80f1c3d8d7aa40a86b2fc0b5aeb1ed59b5b2010a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-14  Mark Lam  <mark.lam@apple.com>
2
3         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
4         https://bugs.webkit.org/show_bug.cgi?id=161975
5
6         Reviewed by Keith Miller.
7
8         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
9         incremental work towards enabling checks all the time.
10
11         * runtime/Options.h:
12         * runtime/VM.cpp:
13         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
14         * runtime/VM.h:
15
16 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
17
18         TaggedTemplateString function calls should emit tail position calls
19         https://bugs.webkit.org/show_bug.cgi?id=161948
20
21         Reviewed by Yusuke Suzuki.
22
23         * bytecompiler/NodesCodegen.cpp:
24         (JSC::TaggedTemplateNode::emitBytecode):
25         The tagged template string function call can be a tail call:
26         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
27
28 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
29
30         test262: Array.prototype.slice should always set length
31         https://bugs.webkit.org/show_bug.cgi?id=161953
32
33         Reviewed by Mark Lam.
34
35         * runtime/ArrayPrototype.cpp:
36         (JSC::arrayProtoFuncSplice):
37
38 2016-09-13  Michael Saboff  <msaboff@apple.com>
39
40         Promises aren't resolved properly when making a ObjC API callback
41         https://bugs.webkit.org/show_bug.cgi?id=161929
42
43         Reviewed by Geoffrey Garen.
44
45         When we go to call out to an Objective C function registered via the API,
46         we first drop all JSC locks to make the call.  As part of dropping the locks,
47         we drain the microtask queue that is used among other things for handling deferred
48         promise resolution.  The DropAllLocks scope class that drops the locks while in
49         scope, resets the current thread's AtomicStringTable to the default table.  This
50         is wrong for two reasons, first it happens before we drain the microtask queue and
51         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
52         AtomicStringTable to the table before the lock was acquired.
53
54         In fact, the manipulation of the current thread's AtomicStringTable is already 
55         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
56         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
57         and destructor should be removed.
58
59         * API/tests/testapi.mm:
60         (testObjectiveCAPIMain): Added a new test.
61         * runtime/JSLock.cpp:
62         (JSC::JSLock::DropAllLocks::DropAllLocks):
63         (JSC::JSLock::DropAllLocks::~DropAllLocks):
64
65 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
66
67         Remove Heap::isLive()
68         https://bugs.webkit.org/show_bug.cgi?id=161933
69
70         Reviewed by Mark Lam.
71         
72         Before I put any more effort into maintaining this weird function, I decided to check how it
73         was used. It turns out it's not.
74
75         * heap/Heap.h:
76         * heap/HeapInlines.h:
77         (JSC::Heap::isLive): Deleted.
78
79 2016-09-13  Mark Lam  <mark.lam@apple.com>
80
81         DFG NewArrayBuffer node should watch for "have a bad time" state change.
82         https://bugs.webkit.org/show_bug.cgi?id=161927
83         <rdar://problem/27995222>
84
85         Reviewed by Geoffrey Garen.
86
87         * dfg/DFGFixupPhase.cpp:
88         (JSC::DFG::FixupPhase::fixupNode):
89
90 2016-09-13  JF Bastien  <jfbastien@apple.com>
91
92         Support jsc shell builtin `read`
93         https://bugs.webkit.org/show_bug.cgi?id=161662
94
95         Reviewed by Keith Miller.
96
97         The jsc shell currently supports a `readFile` method which returns
98         a string. SpiderMonkey's js shell and V8's d8 shell both support
99         similar file-to-string functions, as well as a
100         binary-file-to-Uint8Array function. jsc should support a similar
101         binary file method to simplify testing, including testing of
102         WebAssembly blobs.
103
104         Emscripten's shell.js (which is also used for some WebAssembly
105         things) has a polyfill [1] for a builtin called `read`. jsc should
106         therefore have a builtin with the same name if we want things to
107         "Just Work".
108
109           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
110
111         * jsc.cpp:
112         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
113         (functionReadFile): support binary files, as per SpiderMonkey.
114         * runtime/Error.h:
115         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
116         * runtime/JSTypedArrays.cpp:
117         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
118         * runtime/JSTypedArrays.h: expose private export.
119
120 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
121
122         ES6: Classes: Should be allowed to create a static method with name "arguments"
123         https://bugs.webkit.org/show_bug.cgi?id=152985
124
125         Reviewed by Keith Miller.
126
127         Current patch covered 16.2 Forbidden Extensions - first topic 
128         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
129         should not have own properties named "caller" or "arguments".
130         Also added possibility to declare static methods and getters with 
131         name 'arguments' and 'caller' for classes. i.e.:
132         class A { static arguments() { return 'value'; } }
133         A.arguments() === 'value';
134         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
135         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
136         property from Lazy to common because it necessary to use execState during init of the accessors 
137         properties.
138
139         * runtime/Executable.h:
140         * runtime/FunctionPrototype.cpp:
141         (JSC::FunctionPrototype::initRestrictedProperties):
142         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
143         * runtime/FunctionPrototype.h:
144         * runtime/JSFunction.cpp:
145         (JSC::JSFunction::getOwnPropertySlot):
146         (JSC::JSFunction::getOwnNonIndexPropertyNames):
147         (JSC::JSFunction::put):
148         (JSC::JSFunction::deleteProperty):
149         (JSC::JSFunction::defineOwnProperty):
150         * runtime/JSGlobalObject.cpp:
151         (JSC::JSGlobalObject::init):
152         (JSC::JSGlobalObject::visitChildren):
153         * runtime/JSGlobalObject.h:
154         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
155
156 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
157
158         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
159         https://bugs.webkit.org/show_bug.cgi?id=161869
160
161         Reviewed by Saam Barati.
162         
163         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
164         empty" hook, which will set a bit in the markingNotEmpty bitvector.
165         
166         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
167         If anyone else does it but they aren't marking new objects, then this prevents
168         flipIfNecessary() from triggering when the first object is marked, which means we won't
169         always detect when a block became non-empty.
170         
171         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
172         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
173         knows that it can trigger something like noteMarked(). The only places that were using
174         flipIfNecessary() should have been using needsFlip() anyway.
175
176         * heap/CellContainer.h:
177         * heap/CellContainerInlines.h:
178         (JSC::CellContainer::needsFlip):
179         * heap/Heap.cpp:
180         (JSC::Heap::markRoots):
181         (JSC::Heap::beginMarking):
182         (JSC::Heap::endMarking):
183         (JSC::Heap::clearLivenessData): Deleted.
184         (JSC::Heap::converge): Deleted.
185         (JSC::Heap::resetVisitors): Deleted.
186         * heap/Heap.h:
187         * heap/HeapInlines.h:
188         (JSC::Heap::testAndSetMarked):
189         * heap/LargeAllocation.h:
190         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
191         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
192         * heap/MarkedBlock.cpp:
193         (JSC::MarkedBlock::flipIfNecessarySlow):
194         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
195         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
196         * heap/MarkedBlock.h:
197         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
198         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
199         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
200         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
201         * heap/MarkedSpace.h:
202         (JSC::MarkedSpace::isMarking):
203         (JSC::MarkedSpace::setIsMarking):
204         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
205         * heap/SlotVisitor.cpp:
206         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
207         * heap/WeakBlock.cpp:
208         (JSC::WeakBlock::visit):
209
210 2016-09-12  Saam Barati  <sbarati@apple.com>
211
212         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
213         https://bugs.webkit.org/show_bug.cgi?id=161640
214
215         Reviewed by Geoffrey Garen.
216
217         HashMapImpl now takes into account m_deleteCount in its load factor.
218         It now knows how to rehash to either decrease its capacity, stay at
219         the same capacity, or increase its capacity. The reason we can sometimes
220         stay at the same capacity is that we can reduce the load factor enough
221         by rehashing that growing isn't warranted. The reason for this is that
222         anytime we rehash, we remove all deleted sentinels from the buffer.
223         Therefore, staying at the same same capacity, when there are deleted entries,
224         can still reduce the load factor because it removes all deleted sentinels.
225
226         * runtime/HashMapImpl.h:
227         (JSC::HashMapBuffer::create):
228         (JSC::HashMapBuffer::reset):
229         (JSC::HashMapImpl::HashMapImpl):
230         (JSC::HashMapImpl::add):
231         (JSC::HashMapImpl::remove):
232         (JSC::HashMapImpl::size):
233         (JSC::HashMapImpl::clear):
234         (JSC::HashMapImpl::approximateSize):
235         (JSC::HashMapImpl::shouldRehashAfterAdd):
236         (JSC::HashMapImpl::shouldShrink):
237         (JSC::HashMapImpl::rehash):
238         (JSC::HashMapImpl::checkConsistency):
239         (JSC::HashMapImpl::makeAndSetNewBuffer):
240         (JSC::HashMapImpl::assertBufferIsEmpty):
241
242 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
243
244         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
245         https://bugs.webkit.org/show_bug.cgi?id=161671
246
247         Reviewed by Geoffrey Garen.
248
249         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
250         it gets a butterfly with its length.
251         When we were querying that length, we were generating a generic GetById with inline cache.
252
253         This patch adds the missing bits to treat Undecided like the other types with storage.
254
255         * dfg/DFGArrayMode.cpp:
256         (JSC::DFG::canBecomeGetArrayLength):
257         (JSC::DFG::ArrayMode::refine):
258         * dfg/DFGArrayMode.h:
259         (JSC::DFG::ArrayMode::usesButterfly):
260         (JSC::DFG::ArrayMode::lengthNeedsStorage):
261         * dfg/DFGClobberize.h:
262         (JSC::DFG::clobberize):
263         * dfg/DFGFixupPhase.cpp:
264         (JSC::DFG::FixupPhase::checkArray):
265         * dfg/DFGSpeculativeJIT.cpp:
266         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
267         * ftl/FTLCapabilities.cpp:
268         (JSC::FTL::canCompile):
269         * ftl/FTLLowerDFGToB3.cpp:
270         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
271
272 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
273
274         [DFG][FTL] Add ArithTan
275         https://bugs.webkit.org/show_bug.cgi?id=161857
276
277         Reviewed by Filip Pizlo.
278
279         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
280         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
281
282         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
283         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
284         The microbenchmark shows the 9% perf improvement.
285
286             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
287
288         * dfg/DFGAbstractInterpreterInlines.h:
289         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
290         * dfg/DFGByteCodeParser.cpp:
291         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
292         * dfg/DFGClobberize.h:
293         (JSC::DFG::clobberize):
294         * dfg/DFGDoesGC.cpp:
295         (JSC::DFG::doesGC):
296         * dfg/DFGFixupPhase.cpp:
297         (JSC::DFG::FixupPhase::fixupNode):
298         * dfg/DFGNodeType.h:
299         * dfg/DFGOperations.cpp:
300         * dfg/DFGOperations.h:
301         * dfg/DFGPredictionPropagationPhase.cpp:
302         * dfg/DFGSafeToExecute.h:
303         (JSC::DFG::safeToExecute):
304         * dfg/DFGSpeculativeJIT.cpp:
305         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
306         (JSC::DFG::SpeculativeJIT::compileArithCos):
307         (JSC::DFG::SpeculativeJIT::compileArithTan):
308         (JSC::DFG::SpeculativeJIT::compileArithSin):
309         (JSC::DFG::SpeculativeJIT::compileArithLog):
310         * dfg/DFGSpeculativeJIT.h:
311         * dfg/DFGSpeculativeJIT32_64.cpp:
312         (JSC::DFG::SpeculativeJIT::compile):
313         * dfg/DFGSpeculativeJIT64.cpp:
314         (JSC::DFG::SpeculativeJIT::compile):
315         * ftl/FTLCapabilities.cpp:
316         (JSC::FTL::canCompile):
317         * ftl/FTLLowerDFGToB3.cpp:
318         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
319         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
320         * ftl/FTLOutput.cpp:
321         (JSC::FTL::Output::doubleTan):
322         * ftl/FTLOutput.h:
323         * runtime/Intrinsic.h:
324         * runtime/MathObject.cpp:
325         (JSC::MathObject::finishCreation):
326
327 2016-09-12  Saam Barati  <sbarati@apple.com>
328
329         MapHash should do constant folding when it has a constant argument and its legal to hash that value
330         https://bugs.webkit.org/show_bug.cgi?id=161639
331
332         Reviewed by Filip Pizlo.
333
334         We now constant fold the MapHash node. We're careful to not resolve
335         ropes from the compiler thread, and to only hash strings if they're
336         not too large. The microbenchmark I added runs about 12% faster with
337         this patch.
338
339         * dfg/DFGAbstractInterpreterInlines.h:
340         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
341         * runtime/HashMapImpl.h:
342         (JSC::wangsInt64Hash):
343         (JSC::jsMapHash):
344         (JSC::concurrentJSMapHash):
345
346 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
347
348         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
349         https://bugs.webkit.org/show_bug.cgi?id=161849
350
351         Reviewed by Saam Barati.
352         
353         This is a fairly obvious change. This turns a loop that would query each bit individually
354         into a loop that will process a word at a time. I would expect a very tiny progression in
355         DFG compile times.
356         
357         This also gave me an opportunity to test and fix the new FastBitVector functionality.
358
359         * dfg/DFGForAllKills.h:
360         (JSC::DFG::forAllKilledOperands):
361
362 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
363
364         FastBitVector should have efficient and easy-to-use vector-vector operations
365         https://bugs.webkit.org/show_bug.cgi?id=161847
366
367         Reviewed by Saam Barati.
368         
369         Adapt existing users of FastBitVector to the new API.
370
371         * bytecode/BytecodeLivenessAnalysis.cpp:
372         (JSC::BytecodeLivenessAnalysis::computeKills):
373         (JSC::BytecodeLivenessAnalysis::dumpResults):
374         * bytecode/BytecodeLivenessAnalysisInlines.h:
375         (JSC::operandThatIsNotAlwaysLiveIsLive):
376         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
377         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
378         * bytecode/CodeBlock.cpp:
379         (JSC::CodeBlock::validate):
380         * dfg/DFGByteCodeParser.cpp:
381         (JSC::DFG::ByteCodeParser::flushForTerminal):
382         * dfg/DFGForAllKills.h:
383         (JSC::DFG::forAllKilledOperands):
384         * dfg/DFGGraph.h:
385         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
386         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
387         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
388         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
389         * dfg/DFGNaturalLoops.cpp:
390         (JSC::DFG::NaturalLoops::NaturalLoops):
391         * dfg/DFGPlan.cpp:
392         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
393
394 2016-09-10  Chris Dumez  <cdumez@apple.com>
395
396         parseHTMLInteger() should take a StringView in parameter
397         https://bugs.webkit.org/show_bug.cgi?id=161669
398
399         Reviewed by Ryosuke Niwa.
400
401         * runtime/DateConversion.cpp:
402         (JSC::formatDateTime):
403         Explicitly construct a String from the const WCHAR* on Windows because
404         it is ambiguous otherwise now that there is a StringBuilder::append()
405         overload taking an AtomicString in.
406
407 2016-09-08  Keith Miller  <keith_miller@apple.com>
408
409         WASM should support if-then-else
410         https://bugs.webkit.org/show_bug.cgi?id=161778
411
412         Reviewed by Michael Saboff.
413
414         This patch makes some major changes to the way that the WASM
415         function parser works. First, the control stack has been moved
416         from the parser's context to the parser itself. This simplifies
417         the way that the parser works and allows us to make the decoder
418         iterative rather than recursive. Since the control stack has been
419         moved to the parser, any context operation that refers to some
420         block now receives that block by reference.
421
422         For any if block, regardless of whether or not it is an
423         if-then-else or not, we will allocate both the entire control flow
424         diamond. This is not a major issue in the if-then case since B3
425         will immediately cleanup these blocks. In order to support if-then
426         and if-then-else we needed to be able to distinguish what the type
427         of the top block on the control stack is. This will be necessary
428         when validating the else opcode in the future. In the B3 IR
429         generator we decide to the type of the block strictly by the
430         shape.
431
432         Currently, if blocks don't handle passed and returned stack values
433         correctly. I plan to fix this when I add support for the block
434         signatures. See: https://github.com/WebAssembly/design/pull/765
435
436         * testWASM.cpp:
437         (runWASMTests):
438         * wasm/WASMB3IRGenerator.cpp:
439         (dumpProcedure):
440         (JSC::WASM::parseAndCompile):
441         * wasm/WASMB3IRGenerator.h:
442         * wasm/WASMFunctionParser.h:
443         (JSC::WASM::FunctionParser<Context>::parseBlock):
444         (JSC::WASM::FunctionParser<Context>::parseExpression):
445         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
446         * wasm/WASMOps.h:
447
448 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
449
450         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
451         https://bugs.webkit.org/show_bug.cgi?id=161801
452
453         Reviewed by Keith Miller.
454         
455         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
456         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
457         that is to call initializeMainThread().
458
459         * jsc.cpp:
460         (jscmain):
461
462 2016-09-09  Saam Barati  <sbarati@apple.com>
463
464         Make hasOwnProperty ALWAYS_INLINE
465         https://bugs.webkit.org/show_bug.cgi?id=161775
466
467         Reviewed by Ryosuke Niwa.
468
469         Speedometer spends around 2.5% of its time in hasOwnProperty.
470         Let's reduce the overhead of calling that function by marking
471         it as inline. Also, it's likely that the function will call into
472         JSObject::getOwnPropertySlot. I added a check to see if that's
473         the function we're calling, if it is, we do a direct call instead
474         of an indirect call.
475
476         * runtime/JSObject.cpp:
477         (JSC::JSObject::hasOwnProperty): Deleted.
478         * runtime/JSObjectInlines.h:
479         (JSC::JSObject::hasOwnProperty):
480
481 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
482
483         HashMapImpl needs to m_buffer.clear() in its constructor
484         https://bugs.webkit.org/show_bug.cgi?id=161796
485
486         Reviewed by Keith Miller.
487         
488         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
489         itself. That seemed like a good idea because maybe sometimes the user knows better how to
490         initialize it. But, it's not worth it if it's a constant source of bugs.
491         
492         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
493         m_value.
494
495         * runtime/AuxiliaryBarrier.h:
496         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
497         * runtime/DirectArguments.cpp:
498         (JSC::DirectArguments::DirectArguments):
499
500 2016-09-09  Youenn Fablet  <youenn@apple.com>
501
502         ASSERTION FAILED: promise.inherits(JSPromise::info())
503         https://bugs.webkit.org/show_bug.cgi?id=161632
504         <rdar://problem/28184743>
505
506         Reviewed by Mark Lam.
507
508         * runtime/JSPromiseDeferred.cpp:
509         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
510
511 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
512
513         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
514         https://bugs.webkit.org/show_bug.cgi?id=161760
515
516         Reviewed by Mark Lam.
517         
518         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
519         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
520         
521         This introduces three unnecessary overheads:
522         
523         - isLive() is not called by marking, so that change was not necessary.
524         
525         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
526           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
527           isMarked().
528         
529         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
530           return false if the flip is necessary.
531         
532         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
533         during marking.
534         
535         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
536         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
537         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
538         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
539         thing.
540
541         * bytecode/CodeBlock.cpp:
542         (JSC::CodeBlock::visitWeakly):
543         (JSC::CodeBlock::shouldJettisonDueToOldAge):
544         (JSC::shouldMarkTransition):
545         (JSC::CodeBlock::propagateTransitions):
546         (JSC::CodeBlock::determineLiveness):
547         * bytecode/PolymorphicAccess.cpp:
548         (JSC::AccessCase::propagateTransitions):
549         * heap/Heap.h:
550         * heap/HeapInlines.h:
551         (JSC::Heap::isLive):
552         (JSC::Heap::isMarked):
553         (JSC::Heap::isMarkedConcurrently):
554         * heap/MarkedBlock.cpp:
555         (JSC::MarkedBlock::flipIfNecessarySlow):
556         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
557         (JSC::MarkedBlock::needsFlip):
558         * heap/MarkedBlock.h:
559         (JSC::MarkedBlock::needsFlip):
560         (JSC::MarkedBlock::flipIfNecessary):
561         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
562         * heap/SlotVisitor.cpp:
563         (JSC::SlotVisitor::appendToMarkStack):
564         (JSC::SlotVisitor::markAuxiliary):
565         (JSC::SlotVisitor::visitChildren):
566         * runtime/Structure.cpp:
567         (JSC::Structure::isCheapDuringGC):
568         (JSC::Structure::markIfCheap):
569
570 2016-09-08  Saam Barati  <sbarati@apple.com>
571
572         We should inline operationConvertJSValueToBoolean into JIT code
573         https://bugs.webkit.org/show_bug.cgi?id=161729
574
575         Reviewed by Filip Pizlo.
576
577         This patch introduces an AssemblyHelpers emitter function
578         that replaces operationConvertJSValueToBoolean. This operation
579         was showing up when I was doing performance analysis for the
580         speedometer benchmark. I saw that it was spending about 1% of
581         its time in this function. Hopefully this patch can help us speedup
582         up speedometer by a little bit.
583
584         * dfg/DFGSpeculativeJIT32_64.cpp:
585         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
586         (JSC::DFG::SpeculativeJIT::emitBranch):
587         * dfg/DFGSpeculativeJIT64.cpp:
588         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
589         (JSC::DFG::SpeculativeJIT::emitBranch):
590         * jit/AssemblyHelpers.cpp:
591         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
592         * jit/AssemblyHelpers.h:
593         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
594         * jit/JIT.cpp:
595         (JSC::JIT::privateCompileSlowCases):
596         * jit/JIT.h:
597         * jit/JITOpcodes.cpp:
598         (JSC::JIT::emit_op_jfalse):
599         (JSC::JIT::emit_op_jtrue):
600         (JSC::JIT::emitSlow_op_jfalse): Deleted.
601         (JSC::JIT::emitSlow_op_jtrue): Deleted.
602         * jit/JITOpcodes32_64.cpp:
603         (JSC::JIT::emit_op_jfalse):
604         (JSC::JIT::emit_op_jtrue):
605         (JSC::JIT::emitSlow_op_jfalse): Deleted.
606         (JSC::JIT::emitSlow_op_jtrue): Deleted.
607         * jit/JITOperations.cpp:
608         * jit/JITOperations.h:
609
610 2016-09-08  Chris Dumez  <cdumez@apple.com>
611
612         Align proto getter / setter behavior with other browsers
613         https://bugs.webkit.org/show_bug.cgi?id=161455
614
615         Reviewed by Saam Barati.
616
617         Drop allowsAccessFrom from the methodTable and delegate cross-origin
618         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
619         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
620
621         * jsc.cpp:
622         * runtime/JSGlobalObject.cpp:
623         * runtime/JSGlobalObject.h:
624         * runtime/JSGlobalObjectFunctions.cpp:
625         (JSC::globalFuncProtoGetter):
626         (JSC::globalFuncProtoSetter):
627         (JSC::globalFuncBuiltinLog): Deleted.
628         * runtime/JSGlobalObjectFunctions.h:
629         * runtime/JSObject.cpp:
630         (JSC::JSObject::setPrototypeWithCycleCheck):
631         Remove check added in r197648. This check was added to match
632         the latest EcmaScript spec:
633         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
634         This check allowed for [[Prototype]] chain cycles if the prototype
635         chain includes objects that do not use the ordinary object definitions
636         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
637         The issue is that the rest of our code base does not properly handle
638         such cycles and we can end up in infinite loops. This became obvious
639         because this patch updates Window / Location so that they no longer
640         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
641         remove this check, I get an infinite loop in
642         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
643         called from JSObject::setPrototypeDirect(), when running the following
644         layout test:
645         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
646         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
647         issue.
648
649         * runtime/JSObject.h:
650         (JSC::JSObject::getArrayLength): Deleted.
651         * runtime/JSProxy.cpp:
652         (JSC::JSProxy::setPrototype):
653         (JSC::JSProxy::getPrototype):
654         * runtime/JSProxy.h:
655         * runtime/ObjectConstructor.cpp:
656         (JSC::objectConstructorGetPrototypeOf):
657         (JSC::objectConstructorSetPrototypeOf):
658         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
659         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
660         * runtime/ObjectConstructor.h:
661         * runtime/ReflectObject.cpp:
662         (JSC::reflectObjectGetPrototypeOf):
663         (JSC::reflectObjectSetPrototypeOf):
664
665 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
666
667         Remove CopiedSpace and use MarkedSpace instead
668         https://bugs.webkit.org/show_bug.cgi?id=159658
669
670         Reviewed by Keith Miller.
671         
672         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
673         is a simple change.
674         
675         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
676         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
677         
678         The rest of this patch is deleting CopiedSpace.
679
680         * API/JSObjectRef.cpp:
681         * CMakeLists.txt:
682         * JavaScriptCore.xcodeproj/project.pbxproj:
683         * dfg/DFGOperations.cpp:
684         * heap/ConservativeRoots.cpp:
685         (JSC::ConservativeRoots::genericAddPointer):
686         * heap/CopiedAllocator.h: Removed.
687         * heap/CopiedBlock.cpp: Removed.
688         * heap/CopiedBlock.h: Removed.
689         * heap/CopiedBlockInlines.h: Removed.
690         * heap/CopiedSpace.cpp: Removed.
691         * heap/CopiedSpace.h: Removed.
692         * heap/CopiedSpaceInlines.h: Removed.
693         * heap/CopyBarrier.h: Removed.
694         * heap/CopyToken.h: Removed.
695         * heap/CopyVisitor.cpp: Removed.
696         * heap/CopyVisitor.h: Removed.
697         * heap/CopyVisitorInlines.h: Removed.
698         * heap/CopyWorkList.h: Removed.
699         * heap/Heap.cpp:
700         (JSC::Heap::Heap):
701         (JSC::Heap::isPagedOut):
702         (JSC::Heap::updateObjectCounts):
703         (JSC::Heap::size):
704         (JSC::Heap::capacity):
705         (JSC::Heap::collectImpl):
706         (JSC::Heap::stopAllocation):
707         (JSC::Heap::updateAllocationLimits):
708         (JSC::Heap::copyBackingStores): Deleted.
709         (JSC::Heap::threadBytesCopied): Deleted.
710         * heap/Heap.h:
711         (JSC::Heap::objectSpace):
712         (JSC::Heap::allocatorForAuxiliaryData):
713         (JSC::Heap::storageSpace): Deleted.
714         (JSC::Heap::storageAllocator): Deleted.
715         * heap/HeapCellInlines.h:
716         * heap/HeapInlines.h:
717         (JSC::Heap::tryAllocateStorage): Deleted.
718         (JSC::Heap::tryReallocateStorage): Deleted.
719         * heap/HeapVerifier.cpp:
720         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
721         (JSC::HeapVerifier::reportObject):
722         (JSC::getButterflyDetails): Deleted.
723         * heap/SlotVisitor.cpp:
724         (JSC::SlotVisitor::copyLater): Deleted.
725         * heap/SlotVisitor.h:
726         * jit/AssemblyHelpers.h:
727         * jit/JITOpcodes.cpp:
728         * jsc.cpp:
729         * runtime/ArrayConstructor.cpp:
730         * runtime/ArrayPrototype.cpp:
731         * runtime/Butterfly.h:
732         * runtime/ButterflyInlines.h:
733         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
734         * runtime/ClassInfo.h:
735         * runtime/DirectArguments.cpp:
736         (JSC::DirectArguments::visitChildren):
737         (JSC::DirectArguments::overrideThings):
738         (JSC::DirectArguments::copyBackingStore): Deleted.
739         * runtime/DirectArguments.h:
740         * runtime/JSArray.cpp:
741         * runtime/JSCell.cpp:
742         (JSC::JSCell::copyBackingStore): Deleted.
743         * runtime/JSCell.h:
744         * runtime/JSLexicalEnvironment.h:
745         * runtime/JSObject.cpp:
746         * runtime/JSTypedArrays.cpp:
747         * runtime/LiteralParser.cpp:
748         * runtime/ObjectConstructor.cpp:
749         * runtime/RegExpObject.cpp:
750         * runtime/StringPrototype.cpp:
751         * runtime/WeakMapData.cpp:
752         * tools/JSDollarVMPrototype.cpp:
753         (JSC::JSDollarVMPrototype::isInStorageSpace):
754
755 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
756
757         Heap version should be 32-bit
758         https://bugs.webkit.org/show_bug.cgi?id=161751
759
760         Reviewed by Mark Lam.
761         
762         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
763         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
764         easy to handle.
765
766         * heap/CellContainer.h:
767         * heap/CellContainerInlines.h:
768         (JSC::CellContainer::flipIfNecessary):
769         * heap/ConservativeRoots.cpp:
770         (JSC::ConservativeRoots::genericAddPointer):
771         (JSC::ConservativeRoots::genericAddSpan):
772         * heap/ConservativeRoots.h:
773         * heap/Heap.h:
774         * heap/HeapInlines.h:
775         (JSC::Heap::testAndSetMarked):
776         * heap/HeapUtil.h:
777         (JSC::HeapUtil::findGCObjectPointersForMarking):
778         * heap/MarkedBlock.cpp:
779         (JSC::MarkedBlock::MarkedBlock):
780         * heap/MarkedBlock.h:
781         (JSC::MarkedBlock::flipIfNecessary):
782         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
783         (JSC::MarkedBlock::Handle::flipIfNecessary):
784         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
785         * heap/MarkedSpace.cpp:
786         (JSC::MarkedSpace::flip):
787         * heap/MarkedSpace.h:
788         (JSC::MarkedSpace::version):
789         * heap/SlotVisitor.cpp:
790         (JSC::SlotVisitor::SlotVisitor):
791         * heap/SlotVisitor.h:
792
793 2016-09-08  Mark Lam  <mark.lam@apple.com>
794
795         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
796         https://bugs.webkit.org/show_bug.cgi?id=161724
797
798         Reviewed by Filip Pizlo.
799
800         ARM architectures support ternary sub instructions.  We should make use of them
801         in emitAllocateWithNonNullAllocator().
802
803         * assembler/MacroAssemblerARM.h:
804         (JSC::MacroAssemblerARM::sub32):
805         * assembler/MacroAssemblerARM64.h:
806         (JSC::MacroAssemblerARM64::sub32):
807         * assembler/MacroAssemblerARMv7.h:
808         (JSC::MacroAssemblerARMv7::sub32):
809         * assembler/MacroAssemblerSH4.h:
810         (JSC::MacroAssemblerSH4::sub32):
811         * assembler/MacroAssemblerX86Common.h:
812         (JSC::MacroAssemblerX86Common::sub32):
813         * b3/air/AirOpcode.opcodes:
814         * b3/testb3.cpp:
815         (JSC::B3::testTernarySubInstructionSelection):
816         (JSC::B3::run):
817         * jit/AssemblyHelpers.h:
818         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
819
820 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
821
822         Move JSMap/JSSet over to Auxiliary MarkedSpace
823         https://bugs.webkit.org/show_bug.cgi?id=161744
824
825         Reviewed by Saam Barati.
826         
827         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
828         
829         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
830         speak of CopiedSpace.
831         
832         This is a purely mechanical change.
833
834         * JavaScriptCore.xcodeproj/project.pbxproj:
835         * heap/CopyToken.h:
836         * runtime/HashMapImpl.cpp:
837         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
838         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
839         * runtime/HashMapImpl.h:
840         (JSC::HashMapBuffer::create):
841         * runtime/JSMapIterator.cpp:
842         * runtime/JSMapIterator.h:
843         * runtime/JSSetIterator.cpp:
844         * runtime/JSSetIterator.h:
845         * runtime/MapBase.cpp:
846         * runtime/MapData.h: Removed.
847         * runtime/MapDataInlines.h: Removed.
848         * runtime/MapPrototype.cpp:
849         * runtime/SetConstructor.cpp:
850         * runtime/SetPrototype.cpp:
851         * runtime/VM.cpp:
852
853 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
854
855         Typed arrays should use MarkedSpace instead of CopiedSpace
856         https://bugs.webkit.org/show_bug.cgi?id=161100
857
858         Reviewed by Geoffrey Garen.
859         
860         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
861         
862         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
863         everything that typed arrays want.
864
865         * dfg/DFGOperations.cpp:
866         (JSC::DFG::newTypedArrayWithSize):
867         * dfg/DFGOperations.h:
868         (JSC::DFG::operationNewTypedArrayWithSizeForType):
869         * dfg/DFGSpeculativeJIT.cpp:
870         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
871         * dfg/DFGSpeculativeJIT.h:
872         (JSC::DFG::SpeculativeJIT::callOperation):
873         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
874         * ftl/FTLLowerDFGToB3.cpp:
875         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
876         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
877         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
878         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
879         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
880         * heap/CopyToken.h:
881         * heap/SlotVisitor.cpp:
882         (JSC::SlotVisitor::markAuxiliary):
883         * jit/JITOperations.h:
884         * runtime/JSArrayBufferView.cpp:
885         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
886         (JSC::JSArrayBufferView::JSArrayBufferView):
887         * runtime/JSArrayBufferView.h:
888         * runtime/JSGenericTypedArrayView.h:
889         * runtime/JSGenericTypedArrayViewInlines.h:
890         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
891         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
892         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
893         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
894
895 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
896
897         [Win64] Compile fixes.
898         https://bugs.webkit.org/show_bug.cgi?id=161682
899
900         Reviewed by Brent Fulgham.
901
902         * dfg/DFGSpeculativeJIT64.cpp:
903         (JSC::DFG::SpeculativeJIT::emitCall):
904         * jit/JITCall.cpp:
905         (JSC::JIT::compileOpCall):
906         * runtime/ArrayConventions.cpp:
907         (JSC::clearArrayMemset):
908
909 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
910
911         [Win] Exception fuzz tests fail
912         https://bugs.webkit.org/show_bug.cgi?id=140928
913
914         Reviewed by Mark Lam.
915
916         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
917         The tests depend on the output to stdout being written in the correct order.
918
919         * runtime/ExceptionFuzz.cpp:
920         (JSC::doExceptionFuzzing):
921
922 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
923
924         Enable the <meter> element on iOS
925         https://bugs.webkit.org/show_bug.cgi?id=161714
926         rdar://problem/8978410
927
928         Reviewed by Tim Horton.
929
930         Define ENABLE_METER_ELEMENT unconditionally now.
931
932         * Configurations/FeatureDefines.xcconfig:
933
934 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
935
936         Modernize Debugger to use nullptr
937         https://bugs.webkit.org/show_bug.cgi?id=161718
938
939         Reviewed by Mark Lam.
940
941         * debugger/Debugger.cpp:
942         (JSC::Debugger::Debugger):
943         (JSC::Debugger::~Debugger):
944         (JSC::Debugger::detach):
945         (JSC::Debugger::stepOutOfFunction):
946         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
947         * debugger/Debugger.h:
948
949 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
950
951         Web Inspector: Remove always false case in Debugger
952         https://bugs.webkit.org/show_bug.cgi?id=161717
953
954         Reviewed by Brian Burg.
955
956         * debugger/Debugger.cpp:
957         (JSC::Debugger::didExecuteProgram):
958         We would have earlier returned a few statements ago if this case was true.
959         And we would have crashed in the previous statement if this case was true.
960
961 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
962
963         Unreviewed, build fix after r205569
964
965         Tweak CMakeLists.txt
966
967         * CMakeLists.txt:
968
969 2016-09-07  Mark Lam  <mark.lam@apple.com>
970
971         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
972         https://bugs.webkit.org/show_bug.cgi?id=161498
973
974         Reviewed by Geoffrey Garen.
975
976         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
977         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
978         introduced.
979
980         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
981         which is a more suitable name now.
982
983         Note: exception scope verification is still disabled by default.  There are still
984         many places that need to be fixed up or re-expressed in a way that is friendly
985         to the verification.  I'll address those in subsequent patches.
986
987         After this patch, the code will statically enforce that:
988         1. all calls to throwException() go through a ThrowScope.
989         2. all calls to clearException() go through a CatchScope.
990         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
991            or CatchScope.
992
993         A Summary of how to use ExceptionScopes
994         =======================================
995         1. If a function can throw a JS exception, it should declare a ThrowScope at the
996            top of the function (as early as possible).
997
998         2. If a function can clear JS exceptions, it should declare a CatchScope at the
999            top of the function (as early as possible).
1000
1001         Declaring a ThrowScope in a function means that the function may throw an exception
1002         that its caller will have to handle.  Declaring a CatchScope in a function means
1003         that the function intends to clear pending exceptions before returning to its
1004         caller. 
1005
1006         For more details, see the notes below.
1007         
1008         Everything you may want to know about ExceptionScopes
1009         =====================================================
1010         ExceptionScope verification works to simulate exception throws and detect cases
1011         where exception checks are missing.  The notes below will cover:
1012
1013             1. The VM::m_needExceptionCheck bit
1014             2. ThrowScopes and CatchScopes
1015             3. Verification of needed exception checks
1016             3. Checking Exceptions
1017             4. Simulating throws
1018             5. Using ThrowScope::release()
1019             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1020             7. Checking exceptions by checking callee results
1021             8. Debugging verification errors
1022
1023         1. The VM::m_needExceptionCheck bit
1024
1025            The VM has a m_needExceptionCheck bit that indicates when an exception may be
1026            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
1027            throw.
1028
1029         2. ThrowScopes and CatchScopes
1030
1031            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
1032
1033            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
1034            at the top of its function (as early as possible) e.g.
1035  
1036                 void foo(...)
1037                 {
1038                     auto scope = DECLARE_THROW_SCOPE(vm);
1039                     ...
1040                     throwException(exec, scope, ...);
1041                 }
1042
1043            Note: by convention, every throw helper function must take a ThrowScope argument
1044            instead of instantiating its own ThrowScope.  This allows the throw to be
1045            attributed to the client code rather than the throw helper itself.
1046
1047            Every catch site (i.e. a site that calls clearException()) must declare a
1048            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
1049
1050            If a function can both throw or clear exceptions, then the ThrowScope should
1051            be declared first so that it can simulate a throw to the function's caller.
1052
1053            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
1054            can be aware if there's an enclosing CatchScope between it and the point where
1055            C++ code returns to JS code.  This is needed to determine if the ThrowScope
1056            should simulate a re-throw or not.  See (4) below for more details on returning
1057            to JS code.
1058
1059         3. Verification of needed exception checks
1060
1061            a. On construction, each ThrowScope and CatchScope will verify that
1062               VM::m_needExceptionCheck is not set.
1063  
1064               This ensures that the caller of the current function has checked for exceptions
1065               where needed before doing more work which lead to calling the current function.
1066
1067            b. On destruction, each ThrowScope and CatchScope will verify that
1068               VM::m_needExceptionCheck is not set. This verification will be skipped if
1069               the ThrowScope has been released (see (5) below).
1070
1071               This ensures that the function that owns this exception scope is not missing
1072               any exception checks before returning.
1073
1074            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
1075               is not already set, unless it's been ask to rethrow the same Exception object.
1076
1077         4. Simulating throws
1078
1079            Throws are simulated by setting the m_needExceptionCheck bit.
1080
1081            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1082            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1083            check for exceptions after a host C++ function returns to it.  However, they will
1084            not clear the m_needExceptionCheck bit.
1085
1086            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1087            it will just skip the setting of the bit.
1088
1089            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1090            throwException methods.  This is because, in practice, we always return
1091            immediately after throwing an exception.  It doesn't make sense to set the bit in
1092            the throw just to have to clear it immediately after before we do verification in
1093            the ThrowScope destructor.
1094
1095         5. Using ThrowScope::release()
1096
1097            Calling release() means that the scope is released from its obligation to
1098            verify the VM::m_needExceptionCheck bit on destruction.
1099
1100            release() should only be used at the bottom of a function if:
1101
1102            a. This function is going to let its caller check and handle the exception, e.g.
1103
1104                 void foo(...)
1105                 {
1106                     auto scope = DECLARE_THROW_SCOPE(vm);
1107                     auto result = goo(); // may throw.
1108
1109                     ... // Code that will are not affected by a pending exceptions.
1110
1111                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1112                     return result;
1113                 }
1114
1115            b. This function is going to do a tail call that may throw.
1116
1117                 void foo(...)
1118                 {
1119                     auto scope = DECLARE_THROW_SCOPE(vm);
1120                     ...
1121                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1122                     return goo(); // may throw.
1123                 }
1124
1125               release() should not be used in code paths that branch. For example:
1126
1127                 void foo(...)
1128                 {
1129                     auto scope = DECLARE_THROW_SCOPE(vm);
1130
1131                     auto result = goo1(); // may throw.
1132                     scope.release(); // WRONG !!! Don't do this.
1133                     if (result)
1134                         return;
1135
1136                     result = goo2(); // may throw.
1137                     ...
1138                     return result;
1139                 }
1140
1141             The above will result in a verification error in goo2()'s ThrowScope.  The
1142             proper way to fix this verification is to do either (6) or (7) below.
1143
1144          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1145
1146             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1147             there is one pending.  Else, it returns nullptr.
1148
1149             It also clears the m_needExceptionCheck bit thereby indicating that we've
1150             satisfied the needed exception check.  For example,
1151
1152                 void foo(...)
1153                 {
1154                     auto scope = DECLARE_THROW_SCOPE(vm);
1155
1156                     auto result = goo1(); // may throw.
1157                     if (scope.exception())
1158                         return;
1159
1160                     result = goo2(); // may throw.
1161                     ...
1162                     return result;
1163                 }
1164
1165             But sometimes, for optimization reasons, we may choose to test the result of
1166             the callee function instead doing a load of the VM exception value.  See (7)
1167             below.
1168
1169          7. Checking exceptions by checking callee results
1170
1171             This approach should only be applied when it makes a difference to performance.
1172             If we need to do this, we should add an ASSERT() that invokes the scope's
1173             exception() method to verify the result.  Since exception scope verification
1174             is only done on DEBUG builds, this ASSERT will satisfy the verification
1175             requirements without impacting performance.  For example,
1176
1177                 void foo(...)
1178                 {
1179                     auto scope = DECLARE_THROW_SCOPE(vm);
1180
1181                     bool failed = goo1(); // may throw.
1182                     ASSERT(!!scope.exception() == failed)
1183                     if (failed)
1184                         return;
1185
1186                     result = goo2(); // may throw.
1187                     ...
1188                     return result;
1189                 }
1190
1191          8. Debugging verification errors
1192
1193             a. When verification fails, you will see a message followed by an assertion
1194                failure.  For example:
1195
1196             ERROR: Unchecked JS exception:
1197                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1198                     (ExceptionScope::m_recursionDepth was ...)
1199                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1200                     (ExceptionScope::m_recursionDepth was ...)
1201                 [ backtrace here ]
1202
1203                The message tells you that failure was detected at in varargsSetup() at
1204                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1205                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1206                line 1245 and it.
1207
1208                If that is insufficient information, you can ...
1209
1210             b. Dump simulated throws
1211
1212                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1213                back traces at each simulated throw.
1214
1215             c. Narrowing down the source of a simulated throw
1216
1217                Another technique for narrowing down the source of simulated throws is by
1218                further dividing a function to smaller regions by separating each region
1219                with additional local throw scopes.  For example,
1220
1221                 ... // Region 1
1222                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1223                 ... // Region 2
1224                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1225                 ... // Region 3
1226
1227         * API/APIUtils.h:
1228         (handleExceptionIfNeeded):
1229         * CMakeLists.txt:
1230         * JavaScriptCore.xcodeproj/project.pbxproj:
1231         * bindings/ScriptFunctionCall.cpp:
1232         (Deprecated::ScriptFunctionCall::call):
1233         * bindings/ScriptValue.cpp:
1234         (Deprecated::ScriptValue::toString):
1235         * debugger/Debugger.cpp:
1236         (JSC::Debugger::pauseIfNeeded):
1237         * debugger/DebuggerCallFrame.cpp:
1238         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1239         * dfg/DFGOSRExitCompiler.cpp:
1240         * dfg/DFGOperations.cpp:
1241         (JSC::DFG::operationPutByValInternal):
1242         * inspector/InjectedScriptManager.cpp:
1243         (Inspector::InjectedScriptManager::createInjectedScript):
1244         * inspector/JSGlobalObjectInspectorController.cpp:
1245         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1246         * inspector/JSInjectedScriptHost.cpp:
1247         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1248         (Inspector::JSInjectedScriptHost::getInternalProperties):
1249         (Inspector::JSInjectedScriptHost::weakMapEntries):
1250         (Inspector::JSInjectedScriptHost::weakSetEntries):
1251         (Inspector::JSInjectedScriptHost::iteratorEntries):
1252         * inspector/JSJavaScriptCallFrame.cpp:
1253         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1254         * inspector/ScriptCallStackFactory.cpp:
1255         (Inspector::extractSourceInformationFromException):
1256         * interpreter/CachedCall.h:
1257         (JSC::CachedCall::CachedCall):
1258         * interpreter/CallFrame.h:
1259         (JSC::ExecState::clearException): Deleted.
1260         (JSC::ExecState::exception): Deleted.
1261         (JSC::ExecState::hadException): Deleted.
1262         (JSC::ExecState::lastException): Deleted.
1263         (JSC::ExecState::clearLastException): Deleted.
1264         * interpreter/Interpreter.cpp:
1265         (JSC::eval):
1266         (JSC::sizeOfVarargs):
1267         (JSC::notifyDebuggerOfUnwinding):
1268         (JSC::Interpreter::unwind):
1269         (JSC::Interpreter::execute):
1270         (JSC::Interpreter::executeCall):
1271         (JSC::Interpreter::executeConstruct):
1272         (JSC::Interpreter::prepareForRepeatCall):
1273         (JSC::Interpreter::debug):
1274         * interpreter/Interpreter.h:
1275         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1276         * interpreter/ShadowChicken.cpp:
1277         (JSC::ShadowChicken::functionsOnStack):
1278         * jit/JITCode.cpp:
1279         (JSC::JITCode::execute):
1280         * jit/JITExceptions.cpp:
1281         (JSC::genericUnwind):
1282         * jit/JITOperations.cpp:
1283         (JSC::getByVal):
1284         * jsc.cpp:
1285         (WTF::ImpureGetter::getOwnPropertySlot):
1286         (GlobalObject::moduleLoaderResolve):
1287         (GlobalObject::moduleLoaderFetch):
1288         (functionCreateElement):
1289         (functionRun):
1290         (functionRunString):
1291         (functionLoad):
1292         (functionLoadString):
1293         (functionReadFile):
1294         (functionCheckSyntax):
1295         (functionSetRandomSeed):
1296         (functionLoadModule):
1297         (functionCreateBuiltin):
1298         (functionCheckModuleSyntax):
1299         (functionGenerateHeapSnapshot):
1300         (functionSamplingProfilerStackTraces):
1301         (dumpException):
1302         (checkUncaughtException):
1303         (runWithScripts):
1304         (runInteractive):
1305         * llint/LLIntExceptions.cpp:
1306         (JSC::LLInt::returnToThrow):
1307         (JSC::LLInt::callToThrow):
1308         * llint/LLIntSlowPaths.cpp:
1309         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1310         * profiler/ProfilerBytecodeSequence.cpp:
1311         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1312         * profiler/ProfilerCompilation.cpp:
1313         (JSC::Profiler::Compilation::toJS):
1314         * profiler/ProfilerDatabase.cpp:
1315         (JSC::Profiler::Database::toJS):
1316         * profiler/ProfilerOSRExitSite.cpp:
1317         (JSC::Profiler::OSRExitSite::toJS):
1318         * profiler/ProfilerOriginStack.cpp:
1319         (JSC::Profiler::OriginStack::toJS):
1320         * runtime/ArrayPrototype.cpp:
1321         (JSC::speciesConstructArray):
1322         (JSC::shift):
1323         (JSC::unshift):
1324         (JSC::arrayProtoFuncToString):
1325         (JSC::arrayProtoFuncToLocaleString):
1326         (JSC::slowJoin):
1327         (JSC::fastJoin):
1328         (JSC::arrayProtoFuncJoin):
1329         (JSC::arrayProtoFuncPop):
1330         (JSC::arrayProtoFuncPush):
1331         (JSC::arrayProtoFuncReverse):
1332         (JSC::arrayProtoFuncShift):
1333         (JSC::arrayProtoFuncSlice):
1334         (JSC::arrayProtoFuncSplice):
1335         (JSC::arrayProtoFuncUnShift):
1336         (JSC::arrayProtoFuncIndexOf):
1337         (JSC::arrayProtoFuncLastIndexOf):
1338         (JSC::moveElements):
1339         (JSC::concatAppendOne):
1340         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1341         * runtime/BooleanConstructor.cpp:
1342         (JSC::constructWithBooleanConstructor):
1343         * runtime/CallData.cpp:
1344         (JSC::call):
1345         * runtime/CatchScope.cpp: Added.
1346         (JSC::CatchScope::CatchScope):
1347         (JSC::CatchScope::~CatchScope):
1348         * runtime/CatchScope.h: Added.
1349         (JSC::CatchScope::clearException):
1350         (JSC::CatchScope::CatchScope):
1351         * runtime/CommonSlowPaths.cpp:
1352         (JSC::SLOW_PATH_DECL):
1353         * runtime/CommonSlowPaths.h:
1354         (JSC::CommonSlowPaths::opIn):
1355         * runtime/CommonSlowPathsExceptions.cpp:
1356         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1357         * runtime/Completion.cpp:
1358         (JSC::evaluate):
1359         (JSC::rejectPromise):
1360         (JSC::loadAndEvaluateModule):
1361         (JSC::loadModule):
1362         * runtime/ConsoleObject.cpp:
1363         (JSC::consoleProtoFuncAssert):
1364         (JSC::consoleProtoFuncProfile):
1365         (JSC::consoleProtoFuncProfileEnd):
1366         (JSC::consoleProtoFuncTakeHeapSnapshot):
1367         (JSC::consoleProtoFuncTime):
1368         (JSC::consoleProtoFuncTimeEnd):
1369         * runtime/DateConstructor.cpp:
1370         (JSC::constructDate):
1371         (JSC::dateParse):
1372         * runtime/DatePrototype.cpp:
1373         (JSC::dateProtoFuncToPrimitiveSymbol):
1374         (JSC::dateProtoFuncToJSON):
1375         * runtime/ErrorConstructor.cpp:
1376         (JSC::Interpreter::constructWithErrorConstructor):
1377         * runtime/ErrorInstance.cpp:
1378         (JSC::ErrorInstance::sanitizedToString):
1379         * runtime/ErrorPrototype.cpp:
1380         (JSC::errorProtoFuncToString):
1381         * runtime/ExceptionEventLocation.cpp: Added.
1382         (WTF::printInternal):
1383         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1384         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1385         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1386         * runtime/ExceptionHelpers.h:
1387         * runtime/ExceptionScope.cpp: Added.
1388         (JSC::ExceptionScope::ExceptionScope):
1389         (JSC::ExceptionScope::~ExceptionScope):
1390         * runtime/ExceptionScope.h: Added.
1391         (JSC::ExceptionScope::vm):
1392         (JSC::ExceptionScope::recursionDepth):
1393         (JSC::ExceptionScope::exception):
1394         (JSC::ExceptionScope::ExceptionScope):
1395         * runtime/FunctionConstructor.cpp:
1396         (JSC::constructFunctionSkippingEvalEnabledCheck):
1397         * runtime/FunctionPrototype.cpp:
1398         (JSC::functionProtoFuncBind):
1399         * runtime/GenericArgumentsInlines.h:
1400         (JSC::GenericArguments<Type>::copyToArguments):
1401         * runtime/GetterSetter.cpp:
1402         (JSC::callGetter):
1403         * runtime/InspectorInstrumentationObject.cpp:
1404         (JSC::inspectorInstrumentationObjectLog):
1405         * runtime/InternalFunction.cpp:
1406         (JSC::InternalFunction::createSubclassStructure):
1407         * runtime/IntlCollator.cpp:
1408         (JSC::IntlCollator::initializeCollator):
1409         (JSC::IntlCollator::createCollator):
1410         (JSC::IntlCollator::resolvedOptions):
1411         * runtime/IntlCollatorConstructor.cpp:
1412         (JSC::constructIntlCollator):
1413         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1414         * runtime/IntlCollatorPrototype.cpp:
1415         (JSC::IntlCollatorFuncCompare):
1416         (JSC::IntlCollatorPrototypeGetterCompare):
1417         * runtime/IntlDateTimeFormat.cpp:
1418         (JSC::toDateTimeOptionsAnyDate):
1419         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1420         (JSC::IntlDateTimeFormat::resolvedOptions):
1421         (JSC::IntlDateTimeFormat::format):
1422         * runtime/IntlDateTimeFormatConstructor.cpp:
1423         (JSC::constructIntlDateTimeFormat):
1424         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1425         * runtime/IntlDateTimeFormatPrototype.cpp:
1426         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1427         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1428         * runtime/IntlNumberFormat.cpp:
1429         (JSC::IntlNumberFormat::initializeNumberFormat):
1430         (JSC::IntlNumberFormat::createNumberFormat):
1431         (JSC::IntlNumberFormat::resolvedOptions):
1432         * runtime/IntlNumberFormatConstructor.cpp:
1433         (JSC::constructIntlNumberFormat):
1434         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1435         * runtime/IntlNumberFormatPrototype.cpp:
1436         (JSC::IntlNumberFormatFuncFormatNumber):
1437         (JSC::IntlNumberFormatPrototypeGetterFormat):
1438         * runtime/IntlObject.cpp:
1439         (JSC::intlBooleanOption):
1440         (JSC::intlStringOption):
1441         (JSC::intlNumberOption):
1442         (JSC::canonicalizeLocaleList):
1443         (JSC::supportedLocales):
1444         * runtime/IntlObjectInlines.h:
1445         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1446         * runtime/IteratorOperations.cpp:
1447         (JSC::iteratorNext):
1448         (JSC::iteratorStep):
1449         (JSC::iteratorClose):
1450         (JSC::iteratorForIterable):
1451         * runtime/IteratorOperations.h:
1452         (JSC::forEachInIterable):
1453         * runtime/JSArray.cpp:
1454         (JSC::JSArray::pop):
1455         (JSC::JSArray::push):
1456         (JSC::JSArray::copyToArguments):
1457         * runtime/JSArrayBufferConstructor.cpp:
1458         (JSC::constructArrayBuffer):
1459         * runtime/JSArrayBufferPrototype.cpp:
1460         (JSC::arrayBufferProtoFuncSlice):
1461         * runtime/JSArrayInlines.h:
1462         (JSC::getLength):
1463         (JSC::toLength):
1464         * runtime/JSBoundFunction.cpp:
1465         (JSC::getBoundFunctionStructure):
1466         (JSC::JSBoundFunction::create):
1467         * runtime/JSCJSValue.cpp:
1468         (JSC::JSValue::putToPrimitive):
1469         (JSC::JSValue::putToPrimitiveByIndex):
1470         (JSC::JSValue::toStringSlowCase):
1471         * runtime/JSCJSValueInlines.h:
1472         (JSC::toPreferredPrimitiveType):
1473         (JSC::JSValue::getPropertySlot):
1474         (JSC::JSValue::equalSlowCaseInline):
1475         * runtime/JSDataViewPrototype.cpp:
1476         (JSC::getData):
1477         (JSC::setData):
1478         * runtime/JSFunction.cpp:
1479         (JSC::JSFunction::setFunctionName):
1480         * runtime/JSGenericTypedArrayView.h:
1481         (JSC::JSGenericTypedArrayView::setIndex):
1482         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1483         (JSC::constructGenericTypedArrayViewFromIterator):
1484         (JSC::constructGenericTypedArrayViewWithArguments):
1485         (JSC::constructGenericTypedArrayView):
1486         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1487         (JSC::speciesConstruct):
1488         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1489         (JSC::genericTypedArrayViewProtoFuncIncludes):
1490         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1491         (JSC::genericTypedArrayViewProtoFuncJoin):
1492         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1493         (JSC::genericTypedArrayViewProtoFuncSlice):
1494         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1495         * runtime/JSGlobalObject.h:
1496         (JSC::constructEmptyArray):
1497         (JSC::constructArray):
1498         (JSC::constructArrayNegativeIndexed):
1499         * runtime/JSGlobalObjectFunctions.cpp:
1500         (JSC::globalFuncEval):
1501         * runtime/JSJob.cpp:
1502         (JSC::JSJobMicrotask::run):
1503         * runtime/JSModuleEnvironment.cpp:
1504         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1505         * runtime/JSModuleLoader.cpp:
1506         (JSC::JSModuleLoader::fetch):
1507         * runtime/JSModuleNamespaceObject.cpp:
1508         (JSC::JSModuleNamespaceObject::finishCreation):
1509         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1510         * runtime/JSModuleRecord.cpp:
1511         (JSC::JSModuleRecord::instantiateDeclarations):
1512         * runtime/JSONObject.cpp:
1513         (JSC::Stringifier::Stringifier):
1514         (JSC::Stringifier::stringify):
1515         (JSC::Stringifier::toJSON):
1516         (JSC::Stringifier::appendStringifiedValue):
1517         (JSC::Stringifier::Holder::appendNextProperty):
1518         (JSC::Walker::walk):
1519         (JSC::JSONProtoFuncParse):
1520         * runtime/JSObject.cpp:
1521         (JSC::ordinarySetSlow):
1522         (JSC::JSObject::setPrototypeWithCycleCheck):
1523         (JSC::callToPrimitiveFunction):
1524         (JSC::JSObject::ordinaryToPrimitive):
1525         (JSC::JSObject::defaultHasInstance):
1526         (JSC::JSObject::getPropertyNames):
1527         (JSC::JSObject::toNumber):
1528         (JSC::JSObject::toString):
1529         (JSC::JSObject::defineOwnNonIndexProperty):
1530         (JSC::JSObject::getGenericPropertyNames):
1531         (JSC::JSObject::getMethod):
1532         * runtime/JSObjectInlines.h:
1533         (JSC::createListFromArrayLike):
1534         (JSC::JSObject::getPropertySlot):
1535         (JSC::JSObject::getNonIndexPropertySlot):
1536         * runtime/JSPromiseConstructor.cpp:
1537         (JSC::constructPromise):
1538         * runtime/JSPropertyNameEnumerator.h:
1539         (JSC::propertyNameEnumerator):
1540         * runtime/JSPropertyNameIterator.cpp:
1541         (JSC::JSPropertyNameIterator::create):
1542         * runtime/JSScope.cpp:
1543         (JSC::isUnscopable):
1544         (JSC::JSScope::resolve):
1545         * runtime/JSString.cpp:
1546         (JSC::JSString::equalSlowCase):
1547         * runtime/JSStringJoiner.cpp:
1548         (JSC::JSStringJoiner::join):
1549         * runtime/LiteralParser.cpp:
1550         (JSC::LiteralParser<CharType>::parse):
1551         * runtime/MapConstructor.cpp:
1552         (JSC::constructMap):
1553         * runtime/MathObject.cpp:
1554         (JSC::mathProtoFuncClz32):
1555         (JSC::mathProtoFuncHypot):
1556         (JSC::mathProtoFuncIMul):
1557         * runtime/ModuleLoaderPrototype.cpp:
1558         (JSC::moduleLoaderPrototypeParseModule):
1559         (JSC::moduleLoaderPrototypeRequestedModules):
1560         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1561         * runtime/NativeErrorConstructor.cpp:
1562         (JSC::Interpreter::constructWithNativeErrorConstructor):
1563         * runtime/NumberConstructor.cpp:
1564         (JSC::constructWithNumberConstructor):
1565         * runtime/ObjectConstructor.cpp:
1566         (JSC::constructObject):
1567         (JSC::objectConstructorGetPrototypeOf):
1568         (JSC::objectConstructorSetPrototypeOf):
1569         (JSC::objectConstructorGetOwnPropertyDescriptor):
1570         (JSC::objectConstructorGetOwnPropertyDescriptors):
1571         (JSC::objectConstructorGetOwnPropertyNames):
1572         (JSC::objectConstructorGetOwnPropertySymbols):
1573         (JSC::objectConstructorKeys):
1574         (JSC::ownEnumerablePropertyKeys):
1575         (JSC::toPropertyDescriptor):
1576         (JSC::objectConstructorDefineProperty):
1577         (JSC::defineProperties):
1578         (JSC::objectConstructorSeal):
1579         (JSC::objectConstructorFreeze):
1580         (JSC::objectConstructorIsSealed):
1581         (JSC::objectConstructorIsFrozen):
1582         (JSC::objectConstructorIsExtensible):
1583         (JSC::ownPropertyKeys):
1584         * runtime/ObjectConstructor.h:
1585         (JSC::constructObjectFromPropertyDescriptor):
1586         * runtime/ObjectPrototype.cpp:
1587         (JSC::objectProtoFuncHasOwnProperty):
1588         (JSC::objectProtoFuncIsPrototypeOf):
1589         (JSC::objectProtoFuncDefineGetter):
1590         (JSC::objectProtoFuncDefineSetter):
1591         (JSC::objectProtoFuncLookupGetter):
1592         (JSC::objectProtoFuncLookupSetter):
1593         (JSC::objectProtoFuncPropertyIsEnumerable):
1594         (JSC::objectProtoFuncToLocaleString):
1595         (JSC::objectProtoFuncToString):
1596         * runtime/Operations.cpp:
1597         (JSC::jsAddSlowCase):
1598         * runtime/Options.h:
1599         * runtime/PropertyDescriptor.cpp:
1600         (JSC::PropertyDescriptor::slowGetterSetter):
1601         * runtime/ProxyConstructor.cpp:
1602         (JSC::makeRevocableProxy):
1603         * runtime/ProxyObject.cpp:
1604         (JSC::ProxyObject::toStringName):
1605         (JSC::performProxyGet):
1606         (JSC::ProxyObject::performGet):
1607         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1608         (JSC::ProxyObject::performHasProperty):
1609         (JSC::ProxyObject::performPut):
1610         (JSC::ProxyObject::putByIndexCommon):
1611         (JSC::performProxyCall):
1612         (JSC::performProxyConstruct):
1613         (JSC::ProxyObject::performDelete):
1614         (JSC::ProxyObject::performPreventExtensions):
1615         (JSC::ProxyObject::performIsExtensible):
1616         (JSC::ProxyObject::performDefineOwnProperty):
1617         (JSC::ProxyObject::performGetOwnPropertyNames):
1618         (JSC::ProxyObject::performSetPrototype):
1619         (JSC::ProxyObject::performGetPrototype):
1620         * runtime/ReflectObject.cpp:
1621         (JSC::reflectObjectConstruct):
1622         (JSC::reflectObjectDefineProperty):
1623         (JSC::reflectObjectGet):
1624         (JSC::reflectObjectGetOwnPropertyDescriptor):
1625         (JSC::reflectObjectIsExtensible):
1626         (JSC::reflectObjectPreventExtensions):
1627         (JSC::reflectObjectSet):
1628         (JSC::reflectObjectSetPrototypeOf):
1629         * runtime/RegExpConstructor.cpp:
1630         (JSC::toFlags):
1631         (JSC::regExpCreate):
1632         (JSC::constructRegExp):
1633         * runtime/RegExpConstructor.h:
1634         (JSC::isRegExp):
1635         * runtime/RegExpObject.cpp:
1636         (JSC::collectMatches):
1637         (JSC::RegExpObject::matchGlobal):
1638         * runtime/RegExpPrototype.cpp:
1639         (JSC::regExpProtoFuncCompile):
1640         (JSC::flagsString):
1641         (JSC::regExpProtoFuncToString):
1642         (JSC::regExpProtoGetterFlags):
1643         (JSC::regExpProtoFuncSearchFast):
1644         (JSC::regExpProtoFuncSplitFast):
1645         * runtime/SetConstructor.cpp:
1646         (JSC::constructSet):
1647         * runtime/StringConstructor.cpp:
1648         (JSC::stringFromCodePoint):
1649         (JSC::constructWithStringConstructor):
1650         * runtime/StringObject.cpp:
1651         (JSC::StringObject::defineOwnProperty):
1652         * runtime/StringPrototype.cpp:
1653         (JSC::replaceUsingRegExpSearch):
1654         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1655         (JSC::replaceUsingStringSearch):
1656         (JSC::replace):
1657         (JSC::stringProtoFuncReplaceUsingRegExp):
1658         (JSC::stringProtoFuncReplaceUsingStringSearch):
1659         (JSC::stringProtoFuncCodePointAt):
1660         (JSC::stringProtoFuncSlice):
1661         (JSC::stringProtoFuncSplitFast):
1662         (JSC::stringProtoFuncSubstr):
1663         (JSC::stringProtoFuncSubstring):
1664         (JSC::stringProtoFuncLocaleCompare):
1665         (JSC::toLocaleCase):
1666         (JSC::stringProtoFuncBig):
1667         (JSC::stringProtoFuncSmall):
1668         (JSC::stringProtoFuncBlink):
1669         (JSC::stringProtoFuncBold):
1670         (JSC::stringProtoFuncFixed):
1671         (JSC::stringProtoFuncItalics):
1672         (JSC::stringProtoFuncStrike):
1673         (JSC::stringProtoFuncSub):
1674         (JSC::stringProtoFuncSup):
1675         (JSC::stringProtoFuncFontcolor):
1676         (JSC::stringProtoFuncFontsize):
1677         (JSC::stringProtoFuncAnchor):
1678         (JSC::stringProtoFuncLink):
1679         (JSC::trimString):
1680         (JSC::stringProtoFuncStartsWith):
1681         (JSC::stringProtoFuncEndsWith):
1682         (JSC::stringIncludesImpl):
1683         (JSC::stringProtoFuncIncludes):
1684         (JSC::builtinStringIncludesInternal):
1685         (JSC::stringProtoFuncNormalize):
1686         * runtime/SymbolConstructor.cpp:
1687         (JSC::symbolConstructorFor):
1688         * runtime/TemplateRegistry.cpp:
1689         (JSC::TemplateRegistry::getTemplateObject):
1690         * runtime/ThrowScope.cpp:
1691         (JSC::ThrowScope::ThrowScope):
1692         (JSC::ThrowScope::~ThrowScope):
1693         (JSC::ThrowScope::throwException):
1694         (JSC::ThrowScope::simulateThrow):
1695         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1696         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1697         * runtime/ThrowScope.h:
1698         (JSC::ThrowScope::release):
1699         (JSC::ThrowScope::ThrowScope):
1700         (JSC::ThrowScope::throwException):
1701         (JSC::ThrowScope::vm): Deleted.
1702         (JSC::ThrowScope::exception): Deleted.
1703         * runtime/ThrowScopeLocation.h: Removed.
1704         * runtime/VM.cpp:
1705         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1706         * runtime/VM.h:
1707         (JSC::VM::exception):
1708         (JSC::VM::clearException):
1709         (JSC::VM::setException): Deleted.
1710         * runtime/WeakMapConstructor.cpp:
1711         (JSC::constructWeakMap):
1712         * runtime/WeakSetConstructor.cpp:
1713         (JSC::constructWeakSet):
1714         * tools/JSDollarVMPrototype.cpp:
1715         (JSC::functionPrint):
1716
1717 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1718
1719         [INTL] some valid language tags cause errors in Intl constructors
1720         https://bugs.webkit.org/show_bug.cgi?id=161672
1721
1722         Reviewed by Mark Lam.
1723
1724         Fix private use tag parsing to match spec, allowing single character parts.
1725         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1726
1727         ```
1728         privateuse    = "x" 1*("-" (1*8alphanum))
1729         ```
1730
1731         * runtime/IntlObject.cpp:
1732         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1733
1734 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1735
1736         [JSC] Remove a couple of useless forward declaration
1737         https://bugs.webkit.org/show_bug.cgi?id=161676
1738
1739         Reviewed by Mark Lam.
1740
1741         JITMathICForwards.h should take care of declarating the Math ICs.
1742
1743         * bytecode/CodeBlock.h:
1744         * jit/JITOperations.h:
1745
1746 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1747
1748         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1749         https://bugs.webkit.org/show_bug.cgi?id=161706
1750
1751         Reviewed by Geoffrey Garen.
1752         
1753         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1754         have to do something different.
1755
1756         * jit/AssemblyHelpers.h:
1757         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1758
1759 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1760
1761         Unreviewed CMake build fix after r205552
1762
1763         * CMakeLists.txt:
1764
1765 2016-09-03  Keith Miller  <keith_miller@apple.com>
1766
1767         Add support for WASM Loops and Branches
1768         https://bugs.webkit.org/show_bug.cgi?id=161569
1769
1770         Reviewed by Benjamin Poulain.
1771
1772         This patch adds support for loops and branches to WASM. In order
1773         to support loops, we needed to change the way the B3IRGenerator
1774         tracked control information. Now, the control data holds three
1775         pieces of information: The continuation block, the loop branch
1776         target, and variables exiting the block. Whenever we branch to
1777         some control point we first check if it is a loop by checking that
1778         the loop branch target is non-null. If the branch is not targeting
1779         a loop, we map the stack values to the associated B3 variables for
1780         that stack slot.
1781
1782         Another interesting thing of note is that we now only allocate the
1783         continuation basic block lazily. This is beneficial when the
1784         continuation would just fall through to another block anyway. For
1785         example, in code like: (block ... (block (add 1 2) end) end) the
1786         continuation for the inner block just falls through to the outer
1787         block's continuation so we don't need an extra block.
1788
1789         * B3CallingConventions.cpp:
1790         (JSC::B3::jscCallingConvention): Deleted.
1791         * B3CallingConventions.h:
1792         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1793         (JSC::B3::CallingConvention::iterate): Deleted.
1794         (JSC::B3::nextJSCOffset): Deleted.
1795         * JavaScriptCore.xcodeproj/project.pbxproj:
1796         * b3/B3Type.h:
1797         * testWASM.cpp:
1798         (runWASMTests):
1799         * wasm/WASMB3IRGenerator.cpp:
1800         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1801         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1802         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1803         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1804         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1805         (JSC::WASM::B3IRGenerator::ControlData::dump):
1806         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1807         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1808         (JSC::WASM::B3IRGenerator::addLocal):
1809         (JSC::WASM::B3IRGenerator::addArguments):
1810         (JSC::WASM::B3IRGenerator::setLocal):
1811         (JSC::WASM::B3IRGenerator::addBlock):
1812         (JSC::WASM::B3IRGenerator::addLoop):
1813         (JSC::WASM::B3IRGenerator::endBlock):
1814         (JSC::WASM::B3IRGenerator::addReturn):
1815         (JSC::WASM::B3IRGenerator::addBranch):
1816         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1817         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1818         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1819         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1820         (JSC::WASM::parseAndCompile):
1821         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1822         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1823         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1824         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1825         (JSC::WASM::jscCallingConvention):
1826         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1827         (JSC::WASM::CallingConvention::CallingConvention):
1828         (JSC::WASM::CallingConvention::iterate):
1829         (JSC::WASM::nextJSCOffset):
1830         * wasm/WASMFormat.h:
1831         (JSC::WASM::toB3Type):
1832         (JSC::WASM::isValueType):
1833         * wasm/WASMFunctionParser.h:
1834         (JSC::WASM::FunctionParser<Context>::parse):
1835         (JSC::WASM::FunctionParser<Context>::parseExpression):
1836         * wasm/WASMModuleParser.cpp:
1837         (JSC::WASM::ModuleParser::parseFunctionTypes):
1838         * wasm/WASMOps.h:
1839
1840 2016-09-07  Youenn Fablet  <youenn@apple.com>
1841
1842         [Streams API] Separate compile flag for ReadableStream and WritableStream
1843         https://bugs.webkit.org/show_bug.cgi?id=161044
1844
1845         Reviewed by Alex Christensen.
1846
1847         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1848         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1849
1850         * Configurations/FeatureDefines.xcconfig:
1851         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1852         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1853         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1854
1855 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1856
1857         Fix the ENABLE(WEBASSEMBLY) build on Linux
1858         https://bugs.webkit.org/show_bug.cgi?id=161685
1859
1860         Unreviewed buildfix.
1861
1862         * wasm/JSWASMModule.cpp:
1863
1864 2016-09-06  Saam Barati  <sbarati@apple.com>
1865
1866         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1867         https://bugs.webkit.org/show_bug.cgi?id=161558
1868
1869         Reviewed by Benjamin Poulain.
1870
1871         ProxyObject had ObjectPrototype as its direct prototype.
1872         This could lead to infinite loops when doing a getDirectPrototype()
1873         loop.
1874
1875         Fixing this bug revealed another bug, which I made when implementing Proxy.
1876         We should not special case "__proto__" in get and set for Proxy Object's
1877         hooks. "__proto__" should just go through the normal set and get path.
1878
1879         * runtime/JSGlobalObject.cpp:
1880         (JSC::JSGlobalObject::init):
1881         * runtime/ProxyObject.cpp:
1882         (JSC::performProxyGet):
1883         (JSC::ProxyObject::put):
1884
1885 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1886
1887         Make JSC::PrivateName copyable
1888         https://bugs.webkit.org/show_bug.cgi?id=161666
1889
1890         Reviewed by Ryosuke Niwa.
1891
1892         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1893         And since the custom copy constructor deletes the default move constructor, we explcitly define
1894         it by `= default;`.
1895
1896         * runtime/PrivateName.h:
1897         (JSC::PrivateName::PrivateName):
1898
1899 2016-09-06  Daniel Bates  <dabates@apple.com>
1900
1901         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1902         https://bugs.webkit.org/show_bug.cgi?id=161296
1903
1904         Reviewed by Dan Bernstein.
1905
1906         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1907         with the iOS 10 beta SDK.
1908
1909         * Configurations/Base.xcconfig:
1910
1911 2016-09-06  Saam Barati  <sbarati@apple.com>
1912
1913         Unreviewed build fix for 32-bit platforms after r205520.
1914
1915         * dfg/DFGSpeculativeJIT.h:
1916         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1917
1918 2016-09-06  Saam Barati  <sbarati@apple.com>
1919
1920         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1921         https://bugs.webkit.org/show_bug.cgi?id=160870
1922
1923         Reviewed by Darin Adler.
1924
1925         Credit goes to Jonathan Bedard for finding this bug using the undefined
1926         behavior sanitizer.
1927
1928         The rule for MaterializeNewObject inside AI was assuming that the graph
1929         is in SSA form. This used to be true when MaterializeNewObject was only
1930         inserted by the allocation sinking phase. However, Filip added more uses
1931         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1932         the bug by using the structure set inside the Node's OpInfo rather than
1933         generating it from m_phiChildren inside AI.
1934
1935         * dfg/DFGAbstractInterpreterInlines.h:
1936         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1937
1938 2016-09-06  Saam Barati  <sbarati@apple.com>
1939
1940         Make JSMap and JSSet faster
1941         https://bugs.webkit.org/show_bug.cgi?id=160989
1942
1943         Reviewed by Filip Pizlo.
1944
1945         This patch revamps how we implement Map and Set. It uses
1946         a new hash map implementation. The hash map uses linear
1947         probing and it uses Wang's 64 bit hash function for JSValues
1948         that aren't strings. Strings use StringImpl's hash function.
1949         The reason I wanted to roll our own HashTable is twofold:
1950         I didn't want to inline WTF::HashMap's implementation into our
1951         JIT, since that seems error prone and unmaintainable. Also, I wanted
1952         a different structure for hash map buckets where buckets also exist in
1953         a linked list.
1954
1955         The reason for making buckets part of a linked list is that iteration
1956         is now simple. Iteration works by just traversing a linked list.
1957         This design also allows for a simple implementation when doing iteration
1958         while the hash table is mutating. Whenever we remove a bucket from
1959         the hash table, it is removed from the list, meaning items in the
1960         list don't point to it. However, the removed bucket will still point
1961         to things that are either in the list, or have also been removed.
1962         e.g, from a removed bucket, you can always follow pointers until you
1963         either find an item in the list, or you find the tail of the list.
1964         This is a really nice property because it means that a Map or Set
1965         does not need to reason about the all the iterators that point
1966         into its list. Also, whenever we add items to the Map or Set, we
1967         hijack the tail as the new item, and make the new item point to a newly
1968         created tail. This means that any iterator that pointed to the "tail" now
1969         points to non-tail items. This makes the implementation of adding things
1970         to the Map/Set while iterating easy.
1971
1972         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1973         into intrinsics in the DFG. The IR can now reason about hash map
1974         operations and can even do CSE over Wang's hash function, hash map
1975         bucket lookups, hash map bucket loads, and testing if a key is in
1976         the hash table. This makes code patterns for Map like so, super fast
1977         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1978
1979         ```
1980         function getKeyIfPresent(map, key) {
1981             if (map.has(key))
1982                 return map.get(key);
1983         }
1984         ```
1985
1986         This patch is roughly an 8% speedup on ES6SampleBench.
1987
1988
1989         * CMakeLists.txt:
1990         * JavaScriptCore.xcodeproj/project.pbxproj:
1991         * assembler/MacroAssemblerARM64.h:
1992         (JSC::MacroAssemblerARM64::not64):
1993         * bytecode/SpeculatedType.cpp:
1994         (JSC::speculationFromClassInfo):
1995         * bytecode/SpeculatedType.h:
1996         * dfg/DFGAbstractInterpreterInlines.h:
1997         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1998         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1999         * dfg/DFGByteCodeParser.cpp:
2000         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2001         * dfg/DFGClobberize.h:
2002         (JSC::DFG::clobberize):
2003         * dfg/DFGDoesGC.cpp:
2004         (JSC::DFG::doesGC):
2005         * dfg/DFGEdge.h:
2006         (JSC::DFG::Edge::shift):
2007         (JSC::DFG::Edge::makeWord):
2008         * dfg/DFGFixupPhase.cpp:
2009         (JSC::DFG::FixupPhase::fixupNode):
2010         * dfg/DFGHeapLocation.cpp:
2011         (WTF::printInternal):
2012         * dfg/DFGHeapLocation.h:
2013         * dfg/DFGNode.h:
2014         (JSC::DFG::Node::hasHeapPrediction):
2015         * dfg/DFGNodeType.h:
2016         * dfg/DFGOperations.cpp:
2017         * dfg/DFGOperations.h:
2018         * dfg/DFGPredictionPropagationPhase.cpp:
2019         * dfg/DFGSafeToExecute.h:
2020         (JSC::DFG::SafeToExecuteEdge::operator()):
2021         (JSC::DFG::safeToExecute):
2022         * dfg/DFGSpeculativeJIT.cpp:
2023         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2024         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2025         (JSC::DFG::SpeculativeJIT::speculate):
2026         * dfg/DFGSpeculativeJIT.h:
2027         (JSC::DFG::SpeculativeJIT::callOperation):
2028         * dfg/DFGSpeculativeJIT32_64.cpp:
2029         (JSC::DFG::SpeculativeJIT::compile):
2030         * dfg/DFGSpeculativeJIT64.cpp:
2031         (JSC::DFG::SpeculativeJIT::compile):
2032         * dfg/DFGUseKind.cpp:
2033         (WTF::printInternal):
2034         * dfg/DFGUseKind.h:
2035         (JSC::DFG::typeFilterFor):
2036         (JSC::DFG::isCell):
2037         * ftl/FTLAbstractHeapRepository.h:
2038         * ftl/FTLCapabilities.cpp:
2039         (JSC::FTL::canCompile):
2040         * ftl/FTLLowerDFGToB3.cpp:
2041         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2042         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2043         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2044         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2045         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2046         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2047         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2048         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2049         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2050         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2051         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2052         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2053         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2054         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2055         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2056         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2057         * jit/AssemblyHelpers.cpp:
2058         (JSC::AssemblyHelpers::wangsInt64Hash):
2059         * jit/AssemblyHelpers.h:
2060         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2061         * jit/JITOperations.h:
2062         * parser/ModuleAnalyzer.cpp:
2063         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2064         * runtime/HashMapImpl.cpp: Added.
2065         (JSC::HashMapBucket<Data>::visitChildren):
2066         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2067         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2068         * runtime/HashMapImpl.h: Added.
2069         (JSC::HashMapBucket::selectStructure):
2070         (JSC::HashMapBucket::createStructure):
2071         (JSC::HashMapBucket::create):
2072         (JSC::HashMapBucket::HashMapBucket):
2073         (JSC::HashMapBucket::setNext):
2074         (JSC::HashMapBucket::setPrev):
2075         (JSC::HashMapBucket::setKey):
2076         (JSC::HashMapBucket::setValue):
2077         (JSC::HashMapBucket::key):
2078         (JSC::HashMapBucket::value):
2079         (JSC::HashMapBucket::next):
2080         (JSC::HashMapBucket::prev):
2081         (JSC::HashMapBucket::deleted):
2082         (JSC::HashMapBucket::setDeleted):
2083         (JSC::HashMapBucket::offsetOfKey):
2084         (JSC::HashMapBucket::offsetOfValue):
2085         (JSC::HashMapBuffer::allocationSize):
2086         (JSC::HashMapBuffer::buffer):
2087         (JSC::HashMapBuffer::create):
2088         (JSC::areKeysEqual):
2089         (JSC::normalizeMapKey):
2090         (JSC::jsMapHash):
2091         (JSC::HashMapImpl::selectStructure):
2092         (JSC::HashMapImpl::createStructure):
2093         (JSC::HashMapImpl::create):
2094         (JSC::HashMapImpl::HashMapImpl):
2095         (JSC::HashMapImpl::buffer):
2096         (JSC::HashMapImpl::finishCreation):
2097         (JSC::HashMapImpl::emptyValue):
2098         (JSC::HashMapImpl::isEmpty):
2099         (JSC::HashMapImpl::deletedValue):
2100         (JSC::HashMapImpl::isDeleted):
2101         (JSC::HashMapImpl::findBucket):
2102         (JSC::HashMapImpl::get):
2103         (JSC::HashMapImpl::has):
2104         (JSC::HashMapImpl::add):
2105         (JSC::HashMapImpl::remove):
2106         (JSC::HashMapImpl::size):
2107         (JSC::HashMapImpl::clear):
2108         (JSC::HashMapImpl::bufferSizeInBytes):
2109         (JSC::HashMapImpl::offsetOfBuffer):
2110         (JSC::HashMapImpl::offsetOfCapacity):
2111         (JSC::HashMapImpl::head):
2112         (JSC::HashMapImpl::tail):
2113         (JSC::HashMapImpl::approximateSize):
2114         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2115         (JSC::HashMapImpl::rehash):
2116         (JSC::HashMapImpl::makeAndSetNewBuffer):
2117         * runtime/Intrinsic.h:
2118         * runtime/JSCJSValue.h:
2119         * runtime/JSCJSValueInlines.h:
2120         (JSC::sameValue):
2121         * runtime/JSGlobalObject.cpp:
2122         (JSC::JSGlobalObject::init):
2123         * runtime/JSMap.cpp:
2124         (JSC::JSMap::destroy): Deleted.
2125         (JSC::JSMap::estimatedSize): Deleted.
2126         (JSC::JSMap::visitChildren): Deleted.
2127         (JSC::JSMap::copyBackingStore): Deleted.
2128         (JSC::JSMap::has): Deleted.
2129         (JSC::JSMap::size): Deleted.
2130         (JSC::JSMap::get): Deleted.
2131         (JSC::JSMap::set): Deleted.
2132         (JSC::JSMap::clear): Deleted.
2133         (JSC::JSMap::remove): Deleted.
2134         * runtime/JSMap.h:
2135         (JSC::JSMap::createStructure):
2136         (JSC::JSMap::create):
2137         (JSC::JSMap::get):
2138         (JSC::JSMap::set):
2139         (JSC::JSMap::JSMap):
2140         (JSC::JSMap::Entry::key): Deleted.
2141         (JSC::JSMap::Entry::value): Deleted.
2142         (JSC::JSMap::Entry::visitChildren): Deleted.
2143         (JSC::JSMap::Entry::setKey): Deleted.
2144         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2145         (JSC::JSMap::Entry::setValue): Deleted.
2146         (JSC::JSMap::Entry::clear): Deleted.
2147         * runtime/JSMapIterator.cpp:
2148         (JSC::JSMapIterator::finishCreation):
2149         (JSC::JSMapIterator::visitChildren):
2150         (JSC::JSMapIterator::clone):
2151         * runtime/JSMapIterator.h:
2152         (JSC::JSMapIterator::advanceIter):
2153         (JSC::JSMapIterator::next):
2154         (JSC::JSMapIterator::nextKeyValue):
2155         (JSC::JSMapIterator::JSMapIterator):
2156         (JSC::JSMapIterator::setIterator):
2157         (JSC::JSMapIterator::finish): Deleted.
2158         (JSC::JSMapIterator::iteratorData): Deleted.
2159         * runtime/JSModuleLoader.cpp:
2160         (JSC::JSModuleLoader::finishCreation):
2161         * runtime/JSModuleLoader.h:
2162         (JSC::JSModuleLoader::create):
2163         * runtime/JSModuleRecord.cpp:
2164         (JSC::JSModuleRecord::finishCreation):
2165         * runtime/JSModuleRecord.h:
2166         (JSC::JSModuleRecord::create):
2167         * runtime/JSSet.cpp:
2168         (JSC::JSSet::destroy): Deleted.
2169         (JSC::JSSet::estimatedSize): Deleted.
2170         (JSC::JSSet::visitChildren): Deleted.
2171         (JSC::JSSet::copyBackingStore): Deleted.
2172         (JSC::JSSet::has): Deleted.
2173         (JSC::JSSet::size): Deleted.
2174         (JSC::JSSet::add): Deleted.
2175         (JSC::JSSet::clear): Deleted.
2176         (JSC::JSSet::remove): Deleted.
2177         * runtime/JSSet.h:
2178         (JSC::JSSet::createStructure):
2179         (JSC::JSSet::create):
2180         (JSC::JSSet::add):
2181         (JSC::JSSet::JSSet):
2182         (JSC::JSSet::Entry::key): Deleted.
2183         (JSC::JSSet::Entry::value): Deleted.
2184         (JSC::JSSet::Entry::visitChildren): Deleted.
2185         (JSC::JSSet::Entry::setKey): Deleted.
2186         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2187         (JSC::JSSet::Entry::setValue): Deleted.
2188         (JSC::JSSet::Entry::clear): Deleted.
2189         * runtime/JSSetIterator.cpp:
2190         (JSC::JSSetIterator::finishCreation):
2191         (JSC::JSSetIterator::visitChildren):
2192         (JSC::JSSetIterator::clone):
2193         * runtime/JSSetIterator.h:
2194         (JSC::JSSetIterator::advanceIter):
2195         (JSC::JSSetIterator::next):
2196         (JSC::JSSetIterator::JSSetIterator):
2197         (JSC::JSSetIterator::setIterator):
2198         (JSC::JSSetIterator::finish): Deleted.
2199         (JSC::JSSetIterator::iteratorData): Deleted.
2200         * runtime/JSType.h:
2201         * runtime/MapBase.cpp: Added.
2202         (JSC::MapBase<HashMapBucketType>::visitChildren):
2203         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2204         * runtime/MapBase.h: Added.
2205         (JSC::MapBase::size):
2206         (JSC::MapBase::has):
2207         (JSC::MapBase::clear):
2208         (JSC::MapBase::remove):
2209         (JSC::MapBase::findBucket):
2210         (JSC::MapBase::offsetOfHashMapImpl):
2211         (JSC::MapBase::impl):
2212         (JSC::MapBase::finishCreation):
2213         (JSC::MapBase::MapBase):
2214         * runtime/MapConstructor.cpp:
2215         (JSC::constructMap):
2216         * runtime/MapIteratorPrototype.cpp:
2217         (JSC::MapIteratorPrototypeFuncNext):
2218         * runtime/MapPrototype.cpp:
2219         (JSC::MapPrototype::finishCreation):
2220         (JSC::getMap):
2221         (JSC::privateFuncIsMap):
2222         (JSC::privateFuncMapIteratorNext):
2223         * runtime/PropertyDescriptor.cpp:
2224         (JSC::sameValue): Deleted.
2225         * runtime/PropertyDescriptor.h:
2226         * runtime/SetConstructor.cpp:
2227         (JSC::constructSet):
2228         * runtime/SetIteratorPrototype.cpp:
2229         (JSC::SetIteratorPrototypeFuncNext):
2230         * runtime/SetPrototype.cpp:
2231         (JSC::SetPrototype::finishCreation):
2232         (JSC::getSet):
2233         (JSC::privateFuncSetIteratorNext):
2234         * runtime/VM.cpp:
2235         (JSC::VM::VM):
2236         * runtime/VM.h:
2237
2238 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2239
2240         [JSC] Make ArithClz32 work with Cell arguments
2241         https://bugs.webkit.org/show_bug.cgi?id=161369
2242
2243         Reviewed by Geoffrey Garen.
2244
2245         ArithClz32 was already working with all primitive types
2246         thanks to the magic of ValueToInt32.
2247         This patch adds support for cell arguments through a function
2248         call.
2249
2250         * dfg/DFGAbstractInterpreterInlines.h:
2251         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2252         * dfg/DFGClobberize.h:
2253         (JSC::DFG::clobberize):
2254         * dfg/DFGFixupPhase.cpp:
2255         (JSC::DFG::FixupPhase::fixupNode):
2256         * dfg/DFGNodeType.h:
2257         * dfg/DFGOperations.cpp:
2258         * dfg/DFGOperations.h:
2259         * dfg/DFGSpeculativeJIT.cpp:
2260         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2261         * dfg/DFGSpeculativeJIT.h:
2262         (JSC::DFG::SpeculativeJIT::callOperation):
2263         * ftl/FTLLowerDFGToB3.cpp:
2264         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2265
2266 2016-09-06  Mark Lam  <mark.lam@apple.com>
2267
2268         Gardening: change to use old header guard to appease Win EWS.
2269
2270         Not reviewed.
2271
2272         * runtime/AuxiliaryBarrier.h:
2273
2274 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2275
2276         Unreviewed, rolling out r205494.
2277         https://bugs.webkit.org/show_bug.cgi?id=161646
2278
2279         This change broke the Windows build (Requested by ryanhaddad
2280         on #webkit).
2281
2282         Reverted changeset:
2283
2284         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2285         https://bugs.webkit.org/show_bug.cgi?id=161100
2286         http://trac.webkit.org/changeset/205494
2287
2288 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2289
2290         Unreviewed, rolling out r205504.
2291         https://bugs.webkit.org/show_bug.cgi?id=161645
2292
2293         Broke the iOS device build (Requested by ryanhaddad on
2294         #webkit).
2295
2296         Reverted changeset:
2297
2298         "Make JSMap and JSSet faster"
2299         https://bugs.webkit.org/show_bug.cgi?id=160989
2300         http://trac.webkit.org/changeset/205504
2301
2302 2016-09-06  Saam Barati  <sbarati@apple.com>
2303
2304         Make JSMap and JSSet faster
2305         https://bugs.webkit.org/show_bug.cgi?id=160989
2306
2307         Reviewed by Filip Pizlo.
2308
2309         This patch revamps how we implement Map and Set. It uses
2310         a new hash map implementation. The hash map uses linear
2311         probing and it uses Wang's 64 bit hash function for JSValues
2312         that aren't strings. Strings use StringImpl's hash function.
2313         The reason I wanted to roll our own HashTable is twofold:
2314         I didn't want to inline WTF::HashMap's implementation into our
2315         JIT, since that seems error prone and unmaintainable. Also, I wanted
2316         a different structure for hash map buckets where buckets also exist in
2317         a linked list.
2318
2319         The reason for making buckets part of a linked list is that iteration
2320         is now simple. Iteration works by just traversing a linked list.
2321         This design also allows for a simple implementation when doing iteration
2322         while the hash table is mutating. Whenever we remove a bucket from
2323         the hash table, it is removed from the list, meaning items in the
2324         list don't point to it. However, the removed bucket will still point
2325         to things that are either in the list, or have also been removed.
2326         e.g, from a removed bucket, you can always follow pointers until you
2327         either find an item in the list, or you find the tail of the list.
2328         This is a really nice property because it means that a Map or Set
2329         does not need to reason about the all the iterators that point
2330         into its list. Also, whenever we add items to the Map or Set, we
2331         hijack the tail as the new item, and make the new item point to a newly
2332         created tail. This means that any iterator that pointed to the "tail" now
2333         points to non-tail items. This makes the implementation of adding things
2334         to the Map/Set while iterating easy.
2335
2336         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2337         into intrinsics in the DFG. The IR can now reason about hash map
2338         operations and can even do CSE over Wang's hash function, hash map
2339         bucket lookups, hash map bucket loads, and testing if a key is in
2340         the hash table. This makes code patterns for Map like so, super fast
2341         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2342
2343         ```
2344         function getKeyIfPresent(map, key) {
2345             if (map.has(key))
2346                 return map.get(key);
2347         }
2348         ```
2349
2350         This patch is roughly an 8% speedup on ES6SampleBench.
2351
2352         * CMakeLists.txt:
2353         * JavaScriptCore.xcodeproj/project.pbxproj:
2354         * bytecode/SpeculatedType.cpp:
2355         (JSC::speculationFromClassInfo):
2356         * bytecode/SpeculatedType.h:
2357         * dfg/DFGAbstractInterpreterInlines.h:
2358         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2359         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2360         * dfg/DFGByteCodeParser.cpp:
2361         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2362         * dfg/DFGClobberize.h:
2363         (JSC::DFG::clobberize):
2364         * dfg/DFGDoesGC.cpp:
2365         (JSC::DFG::doesGC):
2366         * dfg/DFGEdge.h:
2367         (JSC::DFG::Edge::shift):
2368         (JSC::DFG::Edge::makeWord):
2369         * dfg/DFGFixupPhase.cpp:
2370         (JSC::DFG::FixupPhase::fixupNode):
2371         * dfg/DFGHeapLocation.cpp:
2372         (WTF::printInternal):
2373         * dfg/DFGHeapLocation.h:
2374         * dfg/DFGNode.h:
2375         (JSC::DFG::Node::hasHeapPrediction):
2376         * dfg/DFGNodeType.h:
2377         * dfg/DFGOperations.cpp:
2378         * dfg/DFGOperations.h:
2379         * dfg/DFGPredictionPropagationPhase.cpp:
2380         * dfg/DFGSafeToExecute.h:
2381         (JSC::DFG::SafeToExecuteEdge::operator()):
2382         (JSC::DFG::safeToExecute):
2383         * dfg/DFGSpeculativeJIT.cpp:
2384         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2385         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2386         (JSC::DFG::SpeculativeJIT::speculate):
2387         * dfg/DFGSpeculativeJIT.h:
2388         (JSC::DFG::SpeculativeJIT::callOperation):
2389         * dfg/DFGSpeculativeJIT32_64.cpp:
2390         (JSC::DFG::SpeculativeJIT::compile):
2391         * dfg/DFGSpeculativeJIT64.cpp:
2392         (JSC::DFG::SpeculativeJIT::compile):
2393         * dfg/DFGUseKind.cpp:
2394         (WTF::printInternal):
2395         * dfg/DFGUseKind.h:
2396         (JSC::DFG::typeFilterFor):
2397         (JSC::DFG::isCell):
2398         * ftl/FTLAbstractHeapRepository.h:
2399         * ftl/FTLCapabilities.cpp:
2400         (JSC::FTL::canCompile):
2401         * ftl/FTLLowerDFGToB3.cpp:
2402         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2403         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2404         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2405         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2406         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2407         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2408         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2409         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2410         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2411         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2412         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2413         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2414         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2415         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2416         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2417         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2418         * jit/AssemblyHelpers.cpp:
2419         (JSC::AssemblyHelpers::wangsInt64Hash):
2420         * jit/AssemblyHelpers.h:
2421         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2422         * jit/JITOperations.h:
2423         * parser/ModuleAnalyzer.cpp:
2424         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2425         * runtime/HashMapImpl.cpp: Added.
2426         (JSC::HashMapBucket<Data>::visitChildren):
2427         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2428         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2429         * runtime/HashMapImpl.h: Added.
2430         (JSC::HashMapBucket::selectStructure):
2431         (JSC::HashMapBucket::createStructure):
2432         (JSC::HashMapBucket::create):
2433         (JSC::HashMapBucket::HashMapBucket):
2434         (JSC::HashMapBucket::setNext):
2435         (JSC::HashMapBucket::setPrev):
2436         (JSC::HashMapBucket::setKey):
2437         (JSC::HashMapBucket::setValue):
2438         (JSC::HashMapBucket::key):
2439         (JSC::HashMapBucket::value):
2440         (JSC::HashMapBucket::next):
2441         (JSC::HashMapBucket::prev):
2442         (JSC::HashMapBucket::deleted):
2443         (JSC::HashMapBucket::setDeleted):
2444         (JSC::HashMapBucket::offsetOfKey):
2445         (JSC::HashMapBucket::offsetOfValue):
2446         (JSC::HashMapBuffer::allocationSize):
2447         (JSC::HashMapBuffer::buffer):
2448         (JSC::HashMapBuffer::create):
2449         (JSC::areKeysEqual):
2450         (JSC::normalizeMapKey):
2451         (JSC::jsMapHash):
2452         (JSC::HashMapImpl::selectStructure):
2453         (JSC::HashMapImpl::createStructure):
2454         (JSC::HashMapImpl::create):
2455         (JSC::HashMapImpl::HashMapImpl):
2456         (JSC::HashMapImpl::buffer):
2457         (JSC::HashMapImpl::finishCreation):
2458         (JSC::HashMapImpl::emptyValue):
2459         (JSC::HashMapImpl::isEmpty):
2460         (JSC::HashMapImpl::deletedValue):
2461         (JSC::HashMapImpl::isDeleted):
2462         (JSC::HashMapImpl::findBucket):
2463         (JSC::HashMapImpl::get):
2464         (JSC::HashMapImpl::has):
2465         (JSC::HashMapImpl::add):
2466         (JSC::HashMapImpl::remove):
2467         (JSC::HashMapImpl::size):
2468         (JSC::HashMapImpl::clear):
2469         (JSC::HashMapImpl::bufferSizeInBytes):
2470         (JSC::HashMapImpl::offsetOfBuffer):
2471         (JSC::HashMapImpl::offsetOfCapacity):
2472         (JSC::HashMapImpl::head):
2473         (JSC::HashMapImpl::tail):
2474         (JSC::HashMapImpl::approximateSize):
2475         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2476         (JSC::HashMapImpl::rehash):
2477         (JSC::HashMapImpl::makeAndSetNewBuffer):
2478         * runtime/Intrinsic.h:
2479         * runtime/JSCJSValue.h:
2480         * runtime/JSCJSValueInlines.h:
2481         (JSC::sameValue):
2482         * runtime/JSGlobalObject.cpp:
2483         (JSC::JSGlobalObject::init):
2484         * runtime/JSMap.cpp:
2485         (JSC::JSMap::destroy): Deleted.
2486         (JSC::JSMap::estimatedSize): Deleted.
2487         (JSC::JSMap::visitChildren): Deleted.
2488         (JSC::JSMap::copyBackingStore): Deleted.
2489         (JSC::JSMap::has): Deleted.
2490         (JSC::JSMap::size): Deleted.
2491         (JSC::JSMap::get): Deleted.
2492         (JSC::JSMap::set): Deleted.
2493         (JSC::JSMap::clear): Deleted.
2494         (JSC::JSMap::remove): Deleted.
2495         * runtime/JSMap.h:
2496         (JSC::JSMap::createStructure):
2497         (JSC::JSMap::create):
2498         (JSC::JSMap::get):
2499         (JSC::JSMap::set):
2500         (JSC::JSMap::JSMap):
2501         (JSC::JSMap::Entry::key): Deleted.
2502         (JSC::JSMap::Entry::value): Deleted.
2503         (JSC::JSMap::Entry::visitChildren): Deleted.
2504         (JSC::JSMap::Entry::setKey): Deleted.
2505         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2506         (JSC::JSMap::Entry::setValue): Deleted.
2507         (JSC::JSMap::Entry::clear): Deleted.
2508         * runtime/JSMapIterator.cpp:
2509         (JSC::JSMapIterator::finishCreation):
2510         (JSC::JSMapIterator::visitChildren):
2511         (JSC::JSMapIterator::clone):
2512         * runtime/JSMapIterator.h:
2513         (JSC::JSMapIterator::advanceIter):
2514         (JSC::JSMapIterator::next):
2515         (JSC::JSMapIterator::nextKeyValue):
2516         (JSC::JSMapIterator::JSMapIterator):
2517         (JSC::JSMapIterator::setIterator):
2518         (JSC::JSMapIterator::finish): Deleted.
2519         (JSC::JSMapIterator::iteratorData): Deleted.
2520         * runtime/JSModuleLoader.cpp:
2521         (JSC::JSModuleLoader::finishCreation):
2522         * runtime/JSModuleLoader.h:
2523         (JSC::JSModuleLoader::create):
2524         * runtime/JSModuleRecord.cpp:
2525         (JSC::JSModuleRecord::finishCreation):
2526         * runtime/JSModuleRecord.h:
2527         (JSC::JSModuleRecord::create):
2528         * runtime/JSSet.cpp:
2529         (JSC::JSSet::destroy): Deleted.
2530         (JSC::JSSet::estimatedSize): Deleted.
2531         (JSC::JSSet::visitChildren): Deleted.
2532         (JSC::JSSet::copyBackingStore): Deleted.
2533         (JSC::JSSet::has): Deleted.
2534         (JSC::JSSet::size): Deleted.
2535         (JSC::JSSet::add): Deleted.
2536         (JSC::JSSet::clear): Deleted.
2537         (JSC::JSSet::remove): Deleted.
2538         * runtime/JSSet.h:
2539         (JSC::JSSet::createStructure):
2540         (JSC::JSSet::create):
2541         (JSC::JSSet::add):
2542         (JSC::JSSet::JSSet):
2543         (JSC::JSSet::Entry::key): Deleted.
2544         (JSC::JSSet::Entry::value): Deleted.
2545         (JSC::JSSet::Entry::visitChildren): Deleted.
2546         (JSC::JSSet::Entry::setKey): Deleted.
2547         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2548         (JSC::JSSet::Entry::setValue): Deleted.
2549         (JSC::JSSet::Entry::clear): Deleted.
2550         * runtime/JSSetIterator.cpp:
2551         (JSC::JSSetIterator::finishCreation):
2552         (JSC::JSSetIterator::visitChildren):
2553         (JSC::JSSetIterator::clone):
2554         * runtime/JSSetIterator.h:
2555         (JSC::JSSetIterator::advanceIter):
2556         (JSC::JSSetIterator::next):
2557         (JSC::JSSetIterator::JSSetIterator):
2558         (JSC::JSSetIterator::setIterator):
2559         (JSC::JSSetIterator::finish): Deleted.
2560         (JSC::JSSetIterator::iteratorData): Deleted.
2561         * runtime/JSType.h:
2562         * runtime/MapBase.cpp: Added.
2563         (JSC::MapBase<HashMapBucketType>::visitChildren):
2564         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2565         * runtime/MapBase.h: Added.
2566         (JSC::MapBase::size):
2567         (JSC::MapBase::has):
2568         (JSC::MapBase::clear):
2569         (JSC::MapBase::remove):
2570         (JSC::MapBase::findBucket):
2571         (JSC::MapBase::offsetOfHashMapImpl):
2572         (JSC::MapBase::impl):
2573         (JSC::MapBase::finishCreation):
2574         (JSC::MapBase::MapBase):
2575         * runtime/MapConstructor.cpp:
2576         (JSC::constructMap):
2577         * runtime/MapIteratorPrototype.cpp:
2578         (JSC::MapIteratorPrototypeFuncNext):
2579         * runtime/MapPrototype.cpp:
2580         (JSC::MapPrototype::finishCreation):
2581         (JSC::getMap):
2582         (JSC::privateFuncIsMap):
2583         (JSC::privateFuncMapIteratorNext):
2584         * runtime/PropertyDescriptor.cpp:
2585         (JSC::sameValue): Deleted.
2586         * runtime/PropertyDescriptor.h:
2587         * runtime/SetConstructor.cpp:
2588         (JSC::constructSet):
2589         * runtime/SetIteratorPrototype.cpp:
2590         (JSC::SetIteratorPrototypeFuncNext):
2591         * runtime/SetPrototype.cpp:
2592         (JSC::SetPrototype::finishCreation):
2593         (JSC::getSet):
2594         (JSC::privateFuncSetIteratorNext):
2595         * runtime/VM.cpp:
2596         (JSC::VM::VM):
2597         * runtime/VM.h:
2598
2599 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2600
2601         Typed arrays should use MarkedSpace instead of CopiedSpace
2602         https://bugs.webkit.org/show_bug.cgi?id=161100
2603
2604         Reviewed by Geoffrey Garen.
2605         
2606         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2607         
2608         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2609         everything that typed arrays want.
2610
2611         * dfg/DFGOperations.cpp:
2612         (JSC::DFG::newTypedArrayWithSize):
2613         * dfg/DFGOperations.h:
2614         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2615         * dfg/DFGSpeculativeJIT.cpp:
2616         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2617         * dfg/DFGSpeculativeJIT.h:
2618         (JSC::DFG::SpeculativeJIT::callOperation):
2619         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2620         * ftl/FTLLowerDFGToB3.cpp:
2621         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2622         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2623         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2624         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2625         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2626         * heap/CopyToken.h:
2627         * heap/SlotVisitor.cpp:
2628         (JSC::SlotVisitor::markAuxiliary):
2629         * jit/JITOperations.h:
2630         * runtime/JSArrayBufferView.cpp:
2631         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2632         (JSC::JSArrayBufferView::JSArrayBufferView):
2633         * runtime/JSArrayBufferView.h:
2634         * runtime/JSGenericTypedArrayView.h:
2635         * runtime/JSGenericTypedArrayViewInlines.h:
2636         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2637         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2638         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2639         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2640
2641 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2642
2643         Silence GCC warning spam introduced in r205462
2644
2645         Rubber-stamped by Filip Pizlo.
2646
2647         * bytecode/Opcode.h:
2648         (JSC::padOpcodeName):
2649
2650 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2651
2652         Heap::isMarked() should use concurrent lazy flipping
2653         https://bugs.webkit.org/show_bug.cgi?id=161613
2654
2655         Reviewed by Michael Catanzaro.
2656         
2657         I found out about this race condition via
2658         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2659         
2660         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2661         phase. So, they need to lazy-flip in a non-racy way.
2662
2663         * heap/HeapInlines.h:
2664         (JSC::Heap::isLive):
2665         (JSC::Heap::isMarked):
2666
2667 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2668
2669         Unreviewed, reset generator test results after the butterflies.
2670
2671         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2672         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2673         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2674         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2675         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2676         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2677         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2678         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2679         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2680         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2681         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2682         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2683         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2684         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2685
2686 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2687
2688         Unreviewed, fix cloop build.
2689
2690         * bytecode/SuperSampler.cpp:
2691
2692 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2693
2694         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2695         https://bugs.webkit.org/show_bug.cgi?id=160125
2696
2697         Reviewed by Geoffrey Garen and Keith Miller.
2698
2699         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2700         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2701         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2702         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2703         to get rid of copied space. This change moves copied space's biggest client over to marked
2704         space.
2705         
2706         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2707         allocation path. This is a fairly mechanical change, but it caused performance regressions
2708         everywhere, so this change also fixes MarkedSpace's performance issues.
2709         
2710         At a high level the mechanical changes are:
2711         
2712         - We use AuxiliaryBarrier instead of CopyBarrier.
2713         
2714         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2715           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2716         
2717         - The JITs have to emit inlined marked space allocations instead of inline copy space
2718           allocations.
2719         
2720         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2721           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2722           space doesn't.
2723         
2724         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2725         optimizations that amounted to a major MarkedSpace rewrite:
2726         
2727         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2728           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2729           size class. I got around this by making array allocations usually round up vectorLength to
2730           the maximum allowed by the size class that we would have allocated in. Also,
2731           ensureLengthSlow() and friends first make sure that the requested length can't just be
2732           fulfilled with the current allocation size. This safeguard means that not every array
2733           allocation has to do size class queries. For example, the fast path of new Array(length)
2734           never does any size class queries, under the assumption that (1) the speed gained from
2735           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2736           size class query, is too small to offset the speed lost by doing the query on every
2737           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2738           likely.
2739         
2740         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2741           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2742           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2743           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2744           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2745           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2746           size (80 bytes), we proceed using a geometric progression, but round up each size to
2747           minimize slop at the end of the block. This naturally causes the geometric progression to
2748           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2749           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2750         
2751         - Large allocations caused massive internal fragmentation, since the smallest large
2752           allocation had to use exactly blockSize, and the largest small allocation used
2753           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2754           also had 50% internal fragmentation. This is because we required large allocations to be
2755           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2756           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2757           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2758           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2759           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2760           out great since (1) typed arrays won't use large allocations anyway since they have their
2761           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2762           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2763           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2764           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2765           must be small allocations. It's also possible to use template tricks to do one check for
2766           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2767           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2768           that get used from functions that are template-specialized like this. That's mostly to
2769           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2770           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2771           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2772           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2773           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2774           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2775           that the MarkedBlock size classes end up being:
2776           
2777           16, 32, 48, 64, 80, 112, 160, 224, 320
2778           
2779           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2780           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2781           size classes you end up with by doing --dumpSizeClasses=true.
2782         
2783         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2784           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2785           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2786           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2787           side, for better locality during a sequential walk. It's no longer necessary to scan
2788           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2789           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2790           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2791           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2792           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2793           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2794           together, these optimizations allowed me to reduce block size to 16KB without losing much
2795           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2796           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2797           progression on membuster. That's not possible yet, since there is still enough per-block
2798           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2799           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2800         
2801         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2802           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2803           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2804           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2805           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2806           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2807           that we walk the block to build a free list. This means walking dead space. The new
2808           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2809           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2810           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2811           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2812           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2813           is completely empty, which is the common case because of the generational hypothesis: the
2814           number of objects that survive an eden collection is a tiny fraction of the number of
2815           objects that had been allocated, and this fraction is so small that there are typically
2816           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2817           win over tip-of-tree.
2818         
2819         - FTL now shares the same allocation fast paths as everything else, which is great, because
2820           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2821           control flow, since it won't be able to improve the machine code we write ourselves. GC
2822           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2823           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2824           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2825           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2826           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2827           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2828           variable-length allocation but then realize that the length is known). I think it makes
2829           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2830           since this makes lowering easier (you can constant fold during lowering more easily) and it
2831           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2832           constant-fold this code. That would require allowing loads to be constant-folded, which is
2833           doable but hella tricky.
2834         
2835         - It used to be that if a logical object allocation required two physical allocations (first
2836           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2837           failure in the second fast path would cause us to forget the successful first physical
2838           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2839           register to storing either the butterfly or null, because the butterfly register is anyway
2840           going to be free inside the first allocation. The only overhead here is zeroing the
2841           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2842           path, which can then either allocate a butterfly or not. So now we never waste a successful
2843           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2844           since we control registers already) and in FTL (where it's annoying, because mutable
2845           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2846           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2847           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2848           benchmark would always allocate N small things followed by one bigger thing. The problem
2849           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2850           the JSObject size class, which both the small and big thing shared for their cell, could
2851           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2852           it allocated the big thing. So, it would end up having to allocate the big thing's large
2853           butterfly twice, every single time! Ouch!
2854         
2855         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2856           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2857           of the allocator to initialize the object to whatever state they need. It used to be that
2858           we would just use a dumb loop. I initially changed this so that we would end up in memset
2859           for large allocations, but this didn't actually help performance that much. I got a much
2860           better result by playing with different memsets written in assembly. First I wrote one
2861           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2862           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2863           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2864           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2865           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2866           of stores (if the size is known), but those paths in the JIT won't trigger for
2867           NewArrayWithSize() if the size is large, since that takes us to the
2868           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2869           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2870           that need to be filled with holes.
2871         
2872         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2873         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2874         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2875         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2876         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2877         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2878         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2879         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2880         marking barrier and we simply won't need a copying barrier. This change gets us there for
2881         the purposes of our benchmarks, since the remaining clients of copied space are not very
2882         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2883         adding back the copy barrier, which costs more perf.
2884         
2885         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2886         typed arrays and a few other weird things over to Aux MarkedSpace.
2887         
2888         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2889         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2890         just including JSCInlines.h (instead of manually including the files that includes) is
2891         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2892         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2893         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2894         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2895         meant having to manually include HeapInlines.h from the places that previously got it
2896         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2897         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2898         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2899         made it impossible to include it from outside JSC. This was a lot of work, but it was
2900         necessary to get the patch to build on all ports. It's also a net win. There were many places
2901         in WebCore that were transitively including a *ton* of JSC headers just because of the
2902         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2903         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2904
2905         * API/JSManagedValue.mm:
2906         (-[JSManagedValue initWithValue:]):
2907         * API/JSTypedArray.cpp:
2908         * API/ObjCCallbackFunction.mm:
2909         * API/tests/testapi.mm:
2910         (testObjectiveCAPI):
2911         (testWeakValue): Deleted.
2912         * CMakeLists.txt:
2913         * JavaScriptCore.xcodeproj/project.pbxproj:
2914         * Scripts/builtins/builtins_generate_combined_implementation.py:
2915         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2916         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2917         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2918         * Scripts/builtins/builtins_generate_separate_implementation.py:
2919         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2920         * assembler/AbstractMacroAssembler.h:
2921         (JSC::AbstractMacroAssembler::JumpList::link):
2922         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2923         * assembler/MacroAssembler.h:
2924         * assembler/MacroAssemblerARM64.h:
2925         (JSC::MacroAssemblerARM64::add32):
2926         * assembler/MacroAssemblerCodeRef.cpp: Added.
2927         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2928         (JSC::MacroAssemblerCodePtr::dumpWithName):
2929         (JSC::MacroAssemblerCodePtr::dump):
2930         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2931         (JSC::MacroAssemblerCodeRef::dump):
2932         * assembler/MacroAssemblerCodeRef.h:
2933         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2934         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2935         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2936         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2937         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2938         * b3/B3BasicBlock.cpp:
2939         (JSC::B3::BasicBlock::appendBoolConstant):
2940         * b3/B3BasicBlock.h:
2941         * b3/B3DuplicateTails.cpp:
2942         * b3/B3StackmapGenerationParams.h:
2943         * b3/testb3.cpp:
2944         (JSC::B3::testPatchpointTerminalReturnValue):
2945         (JSC::B3::run):
2946         * bindings/ScriptValue.cpp:
2947         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2948         * bytecode/BytecodeBasicBlock.cpp:
2949         * bytecode/BytecodeLivenessAnalysis.cpp:
2950         * bytecode/BytecodeUseDef.h:
2951         * bytecode/CallLinkInfo.cpp:
2952         (JSC::CallLinkInfo::callTypeFor):
2953         * bytecode/CallLinkInfo.h:
2954         (JSC::CallLinkInfo::callTypeFor): Deleted.
2955         * bytecode/CallLinkStatus.cpp:
2956         * bytecode/CodeBlock.cpp:
2957         (JSC::CodeBlock::finishCreation):
2958         (JSC::CodeBlock::clearLLIntGetByIdCache):
2959         (JSC::CodeBlock::predictedMachineCodeSize):
2960         * bytecode/CodeBlock.h:
2961         (JSC::CodeBlock::jitCodeMap): Deleted.
2962         (JSC::clearLLIntGetByIdCache): Deleted.
2963         * bytecode/ExecutionCounter.h:
2964         * bytecode/Instruction.h:
2965         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2966         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2967         * bytecode/ObjectAllocationProfile.h:
2968         (JSC::ObjectAllocationProfile::isNull):
2969         (JSC::ObjectAllocationProfile::initialize):
2970         * bytecode/Opcode.h:
2971         (JSC::padOpcodeName):
2972         * bytecode/PolymorphicAccess.cpp:
2973         (JSC::AccessCase::generateImpl):
2974         (JSC::PolymorphicAccess::regenerate):
2975         * bytecode/PolymorphicAccess.h:
2976         * bytecode/PreciseJumpTargets.cpp:
2977         * bytecode/StructureStubInfo.cpp:
2978         * bytecode/StructureStubInfo.h:
2979         * bytecode/UnlinkedCodeBlock.cpp:
2980         (JSC::UnlinkedCodeBlock::vm): Deleted.
2981         * bytecode/UnlinkedCodeBlock.h:
2982         * bytecode/UnlinkedInstructionStream.cpp:
2983         * bytecode/UnlinkedInstructionStream.h:
2984         * dfg/DFGOperations.cpp:
2985         * dfg/DFGSpeculativeJIT.cpp:
2986         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2987         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2988         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2989         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2990         * dfg/DFGSpeculativeJIT.h:
2991         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2992         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2993         * dfg/DFGSpeculativeJIT32_64.cpp:
2994         (JSC::DFG::SpeculativeJIT::compile):
2995         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2996         * dfg/DFGSpeculativeJIT64.cpp:
2997         (JSC::DFG::SpeculativeJIT::compile):
2998         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2999         * dfg/DFGStrengthReductionPhase.cpp:
3000         (JSC::DFG::StrengthReductionPhase::handleNode):
3001         * ftl/FTLAbstractHeapRepository.h:
3002         * ftl/FTLCompile.cpp:
3003         * ftl/FTLJITFinalizer.cpp:
3004         * ftl/FTLLowerDFGToB3.cpp:
3005         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3006         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3007         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
3008         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3009         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3010         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3011         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3012         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3013         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3014         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3015         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3016         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3017         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3018         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3019         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
3020         * ftl/FTLOutput.cpp:
3021         (JSC::FTL::Output::constBool):
3022         (JSC::FTL::Output::add):
3023         (JSC::FTL::Output::shl):
3024         (JSC::FTL::Output::aShr):
3025         (JSC::FTL::Output::lShr):
3026         (JSC::FTL::Output::zeroExt):
3027         (JSC::FTL::Output::equal):
3028         (JSC::FTL::Output::notEqual):
3029         (JSC::FTL::Output::above):
3030         (JSC::FTL::Output::aboveOrEqual):
3031         (JSC::FTL::Output::below):
3032         (JSC::FTL::Output::belowOrEqual):
3033         (JSC::FTL::Output::greaterThan):
3034         (JSC::FTL::Output::greaterThanOrEqual):
3035         (JSC::FTL::Output::lessThan):
3036         (JSC::FTL::Output::lessThanOrEqual):
3037         (JSC::FTL::Output::select):
3038         (JSC::FTL::Output::appendSuccessor):
3039         (JSC::FTL::Output::addIncomingToPhi):
3040         * ftl/FTLOutput.h:
3041         * ftl/FTLValueFromBlock.h:
3042         (JSC::FTL::ValueFromBlock::operator bool):
3043         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
3044         * ftl/FTLWeightedTarget.h:
3045         (JSC::FTL::WeightedTarget::frequentedBlock):
3046         * heap/CellContainer.h: Added.
3047         (JSC::CellContainer::CellContainer):
3048         (JSC::CellContainer::operator bool):
3049         (JSC::CellContainer::isMarkedBlock):
3050         (JSC::CellContainer::isLargeAllocation):
3051         (JSC::CellContainer::markedBlock):
3052         (JSC::CellContainer::largeAllocation):
3053         * heap/CellContainerInlines.h: Added.
3054         (JSC::CellContainer::isMarked):
3055         (JSC::CellContainer::isMarkedOrNewlyAllocated):
3056         (JSC::CellContainer::noteMarked):
3057         (JSC::CellContainer::cellSize):
3058         (JSC::CellContainer::weakSet):
3059         (JSC::CellContainer::flipIfNecessary):
3060         * heap/ConservativeRoots.cpp:
3061         (JSC::ConservativeRoots::ConservativeRoots):
3062         (JSC::ConservativeRoots::~ConservativeRoots):
3063         (JSC::ConservativeRoots::grow):
3064         (JSC::ConservativeRoots::genericAddPointer):
3065         (JSC::ConservativeRoots::genericAddSpan):
3066         * heap/ConservativeRoots.h:
3067         (JSC::ConservativeRoots::roots):
3068         * heap/CopyToken.h:
3069         * heap/FreeList.cpp: Added.
3070         (JSC::FreeList::dump):
3071         * heap/FreeList.h: Added.
3072         (JSC::FreeList::FreeList):
3073         (JSC::FreeList::list):
3074         (JSC::FreeList::bump):
3075         (JSC::FreeList::operator==):
3076         (JSC::FreeList::operator!=):
3077         (JSC::FreeList::operator bool):
3078         (JSC::FreeList::allocationWillFail):
3079         (JSC::FreeList::allocationWillSucceed):
3080         * heap/GCTypeMap.h: Added.
3081         (JSC::GCTypeMap::operator[]):
3082         * heap/Heap.cpp:
3083         (JSC::Heap::Heap):
3084         (JSC::Heap::lastChanceToFinalize):
3085         (JSC::Heap::finalizeUnconditionalFinalizers):
3086         (JSC::Heap::markRoots):
3087         (JSC::Heap::copyBackingStores):
3088         (JSC::Heap::gatherStackRoots):
3089         (JSC::Heap::gatherJSStackRoots):
3090         (JSC::Heap::gatherScratchBufferRoots):
3091         (JSC::Heap::clearLivenessData):
3092         (JSC::Heap::visitSmallStrings):
3093         (JSC::Heap::visitConservativeRoots):
3094         (JSC::Heap::removeDeadCompilerWorklistEntries):
3095         (JSC::Heap::gatherExtraHeapSnapshotData):
3096         (JSC::Heap::removeDeadHeapSnapshotNodes):
3097         (JSC::Heap::visitProtectedObjects):
3098         (JSC::Heap::visitArgumentBuffers):
3099         (JSC::Heap::visitException):
3100         (JSC::Heap::visitStrongHandles):
3101         (JSC::Heap::visitHandleStack):
3102         (JSC::Heap::visitSamplingProfiler):
3103         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3104         (JSC::Heap::converge):
3105         (JSC::Heap::visitWeakHandles):
3106         (JSC::Heap::updateObjectCounts):
3107         (JSC::Heap::clearUnmarkedExecutables):
3108         (JSC::Heap::deleteUnmarkedCompiledCode):
3109         (JSC::Heap::collectAllGarbage):
3110         (JSC::Heap::collect):
3111         (JSC::Heap::collectWithoutAnySweep):
3112         (JSC::Heap::collectImpl):
3113         (JSC::Heap::suspendCompilerThreads):
3114         (JSC::Heap::willStartCollection):
3115         (JSC::Heap::flushOldStructureIDTables):
3116         (JSC::Heap::flushWriteBarrierBuffer):
3117         (JSC::Heap::stopAllocation):
3118         (JSC::Heap::prepareForMarking):
3119         (JSC::Heap::reapWeakHandles):
3120         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3121         (JSC::Heap::sweepArrayBuffers):
3122         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3123         (JSC::MarkedBlockSnapshotFunctor::operator()):
3124         (JSC::Heap::snapshotMarkedSpace):
3125         (JSC::Heap::deleteSourceProviderCaches):
3126         (JSC::Heap::notifyIncrementalSweeper):
3127         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3128         (JSC::Heap::resetAllocators):
3129         (JSC::Heap::updateAllocationLimits):
3130         (JSC::Heap::didFinishCollection):
3131         (JSC::Heap::resumeCompilerThreads):
3132         (JSC::Zombify::visit):
3133         (JSC::Heap::forEachCodeBlockImpl):
3134         * heap/Heap.h:
3135         (JSC::Heap::allocatorForObjectWithoutDestructor):
3136         (JSC::Heap::allocatorForObjectWithDestructor):
3137         (JSC::Heap::allocatorForAuxiliaryData):
3138         (JSC::Heap::jitStubRoutines):
3139         (JSC::Heap::codeBlockSet):
3140         (JSC::Heap::storageAllocator): Deleted.
3141         * heap/HeapCell.h:
3142         (JSC::HeapCell::isZapped): Deleted.
3143         * heap/HeapCellInlines.h: Added.
3144         (JSC::HeapCell::isLargeAllocation):
3145         (JSC::HeapCell::cellContainer):
3146         (JSC::HeapCell::markedBlock):
3147         (JSC::HeapCell::largeAllocation):
3148         (JSC::HeapCell::heap):
3149         (JSC::HeapCell::vm):
3150         (JSC::HeapCell::cellSize):
3151         (JSC::HeapCell::allocatorAttributes):
3152         (JSC::HeapCell::destructionMode):
3153         (JSC::HeapCell::cellKind):
3154         * heap/HeapInlines.h:
3155         (JSC::Heap::heap):
3156         (JSC::Heap::isLive):
3157         (JSC::Heap::isMarked):
3158         (JSC::Heap::testAndSetMarked):
3159         (JSC::Heap::setMarked):
3160         (JSC::Heap::cellSize):
3161         (JSC::Heap::forEachCodeBlock):
3162         (JSC::Heap::allocateObjectOfType):
3163         (JSC::Heap::subspaceForObjectOfType):
3164         (JSC::Heap::allocatorForObjectOfType):
3165         (JSC::Heap::allocateAuxiliary):
3166         (JSC::Heap::tryAllocateAuxiliary):
3167         (JSC::Heap::tryReallocateAuxiliary):
3168         (JSC::Heap::isPointerGCObject): Deleted.
3169         (JSC::Heap::isValueGCObject): Deleted.
3170         * heap/HeapOperation.cpp: Added.
3171         (WTF::printInternal):
3172         * heap/HeapOperation.h:
3173         * heap/HeapUtil.h: Added.
3174         (JSC::HeapUtil::findGCObjectPointersForMarking):
3175         (JSC::HeapUtil::isPointerGCObjectJSCell):
3176         (JSC::HeapUtil::isValueGCObject):
3177         * heap/IncrementalSweeper.cpp:
3178         (JSC::IncrementalSweeper::sweepNextBlock):
3179         * heap/IncrementalSweeper.h:
3180         * heap/LargeAllocation.cpp: Added.
3181         (JSC::LargeAllocation::tryCreate):
3182         (JSC::LargeAllocation::LargeAllocation):
3183         (JSC::LargeAllocation::lastChanceToFinalize):
3184         (JSC::LargeAllocation::shrink):
3185         (JSC::LargeAllocation::visitWeakSet):
3186         (JSC::LargeAllocation::reapWeakSet):
3187         (JSC::LargeAllocation::flip):
3188         (JSC::LargeAllocation::isEmpty):
3189         (JSC::LargeAllocation::sweep):
3190         (JSC::LargeAllocation::destroy):
3191         (JSC::LargeAllocation::dump):
3192         * heap/LargeAllocation.h: Added.
3193         (JSC::LargeAllocation::fromCell):
3194         (JSC::LargeAllocation::cell):
3195         (JSC::LargeAllocation::isLargeAllocation):
3196         (JSC::LargeAllocation::heap):
3197         (JSC::LargeAllocation::vm):
3198         (JSC::LargeAllocation::weakSet):
3199         (JSC::LargeAllocation::clearNewlyAllocated):
3200         (JSC::LargeAllocation::isNewlyAllocated):
3201         (JSC::LargeAllocation::isMarked):
3202         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3203         (JSC::LargeAllocation::isLive):
3204         (JSC::LargeAllocation::hasValidCell):
3205         (JSC::LargeAllocation::cellSize):
3206         (JSC::LargeAllocation::aboveLowerBound):
3207         (JSC::LargeAllocation::belowUpperBound):
3208         (JSC::LargeAllocation::contains):
3209         (JSC::LargeAllocation::attributes):
3210         (JSC::LargeAllocation::flipIfNecessary):
3211         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
3212         (JSC::LargeAllocation::testAndSetMarked):
3213         (JSC::LargeAllocation::setMarked):
3214         (JSC::LargeAllocation::clearMarked):
3215         (JSC::LargeAllocation::noteMarked):
3216         (JSC::LargeAllocation::headerSize):
3217         * heap/MarkedAllocator.cpp:
3218         (JSC::MarkedAllocator::MarkedAllocator):
3219         (JSC::MarkedAllocator::isPagedOut):
3220         (JSC::MarkedAllocator::retire):
3221         (JSC::MarkedAllocator::filterNextBlock):
3222         (JSC::MarkedAllocator::setNextBlockToSweep):
3223         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3224         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3225         (JSC::MarkedAllocator::allocateSlowCase):
3226         (JSC::MarkedAllocator::tryAllocateSlowCase):
3227         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3228         (JSC::blockHeaderSize):
3229         (JSC::MarkedAllocator::blockSizeForBytes):
3230         (JSC::MarkedAllocator::tryAllocateBlock):
3231         (JSC::MarkedAllocator::addBlock):
3232         (JSC::MarkedAllocator::removeBlock):
3233         (JSC::MarkedAllocator::stopAllocating):
3234         (JSC::MarkedAllocator::reset):
3235         (JSC::MarkedAllocator::lastChanceToFinalize):
3236         (JSC::MarkedAllocator::setFreeList):
3237         (JSC::isListPagedOut): Deleted.
3238         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3239         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3240         (JSC::MarkedAllocator::tryAllocate): Deleted.
3241         (JSC::MarkedAllocator::allocateBlock): Deleted.
3242         * heap/MarkedAllocator.h:
3243         (JSC::MarkedAllocator::takeLastActiveBlock):
3244         (JSC::MarkedAllocator::offsetOfFreeList):
3245         (JSC::MarkedAllocator::offsetOfCellSize):
3246         (JSC::MarkedAllocator::tryAllocate):
3247         (JSC::MarkedAllocator::allocate):
3248         (JSC::MarkedAllocator::forEachBlock):
3249         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3250         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3251         (JSC::MarkedAllocator::init): Deleted.
3252         (JSC::MarkedAllocator::stopAllocating): Deleted.
3253         * heap/MarkedBlock.cpp:
3254         (JSC::MarkedBlock::tryCreate):
3255         (JSC::MarkedBlock::Handle::Handle):
3256         (JSC::MarkedBlock::Handle::~Handle):
3257         (JSC::MarkedBlock::MarkedBlock):
3258         (JSC::MarkedBlock::Handle::specializedSweep):
3259         (JSC::MarkedBlock::Handle::sweep):
3260         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
3261         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
3262         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
3263         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3264         (JSC::SetNewlyAllocatedFunctor::operator()):
3265         (JSC::MarkedBlock::Handle::stopAllocating):
3266         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3267         (JSC::MarkedBlock::Handle::resumeAllocating):
3268         (JSC::MarkedBlock::Handle::zap):
3269         (JSC::MarkedBlock::Handle::forEachFreeCell):
3270         (JSC::MarkedBlock::flipIfNecessary):
3271         (JSC::MarkedBlock::Handle::flipIfNecessary):
3272         (JSC::MarkedBlock::flipIfNecessarySlow):
3273         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
3274         (JSC::MarkedBlock::clearMarks):
3275         (JSC::MarkedBlock::assertFlipped):
3276         (JSC::MarkedBlock::needsFlip):
3277         (JSC::MarkedBlock::Handle::needsFlip):
3278         (JSC::MarkedBlock::Handle::willRemoveBlock):
3279         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3280         (JSC::MarkedBlock::markCount):
3281         (JSC::MarkedBlock::Handle::isEmpty):
3282         (JSC::MarkedBlock::clearHasAnyMarked):
3283         (JSC::MarkedBlock::noteMarkedSlow):
3284         (WTF::printInternal):
3285         (JSC::MarkedBlock::create): Deleted.
3286         (JSC::MarkedBlock::destroy): Deleted.
3287         (JSC::MarkedBlock::callDestructor): Deleted.
3288         (JSC::MarkedBlock::specializedSweep): Deleted.
3289         (JSC::MarkedBlock::sweep): Deleted.
3290         (JSC::MarkedBlock::sweepHelper): Deleted.
3291         (JSC::MarkedBlock::stopAllocating): Deleted.
3292         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
3293         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
3294         (JSC::MarkedBlock::resumeAllocating): Deleted.
3295         (JSC::MarkedBlock::didRetireBlock): Deleted.
3296         * heap/MarkedBlock.h:
3297         (JSC::MarkedBlock::VoidFunctor::returnValue):
3298         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3299         (JSC::MarkedBlock::CountFunctor::count):
3300         (JSC::MarkedBlock::CountFunctor::returnValue):
3301         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
3302         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
3303         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
3304         (JSC::MarkedBlock::Handle::state):
3305         (JSC::MarkedBlock::needsDestruction):
3306         (JSC::MarkedBlock::handle):
3307         (JSC::MarkedBlock::Handle::block):
3308         (JSC::MarkedBlock::firstAtom):
3309         (JSC::MarkedBlock::atoms):
3310         (JSC::MarkedBlock::isAtomAligned):
3311         (JSC::MarkedBlock::Handle::cellAlign):
3312         (JSC::MarkedBlock::blockFor):
3313         (JSC::MarkedBlock::Handle::allocator):
3314         (JSC::MarkedBlock::Handle::heap):
3315         (JSC::MarkedBlock::Handle::vm):
3316         (JSC::MarkedBlock::vm):
3317         (JSC::MarkedBlock::Handle::weakSet):
3318         (JSC::MarkedBlock::weakSet):
3319         (JSC::MarkedBlock::Handle::shrink):
3320         (JSC::MarkedBlock::Handle::visitWeakSet):
3321         (JSC::MarkedBlock::Handle::reapWeakSet):
3322         (JSC::MarkedBlock::Handle::cellSize):
3323         (JSC::MarkedBlock::cellSize):
3324         (JSC::MarkedBlock::Handle::attributes):
3325         (JSC::MarkedBlock::attributes):
3326         (JSC::MarkedBlock::Handle::needsDestruction):
3327         (JSC::MarkedBlock::Handle::destruction):
3328         (JSC::MarkedBlock::Handle::cellKind):
3329         (JSC::MarkedBlock::Handle::markCount):
3330         (JSC::MarkedBlock::Handle::size):
3331         (JSC::MarkedBlock::atomNumber):
3332         (JSC::MarkedBlock::flipIfNecessary):
3333         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
3334         (JSC::MarkedBlock::Handle::flipIfNecessary):
3335         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
3336         (JSC::MarkedBlock::Handle::flipForEdenCollection):
3337         (JSC::MarkedBlock::assertFlipped):
3338         (JSC::MarkedBlock::Handle::assertFlipped):
3339         (JSC::MarkedBlock::isMarked):
3340         (JSC::MarkedBlock::testAndSetMarked):
3341         (JSC::MarkedBlock::Handle::isNewlyAllocated):
3342         (JSC::MarkedBlock::Handle::setNewlyAllocated):
3343         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
3344         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
3345         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3346         (JSC::MarkedBlock::Handle::isLive):
3347         (JSC::MarkedBlock::isAtom):
3348         (JSC::MarkedBlock::Handle::isLiveCell):
3349         (JSC::MarkedBlock::Handle::forEachCell):
3350         (JSC::MarkedBlock::Handle::forEachLiveCell):
3351         (JSC::MarkedBlock::Handle::forEachDeadCell):
3352         (JSC::MarkedBlock::Handle::needsSweeping):
3353         (JSC::MarkedBlock::Handle::isAllocated):
3354         (JSC::MarkedBlock::Handle::isMarked):
3355         (JSC::MarkedBlock::Handle::isFreeListed):
3356         (JSC::MarkedBlock::hasAnyMarked):
3357         (JSC::MarkedBlock::noteMarked):
3358         (WTF::MarkedBlockHash::hash):
3359         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
3360         (JSC::MarkedBlock::allocator): Deleted.
3361         (JSC::MarkedBlock::heap): Deleted.
3362         (JSC::MarkedBlock::shrink): Deleted.
3363         (JSC::MarkedBlock::visitWeakSet): Deleted.
3364         (JSC::MarkedBlock::reapWeakSet): Deleted.
3365         (JSC::MarkedBlock::willRemoveBlock): Deleted.
3366         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
3367         (JSC::MarkedBlock::markCount): Deleted.
3368         (JSC::MarkedBlock::isEmpty): Deleted.
3369         (JSC::MarkedBlock::destruction): Deleted.
3370         (JSC::MarkedBlock::cellKind): Deleted.
3371         (JSC::MarkedBlock::size): Deleted.
3372         (JSC::MarkedBlock::capacity): Deleted.
3373         (JSC::MarkedBlock::setMarked): Deleted.
3374         (JSC::MarkedBlock::clearMarked): Deleted.
3375         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
3376         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
3377         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
3378         (JSC::MarkedBlock::isLive): Deleted.
3379         (JSC::MarkedBlock::isLiveCell): Deleted.
3380         (JSC::MarkedBlock::forEachCell): Deleted.
3381         (JSC::MarkedBlock::forEachLiveCell): Deleted.
3382         (JSC::MarkedBlock::forEachDeadCell): Deleted.
3383         (JSC::MarkedBlock::needsSweeping): Deleted.
3384         (JSC::MarkedBlock::isAllocated): Deleted.
3385         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
3386         * heap/MarkedSpace.cpp:
3387         (JSC::MarkedSpace::initializeSizeClassForStepSize):
3388         (JSC::MarkedSpace::MarkedSpace):
3389         (JSC::MarkedSpace::~MarkedSpace):
3390         (JSC::MarkedSpace::lastChanceToFinalize):
3391         (JSC::MarkedSpace::allocate):
3392         (JSC::MarkedSpace::tryAllocate):
3393         (JSC::MarkedSpace::allocateLarge):
3394         (JSC::MarkedSpace::tryAllocateLarge):
3395         (JSC::MarkedSpace::sweep):
3396         (JSC::MarkedSpace::sweepLargeAllocations):
3397         (JSC::MarkedSpace::zombifySweep):
3398         (JSC::MarkedSpace::resetAllocators):
3399         (JSC::MarkedSpace::visitWeakSets):
3400         (JSC::MarkedSpace::reapWeakSets):
3401         (JSC::MarkedSpace::stopAllocating):
3402         (JSC::MarkedSpace::prepareForMarking):
3403         (JSC::MarkedSpace::resumeAllocating):
3404         (JSC::MarkedSpace::isPagedOut):
3405         (JSC::MarkedSpace::freeBlock):
3406         (JSC::MarkedSpace::freeOrShrinkBlock):
3407         (JSC::MarkedSpace::shrink):
3408         (JSC::MarkedSpace::clearNewlyAllocated):
3409         (JSC::VerifyMarked::operator()):
3410         (JSC::MarkedSpace::flip):
3411         (JSC::MarkedSpace::objectCount):
3412         (JSC::MarkedSpace::size):
3413         (JSC::MarkedSpace::capacity):
3414         (JSC::MarkedSpace::addActiveWeakSet):
3415         (JSC::MarkedSpace::didAddBlock):
3416         (JSC::MarkedSpace::didAllocateInBlock):
3417         (JSC::MarkedSpace::forEachAllocator): Deleted.
3418         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
3419         (JSC::MarkedSpace::clearMarks): Deleted.
3420         * heap/MarkedSpace.h:
3421         (JSC::MarkedSpace::sizeClassToIndex):
3422         (JSC::MarkedSpace::indexToSizeClass):
3423         (JSC::MarkedSpace::version):
3424         (JSC::MarkedSpace::blocksWithNewObjects):
3425         (JSC::MarkedSpace::largeAllocations):
3426         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3427         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3428         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3429         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3430         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3431         (JSC::MarkedSpace::forEachLiveCell):
3432         (JSC::MarkedSpace::forEachDeadCell):
3433         (JSC::MarkedSpace::allocatorFor):
3434         (JSC::MarkedSpace::destructorAllocatorFor):
3435         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3436         (JSC::MarkedSpace::allocateWithoutDestructor):
3437         (JSC::MarkedSpace::allocateWithDestructor):
3438         (JSC::MarkedSpace::allocateAuxiliary):
3439         (JSC::MarkedSpace::tryAllocateAuxiliary):
3440         (JSC::MarkedSpace::forEachBlock):
3441         (JSC::MarkedSpace::forEachAllocator):
3442         (JSC::MarkedSpace::optimalSizeFor):
3443         (JSC::MarkedSpace::didAddBlock): Deleted.
3444         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
3445         (JSC::MarkedSpace::objectCount): Deleted.
3446         (JSC::MarkedSpace::size): Deleted.
3447         (JSC::MarkedSpace::capacity): Deleted.
3448         * heap/SlotVisitor.cpp:
3449         (JSC::SlotVisitor::SlotVisitor):
3450         (JSC::SlotVisitor::didStartMarking):
3451         (JSC::SlotVisitor::reset):
3452         (JSC::SlotVisitor::append):
3453         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3454         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3455         (JSC::SlotVisitor::appendToMarkStack):
3456         (JSC::SlotVisitor::markAuxiliary):
3457         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3458         (JSC::SlotVisitor::visitChildren):
3459         * heap/SlotVisitor.h:
3460         * heap/WeakBlock.cpp:
3461         (JSC::WeakBlock::create):
3462         (JSC::WeakBlock::WeakBlock):
3463         (JSC::WeakBlock::visit):
3464         (JSC::WeakBlock::reap):
3465         * heap/WeakBlock.h:
3466         (JSC::WeakBlock::disconnectContainer):
3467         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3468         * heap/WeakSet.cpp:
3469         (JSC::WeakSet::~WeakSet):
3470         (JSC::WeakSet::sweep):
3471         (JSC::WeakSet::shrink):
3472         (JSC::WeakSet::addAllocator):
3473         * heap/WeakSet.h:
3474         (JSC::WeakSet::container):
3475         (JSC::WeakSet::setContainer):
3476         (JSC::WeakSet::WeakSet):
3477         (JSC::WeakSet::visit):
3478         (JSC::WeakSet::shrink): Deleted.
3479         * heap/WeakSetInlines.h:
3480         (JSC::WeakSet::allocate):
3481         * inspector/InjectedScriptManager.cpp:
3482         * inspector/JSGlobalObjectInspectorController.cpp:
3483         * inspector/JSJavaScriptCallFrame.cpp:
3484         * inspector/ScriptDebugServer.cpp:
3485         * inspector/agents/InspectorDebuggerAgent.cpp:
3486         * interpreter/CachedCall.h:
3487         (JSC::CachedCall::CachedCall):
3488         * interpreter/Interpreter.cpp:
3489         (JSC::loadVarargs):
3490         (JSC::StackFrame::sourceID): Deleted.
3491         (JSC::StackFrame::sourceURL): Deleted.
3492         (JSC::StackFrame::functionName): Deleted.
3493         (JSC::StackFrame::computeLineAndColumn): Deleted.
3494         (JSC::StackFrame::toString): Deleted.
3495         * interpreter/Interpreter.h:
3496         (JSC::StackFrame::isNative): Deleted.
3497         * jit/AssemblyHelpers.h:
3498         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3499         (JSC::AssemblyHelpers::emitAllocate):
3500         (JSC::AssemblyHelpers::emitAllocateJSCell):
3501         (JSC::AssemblyHelpers::emitAllocateJSObject):
3502         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3503         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3504         * jit/GCAwareJITStubRoutine.cpp:
3505         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3506         * jit/JIT.cpp:
3507         (JSC::JIT::compileCTINativeCall):
3508         (JSC::JIT::link):
3509         * jit/JIT.h:
3510         (JSC::JIT::compileCTINativeCall): Deleted.
3511         * jit/JITExceptions.cpp:
3512         (JSC::genericUnwind):
3513         * jit/JITExceptions.h:
3514         * jit/JITOpcodes.cpp:
3515         (JSC::JIT::emit_op_new_object):
3516         (JSC::JIT::emitSlow_op_new_object):
3517         (JSC::JIT::emit_op_create_this):
3518         (JSC::JIT::emitSlow_op_create_this):
3519         * jit/JITOpcodes32_64.cpp:
3520         (JSC::JIT::emit_op_new_object):
3521         (JSC::JIT::emitSlow_op_new_object):
3522         (JSC::JIT::emit_op_create_this):
3523         (JSC::JIT::emitSlow_op_create_this):
3524         * jit/JITOperations.cpp:
3525         * jit/JITOperations.h:
3526         * jit/JITPropertyAccess.cpp:
3527         (JSC::JIT::emitWriteBarrier):
3528         * jit/JITThunks.cpp:
3529         * jit/JITThunks.h:
3530         * jsc.cpp:
3531         (functionDescribeArray):
3532         (main):
3533         * llint/LLIntData.cpp:
3534         (JSC::LLInt::Data::performAssertions):
3535         * llint/LLIntExceptions.cpp:
3536         * llint/LLIntThunks.cpp:
3537         * llint/LLIntThunks.h:
3538         * llint/LowLevelInterpreter.asm:
3539         * llint/LowLevelInterpreter.cpp:
3540         * llint/LowLevelInterpreter32_64.asm:
3541         * llint/LowLevelInterpreter64.asm:
3542         * parser/ModuleAnalyzer.cpp:
3543         * parser/NodeConstructors.h:
3544         * parser/Nodes.h:
3545         * profiler/ProfilerBytecode.cpp:
3546         * profiler/ProfilerBytecode.h:
3547         * profiler/ProfilerBytecodeSequence.cpp:
3548         * runtime/ArrayConventions.h:
3549         (JSC::indexingHeaderForArrayStorage):
3550         (JSC::baseIndexingHeaderForArrayStorage):
3551         (JSC::indexingHeaderForArray): Deleted.
3552         (JSC::baseIndexingHeaderForArray): Deleted.
3553         * runtime/ArrayPrototype.cpp:
3554         (JSC::arrayProtoFuncSplice):
3555         (JSC::concatAppendOne):
3556         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3557         * runtime/ArrayStorage.h:
3558         (JSC::ArrayStorage::vectorLength):
3559         (JSC::ArrayStorage::totalSizeFor):
3560         (JSC::ArrayStorage::totalSize):
3561         (JSC::ArrayStorage::availableVectorLength):
3562         (JSC::ArrayStorage::optimalVectorLength):
3563         (JSC::ArrayStorage::sizeFor): Deleted.
3564         * runtime/AuxiliaryBarrier.h: Added.
3565         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3566         (JSC::AuxiliaryBarrier::clear):
3567         (JSC::AuxiliaryBarrier::get):
3568         (JSC::AuxiliaryBarrier::slot):
3569         (JSC::AuxiliaryBarrier::operator bool):
3570         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3571         * runtime/AuxiliaryBarrierInlines.h: Added.
3572         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3573         (JSC::AuxiliaryBarrier<T>::set):
3574         * runtime/Butterfly.h:
3575         * runtime/ButterflyInlines.h:
3576         (JSC::Butterfly::availableContiguousVectorLength):
3577         (JSC::Butterfly::optimalContiguousVectorLength):
3578         (JSC::Butterfly::createUninitialized):
3579         (JSC::Butterfly::growArrayRight):
3580         * runtime/ClonedArguments.cpp:
3581         (JSC::ClonedArguments::createEmpty):
3582         * runtime/CommonSlowPathsExceptions.cpp:
3583         * runtime/CommonSlowPathsExceptions.h:
3584         * runtime/DataView.cpp:
3585         * runtime/DirectArguments.h:
3586         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3587         * runtime/Error.cpp:
3588         * runtime/Error.h:
3589         * runtime/ErrorInstance.cpp:
3590         * runtime/ErrorInstance.h:
3591         * runtime/Exception.cpp:
3592         * runtime/Exception.h:
3593         * runtime/GeneratorFrame.cpp:
3594         * runtime/GeneratorPrototype.cpp:
3595         * runtime/InternalFunction.cpp:
3596         (JSC::InternalFunction::InternalFunction):
3597         * runtime/IntlCollator.cpp:
3598         * runtime/IntlCollatorConstructor.cpp:
3599         * runtime/IntlCollatorPrototype.cpp:
3600         * runtime/IntlDateTimeFormat.cpp:
3601         * runtime/IntlDateTimeFormatConstructor.cpp:
3602         * runtime/IntlDateTimeFormatPrototype.cpp:
3603         * runtime/IntlNumberFormat.cpp:
3604         * runtime/IntlNumberFormatConstructor.cpp:
3605         * runtime/IntlNumberFormatPrototype.cpp:
3606         * runtime/IntlObject.cpp:
3607         * runtime/IteratorPrototype.cpp:
3608         * runtime/JSArray.cpp:
3609         (JSC::JSArray::tryCreateUninitialized):
3610         (JSC::JSArray::setLengthWritable):
3611         (JSC::JSArray::unshiftCountSlowCase):
3612         (JSC::JSArray::setLengthWithArrayStorage):
3613         (JSC::JSArray::appendMemcpy):
3614         (JSC::JSArray::setLength):
3615         (JSC::JSArray::pop):
3616         (JSC::JSArray::push):
3617         (JSC::JSArray::fastSlice):
3618         (JSC::JSArray::shiftCountWithArrayStorage):
3619         (JSC::JSArray::shiftCountWithAnyIndexingType):
3620         (JSC::JSArray::unshiftCountWithArrayStorage):
3621         (JSC::JSArray::fillArgList):
3622         (JSC::JSArray::copyToArguments):
3623         * runtime/JSArray.h:
3624         (JSC::createContiguousArrayButterfly):
3625         (JSC::createArrayButterfly):
3626         (JSC::JSArray::create):
3627         (JSC::JSArray::tryCreateUninitialized): Deleted.
3628         * runtime/JSArrayBufferView.h:
3629         * runtime/JSCInlines.h:
3630         * runtime/JSCJSValue.cpp:
3631         (JSC::JSValue::dumpInContextAssumingStructure):
3632         * runtime/JSCallee.cpp:
3633         (JSC::JSCallee::JSCallee):
3634         * runtime/JSCell.cpp:
3635         (JSC::JSCell::estimatedSize):
3636         * runtime/JSCell.h:
3637         (JSC::JSCell::cellStateOffset): Deleted.
3638         * runtime/JSCellInlines.h:
3639         (JSC::ExecState::vm):
3640         (JSC::JSCell::classInfo):
3641         (JSC::JSCell::callDestructor):
3642         (JSC::JSCell::vm): Deleted.
3643         * runtime/JSFunction.cpp:
3644         (JSC::JSFunction::create):
3645         (JSC::JSFunction::allocateAndInitializeRareData):
3646         (JSC::JSFunction::initializeRareData):
3647         (JSC::JSFunction::getOwnPropertySlot):
3648         (JSC::JSFunction::put):
3649         (JSC::JSFunction::deleteProperty):
3650         (JSC::JSFunction::defineOwnProperty):
3651         (JSC::JSFunction::setFunctionName):
3652         (JSC::JSFunction::reifyLength):
3653         (JSC::JSFunction::reifyName):
3654         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3655         (JSC::JSFunction::reifyBoundNameIfNeeded):
3656         * runtime/JSFunction.h:
3657         * runtime/JSFunctionInlines.h:
3658         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3659         (JSC::JSFunction::JSFunction):
3660         * runtime/JSGenericTypedArrayViewInlines.h:
3661         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3662         * runtime/JSInternalPromise.cpp:
3663         * runtime/JSInternalPromiseConstructor.cpp:
3664         * runtime/JSInternalPromiseDeferred.cpp:
3665         * runtime/JSInternalPromisePrototype.cpp:
3666         * runtime/JSJob.cpp:
3667         * runtime/JSMapIterator.cpp:
3668         * runtime/JSModuleNamespaceObject.cpp:
3669         * runtime/JSModuleRecord.cpp:
3670         * runtime/JSObject.cpp:
3671         (JSC::JSObject::visitButterfly):
3672         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3673         (JSC::JSObject::createInitialIndexedStorage):
3674         (JSC::JSObject::createInitialUndecided):
3675         (JSC::JSObject::createInitialInt32):
3676         (JSC::JSObject::createInitialDouble):
3677         (JSC::JSObject::createInitialContiguous):
3678         (JSC::JSObject::createArrayStorage):
3679         (JSC::JSObject::createInitialArrayStorage):
3680         (JSC::JSObject::convertUndecidedToInt32):
3681         (JSC::JSObject::convertUndecidedToContiguous):
3682         (JSC::JSObject::convertUndecidedToArrayStorage):
3683         (JSC::JSObject::convertInt32ToDouble):
3684         (JSC::JSObject::convertInt32ToArrayStorage):
3685         (JSC::JSObject::convertDoubleToArrayStorage):
3686         (JSC::JSObject::convertContiguousToArrayStorage):
3687         (JSC::JSObject::putByIndexBeyondVectorLength):
3688         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3689         (JSC::JSObject::getNewVectorLength):
3690         (JSC::JSObject::increaseVectorLength):
3691         (JSC::JSObject::ensureLengthSlow):
3692         (JSC::JSObject::growOutOfLineStorage):
3693         (JSC::JSObject::copyButterfly): Deleted.
3694         (JSC::JSObject::copyBackingStore): Deleted.
3695         * runtime/JSObject.h:
3696         (JSC::JSObject::globalObject):
3697         (JSC::JSObject::putDirectInternal):
3698         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3699         * runtime/JSObjectInlines.h:
3700         * runtime/JSPromise.cpp:
3701         * runtime/JSPromiseConstructor.cpp:
3702         * runtime/JSPromiseDeferred.cpp:
3703         * runtime/JSPromisePrototype.cpp:
3704         * runtime/JSPropertyNameIterator.cpp:
3705         * runtime/JSScope.cpp:
3706         (JSC::JSScope::resolve):
3707         * runtime/JSScope.h:
3708         (JSC::JSScope::globalObject):
3709         (JSC::JSScope::vm): Deleted.
3710         * runtime/JSSetIterator.cpp:
3711         * runtime/JSStringIterator.cpp:
3712         * runtime/JSTemplateRegistryKey.cpp:
3713         * runtime/JSTypedArrayViewConstructor.cpp:
3714         * runtime/JSTypedArrayViewPrototype.cpp:
3715         * runtime/JSWeakMap.cpp:
3716         * runtime/JSWeakSet.cpp:
3717         * runtime/MapConstructor.cpp:
3718         * runtime/MapIteratorPrototype.cpp:
3719         * runtime/MapPrototype.cpp:
3720         * runtime/NativeErrorConstructor.cpp:
3721         * runtime/NativeStdFunctionCell.cpp:
3722         * runtime/Operations.h:
3723         (JSC::scribbleFreeCells):
3724         (JSC::scribble):
3725         * runtime/Options.h:
3726         * runtime/PropertyTable.cpp:
3727         * runtime/ProxyConstructor.cpp:
3728         * runtime/ProxyObject.cpp:
3729         * runtime/ProxyRevoke.cpp:
3730         * runtime/RegExp.cpp:
3731         (JSC::RegExp::match):
3732         (JSC::RegExp::matchConcurrently):
3733         (JSC::RegExp::matchCompareWithInterpreter):
3734         * runtime/RegExp.h:
3735         * runtime/RegExpConstructor.h:
3736         * runtime/RegExpInlines.h:
3737         (JSC::RegExp::matchInline):
3738         * runtime/RegExpMatchesArray.h:
3739         (JSC::tryCreateUninitializedRegExpMatchesArray):
3740         (JSC::createRegExpMatchesArray):
3741         * runtime/RegExpPrototype.cpp:
3742         (JSC::genericSplit):
3743         * runtime/RuntimeType.cpp:
3744         * runtime/SamplingProfiler.cpp:
3745         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3746         * runtime/SetConstructor.cpp:
3747         * runtime/SetIteratorPrototype.cpp:
3748         * runtime/SetPrototype.cpp:
3749         * runtime/StackFrame.cpp: Added.
3750         (JSC::StackFrame::sourceID):
3751         (JSC::StackFrame::sourceURL):
3752         (JSC::StackFrame::functionName):
3753         (JSC::StackFrame::computeLineAndColumn):
3754         (JSC::StackFrame::toString):
3755         * runtime/StackFrame.h: Added.
3756         (JSC::StackFrame::isNative):
3757         * runtime/StringConstructor.cpp:
3758         * runtime/StringIteratorPrototype.cpp:
3759         * runtime/StructureInlines.h:
3760         (JSC::Structure::propertyTable):
3761         * runtime/TemplateRegistry.cpp:
3762         * runtime/TestRunnerUtils.cpp:
3763         (JSC::finalizeStatsAtEndOfTesting):
3764         * runtime/TestRunnerUtils.h:
3765         * runtime/TypeProfilerLog.cpp:
3766         * runtime/TypeSet.cpp:
3767         * runtime/VM.cpp:
3768         (JSC::VM::VM):
3769         (JSC::VM::ensureStackCapacityForCLoop):
3770         (JSC::VM::isSafeToRecurseSoftCLoop):
3771         * runtime/VM.h:
3772         * runtime/VMEntryScope.h:
3773         * runtime/VMInlines.h:
3774         (JSC::VM::ensureStackCapacityFor):
3775         (JSC::VM::isSafeToRecurseSoft):
3776         * runtime/WeakMapConstructor.cpp:
3777         * runtime/WeakMapData.cpp:
3778         * runtime/WeakMapPrototype.cpp:
3779         * runtime/WeakSetConstructor.cpp:
3780         * runtime/WeakSetPrototype.cpp:
3781         * testRegExp.cpp:
3782         (testOneRegExp):
3783         * tools/JSDollarVM.cpp:
3784         * tools/JSDollarVMPrototype.cpp:
3785         (JSC::JSDollarVMPrototype::isInObjectSpace):
3786
3787 2016-09-04  Commit Queue  <commit-queue@webkit.org>
3788
3789         Unreviewed, rolling out r205415.
3790         https://bugs.webkit.org/show_bug.cgi?id=161573
3791
3792         Many bots see inspector test failures, rolling out now and
3793         investigating later. (Requested by brrian on #webkit).
3794
3795         Reverted changeset:
3796
3797         "Web Inspector: unify Main.html and Test.html sources and
3798         generate different copies with the preprocessor"
3799         https://bugs.webkit.org/show_bug.cgi?id=161212
3800         http://trac.webkit.org/changeset/205415
3801
3802 2016-09-01  Brian Burg  <bburg@apple.com>
3803
3804         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
3805         https://bugs.webkit.org/show_bug.cgi?id=161212
3806         <rdar://problem/28017961>
3807
3808         Reviewed by Joseph Pecoraro.
3809
3810         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
3811
3812 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
3813
3814         Use ASCIILiteral in some more places
3815         https://bugs.webkit.org/show_bug.cgi?id=161557
3816
3817         Reviewed by Darin Adler.
3818
3819         * runtime/TypeSet.h:
3820         (JSC::StructureShape::setConstructorName):
3821
3822 2016-09-01  Michael Saboff  <msaboff@apple.com>
3823
3824         Import Chakra tests to JSC
3825         https://bugs.webkit.org/show_bug.cgi?id=154697
3826
3827         Reviewed by Saam Barati.
3828
3829         Added --dumpException option to jsc command line utility to dump uncaught exception
3830         text even for the last exception that matches --exception.  This is used to
3831         check the exception text for a text that is expected to end on an exception.
3832         Chakra has several tests of this form and does the same thing when such a test
3833         ends with an exception.  Tests that rely on this behavior have had their expected
3834         output updated for JSC specific text.
3835
3836         * jsc.cpp:
3837
3838 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
3839
3840         [JSC] Remove some more useless cases from FTL Capabilities
3841         https://bugs.webkit.org/show_bug.cgi?id=161466
3842
3843         Reviewed by Geoffrey Garen.
3844
3845         Some cases do not make sense:
3846         -In: Fixup only generate CellUse.
3847         -PutByIdXXX: same.
3848         -GetIndexedPropertyStorage: those cases are the only ones supported
3849          by DFG. We would have crashed in SpeculativeJIT if other modes