.pbxproj:
771         * heap/CopyToken.h:
772         * runtime/HashMapImpl.cpp:
773         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
774         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
775         * runtime/HashMapImpl.h:
776         (JSC::HashMapBuffer::create):
777         * runtime/JSMapIterator.cpp:
778         * runtime/JSMapIterator.h:
779         * runtime/JSSetIterator.cpp:
780         * runtime/JSSetIterator.h:
781         * runtime/MapBase.cpp:
782         * runtime/MapData.h: Removed.
783         * runtime/MapDataInlines.h: Removed.
784         * runtime/MapPrototype.cpp:
785         * runtime/SetConstructor.cpp:
786         * runtime/SetPrototype.cpp:
787         * runtime/VM.cpp:
788
789 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
790
791         Typed arrays should use MarkedSpace instead of CopiedSpace
792         https://bugs.webkit.org/show_bug.cgi?id=161100
793
794         Reviewed by Geoffrey Garen.
795         
796         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
797         
798         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
799         everything that typed arrays want.
800
801         * dfg/DFGOperations.cpp:
802         (JSC::DFG::newTypedArrayWithSize):
803         * dfg/DFGOperations.h:
804         (JSC::DFG::operationNewTypedArrayWithSizeForType):
805         * dfg/DFGSpeculativeJIT.cpp:
806         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
807         * dfg/DFGSpeculativeJIT.h:
808         (JSC::DFG::SpeculativeJIT::callOperation):
809         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
810         * ftl/FTLLowerDFGToB3.cpp:
811         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
812         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
813         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
814         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
815         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
816         * heap/CopyToken.h:
817         * heap/SlotVisitor.cpp:
818         (JSC::SlotVisitor::markAuxiliary):
819         * jit/JITOperations.h:
820         * runtime/JSArrayBufferView.cpp:
821         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
822         (JSC::JSArrayBufferView::JSArrayBufferView):
823         * runtime/JSArrayBufferView.h:
824         * runtime/JSGenericTypedArrayView.h:
825         * runtime/JSGenericTypedArrayViewInlines.h:
826         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
827         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
828         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
829         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
830
831 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
832
833         [Win64] Compile fixes.
834         https://bugs.webkit.org/show_bug.cgi?id=161682
835
836         Reviewed by Brent Fulgham.
837
838         * dfg/DFGSpeculativeJIT64.cpp:
839         (JSC::DFG::SpeculativeJIT::emitCall):
840         * jit/JITCall.cpp:
841         (JSC::JIT::compileOpCall):
842         * runtime/ArrayConventions.cpp:
843         (JSC::clearArrayMemset):
844
845 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
846
847         [Win] Exception fuzz tests fail
848         https://bugs.webkit.org/show_bug.cgi?id=140928
849
850         Reviewed by Mark Lam.
851
852         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
853         The tests depend on the output to stdout being written in the correct order.
854
855         * runtime/ExceptionFuzz.cpp:
856         (JSC::doExceptionFuzzing):
857
858 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
859
860         Enable the <meter> element on iOS
861         https://bugs.webkit.org/show_bug.cgi?id=161714
862         rdar://problem/8978410
863
864         Reviewed by Tim Horton.
865
866         Define ENABLE_METER_ELEMENT unconditionally now.
867
868         * Configurations/FeatureDefines.xcconfig:
869
870 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
871
872         Modernize Debugger to use nullptr
873         https://bugs.webkit.org/show_bug.cgi?id=161718
874
875         Reviewed by Mark Lam.
876
877         * debugger/Debugger.cpp:
878         (JSC::Debugger::Debugger):
879         (JSC::Debugger::~Debugger):
880         (JSC::Debugger::detach):
881         (JSC::Debugger::stepOutOfFunction):
882         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
883         * debugger/Debugger.h:
884
885 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
886
887         Web Inspector: Remove always false case in Debugger
888         https://bugs.webkit.org/show_bug.cgi?id=161717
889
890         Reviewed by Brian Burg.
891
892         * debugger/Debugger.cpp:
893         (JSC::Debugger::didExecuteProgram):
894         We would have earlier returned a few statements ago if this case was true.
895         And we would have crashed in the previous statement if this case was true.
896
897 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
898
899         Unreviewed, build fix after r205569
900
901         Tweak CMakeLists.txt
902
903         * CMakeLists.txt:
904
905 2016-09-07  Mark Lam  <mark.lam@apple.com>
906
907         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
908         https://bugs.webkit.org/show_bug.cgi?id=161498
909
910         Reviewed by Geoffrey Garen.
911
912         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
913         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
914         introduced.
915
916         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
917         which is a more suitable name now.
918
919         Note: exception scope verification is still disabled by default.  There are still
920         many places that need to be fixed up or re-expressed in a way that is friendly
921         to the verification.  I'll address those in subsequent patches.
922
923         After this patch, the code will statically enforce that:
924         1. all calls to throwException() go through a ThrowScope.
925         2. all calls to clearException() go through a CatchScope.
926         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
927            or CatchScope.
928
929         A Summary of how to use ExceptionScopes
930         =======================================
931         1. If a function can throw a JS exception, it should declare a ThrowScope at the
932            top of the function (as early as possible).
933
934         2. If a function can clear JS exceptions, it should declare a CatchScope at the
935            top of the function (as early as possible).
936
937         Declaring a ThrowScope in a function means that the function may throw an exception
938         that its caller will have to handle.  Declaring a CatchScope in a function means
939         that the function intends to clear pending exceptions before returning to its
940         caller. 
941
942         For more details, see the notes below.
943         
944         Everything you may want to know about ExceptionScopes
945         =====================================================
946         ExceptionScope verification works to simulate exception throws and detect cases
947         where exception checks are missing.  The notes below will cover:
948
949             1. The VM::m_needExceptionCheck bit
950             2. ThrowScopes and CatchScopes
951             3. Verification of needed exception checks
952             3. Checking Exceptions
953             4. Simulating throws
954             5. Using ThrowScope::release()
955             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
956             7. Checking exceptions by checking callee results
957             8. Debugging verification errors
958
959         1. The VM::m_needExceptionCheck bit
960
961            The VM has a m_needExceptionCheck bit that indicates when an exception may be
962            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
963            throw.
964
965         2. ThrowScopes and CatchScopes
966
967            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
968
969            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
970            at the top of its function (as early as possible) e.g.
971  
972                 void foo(...)
973                 {
974                     auto scope = DECLARE_THROW_SCOPE(vm);
975                     ...
976                     throwException(exec, scope, ...);
977                 }
978
979            Note: by convention, every throw helper function must take a ThrowScope argument
980            instead of instantiating its own ThrowScope.  This allows the throw to be
981            attributed to the client code rather than the throw helper itself.
982
983            Every catch site (i.e. a site that calls clearException()) must declare a
984            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
985
986            If a function can both throw or clear exceptions, then the ThrowScope should
987            be declared first so that it can simulate a throw to the function's caller.
988
989            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
990            can be aware if there's an enclosing CatchScope between it and the point where
991            C++ code returns to JS code.  This is needed to determine if the ThrowScope
992            should simulate a re-throw or not.  See (4) below for more details on returning
993            to JS code.
994
995         3. Verification of needed exception checks
996
997            a. On construction, each ThrowScope and CatchScope will verify that
998               VM::m_needExceptionCheck is not set.
999  
1000               This ensures that the caller of the current function has checked for exceptions
1001               where needed before doing more work which lead to calling the current function.
1002
1003            b. On destruction, each ThrowScope and CatchScope will verify that
1004               VM::m_needExceptionCheck is not set. This verification will be skipped if
1005               the ThrowScope has been released (see (5) below).
1006
1007               This ensures that the function that owns this exception scope is not missing
1008               any exception checks before returning.
1009
1010            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
1011               is not already set, unless it's been ask to rethrow the same Exception object.
1012
1013         4. Simulating throws
1014
1015            Throws are simulated by setting the m_needExceptionCheck bit.
1016
1017            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1018            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1019            check for exceptions after a host C++ function returns to it.  However, they will
1020            not clear the m_needExceptionCheck bit.
1021
1022            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1023            it will just skip the setting of the bit.
1024
1025            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1026            throwException methods.  This is because, in practice, we always return
1027            immediately after throwing an exception.  It doesn't make sense to set the bit in
1028            the throw just to have to clear it immediately after before we do verification in
1029            the ThrowScope destructor.
1030
1031         5. Using ThrowScope::release()
1032
1033            Calling release() means that the scope is released from its obligation to
1034            verify the VM::m_needExceptionCheck bit on destruction.
1035
1036            release() should only be used at the bottom of a function if:
1037
1038            a. This function is going to let its caller check and handle the exception, e.g.
1039
1040                 void foo(...)
1041                 {
1042                     auto scope = DECLARE_THROW_SCOPE(vm);
1043                     auto result = goo(); // may throw.
1044
1045                     ... // Code that will are not affected by a pending exceptions.
1046
1047                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1048                     return result;
1049                 }
1050
1051            b. This function is going to do a tail call that may throw.
1052
1053                 void foo(...)
1054                 {
1055                     auto scope = DECLARE_THROW_SCOPE(vm);
1056                     ...
1057                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1058                     return goo(); // may throw.
1059                 }
1060
1061               release() should not be used in code paths that branch. For example:
1062
1063                 void foo(...)
1064                 {
1065                     auto scope = DECLARE_THROW_SCOPE(vm);
1066
1067                     auto result = goo1(); // may throw.
1068                     scope.release(); // WRONG !!! Don't do this.
1069                     if (result)
1070                         return;
1071
1072                     result = goo2(); // may throw.
1073                     ...
1074                     return result;
1075                 }
1076
1077             The above will result in a verification error in goo2()'s ThrowScope.  The
1078             proper way to fix this verification is to do either (6) or (7) below.
1079
1080          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1081
1082             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1083             there is one pending.  Else, it returns nullptr.
1084
1085             It also clears the m_needExceptionCheck bit thereby indicating that we've
1086             satisfied the needed exception check.  For example,
1087
1088                 void foo(...)
1089                 {
1090                     auto scope = DECLARE_THROW_SCOPE(vm);
1091
1092                     auto result = goo1(); // may throw.
1093                     if (scope.exception())
1094                         return;
1095
1096                     result = goo2(); // may throw.
1097                     ...
1098                     return result;
1099                 }
1100
1101             But sometimes, for optimization reasons, we may choose to test the result of
1102             the callee function instead doing a load of the VM exception value.  See (7)
1103             below.
1104
1105          7. Checking exceptions by checking callee results
1106
1107             This approach should only be applied when it makes a difference to performance.
1108             If we need to do this, we should add an ASSERT() that invokes the scope's
1109             exception() method to verify the result.  Since exception scope verification
1110             is only done on DEBUG builds, this ASSERT will satisfy the verification
1111             requirements without impacting performance.  For example,
1112
1113                 void foo(...)
1114                 {
1115                     auto scope = DECLARE_THROW_SCOPE(vm);
1116
1117                     bool failed = goo1(); // may throw.
1118                     ASSERT(!!scope.exception() == failed)
1119                     if (failed)
1120                         return;
1121
1122                     result = goo2(); // may throw.
1123                     ...
1124                     return result;
1125                 }
1126
1127          8. Debugging verification errors
1128
1129             a. When verification fails, you will see a message followed by an assertion
1130                failure.  For example:
1131
1132             ERROR: Unchecked JS exception:
1133                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1134                     (ExceptionScope::m_recursionDepth was ...)
1135                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1136                     (ExceptionScope::m_recursionDepth was ...)
1137                 [ backtrace here ]
1138
1139                The message tells you that failure was detected at in varargsSetup() at
1140                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1141                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1142                line 1245 and it.
1143
1144                If that is insufficient information, you can ...
1145
1146             b. Dump simulated throws
1147
1148                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1149                back traces at each simulated throw.
1150
1151             c. Narrowing down the source of a simulated throw
1152
1153                Another technique for narrowing down the source of simulated throws is by
1154                further dividing a function to smaller regions by separating each region
1155                with additional local throw scopes.  For example,
1156
1157                 ... // Region 1
1158                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1159                 ... // Region 2
1160                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1161                 ... // Region 3
1162
1163         * API/APIUtils.h:
1164         (handleExceptionIfNeeded):
1165         * CMakeLists.txt:
1166         * JavaScriptCore.xcodeproj/project.pbxproj:
1167         * bindings/ScriptFunctionCall.cpp:
1168         (Deprecated::ScriptFunctionCall::call):
1169         * bindings/ScriptValue.cpp:
1170         (Deprecated::ScriptValue::toString):
1171         * debugger/Debugger.cpp:
1172         (JSC::Debugger::pauseIfNeeded):
1173         * debugger/DebuggerCallFrame.cpp:
1174         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1175         * dfg/DFGOSRExitCompiler.cpp:
1176         * dfg/DFGOperations.cpp:
1177         (JSC::DFG::operationPutByValInternal):
1178         * inspector/InjectedScriptManager.cpp:
1179         (Inspector::InjectedScriptManager::createInjectedScript):
1180         * inspector/JSGlobalObjectInspectorController.cpp:
1181         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1182         * inspector/JSInjectedScriptHost.cpp:
1183         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1184         (Inspector::JSInjectedScriptHost::getInternalProperties):
1185         (Inspector::JSInjectedScriptHost::weakMapEntries):
1186         (Inspector::JSInjectedScriptHost::weakSetEntries):
1187         (Inspector::JSInjectedScriptHost::iteratorEntries):
1188         * inspector/JSJavaScriptCallFrame.cpp:
1189         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1190         * inspector/ScriptCallStackFactory.cpp:
1191         (Inspector::extractSourceInformationFromException):
1192         * interpreter/CachedCall.h:
1193         (JSC::CachedCall::CachedCall):
1194         * interpreter/CallFrame.h:
1195         (JSC::ExecState::clearException): Deleted.
1196         (JSC::ExecState::exception): Deleted.
1197         (JSC::ExecState::hadException): Deleted.
1198         (JSC::ExecState::lastException): Deleted.
1199         (JSC::ExecState::clearLastException): Deleted.
1200         * interpreter/Interpreter.cpp:
1201         (JSC::eval):
1202         (JSC::sizeOfVarargs):
1203         (JSC::notifyDebuggerOfUnwinding):
1204         (JSC::Interpreter::unwind):
1205         (JSC::Interpreter::execute):
1206         (JSC::Interpreter::executeCall):
1207         (JSC::Interpreter::executeConstruct):
1208         (JSC::Interpreter::prepareForRepeatCall):
1209         (JSC::Interpreter::debug):
1210         * interpreter/Interpreter.h:
1211         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1212         * interpreter/ShadowChicken.cpp:
1213         (JSC::ShadowChicken::functionsOnStack):
1214         * jit/JITCode.cpp:
1215         (JSC::JITCode::execute):
1216         * jit/JITExceptions.cpp:
1217         (JSC::genericUnwind):
1218         * jit/JITOperations.cpp:
1219         (JSC::getByVal):
1220         * jsc.cpp:
1221         (WTF::ImpureGetter::getOwnPropertySlot):
1222         (GlobalObject::moduleLoaderResolve):
1223         (GlobalObject::moduleLoaderFetch):
1224         (functionCreateElement):
1225         (functionRun):
1226         (functionRunString):
1227         (functionLoad):
1228         (functionLoadString):
1229         (functionReadFile):
1230         (functionCheckSyntax):
1231         (functionSetRandomSeed):
1232         (functionLoadModule):
1233         (functionCreateBuiltin):
1234         (functionCheckModuleSyntax):
1235         (functionGenerateHeapSnapshot):
1236         (functionSamplingProfilerStackTraces):
1237         (dumpException):
1238         (checkUncaughtException):
1239         (runWithScripts):
1240         (runInteractive):
1241         * llint/LLIntExceptions.cpp:
1242         (JSC::LLInt::returnToThrow):
1243         (JSC::LLInt::callToThrow):
1244         * llint/LLIntSlowPaths.cpp:
1245         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1246         * profiler/ProfilerBytecodeSequence.cpp:
1247         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1248         * profiler/ProfilerCompilation.cpp:
1249         (JSC::Profiler::Compilation::toJS):
1250         * profiler/ProfilerDatabase.cpp:
1251         (JSC::Profiler::Database::toJS):
1252         * profiler/ProfilerOSRExitSite.cpp:
1253         (JSC::Profiler::OSRExitSite::toJS):
1254         * profiler/ProfilerOriginStack.cpp:
1255         (JSC::Profiler::OriginStack::toJS):
1256         * runtime/ArrayPrototype.cpp:
1257         (JSC::speciesConstructArray):
1258         (JSC::shift):
1259         (JSC::unshift):
1260         (JSC::arrayProtoFuncToString):
1261         (JSC::arrayProtoFuncToLocaleString):
1262         (JSC::slowJoin):
1263         (JSC::fastJoin):
1264         (JSC::arrayProtoFuncJoin):
1265         (JSC::arrayProtoFuncPop):
1266         (JSC::arrayProtoFuncPush):
1267         (JSC::arrayProtoFuncReverse):
1268         (JSC::arrayProtoFuncShift):
1269         (JSC::arrayProtoFuncSlice):
1270         (JSC::arrayProtoFuncSplice):
1271         (JSC::arrayProtoFuncUnShift):
1272         (JSC::arrayProtoFuncIndexOf):
1273         (JSC::arrayProtoFuncLastIndexOf):
1274         (JSC::moveElements):
1275         (JSC::concatAppendOne):
1276         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1277         * runtime/BooleanConstructor.cpp:
1278         (JSC::constructWithBooleanConstructor):
1279         * runtime/CallData.cpp:
1280         (JSC::call):
1281         * runtime/CatchScope.cpp: Added.
1282         (JSC::CatchScope::CatchScope):
1283         (JSC::CatchScope::~CatchScope):
1284         * runtime/CatchScope.h: Added.
1285         (JSC::CatchScope::clearException):
1286         (JSC::CatchScope::CatchScope):
1287         * runtime/CommonSlowPaths.cpp:
1288         (JSC::SLOW_PATH_DECL):
1289         * runtime/CommonSlowPaths.h:
1290         (JSC::CommonSlowPaths::opIn):
1291         * runtime/CommonSlowPathsExceptions.cpp:
1292         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1293         * runtime/Completion.cpp:
1294         (JSC::evaluate):
1295         (JSC::rejectPromise):
1296         (JSC::loadAndEvaluateModule):
1297         (JSC::loadModule):
1298         * runtime/ConsoleObject.cpp:
1299         (JSC::consoleProtoFuncAssert):
1300         (JSC::consoleProtoFuncProfile):
1301         (JSC::consoleProtoFuncProfileEnd):
1302         (JSC::consoleProtoFuncTakeHeapSnapshot):
1303         (JSC::consoleProtoFuncTime):
1304         (JSC::consoleProtoFuncTimeEnd):
1305         * runtime/DateConstructor.cpp:
1306         (JSC::constructDate):
1307         (JSC::dateParse):
1308         * runtime/DatePrototype.cpp:
1309         (JSC::dateProtoFuncToPrimitiveSymbol):
1310         (JSC::dateProtoFuncToJSON):
1311         * runtime/ErrorConstructor.cpp:
1312         (JSC::Interpreter::constructWithErrorConstructor):
1313         * runtime/ErrorInstance.cpp:
1314         (JSC::ErrorInstance::sanitizedToString):
1315         * runtime/ErrorPrototype.cpp:
1316         (JSC::errorProtoFuncToString):
1317         * runtime/ExceptionEventLocation.cpp: Added.
1318         (WTF::printInternal):
1319         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1320         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1321         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1322         * runtime/ExceptionHelpers.h:
1323         * runtime/ExceptionScope.cpp: Added.
1324         (JSC::ExceptionScope::ExceptionScope):
1325         (JSC::ExceptionScope::~ExceptionScope):
1326         * runtime/ExceptionScope.h: Added.
1327         (JSC::ExceptionScope::vm):
1328         (JSC::ExceptionScope::recursionDepth):
1329         (JSC::ExceptionScope::exception):
1330         (JSC::ExceptionScope::ExceptionScope):
1331         * runtime/FunctionConstructor.cpp:
1332         (JSC::constructFunctionSkippingEvalEnabledCheck):
1333         * runtime/FunctionPrototype.cpp:
1334         (JSC::functionProtoFuncBind):
1335         * runtime/GenericArgumentsInlines.h:
1336         (JSC::GenericArguments<Type>::copyToArguments):
1337         * runtime/GetterSetter.cpp:
1338         (JSC::callGetter):
1339         * runtime/InspectorInstrumentationObject.cpp:
1340         (JSC::inspectorInstrumentationObjectLog):
1341         * runtime/InternalFunction.cpp:
1342         (JSC::InternalFunction::createSubclassStructure):
1343         * runtime/IntlCollator.cpp:
1344         (JSC::IntlCollator::initializeCollator):
1345         (JSC::IntlCollator::createCollator):
1346         (JSC::IntlCollator::resolvedOptions):
1347         * runtime/IntlCollatorConstructor.cpp:
1348         (JSC::constructIntlCollator):
1349         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1350         * runtime/IntlCollatorPrototype.cpp:
1351         (JSC::IntlCollatorFuncCompare):
1352         (JSC::IntlCollatorPrototypeGetterCompare):
1353         * runtime/IntlDateTimeFormat.cpp:
1354         (JSC::toDateTimeOptionsAnyDate):
1355         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1356         (JSC::IntlDateTimeFormat::resolvedOptions):
1357         (JSC::IntlDateTimeFormat::format):
1358         * runtime/IntlDateTimeFormatConstructor.cpp:
1359         (JSC::constructIntlDateTimeFormat):
1360         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1361         * runtime/IntlDateTimeFormatPrototype.cpp:
1362         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1363         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1364         * runtime/IntlNumberFormat.cpp:
1365         (JSC::IntlNumberFormat::initializeNumberFormat):
1366         (JSC::IntlNumberFormat::createNumberFormat):
1367         (JSC::IntlNumberFormat::resolvedOptions):
1368         * runtime/IntlNumberFormatConstructor.cpp:
1369         (JSC::constructIntlNumberFormat):
1370         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1371         * runtime/IntlNumberFormatPrototype.cpp:
1372         (JSC::IntlNumberFormatFuncFormatNumber):
1373         (JSC::IntlNumberFormatPrototypeGetterFormat):
1374         * runtime/IntlObject.cpp:
1375         (JSC::intlBooleanOption):
1376         (JSC::intlStringOption):
1377         (JSC::intlNumberOption):
1378         (JSC::canonicalizeLocaleList):
1379         (JSC::supportedLocales):
1380         * runtime/IntlObjectInlines.h:
1381         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1382         * runtime/IteratorOperations.cpp:
1383         (JSC::iteratorNext):
1384         (JSC::iteratorStep):
1385         (JSC::iteratorClose):
1386         (JSC::iteratorForIterable):
1387         * runtime/IteratorOperations.h:
1388         (JSC::forEachInIterable):
1389         * runtime/JSArray.cpp:
1390         (JSC::JSArray::pop):
1391         (JSC::JSArray::push):
1392         (JSC::JSArray::copyToArguments):
1393         * runtime/JSArrayBufferConstructor.cpp:
1394         (JSC::constructArrayBuffer):
1395         * runtime/JSArrayBufferPrototype.cpp:
1396         (JSC::arrayBufferProtoFuncSlice):
1397         * runtime/JSArrayInlines.h:
1398         (JSC::getLength):
1399         (JSC::toLength):
1400         * runtime/JSBoundFunction.cpp:
1401         (JSC::getBoundFunctionStructure):
1402         (JSC::JSBoundFunction::create):
1403         * runtime/JSCJSValue.cpp:
1404         (JSC::JSValue::putToPrimitive):
1405         (JSC::JSValue::putToPrimitiveByIndex):
1406         (JSC::JSValue::toStringSlowCase):
1407         * runtime/JSCJSValueInlines.h:
1408         (JSC::toPreferredPrimitiveType):
1409         (JSC::JSValue::getPropertySlot):
1410         (JSC::JSValue::equalSlowCaseInline):
1411         * runtime/JSDataViewPrototype.cpp:
1412         (JSC::getData):
1413         (JSC::setData):
1414         * runtime/JSFunction.cpp:
1415         (JSC::JSFunction::setFunctionName):
1416         * runtime/JSGenericTypedArrayView.h:
1417         (JSC::JSGenericTypedArrayView::setIndex):
1418         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1419         (JSC::constructGenericTypedArrayViewFromIterator):
1420         (JSC::constructGenericTypedArrayViewWithArguments):
1421         (JSC::constructGenericTypedArrayView):
1422         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1423         (JSC::speciesConstruct):
1424         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1425         (JSC::genericTypedArrayViewProtoFuncIncludes):
1426         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1427         (JSC::genericTypedArrayViewProtoFuncJoin):
1428         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1429         (JSC::genericTypedArrayViewProtoFuncSlice):
1430         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1431         * runtime/JSGlobalObject.h:
1432         (JSC::constructEmptyArray):
1433         (JSC::constructArray):
1434         (JSC::constructArrayNegativeIndexed):
1435         * runtime/JSGlobalObjectFunctions.cpp:
1436         (JSC::globalFuncEval):
1437         * runtime/JSJob.cpp:
1438         (JSC::JSJobMicrotask::run):
1439         * runtime/JSModuleEnvironment.cpp:
1440         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1441         * runtime/JSModuleLoader.cpp:
1442         (JSC::JSModuleLoader::fetch):
1443         * runtime/JSModuleNamespaceObject.cpp:
1444         (JSC::JSModuleNamespaceObject::finishCreation):
1445         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1446         * runtime/JSModuleRecord.cpp:
1447         (JSC::JSModuleRecord::instantiateDeclarations):
1448         * runtime/JSONObject.cpp:
1449         (JSC::Stringifier::Stringifier):
1450         (JSC::Stringifier::stringify):
1451         (JSC::Stringifier::toJSON):
1452         (JSC::Stringifier::appendStringifiedValue):
1453         (JSC::Stringifier::Holder::appendNextProperty):
1454         (JSC::Walker::walk):
1455         (JSC::JSONProtoFuncParse):
1456         * runtime/JSObject.cpp:
1457         (JSC::ordinarySetSlow):
1458         (JSC::JSObject::setPrototypeWithCycleCheck):
1459         (JSC::callToPrimitiveFunction):
1460         (JSC::JSObject::ordinaryToPrimitive):
1461         (JSC::JSObject::defaultHasInstance):
1462         (JSC::JSObject::getPropertyNames):
1463         (JSC::JSObject::toNumber):
1464         (JSC::JSObject::toString):
1465         (JSC::JSObject::defineOwnNonIndexProperty):
1466         (JSC::JSObject::getGenericPropertyNames):
1467         (JSC::JSObject::getMethod):
1468         * runtime/JSObjectInlines.h:
1469         (JSC::createListFromArrayLike):
1470         (JSC::JSObject::getPropertySlot):
1471         (JSC::JSObject::getNonIndexPropertySlot):
1472         * runtime/JSPromiseConstructor.cpp:
1473         (JSC::constructPromise):
1474         * runtime/JSPropertyNameEnumerator.h:
1475         (JSC::propertyNameEnumerator):
1476         * runtime/JSPropertyNameIterator.cpp:
1477         (JSC::JSPropertyNameIterator::create):
1478         * runtime/JSScope.cpp:
1479         (JSC::isUnscopable):
1480         (JSC::JSScope::resolve):
1481         * runtime/JSString.cpp:
1482         (JSC::JSString::equalSlowCase):
1483         * runtime/JSStringJoiner.cpp:
1484         (JSC::JSStringJoiner::join):
1485         * runtime/LiteralParser.cpp:
1486         (JSC::LiteralParser<CharType>::parse):
1487         * runtime/MapConstructor.cpp:
1488         (JSC::constructMap):
1489         * runtime/MathObject.cpp:
1490         (JSC::mathProtoFuncClz32):
1491         (JSC::mathProtoFuncHypot):
1492         (JSC::mathProtoFuncIMul):
1493         * runtime/ModuleLoaderPrototype.cpp:
1494         (JSC::moduleLoaderPrototypeParseModule):
1495         (JSC::moduleLoaderPrototypeRequestedModules):
1496         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1497         * runtime/NativeErrorConstructor.cpp:
1498         (JSC::Interpreter::constructWithNativeErrorConstructor):
1499         * runtime/NumberConstructor.cpp:
1500         (JSC::constructWithNumberConstructor):
1501         * runtime/ObjectConstructor.cpp:
1502         (JSC::constructObject):
1503         (JSC::objectConstructorGetPrototypeOf):
1504         (JSC::objectConstructorSetPrototypeOf):
1505         (JSC::objectConstructorGetOwnPropertyDescriptor):
1506         (JSC::objectConstructorGetOwnPropertyDescriptors):
1507         (JSC::objectConstructorGetOwnPropertyNames):
1508         (JSC::objectConstructorGetOwnPropertySymbols):
1509         (JSC::objectConstructorKeys):
1510         (JSC::ownEnumerablePropertyKeys):
1511         (JSC::toPropertyDescriptor):
1512         (JSC::objectConstructorDefineProperty):
1513         (JSC::defineProperties):
1514         (JSC::objectConstructorSeal):
1515         (JSC::objectConstructorFreeze):
1516         (JSC::objectConstructorIsSealed):
1517         (JSC::objectConstructorIsFrozen):
1518         (JSC::objectConstructorIsExtensible):
1519         (JSC::ownPropertyKeys):
1520         * runtime/ObjectConstructor.h:
1521         (JSC::constructObjectFromPropertyDescriptor):
1522         * runtime/ObjectPrototype.cpp:
1523         (JSC::objectProtoFuncHasOwnProperty):
1524         (JSC::objectProtoFuncIsPrototypeOf):
1525         (JSC::objectProtoFuncDefineGetter):
1526         (JSC::objectProtoFuncDefineSetter):
1527         (JSC::objectProtoFuncLookupGetter):
1528         (JSC::objectProtoFuncLookupSetter):
1529         (JSC::objectProtoFuncPropertyIsEnumerable):
1530         (JSC::objectProtoFuncToLocaleString):
1531         (JSC::objectProtoFuncToString):
1532         * runtime/Operations.cpp:
1533         (JSC::jsAddSlowCase):
1534         * runtime/Options.h:
1535         * runtime/PropertyDescriptor.cpp:
1536         (JSC::PropertyDescriptor::slowGetterSetter):
1537         * runtime/ProxyConstructor.cpp:
1538         (JSC::makeRevocableProxy):
1539         * runtime/ProxyObject.cpp:
1540         (JSC::ProxyObject::toStringName):
1541         (JSC::performProxyGet):
1542         (JSC::ProxyObject::performGet):
1543         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1544         (JSC::ProxyObject::performHasProperty):
1545         (JSC::ProxyObject::performPut):
1546         (JSC::ProxyObject::putByIndexCommon):
1547         (JSC::performProxyCall):
1548         (JSC::performProxyConstruct):
1549         (JSC::ProxyObject::performDelete):
1550         (JSC::ProxyObject::performPreventExtensions):
1551         (JSC::ProxyObject::performIsExtensible):
1552         (JSC::ProxyObject::performDefineOwnProperty):
1553         (JSC::ProxyObject::performGetOwnPropertyNames):
1554         (JSC::ProxyObject::performSetPrototype):
1555         (JSC::ProxyObject::performGetPrototype):
1556         * runtime/ReflectObject.cpp:
1557         (JSC::reflectObjectConstruct):
1558         (JSC::reflectObjectDefineProperty):
1559         (JSC::reflectObjectGet):
1560         (JSC::reflectObjectGetOwnPropertyDescriptor):
1561         (JSC::reflectObjectIsExtensible):
1562         (JSC::reflectObjectPreventExtensions):
1563         (JSC::reflectObjectSet):
1564         (JSC::reflectObjectSetPrototypeOf):
1565         * runtime/RegExpConstructor.cpp:
1566         (JSC::toFlags):
1567         (JSC::regExpCreate):
1568         (JSC::constructRegExp):
1569         * runtime/RegExpConstructor.h:
1570         (JSC::isRegExp):
1571         * runtime/RegExpObject.cpp:
1572         (JSC::collectMatches):
1573         (JSC::RegExpObject::matchGlobal):
1574         * runtime/RegExpPrototype.cpp:
1575         (JSC::regExpProtoFuncCompile):
1576         (JSC::flagsString):
1577         (JSC::regExpProtoFuncToString):
1578         (JSC::regExpProtoGetterFlags):
1579         (JSC::regExpProtoFuncSearchFast):
1580         (JSC::regExpProtoFuncSplitFast):
1581         * runtime/SetConstructor.cpp:
1582         (JSC::constructSet):
1583         * runtime/StringConstructor.cpp:
1584         (JSC::stringFromCodePoint):
1585         (JSC::constructWithStringConstructor):
1586         * runtime/StringObject.cpp:
1587         (JSC::StringObject::defineOwnProperty):
1588         * runtime/StringPrototype.cpp:
1589         (JSC::replaceUsingRegExpSearch):
1590         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1591         (JSC::replaceUsingStringSearch):
1592         (JSC::replace):
1593         (JSC::stringProtoFuncReplaceUsingRegExp):
1594         (JSC::stringProtoFuncReplaceUsingStringSearch):
1595         (JSC::stringProtoFuncCodePointAt):
1596         (JSC::stringProtoFuncSlice):
1597         (JSC::stringProtoFuncSplitFast):
1598         (JSC::stringProtoFuncSubstr):
1599         (JSC::stringProtoFuncSubstring):
1600         (JSC::stringProtoFuncLocaleCompare):
1601         (JSC::toLocaleCase):
1602         (JSC::stringProtoFuncBig):
1603         (JSC::stringProtoFuncSmall):
1604         (JSC::stringProtoFuncBlink):
1605         (JSC::stringProtoFuncBold):
1606         (JSC::stringProtoFuncFixed):
1607         (JSC::stringProtoFuncItalics):
1608         (JSC::stringProtoFuncStrike):
1609         (JSC::stringProtoFuncSub):
1610         (JSC::stringProtoFuncSup):
1611         (JSC::stringProtoFuncFontcolor):
1612         (JSC::stringProtoFuncFontsize):
1613         (JSC::stringProtoFuncAnchor):
1614         (JSC::stringProtoFuncLink):
1615         (JSC::trimString):
1616         (JSC::stringProtoFuncStartsWith):
1617         (JSC::stringProtoFuncEndsWith):
1618         (JSC::stringIncludesImpl):
1619         (JSC::stringProtoFuncIncludes):
1620         (JSC::builtinStringIncludesInternal):
1621         (JSC::stringProtoFuncNormalize):
1622         * runtime/SymbolConstructor.cpp:
1623         (JSC::symbolConstructorFor):
1624         * runtime/TemplateRegistry.cpp:
1625         (JSC::TemplateRegistry::getTemplateObject):
1626         * runtime/ThrowScope.cpp:
1627         (JSC::ThrowScope::ThrowScope):
1628         (JSC::ThrowScope::~ThrowScope):
1629         (JSC::ThrowScope::throwException):
1630         (JSC::ThrowScope::simulateThrow):
1631         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1632         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1633         * runtime/ThrowScope.h:
1634         (JSC::ThrowScope::release):
1635         (JSC::ThrowScope::ThrowScope):
1636         (JSC::ThrowScope::throwException):
1637         (JSC::ThrowScope::vm): Deleted.
1638         (JSC::ThrowScope::exception): Deleted.
1639         * runtime/ThrowScopeLocation.h: Removed.
1640         * runtime/VM.cpp:
1641         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1642         * runtime/VM.h:
1643         (JSC::VM::exception):
1644         (JSC::VM::clearException):
1645         (JSC::VM::setException): Deleted.
1646         * runtime/WeakMapConstructor.cpp:
1647         (JSC::constructWeakMap):
1648         * runtime/WeakSetConstructor.cpp:
1649         (JSC::constructWeakSet):
1650         * tools/JSDollarVMPrototype.cpp:
1651         (JSC::functionPrint):
1652
1653 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1654
1655         [INTL] some valid language tags cause errors in Intl constructors
1656         https://bugs.webkit.org/show_bug.cgi?id=161672
1657
1658         Reviewed by Mark Lam.
1659
1660         Fix private use tag parsing to match spec, allowing single character parts.
1661         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1662
1663         ```
1664         privateuse    = "x" 1*("-" (1*8alphanum))
1665         ```
1666
1667         * runtime/IntlObject.cpp:
1668         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1669
1670 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1671
1672         [JSC] Remove a couple of useless forward declaration
1673         https://bugs.webkit.org/show_bug.cgi?id=161676
1674
1675         Reviewed by Mark Lam.
1676
1677         JITMathICForwards.h should take care of declarating the Math ICs.
1678
1679         * bytecode/CodeBlock.h:
1680         * jit/JITOperations.h:
1681
1682 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1683
1684         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1685         https://bugs.webkit.org/show_bug.cgi?id=161706
1686
1687         Reviewed by Geoffrey Garen.
1688         
1689         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1690         have to do something different.
1691
1692         * jit/AssemblyHelpers.h:
1693         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1694
1695 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1696
1697         Unreviewed CMake build fix after r205552
1698
1699         * CMakeLists.txt:
1700
1701 2016-09-03  Keith Miller  <keith_miller@apple.com>
1702
1703         Add support for WASM Loops and Branches
1704         https://bugs.webkit.org/show_bug.cgi?id=161569
1705
1706         Reviewed by Benjamin Poulain.
1707
1708         This patch adds support for loops and branches to WASM. In order
1709         to support loops, we needed to change the way the B3IRGenerator
1710         tracked control information. Now, the control data holds three
1711         pieces of information: The continuation block, the loop branch
1712         target, and variables exiting the block. Whenever we branch to
1713         some control point we first check if it is a loop by checking that
1714         the loop branch target is non-null. If the branch is not targeting
1715         a loop, we map the stack values to the associated B3 variables for
1716         that stack slot.
1717
1718         Another interesting thing of note is that we now only allocate the
1719         continuation basic block lazily. This is beneficial when the
1720         continuation would just fall through to another block anyway. For
1721         example, in code like: (block ... (block (add 1 2) end) end) the
1722         continuation for the inner block just falls through to the outer
1723         block's continuation so we don't need an extra block.
1724
1725         * B3CallingConventions.cpp:
1726         (JSC::B3::jscCallingConvention): Deleted.
1727         * B3CallingConventions.h:
1728         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1729         (JSC::B3::CallingConvention::iterate): Deleted.
1730         (JSC::B3::nextJSCOffset): Deleted.
1731         * JavaScriptCore.xcodeproj/project.pbxproj:
1732         * b3/B3Type.h:
1733         * testWASM.cpp:
1734         (runWASMTests):
1735         * wasm/WASMB3IRGenerator.cpp:
1736         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1737         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1738         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1739         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1740         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1741         (JSC::WASM::B3IRGenerator::ControlData::dump):
1742         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1743         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1744         (JSC::WASM::B3IRGenerator::addLocal):
1745         (JSC::WASM::B3IRGenerator::addArguments):
1746         (JSC::WASM::B3IRGenerator::setLocal):
1747         (JSC::WASM::B3IRGenerator::addBlock):
1748         (JSC::WASM::B3IRGenerator::addLoop):
1749         (JSC::WASM::B3IRGenerator::endBlock):
1750         (JSC::WASM::B3IRGenerator::addReturn):
1751         (JSC::WASM::B3IRGenerator::addBranch):
1752         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1753         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1754         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1755         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1756         (JSC::WASM::parseAndCompile):
1757         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1758         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1759         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1760         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1761         (JSC::WASM::jscCallingConvention):
1762         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1763         (JSC::WASM::CallingConvention::CallingConvention):
1764         (JSC::WASM::CallingConvention::iterate):
1765         (JSC::WASM::nextJSCOffset):
1766         * wasm/WASMFormat.h:
1767         (JSC::WASM::toB3Type):
1768         (JSC::WASM::isValueType):
1769         * wasm/WASMFunctionParser.h:
1770         (JSC::WASM::FunctionParser<Context>::parse):
1771         (JSC::WASM::FunctionParser<Context>::parseExpression):
1772         * wasm/WASMModuleParser.cpp:
1773         (JSC::WASM::ModuleParser::parseFunctionTypes):
1774         * wasm/WASMOps.h:
1775
1776 2016-09-07  Youenn Fablet  <youenn@apple.com>
1777
1778         [Streams API] Separate compile flag for ReadableStream and WritableStream
1779         https://bugs.webkit.org/show_bug.cgi?id=161044
1780
1781         Reviewed by Alex Christensen.
1782
1783         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1784         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1785
1786         * Configurations/FeatureDefines.xcconfig:
1787         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1788         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1789         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1790
1791 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1792
1793         Fix the ENABLE(WEBASSEMBLY) build on Linux
1794         https://bugs.webkit.org/show_bug.cgi?id=161685
1795
1796         Unreviewed buildfix.
1797
1798         * wasm/JSWASMModule.cpp:
1799
1800 2016-09-06  Saam Barati  <sbarati@apple.com>
1801
1802         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1803         https://bugs.webkit.org/show_bug.cgi?id=161558
1804
1805         Reviewed by Benjamin Poulain.
1806
1807         ProxyObject had ObjectPrototype as its direct prototype.
1808         This could lead to infinite loops when doing a getDirectPrototype()
1809         loop.
1810
1811         Fixing this bug revealed another bug, which I made when implementing Proxy.
1812         We should not special case "__proto__" in get and set for Proxy Object's
1813         hooks. "__proto__" should just go through the normal set and get path.
1814
1815         * runtime/JSGlobalObject.cpp:
1816         (JSC::JSGlobalObject::init):
1817         * runtime/ProxyObject.cpp:
1818         (JSC::performProxyGet):
1819         (JSC::ProxyObject::put):
1820
1821 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1822
1823         Make JSC::PrivateName copyable
1824         https://bugs.webkit.org/show_bug.cgi?id=161666
1825
1826         Reviewed by Ryosuke Niwa.
1827
1828         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1829         And since the custom copy constructor deletes the default move constructor, we explcitly define
1830         it by `= default;`.
1831
1832         * runtime/PrivateName.h:
1833         (JSC::PrivateName::PrivateName):
1834
1835 2016-09-06  Daniel Bates  <dabates@apple.com>
1836
1837         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1838         https://bugs.webkit.org/show_bug.cgi?id=161296
1839
1840         Reviewed by Dan Bernstein.
1841
1842         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1843         with the iOS 10 beta SDK.
1844
1845         * Configurations/Base.xcconfig:
1846
1847 2016-09-06  Saam Barati  <sbarati@apple.com>
1848
1849         Unreviewed build fix for 32-bit platforms after r205520.
1850
1851         * dfg/DFGSpeculativeJIT.h:
1852         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1853
1854 2016-09-06  Saam Barati  <sbarati@apple.com>
1855
1856         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1857         https://bugs.webkit.org/show_bug.cgi?id=160870
1858
1859         Reviewed by Darin Adler.
1860
1861         Credit goes to Jonathan Bedard for finding this bug using the undefined
1862         behavior sanitizer.
1863
1864         The rule for MaterializeNewObject inside AI was assuming that the graph
1865         is in SSA form. This used to be true when MaterializeNewObject was only
1866         inserted by the allocation sinking phase. However, Filip added more uses
1867         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1868         the bug by using the structure set inside the Node's OpInfo rather than
1869         generating it from m_phiChildren inside AI.
1870
1871         * dfg/DFGAbstractInterpreterInlines.h:
1872         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1873
1874 2016-09-06  Saam Barati  <sbarati@apple.com>
1875
1876         Make JSMap and JSSet faster
1877         https://bugs.webkit.org/show_bug.cgi?id=160989
1878
1879         Reviewed by Filip Pizlo.
1880
1881         This patch revamps how we implement Map and Set. It uses
1882         a new hash map implementation. The hash map uses linear
1883         probing and it uses Wang's 64 bit hash function for JSValues
1884         that aren't strings. Strings use StringImpl's hash function.
1885         The reason I wanted to roll our own HashTable is twofold:
1886         I didn't want to inline WTF::HashMap's implementation into our
1887         JIT, since that seems error prone and unmaintainable. Also, I wanted
1888         a different structure for hash map buckets where buckets also exist in
1889         a linked list.
1890
1891         The reason for making buckets part of a linked list is that iteration
1892         is now simple. Iteration works by just traversing a linked list.
1893         This design also allows for a simple implementation when doing iteration
1894         while the hash table is mutating. Whenever we remove a bucket from
1895         the hash table, it is removed from the list, meaning items in the
1896         list don't point to it. However, the removed bucket will still point
1897         to things that are either in the list, or have also been removed.
1898         e.g, from a removed bucket, you can always follow pointers until you
1899         either find an item in the list, or you find the tail of the list.
1900         This is a really nice property because it means that a Map or Set
1901         does not need to reason about the all the iterators that point
1902         into its list. Also, whenever we add items to the Map or Set, we
1903         hijack the tail as the new item, and make the new item point to a newly
1904         created tail. This means that any iterator that pointed to the "tail" now
1905         points to non-tail items. This makes the implementation of adding things
1906         to the Map/Set while iterating easy.
1907
1908         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1909         into intrinsics in the DFG. The IR can now reason about hash map
1910         operations and can even do CSE over Wang's hash function, hash map
1911         bucket lookups, hash map bucket loads, and testing if a key is in
1912         the hash table. This makes code patterns for Map like so, super fast
1913         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1914
1915         ```
1916         function getKeyIfPresent(map, key) {
1917             if (map.has(key))
1918                 return map.get(key);
1919         }
1920         ```
1921
1922         This patch is roughly an 8% speedup on ES6SampleBench.
1923
1924
1925         * CMakeLists.txt:
1926         * JavaScriptCore.xcodeproj/project.pbxproj:
1927         * assembler/MacroAssemblerARM64.h:
1928         (JSC::MacroAssemblerARM64::not64):
1929         * bytecode/SpeculatedType.cpp:
1930         (JSC::speculationFromClassInfo):
1931         * bytecode/SpeculatedType.h:
1932         * dfg/DFGAbstractInterpreterInlines.h:
1933         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1934         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1935         * dfg/DFGByteCodeParser.cpp:
1936         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1937         * dfg/DFGClobberize.h:
1938         (JSC::DFG::clobberize):
1939         * dfg/DFGDoesGC.cpp:
1940         (JSC::DFG::doesGC):
1941         * dfg/DFGEdge.h:
1942         (JSC::DFG::Edge::shift):
1943         (JSC::DFG::Edge::makeWord):
1944         * dfg/DFGFixupPhase.cpp:
1945         (JSC::DFG::FixupPhase::fixupNode):
1946         * dfg/DFGHeapLocation.cpp:
1947         (WTF::printInternal):
1948         * dfg/DFGHeapLocation.h:
1949         * dfg/DFGNode.h:
1950         (JSC::DFG::Node::hasHeapPrediction):
1951         * dfg/DFGNodeType.h:
1952         * dfg/DFGOperations.cpp:
1953         * dfg/DFGOperations.h:
1954         * dfg/DFGPredictionPropagationPhase.cpp:
1955         * dfg/DFGSafeToExecute.h:
1956         (JSC::DFG::SafeToExecuteEdge::operator()):
1957         (JSC::DFG::safeToExecute):
1958         * dfg/DFGSpeculativeJIT.cpp:
1959         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1960         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1961         (JSC::DFG::SpeculativeJIT::speculate):
1962         * dfg/DFGSpeculativeJIT.h:
1963         (JSC::DFG::SpeculativeJIT::callOperation):
1964         * dfg/DFGSpeculativeJIT32_64.cpp:
1965         (JSC::DFG::SpeculativeJIT::compile):
1966         * dfg/DFGSpeculativeJIT64.cpp:
1967         (JSC::DFG::SpeculativeJIT::compile):
1968         * dfg/DFGUseKind.cpp:
1969         (WTF::printInternal):
1970         * dfg/DFGUseKind.h:
1971         (JSC::DFG::typeFilterFor):
1972         (JSC::DFG::isCell):
1973         * ftl/FTLAbstractHeapRepository.h:
1974         * ftl/FTLCapabilities.cpp:
1975         (JSC::FTL::canCompile):
1976         * ftl/FTLLowerDFGToB3.cpp:
1977         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1978         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1979         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1980         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1981         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1982         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1983         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1984         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1985         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1986         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1987         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1988         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1989         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1990         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1991         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1992         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1993         * jit/AssemblyHelpers.cpp:
1994         (JSC::AssemblyHelpers::wangsInt64Hash):
1995         * jit/AssemblyHelpers.h:
1996         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1997         * jit/JITOperations.h:
1998         * parser/ModuleAnalyzer.cpp:
1999         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2000         * runtime/HashMapImpl.cpp: Added.
2001         (JSC::HashMapBucket<Data>::visitChildren):
2002         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2003         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2004         * runtime/HashMapImpl.h: Added.
2005         (JSC::HashMapBucket::selectStructure):
2006         (JSC::HashMapBucket::createStructure):
2007         (JSC::HashMapBucket::create):
2008         (JSC::HashMapBucket::HashMapBucket):
2009         (JSC::HashMapBucket::setNext):
2010         (JSC::HashMapBucket::setPrev):
2011         (JSC::HashMapBucket::setKey):
2012         (JSC::HashMapBucket::setValue):
2013         (JSC::HashMapBucket::key):
2014         (JSC::HashMapBucket::value):
2015         (JSC::HashMapBucket::next):
2016         (JSC::HashMapBucket::prev):
2017         (JSC::HashMapBucket::deleted):
2018         (JSC::HashMapBucket::setDeleted):
2019         (JSC::HashMapBucket::offsetOfKey):
2020         (JSC::HashMapBucket::offsetOfValue):
2021         (JSC::HashMapBuffer::allocationSize):
2022         (JSC::HashMapBuffer::buffer):
2023         (JSC::HashMapBuffer::create):
2024         (JSC::areKeysEqual):
2025         (JSC::normalizeMapKey):
2026         (JSC::jsMapHash):
2027         (JSC::HashMapImpl::selectStructure):
2028         (JSC::HashMapImpl::createStructure):
2029         (JSC::HashMapImpl::create):
2030         (JSC::HashMapImpl::HashMapImpl):
2031         (JSC::HashMapImpl::buffer):
2032         (JSC::HashMapImpl::finishCreation):
2033         (JSC::HashMapImpl::emptyValue):
2034         (JSC::HashMapImpl::isEmpty):
2035         (JSC::HashMapImpl::deletedValue):
2036         (JSC::HashMapImpl::isDeleted):
2037         (JSC::HashMapImpl::findBucket):
2038         (JSC::HashMapImpl::get):
2039         (JSC::HashMapImpl::has):
2040         (JSC::HashMapImpl::add):
2041         (JSC::HashMapImpl::remove):
2042         (JSC::HashMapImpl::size):
2043         (JSC::HashMapImpl::clear):
2044         (JSC::HashMapImpl::bufferSizeInBytes):
2045         (JSC::HashMapImpl::offsetOfBuffer):
2046         (JSC::HashMapImpl::offsetOfCapacity):
2047         (JSC::HashMapImpl::head):
2048         (JSC::HashMapImpl::tail):
2049         (JSC::HashMapImpl::approximateSize):
2050         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2051         (JSC::HashMapImpl::rehash):
2052         (JSC::HashMapImpl::makeAndSetNewBuffer):
2053         * runtime/Intrinsic.h:
2054         * runtime/JSCJSValue.h:
2055         * runtime/JSCJSValueInlines.h:
2056         (JSC::sameValue):
2057         * runtime/JSGlobalObject.cpp:
2058         (JSC::JSGlobalObject::init):
2059         * runtime/JSMap.cpp:
2060         (JSC::JSMap::destroy): Deleted.
2061         (JSC::JSMap::estimatedSize): Deleted.
2062         (JSC::JSMap::visitChildren): Deleted.
2063         (JSC::JSMap::copyBackingStore): Deleted.
2064         (JSC::JSMap::has): Deleted.
2065         (JSC::JSMap::size): Deleted.
2066         (JSC::JSMap::get): Deleted.
2067         (JSC::JSMap::set): Deleted.
2068         (JSC::JSMap::clear): Deleted.
2069         (JSC::JSMap::remove): Deleted.
2070         * runtime/JSMap.h:
2071         (JSC::JSMap::createStructure):
2072         (JSC::JSMap::create):
2073         (JSC::JSMap::get):
2074         (JSC::JSMap::set):
2075         (JSC::JSMap::JSMap):
2076         (JSC::JSMap::Entry::key): Deleted.
2077         (JSC::JSMap::Entry::value): Deleted.
2078         (JSC::JSMap::Entry::visitChildren): Deleted.
2079         (JSC::JSMap::Entry::setKey): Deleted.
2080         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2081         (JSC::JSMap::Entry::setValue): Deleted.
2082         (JSC::JSMap::Entry::clear): Deleted.
2083         * runtime/JSMapIterator.cpp:
2084         (JSC::JSMapIterator::finishCreation):
2085         (JSC::JSMapIterator::visitChildren):
2086         (JSC::JSMapIterator::clone):
2087         * runtime/JSMapIterator.h:
2088         (JSC::JSMapIterator::advanceIter):
2089         (JSC::JSMapIterator::next):
2090         (JSC::JSMapIterator::nextKeyValue):
2091         (JSC::JSMapIterator::JSMapIterator):
2092         (JSC::JSMapIterator::setIterator):
2093         (JSC::JSMapIterator::finish): Deleted.
2094         (JSC::JSMapIterator::iteratorData): Deleted.
2095         * runtime/JSModuleLoader.cpp:
2096         (JSC::JSModuleLoader::finishCreation):
2097         * runtime/JSModuleLoader.h:
2098         (JSC::JSModuleLoader::create):
2099         * runtime/JSModuleRecord.cpp:
2100         (JSC::JSModuleRecord::finishCreation):
2101         * runtime/JSModuleRecord.h:
2102         (JSC::JSModuleRecord::create):
2103         * runtime/JSSet.cpp:
2104         (JSC::JSSet::destroy): Deleted.
2105         (JSC::JSSet::estimatedSize): Deleted.
2106         (JSC::JSSet::visitChildren): Deleted.
2107         (JSC::JSSet::copyBackingStore): Deleted.
2108         (JSC::JSSet::has): Deleted.
2109         (JSC::JSSet::size): Deleted.
2110         (JSC::JSSet::add): Deleted.
2111         (JSC::JSSet::clear): Deleted.
2112         (JSC::JSSet::remove): Deleted.
2113         * runtime/JSSet.h:
2114         (JSC::JSSet::createStructure):
2115         (JSC::JSSet::create):
2116         (JSC::JSSet::add):
2117         (JSC::JSSet::JSSet):
2118         (JSC::JSSet::Entry::key): Deleted.
2119         (JSC::JSSet::Entry::value): Deleted.
2120         (JSC::JSSet::Entry::visitChildren): Deleted.
2121         (JSC::JSSet::Entry::setKey): Deleted.
2122         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2123         (JSC::JSSet::Entry::setValue): Deleted.
2124         (JSC::JSSet::Entry::clear): Deleted.
2125         * runtime/JSSetIterator.cpp:
2126         (JSC::JSSetIterator::finishCreation):
2127         (JSC::JSSetIterator::visitChildren):
2128         (JSC::JSSetIterator::clone):
2129         * runtime/JSSetIterator.h:
2130         (JSC::JSSetIterator::advanceIter):
2131         (JSC::JSSetIterator::next):
2132         (JSC::JSSetIterator::JSSetIterator):
2133         (JSC::JSSetIterator::setIterator):
2134         (JSC::JSSetIterator::finish): Deleted.
2135         (JSC::JSSetIterator::iteratorData): Deleted.
2136         * runtime/JSType.h:
2137         * runtime/MapBase.cpp: Added.
2138         (JSC::MapBase<HashMapBucketType>::visitChildren):
2139         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2140         * runtime/MapBase.h: Added.
2141         (JSC::MapBase::size):
2142         (JSC::MapBase::has):
2143         (JSC::MapBase::clear):
2144         (JSC::MapBase::remove):
2145         (JSC::MapBase::findBucket):
2146         (JSC::MapBase::offsetOfHashMapImpl):
2147         (JSC::MapBase::impl):
2148         (JSC::MapBase::finishCreation):
2149         (JSC::MapBase::MapBase):
2150         * runtime/MapConstructor.cpp:
2151         (JSC::constructMap):
2152         * runtime/MapIteratorPrototype.cpp:
2153         (JSC::MapIteratorPrototypeFuncNext):
2154         * runtime/MapPrototype.cpp:
2155         (JSC::MapPrototype::finishCreation):
2156         (JSC::getMap):
2157         (JSC::privateFuncIsMap):
2158         (JSC::privateFuncMapIteratorNext):
2159         * runtime/PropertyDescriptor.cpp:
2160         (JSC::sameValue): Deleted.
2161         * runtime/PropertyDescriptor.h:
2162         * runtime/SetConstructor.cpp:
2163         (JSC::constructSet):
2164         * runtime/SetIteratorPrototype.cpp:
2165         (JSC::SetIteratorPrototypeFuncNext):
2166         * runtime/SetPrototype.cpp:
2167         (JSC::SetPrototype::finishCreation):
2168         (JSC::getSet):
2169         (JSC::privateFuncSetIteratorNext):
2170         * runtime/VM.cpp:
2171         (JSC::VM::VM):
2172         * runtime/VM.h:
2173
2174 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2175
2176         [JSC] Make ArithClz32 work with Cell arguments
2177         https://bugs.webkit.org/show_bug.cgi?id=161369
2178
2179         Reviewed by Geoffrey Garen.
2180
2181         ArithClz32 was already working with all primitive types
2182         thanks to the magic of ValueToInt32.
2183         This patch adds support for cell arguments through a function
2184         call.
2185
2186         * dfg/DFGAbstractInterpreterInlines.h:
2187         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2188         * dfg/DFGClobberize.h:
2189         (JSC::DFG::clobberize):
2190         * dfg/DFGFixupPhase.cpp:
2191         (JSC::DFG::FixupPhase::fixupNode):
2192         * dfg/DFGNodeType.h:
2193         * dfg/DFGOperations.cpp:
2194         * dfg/DFGOperations.h:
2195         * dfg/DFGSpeculativeJIT.cpp:
2196         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2197         * dfg/DFGSpeculativeJIT.h:
2198         (JSC::DFG::SpeculativeJIT::callOperation):
2199         * ftl/FTLLowerDFGToB3.cpp:
2200         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2201
2202 2016-09-06  Mark Lam  <mark.lam@apple.com>
2203
2204         Gardening: change to use old header guard to appease Win EWS.
2205
2206         Not reviewed.
2207
2208         * runtime/AuxiliaryBarrier.h:
2209
2210 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2211
2212         Unreviewed, rolling out r205494.
2213         https://bugs.webkit.org/show_bug.cgi?id=161646
2214
2215         This change broke the Windows build (Requested by ryanhaddad
2216         on #webkit).
2217
2218         Reverted changeset:
2219
2220         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2221         https://bugs.webkit.org/show_bug.cgi?id=161100
2222         http://trac.webkit.org/changeset/205494
2223
2224 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2225
2226         Unreviewed, rolling out r205504.
2227         https://bugs.webkit.org/show_bug.cgi?id=161645
2228
2229         Broke the iOS device build (Requested by ryanhaddad on
2230         #webkit).
2231
2232         Reverted changeset:
2233
2234         "Make JSMap and JSSet faster"
2235         https://bugs.webkit.org/show_bug.cgi?id=160989
2236         http://trac.webkit.org/changeset/205504
2237
2238 2016-09-06  Saam Barati  <sbarati@apple.com>
2239
2240         Make JSMap and JSSet faster
2241         https://bugs.webkit.org/show_bug.cgi?id=160989
2242
2243         Reviewed by Filip Pizlo.
2244
2245         This patch revamps how we implement Map and Set. It uses
2246         a new hash map implementation. The hash map uses linear
2247         probing and it uses Wang's 64 bit hash function for JSValues
2248         that aren't strings. Strings use StringImpl's hash function.
2249         The reason I wanted to roll our own HashTable is twofold:
2250         I didn't want to inline WTF::HashMap's implementation into our
2251         JIT, since that seems error prone and unmaintainable. Also, I wanted
2252         a different structure for hash map buckets where buckets also exist in
2253         a linked list.
2254
2255         The reason for making buckets part of a linked list is that iteration
2256         is now simple. Iteration works by just traversing a linked list.
2257         This design also allows for a simple implementation when doing iteration
2258         while the hash table is mutating. Whenever we remove a bucket from
2259         the hash table, it is removed from the list, meaning items in the
2260         list don't point to it. However, the removed bucket will still point
2261         to things that are either in the list, or have also been removed.
2262         e.g, from a removed bucket, you can always follow pointers until you
2263         either find an item in the list, or you find the tail of the list.
2264         This is a really nice property because it means that a Map or Set
2265         does not need to reason about the all the iterators that point
2266         into its list. Also, whenever we add items to the Map or Set, we
2267         hijack the tail as the new item, and make the new item point to a newly
2268         created tail. This means that any iterator that pointed to the "tail" now
2269         points to non-tail items. This makes the implementation of adding things
2270         to the Map/Set while iterating easy.
2271
2272         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2273         into intrinsics in the DFG. The IR can now reason about hash map
2274         operations and can even do CSE over Wang's hash function, hash map
2275         bucket lookups, hash map bucket loads, and testing if a key is in
2276         the hash table. This makes code patterns for Map like so, super fast
2277         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2278
2279         ```
2280         function getKeyIfPresent(map, key) {
2281             if (map.has(key))
2282                 return map.get(key);
2283         }
2284         ```
2285
2286         This patch is roughly an 8% speedup on ES6SampleBench.
2287
2288         * CMakeLists.txt:
2289         * JavaScriptCore.xcodeproj/project.pbxproj:
2290         * bytecode/SpeculatedType.cpp:
2291         (JSC::speculationFromClassInfo):
2292         * bytecode/SpeculatedType.h:
2293         * dfg/DFGAbstractInterpreterInlines.h:
2294         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2295         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2296         * dfg/DFGByteCodeParser.cpp:
2297         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2298         * dfg/DFGClobberize.h:
2299         (JSC::DFG::clobberize):
2300         * dfg/DFGDoesGC.cpp:
2301         (JSC::DFG::doesGC):
2302         * dfg/DFGEdge.h:
2303         (JSC::DFG::Edge::shift):
2304         (JSC::DFG::Edge::makeWord):
2305         * dfg/DFGFixupPhase.cpp:
2306         (JSC::DFG::FixupPhase::fixupNode):
2307         * dfg/DFGHeapLocation.cpp:
2308         (WTF::printInternal):
2309         * dfg/DFGHeapLocation.h:
2310         * dfg/DFGNode.h:
2311         (JSC::DFG::Node::hasHeapPrediction):
2312         * dfg/DFGNodeType.h:
2313         * dfg/DFGOperations.cpp:
2314         * dfg/DFGOperations.h:
2315         * dfg/DFGPredictionPropagationPhase.cpp:
2316         * dfg/DFGSafeToExecute.h:
2317         (JSC::DFG::SafeToExecuteEdge::operator()):
2318         (JSC::DFG::safeToExecute):
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2321         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2322         (JSC::DFG::SpeculativeJIT::speculate):
2323         * dfg/DFGSpeculativeJIT.h:
2324         (JSC::DFG::SpeculativeJIT::callOperation):
2325         * dfg/DFGSpeculativeJIT32_64.cpp:
2326         (JSC::DFG::SpeculativeJIT::compile):
2327         * dfg/DFGSpeculativeJIT64.cpp:
2328         (JSC::DFG::SpeculativeJIT::compile):
2329         * dfg/DFGUseKind.cpp:
2330         (WTF::printInternal):
2331         * dfg/DFGUseKind.h:
2332         (JSC::DFG::typeFilterFor):
2333         (JSC::DFG::isCell):
2334         * ftl/FTLAbstractHeapRepository.h:
2335         * ftl/FTLCapabilities.cpp:
2336         (JSC::FTL::canCompile):
2337         * ftl/FTLLowerDFGToB3.cpp:
2338         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2339         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2340         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2341         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2342         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2343         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2344         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2345         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2346         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2347         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2348         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2349         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2350         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2351         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2352         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2353         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2354         * jit/AssemblyHelpers.cpp:
2355         (JSC::AssemblyHelpers::wangsInt64Hash):
2356         * jit/AssemblyHelpers.h:
2357         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2358         * jit/JITOperations.h:
2359         * parser/ModuleAnalyzer.cpp:
2360         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2361         * runtime/HashMapImpl.cpp: Added.
2362         (JSC::HashMapBucket<Data>::visitChildren):
2363         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2364         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2365         * runtime/HashMapImpl.h: Added.
2366         (JSC::HashMapBucket::selectStructure):
2367         (JSC::HashMapBucket::createStructure):
2368         (JSC::HashMapBucket::create):
2369         (JSC::HashMapBucket::HashMapBucket):
2370         (JSC::HashMapBucket::setNext):
2371         (JSC::HashMapBucket::setPrev):
2372         (JSC::HashMapBucket::setKey):
2373         (JSC::HashMapBucket::setValue):
2374         (JSC::HashMapBucket::key):
2375         (JSC::HashMapBucket::value):
2376         (JSC::HashMapBucket::next):
2377         (JSC::HashMapBucket::prev):
2378         (JSC::HashMapBucket::deleted):
2379         (JSC::HashMapBucket::setDeleted):
2380         (JSC::HashMapBucket::offsetOfKey):
2381         (JSC::HashMapBucket::offsetOfValue):
2382         (JSC::HashMapBuffer::allocationSize):
2383         (JSC::HashMapBuffer::buffer):
2384         (JSC::HashMapBuffer::create):
2385         (JSC::areKeysEqual):
2386         (JSC::normalizeMapKey):
2387         (JSC::jsMapHash):
2388         (JSC::HashMapImpl::selectStructure):
2389         (JSC::HashMapImpl::createStructure):
2390         (JSC::HashMapImpl::create):
2391         (JSC::HashMapImpl::HashMapImpl):
2392         (JSC::HashMapImpl::buffer):
2393         (JSC::HashMapImpl::finishCreation):
2394         (JSC::HashMapImpl::emptyValue):
2395         (JSC::HashMapImpl::isEmpty):
2396         (JSC::HashMapImpl::deletedValue):
2397         (JSC::HashMapImpl::isDeleted):
2398         (JSC::HashMapImpl::findBucket):
2399         (JSC::HashMapImpl::get):
2400         (JSC::HashMapImpl::has):
2401         (JSC::HashMapImpl::add):
2402         (JSC::HashMapImpl::remove):
2403         (JSC::HashMapImpl::size):
2404         (JSC::HashMapImpl::clear):
2405         (JSC::HashMapImpl::bufferSizeInBytes):
2406         (JSC::HashMapImpl::offsetOfBuffer):
2407         (JSC::HashMapImpl::offsetOfCapacity):
2408         (JSC::HashMapImpl::head):
2409         (JSC::HashMapImpl::tail):
2410         (JSC::HashMapImpl::approximateSize):
2411         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2412         (JSC::HashMapImpl::rehash):
2413         (JSC::HashMapImpl::makeAndSetNewBuffer):
2414         * runtime/Intrinsic.h:
2415         * runtime/JSCJSValue.h:
2416         * runtime/JSCJSValueInlines.h:
2417         (JSC::sameValue):
2418         * runtime/JSGlobalObject.cpp:
2419         (JSC::JSGlobalObject::init):
2420         * runtime/JSMap.cpp:
2421         (JSC::JSMap::destroy): Deleted.
2422         (JSC::JSMap::estimatedSize): Deleted.
2423         (JSC::JSMap::visitChildren): Deleted.
2424         (JSC::JSMap::copyBackingStore): Deleted.
2425         (JSC::JSMap::has): Deleted.
2426         (JSC::JSMap::size): Deleted.
2427         (JSC::JSMap::get): Deleted.
2428         (JSC::JSMap::set): Deleted.
2429         (JSC::JSMap::clear): Deleted.
2430         (JSC::JSMap::remove): Deleted.
2431         * runtime/JSMap.h:
2432         (JSC::JSMap::createStructure):
2433         (JSC::JSMap::create):
2434         (JSC::JSMap::get):
2435         (JSC::JSMap::set):
2436         (JSC::JSMap::JSMap):
2437         (JSC::JSMap::Entry::key): Deleted.
2438         (JSC::JSMap::Entry::value): Deleted.
2439         (JSC::JSMap::Entry::visitChildren): Deleted.
2440         (JSC::JSMap::Entry::setKey): Deleted.
2441         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2442         (JSC::JSMap::Entry::setValue): Deleted.
2443         (JSC::JSMap::Entry::clear): Deleted.
2444         * runtime/JSMapIterator.cpp:
2445         (JSC::JSMapIterator::finishCreation):
2446         (JSC::JSMapIterator::visitChildren):
2447         (JSC::JSMapIterator::clone):
2448         * runtime/JSMapIterator.h:
2449         (JSC::JSMapIterator::advanceIter):
2450         (JSC::JSMapIterator::next):
2451         (JSC::JSMapIterator::nextKeyValue):
2452         (JSC::JSMapIterator::JSMapIterator):
2453         (JSC::JSMapIterator::setIterator):
2454         (JSC::JSMapIterator::finish): Deleted.
2455         (JSC::JSMapIterator::iteratorData): Deleted.
2456         * runtime/JSModuleLoader.cpp:
2457         (JSC::JSModuleLoader::finishCreation):
2458         * runtime/JSModuleLoader.h:
2459         (JSC::JSModuleLoader::create):
2460         * runtime/JSModuleRecord.cpp:
2461         (JSC::JSModuleRecord::finishCreation):
2462         * runtime/JSModuleRecord.h:
2463         (JSC::JSModuleRecord::create):
2464         * runtime/JSSet.cpp:
2465         (JSC::JSSet::destroy): Deleted.
2466         (JSC::JSSet::estimatedSize): Deleted.
2467         (JSC::JSSet::visitChildren): Deleted.
2468         (JSC::JSSet::copyBackingStore): Deleted.
2469         (JSC::JSSet::has): Deleted.
2470         (JSC::JSSet::size): Deleted.
2471         (JSC::JSSet::add): Deleted.
2472         (JSC::JSSet::clear): Deleted.
2473         (JSC::JSSet::remove): Deleted.
2474         * runtime/JSSet.h:
2475         (JSC::JSSet::createStructure):
2476         (JSC::JSSet::create):
2477         (JSC::JSSet::add):
2478         (JSC::JSSet::JSSet):
2479         (JSC::JSSet::Entry::key): Deleted.
2480         (JSC::JSSet::Entry::value): Deleted.
2481         (JSC::JSSet::Entry::visitChildren): Deleted.
2482         (JSC::JSSet::Entry::setKey): Deleted.
2483         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2484         (JSC::JSSet::Entry::setValue): Deleted.
2485         (JSC::JSSet::Entry::clear): Deleted.
2486         * runtime/JSSetIterator.cpp:
2487         (JSC::JSSetIterator::finishCreation):
2488         (JSC::JSSetIterator::visitChildren):
2489         (JSC::JSSetIterator::clone):
2490         * runtime/JSSetIterator.h:
2491         (JSC::JSSetIterator::advanceIter):
2492         (JSC::JSSetIterator::next):
2493         (JSC::JSSetIterator::JSSetIterator):
2494         (JSC::JSSetIterator::setIterator):
2495         (JSC::JSSetIterator::finish): Deleted.
2496         (JSC::JSSetIterator::iteratorData): Deleted.
2497         * runtime/JSType.h:
2498         * runtime/MapBase.cpp: Added.
2499         (JSC::MapBase<HashMapBucketType>::visitChildren):
2500         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2501         * runtime/MapBase.h: Added.
2502         (JSC::MapBase::size):
2503         (JSC::MapBase::has):
2504         (JSC::MapBase::clear):
2505         (JSC::MapBase::remove):
2506         (JSC::MapBase::findBucket):
2507         (JSC::MapBase::offsetOfHashMapImpl):
2508         (JSC::MapBase::impl):
2509         (JSC::MapBase::finishCreation):
2510         (JSC::MapBase::MapBase):
2511         * runtime/MapConstructor.cpp:
2512         (JSC::constructMap):
2513         * runtime/MapIteratorPrototype.cpp:
2514         (JSC::MapIteratorPrototypeFuncNext):
2515         * runtime/MapPrototype.cpp:
2516         (JSC::MapPrototype::finishCreation):
2517         (JSC::getMap):
2518         (JSC::privateFuncIsMap):
2519         (JSC::privateFuncMapIteratorNext):
2520         * runtime/PropertyDescriptor.cpp:
2521         (JSC::sameValue): Deleted.
2522         * runtime/PropertyDescriptor.h:
2523         * runtime/SetConstructor.cpp:
2524         (JSC::constructSet):
2525         * runtime/SetIteratorPrototype.cpp:
2526         (JSC::SetIteratorPrototypeFuncNext):
2527         * runtime/SetPrototype.cpp:
2528         (JSC::SetPrototype::finishCreation):
2529         (JSC::getSet):
2530         (JSC::privateFuncSetIteratorNext):
2531         * runtime/VM.cpp:
2532         (JSC::VM::VM):
2533         * runtime/VM.h:
2534
2535 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2536
2537         Typed arrays should use MarkedSpace instead of CopiedSpace
2538         https://bugs.webkit.org/show_bug.cgi?id=161100
2539
2540         Reviewed by Geoffrey Garen.
2541         
2542         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2543         
2544         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2545         everything that typed arrays want.
2546
2547         * dfg/DFGOperations.cpp:
2548         (JSC::DFG::newTypedArrayWithSize):
2549         * dfg/DFGOperations.h:
2550         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2551         * dfg/DFGSpeculativeJIT.cpp:
2552         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2553         * dfg/DFGSpeculativeJIT.h:
2554         (JSC::DFG::SpeculativeJIT::callOperation):
2555         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2556         * ftl/FTLLowerDFGToB3.cpp:
2557         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2558         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2559         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2560         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2561         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2562         * heap/CopyToken.h:
2563         * heap/SlotVisitor.cpp:
2564         (JSC::SlotVisitor::markAuxiliary):
2565         * jit/JITOperations.h:
2566         * runtime/JSArrayBufferView.cpp:
2567         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2568         (JSC::JSArrayBufferView::JSArrayBufferView):
2569         * runtime/JSArrayBufferView.h:
2570         * runtime/JSGenericTypedArrayView.h:
2571         * runtime/JSGenericTypedArrayViewInlines.h:
2572         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2573         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2574         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2575         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2576
2577 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2578
2579         Silence GCC warning spam introduced in r205462
2580
2581         Rubber-stamped by Filip Pizlo.
2582
2583         * bytecode/Opcode.h:
2584         (JSC::padOpcodeName):
2585
2586 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2587
2588         Heap::isMarked() should use concurrent lazy flipping
2589         https://bugs.webkit.org/show_bug.cgi?id=161613
2590
2591         Reviewed by Michael Catanzaro.
2592         
2593         I found out about this race condition via
2594         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2595         
2596         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2597         phase. So, they need to lazy-flip in a non-racy way.
2598
2599         * heap/HeapInlines.h:
2600         (JSC::Heap::isLive):
2601         (JSC::Heap::isMarked):
2602
2603 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2604
2605         Unreviewed, reset generator test results after the butterflies.
2606
2607         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2608         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2609         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2610         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2611         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2612         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2613         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2614         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2615         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2616         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2617         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2618         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2619         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2620         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2621
2622 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Unreviewed, fix cloop build.
2625
2626         * bytecode/SuperSampler.cpp:
2627
2628 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2629
2630         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2631         https://bugs.webkit.org/show_bug.cgi?id=160125
2632
2633         Reviewed by Geoffrey Garen and Keith Miller.
2634
2635         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2636         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2637         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2638         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2639         to get rid of copied space. This change moves copied space's biggest client over to marked
2640         space.
2641         
2642         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2643         allocation path. This is a fairly mechanical change, but it caused performance regressions
2644         everywhere, so this change also fixes MarkedSpace's performance issues.
2645         
2646         At a high level the mechanical changes are:
2647         
2648         - We use AuxiliaryBarrier instead of CopyBarrier.
2649         
2650         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2651           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2652         
2653         - The JITs have to emit inlined marked space allocations instead of inline copy space
2654           allocations.
2655         
2656         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2657           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2658           space doesn't.
2659         
2660         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2661         optimizations that amounted to a major MarkedSpace rewrite:
2662         
2663         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2664           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2665           size class. I got around this by making array allocations usually round up vectorLength to
2666           the maximum allowed by the size class that we would have allocated in. Also,
2667           ensureLengthSlow() and friends first make sure that the requested length can't just be
2668           fulfilled with the current allocation size. This safeguard means that not every array
2669           allocation has to do size class queries. For example, the fast path of new Array(length)
2670           never does any size class queries, under the assumption that (1) the speed gained from
2671           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2672           size class query, is too small to offset the speed lost by doing the query on every
2673           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2674           likely.
2675         
2676         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2677           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2678           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2679           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2680           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2681           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2682           size (80 bytes), we proceed using a geometric progression, but round up each size to
2683           minimize slop at the end of the block. This naturally causes the geometric progression to
2684           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2685           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2686         
2687         - Large allocations caused massive internal fragmentation, since the smallest large
2688           allocation had to use exactly blockSize, and the largest small allocation used
2689           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2690           also had 50% internal fragmentation. This is because we required large allocations to be
2691           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2692           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2693           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2694           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2695           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2696           out great since (1) typed arrays won't use large allocations anyway since they have their
2697           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2698           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2699           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2700           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2701           must be small allocations. It's also possible to use template tricks to do one check for
2702           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2703           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2704           that get used from functions that are template-specialized like this. That's mostly to
2705           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2706           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2707           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2708           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2709           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2710           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2711           that the MarkedBlock size classes end up being:
2712           
2713           16, 32, 48, 64, 80, 112, 160, 224, 320
2714           
2715           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2716           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2717           size classes you end up with by doing --dumpSizeClasses=true.
2718         
2719         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2720           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2721           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2722           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2723           side, for better locality during a sequential walk. It's no longer necessary to scan
2724           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2725           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2726           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2727           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2728           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2729           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2730           together, these optimizations allowed me to reduce block size to 16KB without losing much
2731           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2732           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2733           progression on membuster. That's not possible yet, since there is still enough per-block
2734           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2735           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2736         
2737         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2738           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2739           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2740           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2741           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2742           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2743           that we walk the block to build a free list. This means walking dead space. The new
2744           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2745           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2746           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2747           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2748           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2749           is completely empty, which is the common case because of the generational hypothesis: the
2750           number of objects that survive an eden collection is a tiny fraction of the number of
2751           objects that had been allocated, and this fraction is so small that there are typically
2752           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2753           win over tip-of-tree.
2754         
2755         - FTL now shares the same allocation fast paths as everything else, which is great, because
2756           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2757           control flow, since it won't be able to improve the machine code we write ourselves. GC
2758           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2759           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2760           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2761           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2762           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2763           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2764           variable-length allocation but then realize that the length is known). I think it makes
2765           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2766           since this makes lowering easier (you can constant fold during lowering more easily) and it
2767           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2768           constant-fold this code. That would require allowing loads to be constant-folded, which is
2769           doable but hella tricky.
2770         
2771         - It used to be that if a logical object allocation required two physical allocations (first
2772           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2773           failure in the second fast path would cause us to forget the successful first physical
2774           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2775           register to storing either the butterfly or null, because the butterfly register is anyway
2776           going to be free inside the first allocation. The only overhead here is zeroing the
2777           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2778           path, which can then either allocate a butterfly or not. So now we never waste a successful
2779           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2780           since we control registers already) and in FTL (where it's annoying, because mutable
2781           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2782           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2783           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2784           benchmark would always allocate N small things followed by one bigger thing. The problem
2785           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2786           the JSObject size class, which both the small and big thing shared for their cell, could
2787           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2788           it allocated the big thing. So, it would end up having to allocate the big thing's large
2789           butterfly twice, every single time! Ouch!
2790         
2791         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2792           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2793           of the allocator to initialize the object to whatever state they need. It used to be that
2794           we would just use a dumb loop. I initially changed this so that we would end up in memset
2795           for large allocations, but this didn't actually help performance that much. I got a much
2796           better result by playing with different memsets written in assembly. First I wrote one
2797           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2798           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2799           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2800           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2801           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2802           of stores (if the size is known), but those paths in the JIT won't trigger for
2803           NewArrayWithSize() if the size is large, since that takes us to the
2804           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2805           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2806           that need to be filled with holes.
2807         
2808         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2809         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2810         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2811         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2812         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2813         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2814         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2815         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2816         marking barrier and we simply won't need a copying barrier. This change gets us there for
2817         the purposes of our benchmarks, since the remaining clients of copied space are not very
2818         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2819         adding back the copy barrier, which costs more perf.
2820         
2821         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2822         typed arrays and a few other weird things over to Aux MarkedSpace.
2823         
2824         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2825         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2826         just including JSCInlines.h (instead of manually including the files that includes) is
2827         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2828         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2829         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2830         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2831         meant having to manually include HeapInlines.h from the places that previously got it
2832         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2833         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2834         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2835         made it impossible to include it from outside JSC. This was a lot of work, but it was
2836         necessary to get the patch to build on all ports. It's also a net win. There were many places
2837         in WebCore that were transitively including a *ton* of JSC headers just because of the
2838         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2839         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2840
2841         * API/JSManagedValue.mm:
2842         (-[JSManagedValue initWithValue:]):
2843         * API/JSTypedArray.cpp:
2844         * API/ObjCCallbackFunction.mm:
2845         * API/tests/testapi.mm:
2846         (testObjectiveCAPI):
2847         (testWeakValue): Deleted.
2848         * CMakeLists.txt:
2849         * JavaScriptCore.xcodeproj/project.pbxproj:
2850         * Scripts/builtins/builtins_generate_combined_implementation.py:
2851         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2852         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2853         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2854         * Scripts/builtins/builtins_generate_separate_implementation.py:
2855         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2856         * assembler/AbstractMacroAssembler.h:
2857         (JSC::AbstractMacroAssembler::JumpList::link):
2858         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2859         * assembler/MacroAssembler.h:
2860         * assembler/MacroAssemblerARM64.h:
2861         (JSC::MacroAssemblerARM64::add32):
2862         * assembler/MacroAssemblerCodeRef.cpp: Added.
2863         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2864         (JSC::MacroAssemblerCodePtr::dumpWithName):
2865         (JSC::MacroAssemblerCodePtr::dump):
2866         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2867         (JSC::MacroAssemblerCodeRef::dump):
2868         * assembler/MacroAssemblerCodeRef.h:
2869         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2870         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2871         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2872         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2873         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2874         * b3/B3BasicBlock.cpp:
2875         (JSC::B3::BasicBlock::appendBoolConstant):
2876         * b3/B3BasicBlock.h:
2877         * b3/B3DuplicateTails.cpp:
2878         * b3/B3StackmapGenerationParams.h:
2879         * b3/testb3.cpp:
2880         (JSC::B3::testPatchpointTerminalReturnValue):
2881         (JSC::B3::run):
2882         * bindings/ScriptValue.cpp:
2883         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2884         * bytecode/BytecodeBasicBlock.cpp:
2885         * bytecode/BytecodeLivenessAnalysis.cpp:
2886         * bytecode/BytecodeUseDef.h:
2887         * bytecode/CallLinkInfo.cpp:
2888         (JSC::CallLinkInfo::callTypeFor):
2889         * bytecode/CallLinkInfo.h:
2890         (JSC::CallLinkInfo::callTypeFor): Deleted.
2891         * bytecode/CallLinkStatus.cpp:
2892         * bytecode/CodeBlock.cpp:
2893         (JSC::CodeBlock::finishCreation):
2894         (JSC::CodeBlock::clearLLIntGetByIdCache):
2895         (JSC::CodeBlock::predictedMachineCodeSize):
2896         * bytecode/CodeBlock.h:
2897         (JSC::CodeBlock::jitCodeMap): Deleted.
2898         (JSC::clearLLIntGetByIdCache): Deleted.
2899         * bytecode/ExecutionCounter.h:
2900         * bytecode/Instruction.h:
2901         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2902         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2903         * bytecode/ObjectAllocationProfile.h:
2904         (JSC::ObjectAllocationProfile::isNull):
2905         (JSC::ObjectAllocationProfile::initialize):
2906         * bytecode/Opcode.h:
2907         (JSC::padOpcodeName):
2908         * bytecode/PolymorphicAccess.cpp:
2909         (JSC::AccessCase::generateImpl):
2910         (JSC::PolymorphicAccess::regenerate):
2911         * bytecode/PolymorphicAccess.h:
2912         * bytecode/PreciseJumpTargets.cpp:
2913         * bytecode/StructureStubInfo.cpp:
2914         * bytecode/StructureStubInfo.h:
2915         * bytecode/UnlinkedCodeBlock.cpp:
2916         (JSC::UnlinkedCodeBlock::vm): Deleted.
2917         * bytecode/UnlinkedCodeBlock.h:
2918         * bytecode/UnlinkedInstructionStream.cpp:
2919         * bytecode/UnlinkedInstructionStream.h:
2920         * dfg/DFGOperations.cpp:
2921         * dfg/DFGSpeculativeJIT.cpp:
2922         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2923         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2924         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2925         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2926         * dfg/DFGSpeculativeJIT.h:
2927         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2928         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2929         * dfg/DFGSpeculativeJIT32_64.cpp:
2930         (JSC::DFG::SpeculativeJIT::compile):
2931         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2932         * dfg/DFGSpeculativeJIT64.cpp:
2933         (JSC::DFG::SpeculativeJIT::compile):
2934         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2935         * dfg/DFGStrengthReductionPhase.cpp:
2936         (JSC::DFG::StrengthReductionPhase::handleNode):
2937         * ftl/FTLAbstractHeapRepository.h:
2938         * ftl/FTLCompile.cpp:
2939         * ftl/FTLJITFinalizer.cpp:
2940         * ftl/FTLLowerDFGToB3.cpp:
2941         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2942         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2943         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2944         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2945         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2946         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2947         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2948         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2949         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2950         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2951         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2952         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2953         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2954         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2955         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2956         * ftl/FTLOutput.cpp:
2957         (JSC::FTL::Output::constBool):
2958         (JSC::FTL::Output::add):
2959         (JSC::FTL::Output::shl):
2960         (JSC::FTL::Output::aShr):
2961         (JSC::FTL::Output::lShr):
2962         (JSC::FTL::Output::zeroExt):
2963         (JSC::FTL::Output::equal):
2964         (JSC::FTL::Output::notEqual):
2965         (JSC::FTL::Output::above):
2966         (JSC::FTL::Output::aboveOrEqual):
2967         (JSC::FTL::Output::below):
2968         (JSC::FTL::Output::belowOrEqual):
2969         (JSC::FTL::Output::greaterThan):
2970         (JSC::FTL::Output::greaterThanOrEqual):
2971         (JSC::FTL::Output::lessThan):
2972         (JSC::FTL::Output::lessThanOrEqual):
2973         (JSC::FTL::Output::select):
2974         (JSC::FTL::Output::appendSuccessor):
2975         (JSC::FTL::Output::addIncomingToPhi):
2976         * ftl/FTLOutput.h:
2977         * ftl/FTLValueFromBlock.h:
2978         (JSC::FTL::ValueFromBlock::operator bool):
2979         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2980         * ftl/FTLWeightedTarget.h:
2981         (JSC::FTL::WeightedTarget::frequentedBlock):
2982         * heap/CellContainer.h: Added.
2983         (JSC::CellContainer::CellContainer):
2984         (JSC::CellContainer::operator bool):
2985         (JSC::CellContainer::isMarkedBlock):
2986         (JSC::CellContainer::isLargeAllocation):
2987         (JSC::CellContainer::markedBlock):
2988         (JSC::CellContainer::largeAllocation):
2989         * heap/CellContainerInlines.h: Added.
2990         (JSC::CellContainer::isMarked):
2991         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2992         (JSC::CellContainer::noteMarked):
2993         (JSC::CellContainer::cellSize):
2994         (JSC::CellContainer::weakSet):
2995         (JSC::CellContainer::flipIfNecessary):
2996         * heap/ConservativeRoots.cpp:
2997         (JSC::ConservativeRoots::ConservativeRoots):
2998         (JSC::ConservativeRoots::~ConservativeRoots):
2999         (JSC::ConservativeRoots::grow):
3000         (JSC::ConservativeRoots::genericAddPointer):
3001         (JSC::ConservativeRoots::genericAddSpan):
3002         * heap/ConservativeRoots.h:
3003         (JSC::ConservativeRoots::roots):
3004         * heap/CopyToken.h:
3005         * heap/FreeList.cpp: Added.
3006         (JSC::FreeList::dump):
3007         * heap/FreeList.h: Added.
3008         (JSC::FreeList::FreeList):
3009         (JSC::FreeList::list):
3010         (JSC::FreeList::bump):
3011         (JSC::FreeList::operator==):
3012         (JSC::FreeList::operator!=):
3013         (JSC::FreeList::operator bool):
3014         (JSC::FreeList::allocationWillFail):
3015         (JSC::FreeList::allocationWillSucceed):
3016         * heap/GCTypeMap.h: Added.
3017         (JSC::GCTypeMap::operator[]):
3018         * heap/Heap.cpp:
3019         (JSC::Heap::Heap):
3020         (JSC::Heap::lastChanceToFinalize):
3021         (JSC::Heap::finalizeUnconditionalFinalizers):
3022         (JSC::Heap::markRoots):
3023         (JSC::Heap::copyBackingStores):
3024         (JSC::Heap::gatherStackRoots):
3025         (JSC::Heap::gatherJSStackRoots):
3026         (JSC::Heap::gatherScratchBufferRoots):
3027         (JSC::Heap::clearLivenessData):
3028         (JSC::Heap::visitSmallStrings):
3029         (JSC::Heap::visitConservativeRoots):
3030         (JSC::Heap::removeDeadCompilerWorklistEntries):
3031         (JSC::Heap::gatherExtraHeapSnapshotData):
3032         (JSC::Heap::removeDeadHeapSnapshotNodes):
3033         (JSC::Heap::visitProtectedObjects):
3034         (JSC::Heap::visitArgumentBuffers):
3035         (JSC::Heap::visitException):
3036         (JSC::Heap::visitStrongHandles):
3037         (JSC::Heap::visitHandleStack):
3038         (JSC::Heap::visitSamplingProfiler):
3039         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3040         (JSC::Heap::converge):
3041         (JSC::Heap::visitWeakHandles):
3042         (JSC::Heap::updateObjectCounts):
3043         (JSC::Heap::clearUnmarkedExecutables):
3044         (JSC::Heap::deleteUnmarkedCompiledCode):
3045         (JSC::Heap::collectAllGarbage):
3046         (JSC::Heap::collect):
3047         (JSC::Heap::collectWithoutAnySweep):
3048         (JSC::Heap::collectImpl):
3049         (JSC::Heap::suspendCompilerThreads):
3050         (JSC::Heap::willStartCollection):
3051         (JSC::Heap::flushOldStructureIDTables):
3052         (JSC::Heap::flushWriteBarrierBuffer):
3053         (JSC::Heap::stopAllocation):
3054         (JSC::Heap::prepareForMarking):
3055         (JSC::Heap::reapWeakHandles):
3056         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3057         (JSC::Heap::sweepArrayBuffers):
3058         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3059         (JSC::MarkedBlockSnapshotFunctor::operator()):
3060         (JSC::Heap::snapshotMarkedSpace):
3061         (JSC::Heap::deleteSourceProviderCaches):
3062         (JSC::Heap::notifyIncrementalSweeper):
3063         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3064         (JSC::Heap::resetAllocators):
3065         (JSC::Heap::updateAllocationLimits):
3066         (JSC::Heap::didFinishCollection):
3067         (JSC::Heap::resumeCompilerThreads):
3068         (JSC::Zombify::visit):
3069         (JSC::Heap::forEachCodeBlockImpl):
3070         * heap/Heap.h:
3071         (JSC::Heap::allocatorForObjectWithoutDestructor):
3072         (JSC::Heap::allocatorForObjectWithDestructor):
3073         (JSC::Heap::allocatorForAuxiliaryData):
3074         (JSC::Heap::jitStubRoutines):
3075         (JSC::Heap::codeBlockSet):
3076         (JSC::Heap::storageAllocator): Deleted.
3077         * heap/HeapCell.h:
3078         (JSC::HeapCell::isZapped): Deleted.
3079         * heap/HeapCellInlines.h: Added.
3080         (JSC::HeapCell::isLargeAllocation):
3081         (JSC::HeapCell::cellContainer):
3082         (JSC::HeapCell::markedBlock):
3083         (JSC::HeapCell::largeAllocation):
3084         (JSC::HeapCell::heap):
3085         (JSC::HeapCell::vm):
3086         (JSC::HeapCell::cellSize):
3087         (JSC::HeapCell::allocatorAttributes):
3088         (JSC::HeapCell::destructionMode):
3089         (JSC::HeapCell::cellKind):
3090         * heap/HeapInlines.h:
3091         (JSC::Heap::heap):
3092         (JSC::Heap::isLive):
3093         (JSC::Heap::isMarked):
3094         (JSC::Heap::testAndSetMarked):
3095         (JSC::Heap::setMarked):
3096         (JSC::Heap::cellSize):
3097         (JSC::Heap::forEachCodeBlock):
3098         (JSC::Heap::allocateObjectOfType):
3099         (JSC::Heap::subspaceForObjectOfType):
3100         (JSC::Heap::allocatorForObjectOfType):
3101         (JSC::Heap::allocateAuxiliary):
3102         (JSC::Heap::tryAllocateAuxiliary):
3103         (JSC::Heap::tryReallocateAuxiliary):
3104         (JSC::Heap::isPointerGCObject): Deleted.
3105         (JSC::Heap::isValueGCObject): Deleted.
3106         * heap/HeapOperation.cpp: Added.
3107         (WTF::printInternal):
3108         * heap/HeapOperation.h:
3109         * heap/HeapUtil.h: Added.
3110         (JSC::HeapUtil::findGCObjectPointersForMarking):
3111         (JSC::HeapUtil::isPointerGCObjectJSCell):
3112         (JSC::HeapUtil::isValueGCObject):
3113         * heap/IncrementalSweeper.cpp:
3114         (JSC::IncrementalSweeper::sweepNextBlock):
3115         * heap/IncrementalSweeper.h:
3116         * heap/LargeAllocation.cpp: Added.
3117         (JSC::LargeAllocation::tryCreate):
3118         (JSC::LargeAllocation::LargeAllocation):
3119         (JSC::LargeAllocation::lastChanceToFinalize):
3120         (JSC::LargeAllocation::shrink):
3121         (JSC::LargeAllocation::visitWeakSet):
3122         (JSC::LargeAllocation::reapWeakSet):
3123         (JSC::LargeAllocation::flip):
3124         (JSC::LargeAllocation::isEmpty):
3125         (JSC::LargeAllocation::sweep):
3126         (JSC::LargeAllocation::destroy):
3127         (JSC::LargeAllocation::dump):
3128         * heap/LargeAllocation.h: Added.
3129         (JSC::LargeAllocation::fromCell):
3130         (JSC::LargeAllocation::cell):
3131         (JSC::LargeAllocation::isLargeAllocation):
3132         (JSC::LargeAllocation::heap):
3133         (JSC::LargeAllocation::vm):
3134         (JSC::LargeAllocation::weakSet):
3135         (JSC::LargeAllocation::clearNewlyAllocated):
3136         (JSC::LargeAllocation::isNewlyAllocated):
3137         (JSC::LargeAllocation::isMarked):
3138         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3139         (JSC::LargeAllocation::isLive):
3140         (JSC::LargeAllocation::hasValidCell):
3141         (JSC::LargeAllocation::cellSize):
3142         (JSC::LargeAllocation::aboveLowerBound):
3143         (JSC::LargeAllocation::belowUpperBound):
3144         (JSC::LargeAllocation::contains):
3145         (JSC::LargeAllocation::attributes):
3146         (JSC::LargeAllocation::flipIfNecessary):
3147         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
3148         (JSC::LargeAllocation::testAndSetMarked):
3149         (JSC::LargeAllocation::setMarked):
3150         (JSC::LargeAllocation::clearMarked):
3151         (JSC::LargeAllocation::noteMarked):
3152         (JSC::LargeAllocation::headerSize):
3153         * heap/MarkedAllocator.cpp:
3154         (JSC::MarkedAllocator::MarkedAllocator):
3155         (JSC::MarkedAllocator::isPagedOut):
3156         (JSC::MarkedAllocator::retire):
3157         (JSC::MarkedAllocator::filterNextBlock):
3158         (JSC::MarkedAllocator::setNextBlockToSweep):
3159         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3160         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3161         (JSC::MarkedAllocator::allocateSlowCase):
3162         (JSC::MarkedAllocator::tryAllocateSlowCase):
3163         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3164         (JSC::blockHeaderSize):
3165         (JSC::MarkedAllocator::blockSizeForBytes):
3166         (JSC::MarkedAllocator::tryAllocateBlock):
3167         (JSC::MarkedAllocator::addBlock):
3168         (JSC::MarkedAllocator::removeBlock):
3169         (JSC::MarkedAllocator::stopAllocating):
3170         (JSC::MarkedAllocator::reset):
3171         (JSC::MarkedAllocator::lastChanceToFinalize):
3172         (JSC::MarkedAllocator::setFreeList):
3173         (JSC::isListPagedOut): Deleted.
3174         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3175         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3176         (JSC::MarkedAllocator::tryAllocate): Deleted.
3177         (JSC::MarkedAllocator::allocateBlock): Deleted.
3178         * heap/MarkedAllocator.h:
3179         (JSC::MarkedAllocator::takeLastActiveBlock):
3180         (JSC::MarkedAllocator::offsetOfFreeList):
3181         (JSC::MarkedAllocator::offsetOfCellSize):
3182         (JSC::MarkedAllocator::tryAllocate):
3183         (JSC::MarkedAllocator::allocate):
3184         (JSC::MarkedAllocator::forEachBlock):
3185         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3186         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3187         (JSC::MarkedAllocator::init): Deleted.
3188         (JSC::MarkedAllocator::stopAllocating): Deleted.
3189         * heap/MarkedBlock.cpp:
3190         (JSC::MarkedBlock::tryCreate):
3191         (JSC::MarkedBlock::Handle::Handle):
3192         (JSC::MarkedBlock::Handle::~Handle):
3193         (JSC::MarkedBlock::MarkedBlock):
3194         (JSC::MarkedBlock::Handle::specializedSweep):
3195         (JSC::MarkedBlock::Handle::sweep):
3196         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
3197         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
3198         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
3199         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3200         (JSC::SetNewlyAllocatedFunctor::operator()):
3201         (JSC::MarkedBlock::Handle::stopAllocating):
3202         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3203         (JSC::MarkedBlock::Handle::resumeAllocating):
3204         (JSC::MarkedBlock::Handle::zap):
3205         (JSC::MarkedBlock::Handle::forEachFreeCell):
3206         (JSC::MarkedBlock::flipIfNecessary):
3207         (JSC::MarkedBlock::Handle::flipIfNecessary):
3208         (JSC::MarkedBlock::flipIfNecessarySlow):
3209         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
3210         (JSC::MarkedBlock::clearMarks):
3211         (JSC::MarkedBlock::assertFlipped):
3212         (JSC::MarkedBlock::needsFlip):
3213         (JSC::MarkedBlock::Handle::needsFlip):
3214         (JSC::MarkedBlock::Handle::willRemoveBlock):
3215         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3216         (JSC::MarkedBlock::markCount):
3217         (JSC::MarkedBlock::Handle::isEmpty):
3218         (JSC::MarkedBlock::clearHasAnyMarked):
3219         (JSC::MarkedBlock::noteMarkedSlow):
3220         (WTF::printInternal):
3221         (JSC::MarkedBlock::create): Deleted.
3222         (JSC::MarkedBlock::destroy): Deleted.
3223         (JSC::MarkedBlock::callDestructor): Deleted.
3224         (JSC::MarkedBlock::specializedSweep): Deleted.
3225         (JSC::MarkedBlock::sweep): Deleted.
3226         (JSC::MarkedBlock::sweepHelper): Deleted.
3227         (JSC::MarkedBlock::stopAllocating): Deleted.
3228         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
3229         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
3230         (JSC::MarkedBlock::resumeAllocating): Deleted.
3231         (JSC::MarkedBlock::didRetireBlock): Deleted.
3232         * heap/MarkedBlock.h:
3233         (JSC::MarkedBlock::VoidFunctor::returnValue):
3234         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3235         (JSC::MarkedBlock::CountFunctor::count):
3236         (JSC::MarkedBlock::CountFunctor::returnValue):
3237         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
3238         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
3239         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
3240         (JSC::MarkedBlock::Handle::state):
3241         (JSC::MarkedBlock::needsDestruction):
3242         (JSC::MarkedBlock::handle):
3243         (JSC::MarkedBlock::Handle::block):
3244         (JSC::MarkedBlock::firstAtom):
3245         (JSC::MarkedBlock::atoms):
3246         (JSC::MarkedBlock::isAtomAligned):
3247         (JSC::MarkedBlock::Handle::cellAlign):
3248         (JSC::MarkedBlock::blockFor):
3249         (JSC::MarkedBlock::Handle::allocator):
3250         (JSC::MarkedBlock::Handle::heap):
3251         (JSC::MarkedBlock::Handle::vm):
3252         (JSC::MarkedBlock::vm):
3253         (JSC::MarkedBlock::Handle::weakSet):
3254         (JSC::MarkedBlock::weakSet):
3255         (JSC::MarkedBlock::Handle::shrink):
3256         (JSC::MarkedBlock::Handle::visitWeakSet):
3257         (JSC::MarkedBlock::Handle::reapWeakSet):
3258         (JSC::MarkedBlock::Handle::cellSize):
3259         (JSC::MarkedBlock::cellSize):
3260         (JSC::MarkedBlock::Handle::attributes):
3261         (JSC::MarkedBlock::attributes):
3262         (JSC::MarkedBlock::Handle::needsDestruction):
3263         (JSC::MarkedBlock::Handle::destruction):
3264         (JSC::MarkedBlock::Handle::cellKind):
3265         (JSC::MarkedBlock::Handle::markCount):
3266         (JSC::MarkedBlock::Handle::size):
3267         (JSC::MarkedBlock::atomNumber):
3268         (JSC::MarkedBlock::flipIfNecessary):
3269         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
3270         (JSC::MarkedBlock::Handle::flipIfNecessary):
3271         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
3272         (JSC::MarkedBlock::Handle::flipForEdenCollection):
3273         (JSC::MarkedBlock::assertFlipped):
3274         (JSC::MarkedBlock::Handle::assertFlipped):
3275         (JSC::MarkedBlock::isMarked):
3276         (JSC::MarkedBlock::testAndSetMarked):
3277         (JSC::MarkedBlock::Handle::isNewlyAllocated):
3278         (JSC::MarkedBlock::Handle::setNewlyAllocated):
3279         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
3280         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
3281         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3282         (JSC::MarkedBlock::Handle::isLive):
3283         (JSC::MarkedBlock::isAtom):
3284         (JSC::MarkedBlock::Handle::isLiveCell):
3285         (JSC::MarkedBlock::Handle::forEachCell):
3286         (JSC::MarkedBlock::Handle::forEachLiveCell):
3287         (JSC::MarkedBlock::Handle::forEachDeadCell):
3288         (JSC::MarkedBlock::Handle::needsSweeping):
3289         (JSC::MarkedBlock::Handle::isAllocated):
3290         (JSC::MarkedBlock::Handle::isMarked):
3291         (JSC::MarkedBlock::Handle::isFreeListed):
3292         (JSC::MarkedBlock::hasAnyMarked):
3293         (JSC::MarkedBlock::noteMarked):
3294         (WTF::Mark