Gardening: change to use old header guard to appease Win EWS.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: change to use old header guard to appease Win EWS.

        Not reviewed.

        * runtime/AuxiliaryBarrier.h:

2016-09-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r205494.
        https://bugs.webkit.org/show_bug.cgi?id=161646

        This change broke the Windows build (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "Typed arrays should use MarkedSpace instead of CopiedSpace"
        https://bugs.webkit.org/show_bug.cgi?id=161100
        http://trac.webkit.org/changeset/205494

2016-09-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r205504.
        https://bugs.webkit.org/show_bug.cgi?id=161645

        Broke the iOS device build (Requested by ryanhaddad on
        #webkit).

        Reverted changeset:

        "Make JSMap and JSSet faster"
        https://bugs.webkit.org/show_bug.cgi?id=160989
        http://trac.webkit.org/changeset/205504

2016-09-06  Saam Barati  <sbarati@apple.com>

        Make JSMap and JSSet faster
        https://bugs.webkit.org/show_bug.cgi?id=160989

        Reviewed by Filip Pizlo.

        This patch revamps how we implement Map and Set. It uses
        a new hash map implementation. The hash map uses linear
        probing and it uses Wang's 64 bit hash function for JSValues
        that aren't strings. Strings use StringImpl's hash function.
        The reason I wanted to roll our own HashTable is twofold:
        I didn't want to inline WTF::HashMap's implementation into our
        JIT, since that seems error prone and unmaintainable. Also, I wanted
        a different structure for hash map buckets where buckets also exist in
        a linked list.

        The reason for making buckets part of a linked list is that iteration
        is now simple. Iteration works by just traversing a linked list.
        This design also allows for a simple implementation when doing iteration
        while the hash table is mutating. Whenever we remove a bucket from
        the hash table, it is removed from the list, meaning items in the
        list don't point to it. However, the removed bucket will still point
        to things that are either in the list, or have also been removed.
        e.g., from a removed bucket, you can always follow pointers until you
        either find an item in the list, or you find the tail of the list.
        This is a really nice property because it means that a Map or Set
        does not need to reason about all the iterators that point
        into its list. Also, whenever we add items to the Map or Set, we
        hijack the tail as the new item, and make the new item point to a newly
        created tail. This means that any iterator that pointed to the "tail" now
        points to non-tail items. This makes the implementation of adding things
        to the Map/Set while iterating easy.

        I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
        into intrinsics in the DFG. The IR can now reason about hash map
        operations and can even do CSE over Wang's hash function, hash map
        bucket lookups, hash map bucket loads, and testing if a key is in
        the hash table. This makes code patterns for Map like so super fast
        in the FTL, since we will only be doing a single hash and hash bucket lookup:

        ```
        function getKeyIfPresent(map, key) {
            if (map.has(key))
                return map.get(key);
        }
        ```

        This patch is roughly an 8% speedup on ES6SampleBench.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMapObject):
        (JSC::DFG::SpeculativeJIT::speculateSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::wangsInt64Hash):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
        * jit/JITOperations.h:
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::ModuleAnalyzer):
        * runtime/HashMapImpl.cpp: Added.
        (JSC::HashMapBucket<Data>::visitChildren):
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
        * runtime/HashMapImpl.h: Added.
        (JSC::HashMapBucket::selectStructure):
        (JSC::HashMapBucket::createStructure):
        (JSC::HashMapBucket::create):
        (JSC::HashMapBucket::HashMapBucket):
        (JSC::HashMapBucket::setNext):
        (JSC::HashMapBucket::setPrev):
        (JSC::HashMapBucket::setKey):
        (JSC::HashMapBucket::setValue):
        (JSC::HashMapBucket::key):
        (JSC::HashMapBucket::value):
        (JSC::HashMapBucket::next):
        (JSC::HashMapBucket::prev):
        (JSC::HashMapBucket::deleted):
        (JSC::HashMapBucket::setDeleted):
        (JSC::HashMapBucket::offsetOfKey):
        (JSC::HashMapBucket::offsetOfValue):
        (JSC::HashMapBuffer::allocationSize):
        (JSC::HashMapBuffer::buffer):
        (JSC::HashMapBuffer::create):
        (JSC::areKeysEqual):
        (JSC::normalizeMapKey):
        (JSC::jsMapHash):
        (JSC::HashMapImpl::selectStructure):
        (JSC::HashMapImpl::createStructure):
        (JSC::HashMapImpl::create):
        (JSC::HashMapImpl::HashMapImpl):
        (JSC::HashMapImpl::buffer):
        (JSC::HashMapImpl::finishCreation):
        (JSC::HashMapImpl::emptyValue):
        (JSC::HashMapImpl::isEmpty):
        (JSC::HashMapImpl::deletedValue):
        (JSC::HashMapImpl::isDeleted):
        (JSC::HashMapImpl::findBucket):
        (JSC::HashMapImpl::get):
        (JSC::HashMapImpl::has):
        (JSC::HashMapImpl::add):
        (JSC::HashMapImpl::remove):
        (JSC::HashMapImpl::size):
        (JSC::HashMapImpl::clear):
        (JSC::HashMapImpl::bufferSizeInBytes):
        (JSC::HashMapImpl::offsetOfBuffer):
        (JSC::HashMapImpl::offsetOfCapacity):
        (JSC::HashMapImpl::head):
        (JSC::HashMapImpl::tail):
        (JSC::HashMapImpl::approximateSize):
        (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
        (JSC::HashMapImpl::rehash):
        (JSC::HashMapImpl::makeAndSetNewBuffer):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::sameValue):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy): Deleted.
        (JSC::JSMap::estimatedSize): Deleted.
        (JSC::JSMap::visitChildren): Deleted.
        (JSC::JSMap::copyBackingStore): Deleted.
        (JSC::JSMap::has): Deleted.
        (JSC::JSMap::size): Deleted.
        (JSC::JSMap::get): Deleted.
        (JSC::JSMap::set): Deleted.
        (JSC::JSMap::clear): Deleted.
        (JSC::JSMap::remove): Deleted.
        * runtime/JSMap.h:
        (JSC::JSMap::createStructure):
        (JSC::JSMap::create):
        (JSC::JSMap::get):
        (JSC::JSMap::set):
        (JSC::JSMap::JSMap):
        (JSC::JSMap::Entry::key): Deleted.
        (JSC::JSMap::Entry::value): Deleted.
        (JSC::JSMap::Entry::visitChildren): Deleted.
        (JSC::JSMap::Entry::setKey): Deleted.
        (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
        (JSC::JSMap::Entry::setValue): Deleted.
        (JSC::JSMap::Entry::clear): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::finishCreation):
        (JSC::JSMapIterator::visitChildren):
        (JSC::JSMapIterator::clone):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::advanceIter):
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::JSMapIterator):
        (JSC::JSMapIterator::setIterator):
        (JSC::JSMapIterator::finish): Deleted.
        (JSC::JSMapIterator::iteratorData): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        * runtime/JSModuleLoader.h:
        (JSC::JSModuleLoader::create):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::finishCreation):
        * runtime/JSModuleRecord.h:
        (JSC::JSModuleRecord::create):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy): Deleted.
        (JSC::JSSet::estimatedSize): Deleted.
        (JSC::JSSet::visitChildren): Deleted.
        (JSC::JSSet::copyBackingStore): Deleted.
        (JSC::JSSet::has): Deleted.
        (JSC::JSSet::size): Deleted.
        (JSC::JSSet::add): Deleted.
        (JSC::JSSet::clear): Deleted.
        (JSC::JSSet::remove): Deleted.
        * runtime/JSSet.h:
        (JSC::JSSet::createStructure):
        (JSC::JSSet::create):
        (JSC::JSSet::add):
        (JSC::JSSet::JSSet):
        (JSC::JSSet::Entry::key): Deleted.
        (JSC::JSSet::Entry::value): Deleted.
        (JSC::JSSet::Entry::visitChildren): Deleted.
        (JSC::JSSet::Entry::setKey): Deleted.
        (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
        (JSC::JSSet::Entry::setValue): Deleted.
        (JSC::JSSet::Entry::clear): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::finishCreation):
        (JSC::JSSetIterator::visitChildren):
        (JSC::JSSetIterator::clone):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::advanceIter):
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::JSSetIterator):
        (JSC::JSSetIterator::setIterator):
        (JSC::JSSetIterator::finish): Deleted.
        (JSC::JSSetIterator::iteratorData): Deleted.
        * runtime/JSType.h:
        * runtime/MapBase.cpp: Added.
        (JSC::MapBase<HashMapBucketType>::visitChildren):
        (JSC::MapBase<HashMapBucketType>::estimatedSize):
        * runtime/MapBase.h: Added.
        (JSC::MapBase::size):
        (JSC::MapBase::has):
        (JSC::MapBase::clear):
        (JSC::MapBase::remove):
        (JSC::MapBase::findBucket):
        (JSC::MapBase::offsetOfHashMapImpl):
        (JSC::MapBase::impl):
        (JSC::MapBase::finishCreation):
        (JSC::MapBase::MapBase):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        (JSC::privateFuncIsMap):
        (JSC::privateFuncMapIteratorNext):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue): Deleted.
        * runtime/PropertyDescriptor.h:
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        (JSC::privateFuncSetIteratorNext):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

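The bucket-in-a-linked-list design described in the "Make JSMap and JSSet faster" entry above, as an added C++ sketch that is not JavaScriptCore's own code (JSC's HashMapImpl stores sentinel empty/deleted values in its table and lets the GC keep removed buckets alive; this sketch marks removed buckets with a `deleted` flag and keeps them owned by the map). The names `LinkedHashMap`, `Bucket`, `advance` and `iterateWhileMutating` are this example's own; `wangsInt64Hash` is the standard Thomas Wang 64-bit mix and is assumed, not verified, to match JSC's. Live buckets sit in a linear-probing table and in a doubly linked list between a head and a tail sentinel; a removed bucket is unlinked but keeps its forward pointer, and adding an item hijacks the tail, exactly the two properties the entry relies on for iteration while mutating.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Thomas Wang's 64-bit mix (assumed to be the hash the entry names; not compared with JSC's).
static inline uint64_t wangsInt64Hash(uint64_t key) {
    key = (~key) + (key << 21);
    key ^= key >> 24;
    key = (key + (key << 3)) + (key << 8);
    key ^= key >> 14;
    key = (key + (key << 2)) + (key << 4);
    key ^= key >> 28;
    return key + (key << 31);
}

struct Bucket {
    uint64_t key = 0, value = 0;
    bool deleted = false;          // tombstone: still in the table, no longer in the list
    Bucket *prev = nullptr, *next = nullptr;
};

class LinkedHashMap {
public:
    explicit LinkedHashMap(size_t capacity = 8) : table_(capacity, nullptr) {  // power of two
        head_ = newBucket(); tail_ = newBucket();
        head_->next = tail_; tail_->prev = head_;
    }
    Bucket* head() const { return head_; }
    Bucket* tail() const { return tail_; }
    size_t size() const { return size_; }

    // Linear probing; a tombstone keeps the probe sequence intact but never matches.
    Bucket* find(uint64_t key) const {
        size_t mask = table_.size() - 1;
        for (size_t i = wangsInt64Hash(key) & mask; table_[i]; i = (i + 1) & mask)
            if (!table_[i]->deleted && table_[i]->key == key) return table_[i];
        return nullptr;
    }

    void add(uint64_t key, uint64_t value) {
        if (Bucket* b = find(key)) { b->value = value; return; }  // existing key keeps its place
        if ((size_ + tombstones_ + 1) * 2 > table_.size()) rehash();
        // Hijack the tail sentinel as the new item and append a fresh tail, so an
        // iterator parked on the old tail now points at a live entry.
        Bucket* b = tail_;
        b->key = key; b->value = value;
        tail_ = newBucket();
        b->next = tail_; tail_->prev = b;
        insertIntoTable(b);
        ++size_;
    }

    bool remove(uint64_t key) {
        Bucket* b = find(key);
        if (!b) return false;
        b->deleted = true;
        b->prev->next = b->next;  // the list no longer points at b ...
        b->next->prev = b->prev;  // ... but b still points at live or removed nodes
        --size_; ++tombstones_;
        return true;
    }

    // Step an iterator forward, skipping removed buckets; the tail stays put.
    static Bucket* advance(Bucket* current) {
        if (!current->next) return current;
        Bucket* b = current->next;
        while (b->deleted) b = b->next;
        return b;
    }

private:
    Bucket* newBucket() {
        storage_.push_back(std::make_unique<Bucket>());
        return storage_.back().get();
    }
    void insertIntoTable(Bucket* b) {
        size_t mask = table_.size() - 1;
        size_t i = wangsInt64Hash(b->key) & mask;
        while (table_[i]) i = (i + 1) & mask;
        table_[i] = b;
    }
    // Rebuild from the live list: tombstones drop out of the table, but removed
    // Bucket objects stay allocated, so iterators still holding them remain valid.
    void rehash() {
        table_.assign(table_.size() * 2, nullptr);
        tombstones_ = 0;
        for (Bucket* b = head_->next; b != tail_; b = b->next) insertIntoTable(b);
    }

    std::vector<Bucket*> table_;
    std::vector<std::unique_ptr<Bucket>> storage_;  // owns every bucket, removed ones included
    Bucket *head_ = nullptr, *tail_ = nullptr;
    size_t size_ = 0, tombstones_ = 0;
};

// Iterate while removing the entry under the iterator and adding new entries;
// returns the keys the iterator observed, in order.
std::vector<uint64_t> iterateWhileMutating() {
    LinkedHashMap m;
    for (uint64_t k = 1; k <= 3; ++k) m.add(k, k * 10);
    std::vector<uint64_t> seen;
    Bucket* it = LinkedHashMap::advance(m.head());  // parked on key 1
    seen.push_back(it->key);
    m.remove(1);   // the bucket the iterator holds is now a removed bucket
    m.remove(2);   // so is the next one; both still point onward into the list
    m.add(4, 40);  // hijacks the tail
    for (it = LinkedHashMap::advance(it); it != m.tail(); it = LinkedHashMap::advance(it)) {
        seen.push_back(it->key);
        if (it->key == 3) m.add(5, 50);  // added mid-iteration, reached before the tail
    }
    return seen;
}
```

`iterateWhileMutating()` returns 1, 3, 4, 5: the removed buckets 1 and 2 are skipped by following their stale `next` pointers, and 5, added while the iterator was on 3, is reached because the old tail was turned into a live entry. The load check counts tombstones as well as live entries so that a long run of add/remove cycles cannot fill the table with dead slots and turn `find` into an unbounded probe.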
2016-09-06  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should use MarkedSpace instead of CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=161100

        Reviewed by Geoffrey Garen.

        This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.

        This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
        everything that typed arrays want.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::splatWords):
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
        * heap/CopyToken.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::markAuxiliary):
        * jit/JITOperations.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayBufferView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.

2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>

        Silence GCC warning spam introduced in r205462

        Rubber-stamped by Filip Pizlo.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Heap::isMarked() should use concurrent lazy flipping
        https://bugs.webkit.org/show_bug.cgi?id=161613

        Reviewed by Michael Catanzaro.

        I found out about this race condition via
        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
        phase. So, they need to lazy-flip in a non-racy way.

        * heap/HeapInlines.h:
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, reset generator test results after the butterflies.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2016-09-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * bytecode/SuperSampler.cpp:

427 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
428
429         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
430         https://bugs.webkit.org/show_bug.cgi?id=160125
431
432         Reviewed by Geoffrey Garen and Keith Miller.
433
434         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
435         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
436         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
437         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
438         to get rid of copied space. This change moves copied space's biggest client over to marked
439         space.
440         
441         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
442         allocation path. This is a fairly mechanical change, but it caused performance regressions
443         everywhere, so this change also fixes MarkedSpace's performance issues.
444         
445         At a high level the mechanical changes are:
446         
447         - We use AuxiliaryBarrier instead of CopyBarrier.
448         
449         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
450           CheckedBoolean stuff, since it's so much more trouble than it's worth.
451         
452         - The JITs have to emit inlined marked space allocations instead of inline copy space
453           allocations.
454         
455         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
456           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
457           space doesn't.
458         
459         That's about 1/3 of this change. But this led to performance problems, which I fixed with
460         optimizations that amounted to a major MarkedSpace rewrite:
461         
462         - MarkedSpace always causes internal fragmentation for array allocations because the vector
463           length we choose when we resize usually leads to a cell size that doesn't correspond to any
464           size class. I got around this by making array allocations usually round up vectorLength to
465           the maximum allowed by the size class that we would have allocated in. Also,
466           ensureLengthSlow() and friends first make sure that the requested length can't just be
467           fulfilled with the current allocation size. This safeguard means that not every array
468           allocation has to do size class queries. For example, the fast path of new Array(length)
469           never does any size class queries, under the assumption that (1) the speed gained from
470           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
471           size class query, is too small to offset the speed lost by doing the query on every
472           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
473           likely.
474         
475         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
476           changes MarkedSpace size classes to use a linear progression for very small sizes followed
477           by a geometric progression that naturally transitions to a hyperbolic progression. We want
478           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
479           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
480           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
481           size (80 bytes), we proceed using a geometric progression, but round up each size to
482           minimize slop at the end of the block. This naturally causes the geometric progression to
483           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
484           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
485         
486         - Large allocations caused massive internal fragmentation, since the smallest large
487           allocation had to use exactly blockSize, and the largest small allocation used
488           blockSize / 2. The next size up - the first large allocation size to require two blocks -
489           also had 50% internal fragmentation. This is because we required large allocations to be
490           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
491           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
492           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
493           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
494           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
495           out great since (1) typed arrays won't use large allocations anyway since they have their
496           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
497           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
498           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
499           rare as possible; for example, ExecState::vm() skips the check because we know that callees
500           must be small allocations. It's also possible to use template tricks to do one check for
501           cell container kind, and then invoke a function specialized for MarkedBlock or a function
502           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
503           that get used from functions that are template-specialized like this. That's mostly to
504           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
505           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
506           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
507           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
508           cutoff for large allocations is runtime-configurable, so long as you don't choose something
509           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
510           that the MarkedBlock size classes end up being:
511           
512           16, 32, 48, 64, 80, 112, 160, 224, 320
513           
514           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
515           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
516           size classes you end up with by doing --dumpSizeClasses=true.
517         
518         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
519           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
520           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
521           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
522           side, for better locality during a sequential walk. It's no longer necessary to scan
523           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
524           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
525           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
526           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
527           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
528           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
529           together, these optimizations allowed me to reduce block size to 16KB without losing much
530           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
531           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
532           progression on membuster. That's not possible yet, since there is still enough per-block
533           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
534           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
535         
536         - Even after all of that, copying butterflies was still faster because it allowed us to skip
537           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
538           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
539           larger than O(live), especially in an eden collection. Copying satisfies this premise while
540           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
541           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
542           that we walk the block to build a free list. This means walking dead space. The new
543           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
544           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
545           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
546           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
547           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
548           is completely empty, which is the common case because of the generational hypothesis: the
549           number of objects that survive an eden collection is a tiny fraction of the number of
550           objects that had been allocated, and this fraction is so small that there are typically
551           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
552           win over tip-of-tree.
553         
554         - FTL now shares the same allocation fast paths as everything else, which is great, because
555           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
556           control flow, since it won't be able to improve the machine code we write ourselves. GC
557           fast paths are best written in assembly. So, I've empowered B3 to have even better support
558           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
559           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
560           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
561           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
562           ability to constant-fold some allocator logic (in case we first assume that we're doing a
563           variable-length allocation but then realize that the length is known). I think it makes
564           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
565           since this makes lowering easier (you can constant fold during lowering more easily) and it
566           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
567           constant-fold this code. That would require allowing loads to be constant-folded, which is
568           doable but hella tricky.
569         
570         - It used to be that if a logical object allocation required two physical allocations (first
571           the butterfly and then the cell), then the JIT would emit the code in such a way that a
572           failure in the second fast path would cause us to forget the successful first physical
573           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
574           register to storing either the butterfly or null, because the butterfly register is anyway
575           going to be free inside the first allocation. The only overhead here is zeroing the
576           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
577           path, which can then either allocate a butterfly or not. So now we never waste a successful
578           allocation. This patch implements such a solution both in DFG (where it's easy to do this
579           since we control registers already) and in FTL (where it's annoying, because mutable
580           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code that
581           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
582           one version of this patch, this wastage would resonate with some Kraken benchmark: the
583           benchmark would always allocate N small things followed by one bigger thing. The problem
584           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
585           the JSObject size class, which both the small and big thing shared for their cell, could
586           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
587           it allocated the big thing. So, it would end up having to allocate the big thing's large
588           butterfly twice, every single time! Ouch!
589         
590         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
591           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
592           of the allocator to initialize the object to whatever state they need. It used to be that
593           we would just use a dumb loop. I initially changed this so that we would end up in memset
594           for large allocations, but this didn't actually help performance that much. I got a much
595           better result by playing with different memsets written in assembly. First I wrote one
596           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
597           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
598           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
599           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
600           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
601           of stores (if the size is known), but those paths in the JIT won't trigger for
602           NewArrayWithSize() if the size is large, since that takes us to the
603           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
604           optimizations here are all in JSArray::create() - that's the hot place for large arrays
605           that need to be filled with holes.
606         
607         All of this put together gives us neutral perf on JetStream, membuster, and PLT3, a ~1%
608         regression on Speedometer, and up to a 4% regression on Kraken. The Kraken regression is
609         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
610         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
611         difference, but take the hit for now because it's a crazy corner case. By comparison, the
612         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
613         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
614         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
615         marking barrier and we simply won't need a copying barrier. This change gets us there for
616         the purposes of our benchmarks, since the remaining clients of copied space are not very
617         important. On the other hand, if we keep copying, then getting barrier-ready would mean
618         adding back the copy barrier, which costs more perf.
619         
620         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
621         typed arrays and a few other weird things over to Aux MarkedSpace.
622         
623         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
624         and CellContainer meant that I had to include those files from everywhere. Fortunately,
625           just including JSCInlines.h (instead of manually including the files that it includes) is
626         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
627         that we were already basically doing. In places where JSCInlines.h would be too much, I just
628         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
629         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
630         meant having to manually include HeapInlines.h from the places that previously got it
631         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
632         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
633         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
634         made it impossible to include it from outside JSC. This was a lot of work, but it was
635         necessary to get the patch to build on all ports. It's also a net win. There were many places
636         in WebCore that were transitively including a *ton* of JSC headers just because of the
637         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
638         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
639
640         * API/JSManagedValue.mm:
641         (-[JSManagedValue initWithValue:]):
642         * API/JSTypedArray.cpp:
643         * API/ObjCCallbackFunction.mm:
644         * API/tests/testapi.mm:
645         (testObjectiveCAPI):
646         (testWeakValue): Deleted.
647         * CMakeLists.txt:
648         * JavaScriptCore.xcodeproj/project.pbxproj:
649         * Scripts/builtins/builtins_generate_combined_implementation.py:
650         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
651         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
652         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
653         * Scripts/builtins/builtins_generate_separate_implementation.py:
654         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
655         * assembler/AbstractMacroAssembler.h:
656         (JSC::AbstractMacroAssembler::JumpList::link):
657         (JSC::AbstractMacroAssembler::JumpList::linkTo):
658         * assembler/MacroAssembler.h:
659         * assembler/MacroAssemblerARM64.h:
660         (JSC::MacroAssemblerARM64::add32):
661         * assembler/MacroAssemblerCodeRef.cpp: Added.
662         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
663         (JSC::MacroAssemblerCodePtr::dumpWithName):
664         (JSC::MacroAssemblerCodePtr::dump):
665         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
666         (JSC::MacroAssemblerCodeRef::dump):
667         * assembler/MacroAssemblerCodeRef.h:
668         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
669         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
670         (JSC::MacroAssemblerCodePtr::dump): Deleted.
671         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
672         (JSC::MacroAssemblerCodeRef::dump): Deleted.
673         * b3/B3BasicBlock.cpp:
674         (JSC::B3::BasicBlock::appendBoolConstant):
675         * b3/B3BasicBlock.h:
676         * b3/B3DuplicateTails.cpp:
677         * b3/B3StackmapGenerationParams.h:
678         * b3/testb3.cpp:
679         (JSC::B3::testPatchpointTerminalReturnValue):
680         (JSC::B3::run):
681         * bindings/ScriptValue.cpp:
682         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
683         * bytecode/BytecodeBasicBlock.cpp:
684         * bytecode/BytecodeLivenessAnalysis.cpp:
685         * bytecode/BytecodeUseDef.h:
686         * bytecode/CallLinkInfo.cpp:
687         (JSC::CallLinkInfo::callTypeFor):
688         * bytecode/CallLinkInfo.h:
689         (JSC::CallLinkInfo::callTypeFor): Deleted.
690         * bytecode/CallLinkStatus.cpp:
691         * bytecode/CodeBlock.cpp:
692         (JSC::CodeBlock::finishCreation):
693         (JSC::CodeBlock::clearLLIntGetByIdCache):
694         (JSC::CodeBlock::predictedMachineCodeSize):
695         * bytecode/CodeBlock.h:
696         (JSC::CodeBlock::jitCodeMap): Deleted.
697         (JSC::clearLLIntGetByIdCache): Deleted.
698         * bytecode/ExecutionCounter.h:
699         * bytecode/Instruction.h:
700         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
701         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
702         * bytecode/ObjectAllocationProfile.h:
703         (JSC::ObjectAllocationProfile::isNull):
704         (JSC::ObjectAllocationProfile::initialize):
705         * bytecode/Opcode.h:
706         (JSC::padOpcodeName):
707         * bytecode/PolymorphicAccess.cpp:
708         (JSC::AccessCase::generateImpl):
709         (JSC::PolymorphicAccess::regenerate):
710         * bytecode/PolymorphicAccess.h:
711         * bytecode/PreciseJumpTargets.cpp:
712         * bytecode/StructureStubInfo.cpp:
713         * bytecode/StructureStubInfo.h:
714         * bytecode/UnlinkedCodeBlock.cpp:
715         (JSC::UnlinkedCodeBlock::vm): Deleted.
716         * bytecode/UnlinkedCodeBlock.h:
717         * bytecode/UnlinkedInstructionStream.cpp:
718         * bytecode/UnlinkedInstructionStream.h:
719         * dfg/DFGOperations.cpp:
720         * dfg/DFGSpeculativeJIT.cpp:
721         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
722         (JSC::DFG::SpeculativeJIT::compileMakeRope):
723         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
724         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
725         * dfg/DFGSpeculativeJIT.h:
726         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
727         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
728         * dfg/DFGSpeculativeJIT32_64.cpp:
729         (JSC::DFG::SpeculativeJIT::compile):
730         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
731         * dfg/DFGSpeculativeJIT64.cpp:
732         (JSC::DFG::SpeculativeJIT::compile):
733         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
734         * dfg/DFGStrengthReductionPhase.cpp:
735         (JSC::DFG::StrengthReductionPhase::handleNode):
736         * ftl/FTLAbstractHeapRepository.h:
737         * ftl/FTLCompile.cpp:
738         * ftl/FTLJITFinalizer.cpp:
739         * ftl/FTLLowerDFGToB3.cpp:
740         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
741         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
742         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
743         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
744         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
745         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
746         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
747         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
748         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
749         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
750         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
751         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
752         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
753         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
754         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
755         * ftl/FTLOutput.cpp:
756         (JSC::FTL::Output::constBool):
757         (JSC::FTL::Output::add):
758         (JSC::FTL::Output::shl):
759         (JSC::FTL::Output::aShr):
760         (JSC::FTL::Output::lShr):
761         (JSC::FTL::Output::zeroExt):
762         (JSC::FTL::Output::equal):
763         (JSC::FTL::Output::notEqual):
764         (JSC::FTL::Output::above):
765         (JSC::FTL::Output::aboveOrEqual):
766         (JSC::FTL::Output::below):
767         (JSC::FTL::Output::belowOrEqual):
768         (JSC::FTL::Output::greaterThan):
769         (JSC::FTL::Output::greaterThanOrEqual):
770         (JSC::FTL::Output::lessThan):
771         (JSC::FTL::Output::lessThanOrEqual):
772         (JSC::FTL::Output::select):
773         (JSC::FTL::Output::appendSuccessor):
774         (JSC::FTL::Output::addIncomingToPhi):
775         * ftl/FTLOutput.h:
776         * ftl/FTLValueFromBlock.h:
777         (JSC::FTL::ValueFromBlock::operator bool):
778         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
779         * ftl/FTLWeightedTarget.h:
780         (JSC::FTL::WeightedTarget::frequentedBlock):
781         * heap/CellContainer.h: Added.
782         (JSC::CellContainer::CellContainer):
783         (JSC::CellContainer::operator bool):
784         (JSC::CellContainer::isMarkedBlock):
785         (JSC::CellContainer::isLargeAllocation):
786         (JSC::CellContainer::markedBlock):
787         (JSC::CellContainer::largeAllocation):
788         * heap/CellContainerInlines.h: Added.
789         (JSC::CellContainer::isMarked):
790         (JSC::CellContainer::isMarkedOrNewlyAllocated):
791         (JSC::CellContainer::noteMarked):
792         (JSC::CellContainer::cellSize):
793         (JSC::CellContainer::weakSet):
794         (JSC::CellContainer::flipIfNecessary):
795         * heap/ConservativeRoots.cpp:
796         (JSC::ConservativeRoots::ConservativeRoots):
797         (JSC::ConservativeRoots::~ConservativeRoots):
798         (JSC::ConservativeRoots::grow):
799         (JSC::ConservativeRoots::genericAddPointer):
800         (JSC::ConservativeRoots::genericAddSpan):
801         * heap/ConservativeRoots.h:
802         (JSC::ConservativeRoots::roots):
803         * heap/CopyToken.h:
804         * heap/FreeList.cpp: Added.
805         (JSC::FreeList::dump):
806         * heap/FreeList.h: Added.
807         (JSC::FreeList::FreeList):
808         (JSC::FreeList::list):
809         (JSC::FreeList::bump):
810         (JSC::FreeList::operator==):
811         (JSC::FreeList::operator!=):
812         (JSC::FreeList::operator bool):
813         (JSC::FreeList::allocationWillFail):
814         (JSC::FreeList::allocationWillSucceed):
815         * heap/GCTypeMap.h: Added.
816         (JSC::GCTypeMap::operator[]):
817         * heap/Heap.cpp:
818         (JSC::Heap::Heap):
819         (JSC::Heap::lastChanceToFinalize):
820         (JSC::Heap::finalizeUnconditionalFinalizers):
821         (JSC::Heap::markRoots):
822         (JSC::Heap::copyBackingStores):
823         (JSC::Heap::gatherStackRoots):
824         (JSC::Heap::gatherJSStackRoots):
825         (JSC::Heap::gatherScratchBufferRoots):
826         (JSC::Heap::clearLivenessData):
827         (JSC::Heap::visitSmallStrings):
828         (JSC::Heap::visitConservativeRoots):
829         (JSC::Heap::removeDeadCompilerWorklistEntries):
830         (JSC::Heap::gatherExtraHeapSnapshotData):
831         (JSC::Heap::removeDeadHeapSnapshotNodes):
832         (JSC::Heap::visitProtectedObjects):
833         (JSC::Heap::visitArgumentBuffers):
834         (JSC::Heap::visitException):
835         (JSC::Heap::visitStrongHandles):
836         (JSC::Heap::visitHandleStack):
837         (JSC::Heap::visitSamplingProfiler):
838         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
839         (JSC::Heap::converge):
840         (JSC::Heap::visitWeakHandles):
841         (JSC::Heap::updateObjectCounts):
842         (JSC::Heap::clearUnmarkedExecutables):
843         (JSC::Heap::deleteUnmarkedCompiledCode):
844         (JSC::Heap::collectAllGarbage):
845         (JSC::Heap::collect):
846         (JSC::Heap::collectWithoutAnySweep):
847         (JSC::Heap::collectImpl):
848         (JSC::Heap::suspendCompilerThreads):
849         (JSC::Heap::willStartCollection):
850         (JSC::Heap::flushOldStructureIDTables):
851         (JSC::Heap::flushWriteBarrierBuffer):
852         (JSC::Heap::stopAllocation):
853         (JSC::Heap::prepareForMarking):
854         (JSC::Heap::reapWeakHandles):
855         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
856         (JSC::Heap::sweepArrayBuffers):
857         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
858         (JSC::MarkedBlockSnapshotFunctor::operator()):
859         (JSC::Heap::snapshotMarkedSpace):
860         (JSC::Heap::deleteSourceProviderCaches):
861         (JSC::Heap::notifyIncrementalSweeper):
862         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
863         (JSC::Heap::resetAllocators):
864         (JSC::Heap::updateAllocationLimits):
865         (JSC::Heap::didFinishCollection):
866         (JSC::Heap::resumeCompilerThreads):
867         (JSC::Zombify::visit):
868         (JSC::Heap::forEachCodeBlockImpl):
869         * heap/Heap.h:
870         (JSC::Heap::allocatorForObjectWithoutDestructor):
871         (JSC::Heap::allocatorForObjectWithDestructor):
872         (JSC::Heap::allocatorForAuxiliaryData):
873         (JSC::Heap::jitStubRoutines):
874         (JSC::Heap::codeBlockSet):
875         (JSC::Heap::storageAllocator): Deleted.
876         * heap/HeapCell.h:
877         (JSC::HeapCell::isZapped): Deleted.
878         * heap/HeapCellInlines.h: Added.
879         (JSC::HeapCell::isLargeAllocation):
880         (JSC::HeapCell::cellContainer):
881         (JSC::HeapCell::markedBlock):
882         (JSC::HeapCell::largeAllocation):
883         (JSC::HeapCell::heap):
884         (JSC::HeapCell::vm):
885         (JSC::HeapCell::cellSize):
886         (JSC::HeapCell::allocatorAttributes):
887         (JSC::HeapCell::destructionMode):
888         (JSC::HeapCell::cellKind):
889         * heap/HeapInlines.h:
890         (JSC::Heap::heap):
891         (JSC::Heap::isLive):
892         (JSC::Heap::isMarked):
893         (JSC::Heap::testAndSetMarked):
894         (JSC::Heap::setMarked):
895         (JSC::Heap::cellSize):
896         (JSC::Heap::forEachCodeBlock):
897         (JSC::Heap::allocateObjectOfType):
898         (JSC::Heap::subspaceForObjectOfType):
899         (JSC::Heap::allocatorForObjectOfType):
900         (JSC::Heap::allocateAuxiliary):
901         (JSC::Heap::tryAllocateAuxiliary):
902         (JSC::Heap::tryReallocateAuxiliary):
903         (JSC::Heap::isPointerGCObject): Deleted.
904         (JSC::Heap::isValueGCObject): Deleted.
905         * heap/HeapOperation.cpp: Added.
906         (WTF::printInternal):
907         * heap/HeapOperation.h:
908         * heap/HeapUtil.h: Added.
909         (JSC::HeapUtil::findGCObjectPointersForMarking):
910         (JSC::HeapUtil::isPointerGCObjectJSCell):
911         (JSC::HeapUtil::isValueGCObject):
912         * heap/IncrementalSweeper.cpp:
913         (JSC::IncrementalSweeper::sweepNextBlock):
914         * heap/IncrementalSweeper.h:
915         * heap/LargeAllocation.cpp: Added.
916         (JSC::LargeAllocation::tryCreate):
917         (JSC::LargeAllocation::LargeAllocation):
918         (JSC::LargeAllocation::lastChanceToFinalize):
919         (JSC::LargeAllocation::shrink):
920         (JSC::LargeAllocation::visitWeakSet):
921         (JSC::LargeAllocation::reapWeakSet):
922         (JSC::LargeAllocation::flip):
923         (JSC::LargeAllocation::isEmpty):
924         (JSC::LargeAllocation::sweep):
925         (JSC::LargeAllocation::destroy):
926         (JSC::LargeAllocation::dump):
927         * heap/LargeAllocation.h: Added.
928         (JSC::LargeAllocation::fromCell):
929         (JSC::LargeAllocation::cell):
930         (JSC::LargeAllocation::isLargeAllocation):
931         (JSC::LargeAllocation::heap):
932         (JSC::LargeAllocation::vm):
933         (JSC::LargeAllocation::weakSet):
934         (JSC::LargeAllocation::clearNewlyAllocated):
935         (JSC::LargeAllocation::isNewlyAllocated):
936         (JSC::LargeAllocation::isMarked):
937         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
938         (JSC::LargeAllocation::isLive):
939         (JSC::LargeAllocation::hasValidCell):
940         (JSC::LargeAllocation::cellSize):
941         (JSC::LargeAllocation::aboveLowerBound):
942         (JSC::LargeAllocation::belowUpperBound):
943         (JSC::LargeAllocation::contains):
944         (JSC::LargeAllocation::attributes):
945         (JSC::LargeAllocation::flipIfNecessary):
946         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
947         (JSC::LargeAllocation::testAndSetMarked):
948         (JSC::LargeAllocation::setMarked):
949         (JSC::LargeAllocation::clearMarked):
950         (JSC::LargeAllocation::noteMarked):
951         (JSC::LargeAllocation::headerSize):
952         * heap/MarkedAllocator.cpp:
953         (JSC::MarkedAllocator::MarkedAllocator):
954         (JSC::MarkedAllocator::isPagedOut):
955         (JSC::MarkedAllocator::retire):
956         (JSC::MarkedAllocator::filterNextBlock):
957         (JSC::MarkedAllocator::setNextBlockToSweep):
958         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
959         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
960         (JSC::MarkedAllocator::allocateSlowCase):
961         (JSC::MarkedAllocator::tryAllocateSlowCase):
962         (JSC::MarkedAllocator::allocateSlowCaseImpl):
963         (JSC::blockHeaderSize):
964         (JSC::MarkedAllocator::blockSizeForBytes):
965         (JSC::MarkedAllocator::tryAllocateBlock):
966         (JSC::MarkedAllocator::addBlock):
967         (JSC::MarkedAllocator::removeBlock):
968         (JSC::MarkedAllocator::stopAllocating):
969         (JSC::MarkedAllocator::reset):
970         (JSC::MarkedAllocator::lastChanceToFinalize):
971         (JSC::MarkedAllocator::setFreeList):
972         (JSC::isListPagedOut): Deleted.
973         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
974         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
975         (JSC::MarkedAllocator::tryAllocate): Deleted.
976         (JSC::MarkedAllocator::allocateBlock): Deleted.
977         * heap/MarkedAllocator.h:
978         (JSC::MarkedAllocator::takeLastActiveBlock):
979         (JSC::MarkedAllocator::offsetOfFreeList):
980         (JSC::MarkedAllocator::offsetOfCellSize):
981         (JSC::MarkedAllocator::tryAllocate):
982         (JSC::MarkedAllocator::allocate):
983         (JSC::MarkedAllocator::forEachBlock):
984         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
985         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
986         (JSC::MarkedAllocator::init): Deleted.
987         (JSC::MarkedAllocator::stopAllocating): Deleted.
988         * heap/MarkedBlock.cpp:
989         (JSC::MarkedBlock::tryCreate):
990         (JSC::MarkedBlock::Handle::Handle):
991         (JSC::MarkedBlock::Handle::~Handle):
992         (JSC::MarkedBlock::MarkedBlock):
993         (JSC::MarkedBlock::Handle::specializedSweep):
994         (JSC::MarkedBlock::Handle::sweep):
995         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
996         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
997         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
998         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
999         (JSC::SetNewlyAllocatedFunctor::operator()):
1000         (JSC::MarkedBlock::Handle::stopAllocating):
1001         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1002         (JSC::MarkedBlock::Handle::resumeAllocating):
1003         (JSC::MarkedBlock::Handle::zap):
1004         (JSC::MarkedBlock::Handle::forEachFreeCell):
1005         (JSC::MarkedBlock::flipIfNecessary):
1006         (JSC::MarkedBlock::Handle::flipIfNecessary):
1007         (JSC::MarkedBlock::flipIfNecessarySlow):
1008         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
1009         (JSC::MarkedBlock::clearMarks):
1010         (JSC::MarkedBlock::assertFlipped):
1011         (JSC::MarkedBlock::needsFlip):
1012         (JSC::MarkedBlock::Handle::needsFlip):
1013         (JSC::MarkedBlock::Handle::willRemoveBlock):
1014         (JSC::MarkedBlock::Handle::didConsumeFreeList):
1015         (JSC::MarkedBlock::markCount):
1016         (JSC::MarkedBlock::Handle::isEmpty):
1017         (JSC::MarkedBlock::clearHasAnyMarked):
1018         (JSC::MarkedBlock::noteMarkedSlow):
1019         (WTF::printInternal):
1020         (JSC::MarkedBlock::create): Deleted.
1021         (JSC::MarkedBlock::destroy): Deleted.
1022         (JSC::MarkedBlock::callDestructor): Deleted.
1023         (JSC::MarkedBlock::specializedSweep): Deleted.
1024         (JSC::MarkedBlock::sweep): Deleted.
1025         (JSC::MarkedBlock::sweepHelper): Deleted.
1026         (JSC::MarkedBlock::stopAllocating): Deleted.
1027         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
1028         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
1029         (JSC::MarkedBlock::resumeAllocating): Deleted.
1030         (JSC::MarkedBlock::didRetireBlock): Deleted.
1031         * heap/MarkedBlock.h:
1032         (JSC::MarkedBlock::VoidFunctor::returnValue):
1033         (JSC::MarkedBlock::CountFunctor::CountFunctor):
1034         (JSC::MarkedBlock::CountFunctor::count):
1035         (JSC::MarkedBlock::CountFunctor::returnValue):
1036         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
1037         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
1038         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
1039         (JSC::MarkedBlock::Handle::state):
1040         (JSC::MarkedBlock::needsDestruction):
1041         (JSC::MarkedBlock::handle):
1042         (JSC::MarkedBlock::Handle::block):
1043         (JSC::MarkedBlock::firstAtom):
1044         (JSC::MarkedBlock::atoms):
1045         (JSC::MarkedBlock::isAtomAligned):
1046         (JSC::MarkedBlock::Handle::cellAlign):
1047         (JSC::MarkedBlock::blockFor):
1048         (JSC::MarkedBlock::Handle::allocator):
1049         (JSC::MarkedBlock::Handle::heap):
1050         (JSC::MarkedBlock::Handle::vm):
1051         (JSC::MarkedBlock::vm):
1052         (JSC::MarkedBlock::Handle::weakSet):
1053         (JSC::MarkedBlock::weakSet):
1054         (JSC::MarkedBlock::Handle::shrink):
1055         (JSC::MarkedBlock::Handle::visitWeakSet):
1056         (JSC::MarkedBlock::Handle::reapWeakSet):
1057         (JSC::MarkedBlock::Handle::cellSize):
1058         (JSC::MarkedBlock::cellSize):
1059         (JSC::MarkedBlock::Handle::attributes):
1060         (JSC::MarkedBlock::attributes):
1061         (JSC::MarkedBlock::Handle::needsDestruction):
1062         (JSC::MarkedBlock::Handle::destruction):
1063         (JSC::MarkedBlock::Handle::cellKind):
1064         (JSC::MarkedBlock::Handle::markCount):
1065         (JSC::MarkedBlock::Handle::size):
1066         (JSC::MarkedBlock::atomNumber):
1067         (JSC::MarkedBlock::flipIfNecessary):
1068         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
1069         (JSC::MarkedBlock::Handle::flipIfNecessary):
1070         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
1071         (JSC::MarkedBlock::Handle::flipForEdenCollection):
1072         (JSC::MarkedBlock::assertFlipped):
1073         (JSC::MarkedBlock::Handle::assertFlipped):
1074         (JSC::MarkedBlock::isMarked):
1075         (JSC::MarkedBlock::testAndSetMarked):
1076         (JSC::MarkedBlock::Handle::isNewlyAllocated):
1077         (JSC::MarkedBlock::Handle::setNewlyAllocated):
1078         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
1079         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
1080         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
1081         (JSC::MarkedBlock::Handle::isLive):
1082         (JSC::MarkedBlock::isAtom):
1083         (JSC::MarkedBlock::Handle::isLiveCell):
1084         (JSC::MarkedBlock::Handle::forEachCell):
1085         (JSC::MarkedBlock::Handle::forEachLiveCell):
1086         (JSC::MarkedBlock::Handle::forEachDeadCell):
1087         (JSC::MarkedBlock::Handle::needsSweeping):
1088         (JSC::MarkedBlock::Handle::isAllocated):
1089         (JSC::MarkedBlock::Handle::isMarked):
1090         (JSC::MarkedBlock::Handle::isFreeListed):
1091         (JSC::MarkedBlock::hasAnyMarked):
1092         (JSC::MarkedBlock::noteMarked):
1093         (WTF::MarkedBlockHash::hash):
1094         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
1095         (JSC::MarkedBlock::allocator): Deleted.
1096         (JSC::MarkedBlock::heap): Deleted.
1097         (JSC::MarkedBlock::shrink): Deleted.
1098         (JSC::MarkedBlock::visitWeakSet): Deleted.
1099         (JSC::MarkedBlock::reapWeakSet): Deleted.
1100         (JSC::MarkedBlock::willRemoveBlock): Deleted.
1101         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
1102         (JSC::MarkedBlock::markCount): Deleted.
1103         (JSC::MarkedBlock::isEmpty): Deleted.
1104         (JSC::MarkedBlock::destruction): Deleted.
1105         (JSC::MarkedBlock::cellKind): Deleted.
1106         (JSC::MarkedBlock::size): Deleted.
1107         (JSC::MarkedBlock::capacity): Deleted.
1108         (JSC::MarkedBlock::setMarked): Deleted.
1109         (JSC::MarkedBlock::clearMarked): Deleted.
1110         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
1111         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
1112         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
1113         (JSC::MarkedBlock::isLive): Deleted.
1114         (JSC::MarkedBlock::isLiveCell): Deleted.
1115         (JSC::MarkedBlock::forEachCell): Deleted.
1116         (JSC::MarkedBlock::forEachLiveCell): Deleted.
1117         (JSC::MarkedBlock::forEachDeadCell): Deleted.
1118         (JSC::MarkedBlock::needsSweeping): Deleted.
1119         (JSC::MarkedBlock::isAllocated): Deleted.
1120         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
1121         * heap/MarkedSpace.cpp:
1122         (JSC::MarkedSpace::initializeSizeClassForStepSize):
1123         (JSC::MarkedSpace::MarkedSpace):
1124         (JSC::MarkedSpace::~MarkedSpace):
1125         (JSC::MarkedSpace::lastChanceToFinalize):
1126         (JSC::MarkedSpace::allocate):
1127         (JSC::MarkedSpace::tryAllocate):
1128         (JSC::MarkedSpace::allocateLarge):
1129         (JSC::MarkedSpace::tryAllocateLarge):
1130         (JSC::MarkedSpace::sweep):
1131         (JSC::MarkedSpace::sweepLargeAllocations):
1132         (JSC::MarkedSpace::zombifySweep):
1133         (JSC::MarkedSpace::resetAllocators):
1134         (JSC::MarkedSpace::visitWeakSets):
1135         (JSC::MarkedSpace::reapWeakSets):
1136         (JSC::MarkedSpace::stopAllocating):
1137         (JSC::MarkedSpace::prepareForMarking):
1138         (JSC::MarkedSpace::resumeAllocating):
1139         (JSC::MarkedSpace::isPagedOut):
1140         (JSC::MarkedSpace::freeBlock):
1141         (JSC::MarkedSpace::freeOrShrinkBlock):
1142         (JSC::MarkedSpace::shrink):
1143         (JSC::MarkedSpace::clearNewlyAllocated):
1144         (JSC::VerifyMarked::operator()):
1145         (JSC::MarkedSpace::flip):
1146         (JSC::MarkedSpace::objectCount):
1147         (JSC::MarkedSpace::size):
1148         (JSC::MarkedSpace::capacity):
1149         (JSC::MarkedSpace::addActiveWeakSet):
1150         (JSC::MarkedSpace::didAddBlock):
1151         (JSC::MarkedSpace::didAllocateInBlock):
1152         (JSC::MarkedSpace::forEachAllocator): Deleted.
1153         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
1154         (JSC::MarkedSpace::clearMarks): Deleted.
1155         * heap/MarkedSpace.h:
1156         (JSC::MarkedSpace::sizeClassToIndex):
1157         (JSC::MarkedSpace::indexToSizeClass):
1158         (JSC::MarkedSpace::version):
1159         (JSC::MarkedSpace::blocksWithNewObjects):
1160         (JSC::MarkedSpace::largeAllocations):
1161         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
1162         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
1163         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
1164         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
1165         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
1166         (JSC::MarkedSpace::forEachLiveCell):
1167         (JSC::MarkedSpace::forEachDeadCell):
1168         (JSC::MarkedSpace::allocatorFor):
1169         (JSC::MarkedSpace::destructorAllocatorFor):
1170         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1171         (JSC::MarkedSpace::allocateWithoutDestructor):
1172         (JSC::MarkedSpace::allocateWithDestructor):
1173         (JSC::MarkedSpace::allocateAuxiliary):
1174         (JSC::MarkedSpace::tryAllocateAuxiliary):
1175         (JSC::MarkedSpace::forEachBlock):
1176         (JSC::MarkedSpace::forEachAllocator):
1177         (JSC::MarkedSpace::optimalSizeFor):
1178         (JSC::MarkedSpace::didAddBlock): Deleted.
1179         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
1180         (JSC::MarkedSpace::objectCount): Deleted.
1181         (JSC::MarkedSpace::size): Deleted.
1182         (JSC::MarkedSpace::capacity): Deleted.
1183         * heap/SlotVisitor.cpp:
1184         (JSC::SlotVisitor::SlotVisitor):
1185         (JSC::SlotVisitor::didStartMarking):
1186         (JSC::SlotVisitor::reset):
1187         (JSC::SlotVisitor::append):
1188         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1189         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1190         (JSC::SlotVisitor::appendToMarkStack):
1191         (JSC::SlotVisitor::markAuxiliary):
1192         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
1193         (JSC::SlotVisitor::visitChildren):
1194         * heap/SlotVisitor.h:
1195         * heap/WeakBlock.cpp:
1196         (JSC::WeakBlock::create):
1197         (JSC::WeakBlock::WeakBlock):
1198         (JSC::WeakBlock::visit):
1199         (JSC::WeakBlock::reap):
1200         * heap/WeakBlock.h:
1201         (JSC::WeakBlock::disconnectContainer):
1202         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
1203         * heap/WeakSet.cpp:
1204         (JSC::WeakSet::~WeakSet):
1205         (JSC::WeakSet::sweep):
1206         (JSC::WeakSet::shrink):
1207         (JSC::WeakSet::addAllocator):
1208         * heap/WeakSet.h:
1209         (JSC::WeakSet::container):
1210         (JSC::WeakSet::setContainer):
1211         (JSC::WeakSet::WeakSet):
1212         (JSC::WeakSet::visit):
1213         (JSC::WeakSet::shrink): Deleted.
1214         * heap/WeakSetInlines.h:
1215         (JSC::WeakSet::allocate):
1216         * inspector/InjectedScriptManager.cpp:
1217         * inspector/JSGlobalObjectInspectorController.cpp:
1218         * inspector/JSJavaScriptCallFrame.cpp:
1219         * inspector/ScriptDebugServer.cpp:
1220         * inspector/agents/InspectorDebuggerAgent.cpp:
1221         * interpreter/CachedCall.h:
1222         (JSC::CachedCall::CachedCall):
1223         * interpreter/Interpreter.cpp:
1224         (JSC::loadVarargs):
1225         (JSC::StackFrame::sourceID): Deleted.
1226         (JSC::StackFrame::sourceURL): Deleted.
1227         (JSC::StackFrame::functionName): Deleted.
1228         (JSC::StackFrame::computeLineAndColumn): Deleted.
1229         (JSC::StackFrame::toString): Deleted.
1230         * interpreter/Interpreter.h:
1231         (JSC::StackFrame::isNative): Deleted.
1232         * jit/AssemblyHelpers.h:
1233         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1234         (JSC::AssemblyHelpers::emitAllocate):
1235         (JSC::AssemblyHelpers::emitAllocateJSCell):
1236         (JSC::AssemblyHelpers::emitAllocateJSObject):
1237         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1238         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1239         * jit/GCAwareJITStubRoutine.cpp:
1240         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1241         * jit/JIT.cpp:
1242         (JSC::JIT::compileCTINativeCall):
1243         (JSC::JIT::link):
1244         * jit/JIT.h:
1245         (JSC::JIT::compileCTINativeCall): Deleted.
1246         * jit/JITExceptions.cpp:
1247         (JSC::genericUnwind):
1248         * jit/JITExceptions.h:
1249         * jit/JITOpcodes.cpp:
1250         (JSC::JIT::emit_op_new_object):
1251         (JSC::JIT::emitSlow_op_new_object):
1252         (JSC::JIT::emit_op_create_this):
1253         (JSC::JIT::emitSlow_op_create_this):
1254         * jit/JITOpcodes32_64.cpp:
1255         (JSC::JIT::emit_op_new_object):
1256         (JSC::JIT::emitSlow_op_new_object):
1257         (JSC::JIT::emit_op_create_this):
1258         (JSC::JIT::emitSlow_op_create_this):
1259         * jit/JITOperations.cpp:
1260         * jit/JITOperations.h:
1261         * jit/JITPropertyAccess.cpp:
1262         (JSC::JIT::emitWriteBarrier):
1263         * jit/JITThunks.cpp:
1264         * jit/JITThunks.h:
1265         * jsc.cpp:
1266         (functionDescribeArray):
1267         (main):
1268         * llint/LLIntData.cpp:
1269         (JSC::LLInt::Data::performAssertions):
1270         * llint/LLIntExceptions.cpp:
1271         * llint/LLIntThunks.cpp:
1272         * llint/LLIntThunks.h:
1273         * llint/LowLevelInterpreter.asm:
1274         * llint/LowLevelInterpreter.cpp:
1275         * llint/LowLevelInterpreter32_64.asm:
1276         * llint/LowLevelInterpreter64.asm:
1277         * parser/ModuleAnalyzer.cpp:
1278         * parser/NodeConstructors.h:
1279         * parser/Nodes.h:
1280         * profiler/ProfilerBytecode.cpp:
1281         * profiler/ProfilerBytecode.h:
1282         * profiler/ProfilerBytecodeSequence.cpp:
1283         * runtime/ArrayConventions.h:
1284         (JSC::indexingHeaderForArrayStorage):
1285         (JSC::baseIndexingHeaderForArrayStorage):
1286         (JSC::indexingHeaderForArray): Deleted.
1287         (JSC::baseIndexingHeaderForArray): Deleted.
1288         * runtime/ArrayPrototype.cpp:
1289         (JSC::arrayProtoFuncSplice):
1290         (JSC::concatAppendOne):
1291         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1292         * runtime/ArrayStorage.h:
1293         (JSC::ArrayStorage::vectorLength):
1294         (JSC::ArrayStorage::totalSizeFor):
1295         (JSC::ArrayStorage::totalSize):
1296         (JSC::ArrayStorage::availableVectorLength):
1297         (JSC::ArrayStorage::optimalVectorLength):
1298         (JSC::ArrayStorage::sizeFor): Deleted.
1299         * runtime/AuxiliaryBarrier.h: Added.
1300         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
1301         (JSC::AuxiliaryBarrier::clear):
1302         (JSC::AuxiliaryBarrier::get):
1303         (JSC::AuxiliaryBarrier::slot):
1304         (JSC::AuxiliaryBarrier::operator bool):
1305         (JSC::AuxiliaryBarrier::setWithoutBarrier):
1306         * runtime/AuxiliaryBarrierInlines.h: Added.
1307         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
1308         (JSC::AuxiliaryBarrier<T>::set):
1309         * runtime/Butterfly.h:
1310         * runtime/ButterflyInlines.h:
1311         (JSC::Butterfly::availableContiguousVectorLength):
1312         (JSC::Butterfly::optimalContiguousVectorLength):
1313         (JSC::Butterfly::createUninitialized):
1314         (JSC::Butterfly::growArrayRight):
1315         * runtime/ClonedArguments.cpp:
1316         (JSC::ClonedArguments::createEmpty):
1317         * runtime/CommonSlowPathsExceptions.cpp:
1318         * runtime/CommonSlowPathsExceptions.h:
1319         * runtime/DataView.cpp:
1320         * runtime/DirectArguments.h:
1321         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1322         * runtime/Error.cpp:
1323         * runtime/Error.h:
1324         * runtime/ErrorInstance.cpp:
1325         * runtime/ErrorInstance.h:
1326         * runtime/Exception.cpp:
1327         * runtime/Exception.h:
1328         * runtime/GeneratorFrame.cpp:
1329         * runtime/GeneratorPrototype.cpp:
1330         * runtime/InternalFunction.cpp:
1331         (JSC::InternalFunction::InternalFunction):
1332         * runtime/IntlCollator.cpp:
1333         * runtime/IntlCollatorConstructor.cpp:
1334         * runtime/IntlCollatorPrototype.cpp:
1335         * runtime/IntlDateTimeFormat.cpp:
1336         * runtime/IntlDateTimeFormatConstructor.cpp:
1337         * runtime/IntlDateTimeFormatPrototype.cpp:
1338         * runtime/IntlNumberFormat.cpp:
1339         * runtime/IntlNumberFormatConstructor.cpp:
1340         * runtime/IntlNumberFormatPrototype.cpp:
1341         * runtime/IntlObject.cpp:
1342         * runtime/IteratorPrototype.cpp:
1343         * runtime/JSArray.cpp:
1344         (JSC::JSArray::tryCreateUninitialized):
1345         (JSC::JSArray::setLengthWritable):
1346         (JSC::JSArray::unshiftCountSlowCase):
1347         (JSC::JSArray::setLengthWithArrayStorage):
1348         (JSC::JSArray::appendMemcpy):
1349         (JSC::JSArray::setLength):
1350         (JSC::JSArray::pop):
1351         (JSC::JSArray::push):
1352         (JSC::JSArray::fastSlice):
1353         (JSC::JSArray::shiftCountWithArrayStorage):
1354         (JSC::JSArray::shiftCountWithAnyIndexingType):
1355         (JSC::JSArray::unshiftCountWithArrayStorage):
1356         (JSC::JSArray::fillArgList):
1357         (JSC::JSArray::copyToArguments):
1358         * runtime/JSArray.h:
1359         (JSC::createContiguousArrayButterfly):
1360         (JSC::createArrayButterfly):
1361         (JSC::JSArray::create):
1362         (JSC::JSArray::tryCreateUninitialized): Deleted.
1363         * runtime/JSArrayBufferView.h:
1364         * runtime/JSCInlines.h:
1365         * runtime/JSCJSValue.cpp:
1366         (JSC::JSValue::dumpInContextAssumingStructure):
1367         * runtime/JSCallee.cpp:
1368         (JSC::JSCallee::JSCallee):
1369         * runtime/JSCell.cpp:
1370         (JSC::JSCell::estimatedSize):
1371         * runtime/JSCell.h:
1372         (JSC::JSCell::cellStateOffset): Deleted.
1373         * runtime/JSCellInlines.h:
1374         (JSC::ExecState::vm):
1375         (JSC::JSCell::classInfo):
1376         (JSC::JSCell::callDestructor):
1377         (JSC::JSCell::vm): Deleted.
1378         * runtime/JSFunction.cpp:
1379         (JSC::JSFunction::create):
1380         (JSC::JSFunction::allocateAndInitializeRareData):
1381         (JSC::JSFunction::initializeRareData):
1382         (JSC::JSFunction::getOwnPropertySlot):
1383         (JSC::JSFunction::put):
1384         (JSC::JSFunction::deleteProperty):
1385         (JSC::JSFunction::defineOwnProperty):
1386         (JSC::JSFunction::setFunctionName):
1387         (JSC::JSFunction::reifyLength):
1388         (JSC::JSFunction::reifyName):
1389         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1390         (JSC::JSFunction::reifyBoundNameIfNeeded):
1391         * runtime/JSFunction.h:
1392         * runtime/JSFunctionInlines.h:
1393         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1394         (JSC::JSFunction::JSFunction):
1395         * runtime/JSGenericTypedArrayViewInlines.h:
1396         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1397         * runtime/JSInternalPromise.cpp:
1398         * runtime/JSInternalPromiseConstructor.cpp:
1399         * runtime/JSInternalPromiseDeferred.cpp:
1400         * runtime/JSInternalPromisePrototype.cpp:
1401         * runtime/JSJob.cpp:
1402         * runtime/JSMapIterator.cpp:
1403         * runtime/JSModuleNamespaceObject.cpp:
1404         * runtime/JSModuleRecord.cpp:
1405         * runtime/JSObject.cpp:
1406         (JSC::JSObject::visitButterfly):
1407         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1408         (JSC::JSObject::createInitialIndexedStorage):
1409         (JSC::JSObject::createInitialUndecided):
1410         (JSC::JSObject::createInitialInt32):
1411         (JSC::JSObject::createInitialDouble):
1412         (JSC::JSObject::createInitialContiguous):
1413         (JSC::JSObject::createArrayStorage):
1414         (JSC::JSObject::createInitialArrayStorage):
1415         (JSC::JSObject::convertUndecidedToInt32):
1416         (JSC::JSObject::convertUndecidedToContiguous):
1417         (JSC::JSObject::convertUndecidedToArrayStorage):
1418         (JSC::JSObject::convertInt32ToDouble):
1419         (JSC::JSObject::convertInt32ToArrayStorage):
1420         (JSC::JSObject::convertDoubleToArrayStorage):
1421         (JSC::JSObject::convertContiguousToArrayStorage):
1422         (JSC::JSObject::putByIndexBeyondVectorLength):
1423         (JSC::JSObject::putDirectIndexBeyondVectorLength):
1424         (JSC::JSObject::getNewVectorLength):
1425         (JSC::JSObject::increaseVectorLength):
1426         (JSC::JSObject::ensureLengthSlow):
1427         (JSC::JSObject::growOutOfLineStorage):
1428         (JSC::JSObject::copyButterfly): Deleted.
1429         (JSC::JSObject::copyBackingStore): Deleted.
1430         * runtime/JSObject.h:
1431         (JSC::JSObject::globalObject):
1432         (JSC::JSObject::putDirectInternal):
1433         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
1434         * runtime/JSObjectInlines.h:
1435         * runtime/JSPromise.cpp:
1436         * runtime/JSPromiseConstructor.cpp:
1437         * runtime/JSPromiseDeferred.cpp:
1438         * runtime/JSPromisePrototype.cpp:
1439         * runtime/JSPropertyNameIterator.cpp:
1440         * runtime/JSScope.cpp:
1441         (JSC::JSScope::resolve):
1442         * runtime/JSScope.h:
1443         (JSC::JSScope::globalObject):
1444         (JSC::JSScope::vm): Deleted.
1445         * runtime/JSSetIterator.cpp:
1446         * runtime/JSStringIterator.cpp:
1447         * runtime/JSTemplateRegistryKey.cpp:
1448         * runtime/JSTypedArrayViewConstructor.cpp:
1449         * runtime/JSTypedArrayViewPrototype.cpp:
1450         * runtime/JSWeakMap.cpp:
1451         * runtime/JSWeakSet.cpp:
1452         * runtime/MapConstructor.cpp:
1453         * runtime/MapIteratorPrototype.cpp:
1454         * runtime/MapPrototype.cpp:
1455         * runtime/NativeErrorConstructor.cpp:
1456         * runtime/NativeStdFunctionCell.cpp:
1457         * runtime/Operations.h:
1458         (JSC::scribbleFreeCells):
1459         (JSC::scribble):
1460         * runtime/Options.h:
1461         * runtime/PropertyTable.cpp:
1462         * runtime/ProxyConstructor.cpp:
1463         * runtime/ProxyObject.cpp:
1464         * runtime/ProxyRevoke.cpp:
1465         * runtime/RegExp.cpp:
1466         (JSC::RegExp::match):
1467         (JSC::RegExp::matchConcurrently):
1468         (JSC::RegExp::matchCompareWithInterpreter):
1469         * runtime/RegExp.h:
1470         * runtime/RegExpConstructor.h:
1471         * runtime/RegExpInlines.h:
1472         (JSC::RegExp::matchInline):
1473         * runtime/RegExpMatchesArray.h:
1474         (JSC::tryCreateUninitializedRegExpMatchesArray):
1475         (JSC::createRegExpMatchesArray):
1476         * runtime/RegExpPrototype.cpp:
1477         (JSC::genericSplit):
1478         * runtime/RuntimeType.cpp:
1479         * runtime/SamplingProfiler.cpp:
1480         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1481         * runtime/SetConstructor.cpp:
1482         * runtime/SetIteratorPrototype.cpp:
1483         * runtime/SetPrototype.cpp:
1484         * runtime/StackFrame.cpp: Added.
1485         (JSC::StackFrame::sourceID):
1486         (JSC::StackFrame::sourceURL):
1487         (JSC::StackFrame::functionName):
1488         (JSC::StackFrame::computeLineAndColumn):
1489         (JSC::StackFrame::toString):
1490         * runtime/StackFrame.h: Added.
1491         (JSC::StackFrame::isNative):
1492         * runtime/StringConstructor.cpp:
1493         * runtime/StringIteratorPrototype.cpp:
1494         * runtime/StructureInlines.h:
1495         (JSC::Structure::propertyTable):
1496         * runtime/TemplateRegistry.cpp:
1497         * runtime/TestRunnerUtils.cpp:
1498         (JSC::finalizeStatsAtEndOfTesting):
1499         * runtime/TestRunnerUtils.h:
1500         * runtime/TypeProfilerLog.cpp:
1501         * runtime/TypeSet.cpp:
1502         * runtime/VM.cpp:
1503         (JSC::VM::VM):
1504         (JSC::VM::ensureStackCapacityForCLoop):
1505         (JSC::VM::isSafeToRecurseSoftCLoop):
1506         * runtime/VM.h:
1507         * runtime/VMEntryScope.h:
1508         * runtime/VMInlines.h:
1509         (JSC::VM::ensureStackCapacityFor):
1510         (JSC::VM::isSafeToRecurseSoft):
1511         * runtime/WeakMapConstructor.cpp:
1512         * runtime/WeakMapData.cpp:
1513         * runtime/WeakMapPrototype.cpp:
1514         * runtime/WeakSetConstructor.cpp:
1515         * runtime/WeakSetPrototype.cpp:
1516         * testRegExp.cpp:
1517         (testOneRegExp):
1518         * tools/JSDollarVM.cpp:
1519         * tools/JSDollarVMPrototype.cpp:
1520         (JSC::JSDollarVMPrototype::isInObjectSpace):
1521
1522 2016-09-04  Commit Queue  <commit-queue@webkit.org>
1523
1524         Unreviewed, rolling out r205415.
1525         https://bugs.webkit.org/show_bug.cgi?id=161573
1526
1527         Many bots see inspector test failures, rolling out now and
1528         investigating later. (Requested by brrian on #webkit).
1529
1530         Reverted changeset:
1531
1532         "Web Inspector: unify Main.html and Test.html sources and
1533         generate different copies with the preprocessor"
1534         https://bugs.webkit.org/show_bug.cgi?id=161212
1535         http://trac.webkit.org/changeset/205415
1536
1537 2016-09-01  Brian Burg  <bburg@apple.com>
1538
1539         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
1540         https://bugs.webkit.org/show_bug.cgi?id=161212
1541         <rdar://problem/28017961>
1542
1543         Reviewed by Joseph Pecoraro.
1544
1545         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
1546
1547 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
1548
1549         Use ASCIILiteral in some more places
1550         https://bugs.webkit.org/show_bug.cgi?id=161557
1551
1552         Reviewed by Darin Adler.
1553
1554         * runtime/TypeSet.h:
1555         (JSC::StructureShape::setConstructorName):
1556
1557 2016-09-01  Michael Saboff  <msaboff@apple.com>
1558
1559         Import Chakra tests to JSC
1560         https://bugs.webkit.org/show_bug.cgi?id=154697
1561
1562         Reviewed by Saam Barati.
1563
1564         Added --dumpException option to jsc command line utility to dump uncaught exception
1565         text even for the last exception that matches --exception.  This is used to
1566         check the exception text for a test that is expected to end on an exception.
1567         Chakra has several tests of this form and does the same thing when such a test
1568         ends with an exception.  Tests that rely on this behavior have had their expected
1569         output updated for JSC specific text.
1570
1571         * jsc.cpp:
1572
1573 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
1574
1575         [JSC] Remove some more useless cases from FTL Capabilities
1576         https://bugs.webkit.org/show_bug.cgi?id=161466
1577
1578         Reviewed by Geoffrey Garen.
1579
1580         Some cases do not make sense:
1581         -In: Fixup only generates CellUse.
1582         -PutByIdXXX: same.
1583         -GetIndexedPropertyStorage: those cases are the only ones supported
1584          by DFG. We would have crashed in SpeculativeJIT if other modes
1585          were generated.
1586
1587         * ftl/FTLCapabilities.cpp:
1588         (JSC::FTL::canCompile):
1589         * ftl/FTLLowerDFGToB3.cpp:
1590         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1591         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1592         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1593
1594 2016-09-02  Chris Dumez  <cdumez@apple.com>
1595
1596         Unreviewed, roll out r205354 because it caused JSC test failures
1597
1598         * jsc.cpp:
1599         * runtime/JSGlobalObject.cpp:
1600         * runtime/JSGlobalObject.h:
1601         (JSC::JSGlobalObject::allowsAccessFrom):
1602         (JSC::JSGlobalObject::setDebugger): Deleted.
1603         * runtime/JSGlobalObjectFunctions.cpp:
1604         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1605         (JSC::GlobalFuncProtoGetterFunctor::result):
1606         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1607         (JSC::globalFuncProtoGetter):
1608         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
1609         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
1610         (JSC::GlobalFuncProtoSetterFunctor::operator()):
1611         (JSC::checkProtoSetterAccessAllowed):
1612         (JSC::globalFuncProtoSetter):
1613         * runtime/JSGlobalObjectFunctions.h:
1614         * runtime/JSObject.cpp:
1615         (JSC::JSObject::setPrototypeWithCycleCheck):
1616         (JSC::JSObject::allowsAccessFrom):
1617         * runtime/JSObject.h:
1618         * runtime/JSProxy.cpp:
1619         * runtime/JSProxy.h:
1620         * runtime/ObjectConstructor.cpp:
1621         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1622         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
1623         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1624         (JSC::objectConstructorGetPrototypeOf):
1625         (JSC::objectConstructorSetPrototypeOf):
1626         * runtime/ObjectConstructor.h:
1627         * runtime/ReflectObject.cpp:
1628         (JSC::reflectObjectGetPrototypeOf):
1629         (JSC::reflectObjectSetPrototypeOf):
1630
1631 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
1632
1633         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
1634         https://bugs.webkit.org/show_bug.cgi?id=160802
1635
1636         Reviewed by Saam Barati.
1637
1638         This patch fixes a broken mechanism of MathIC that avoids allocating
1639         a register for LHS or RHS if one of these operands is proven to be a valid
1640         constant for JIT*Generator. In the previous implementation, even if the
1641         JIT*Generator was not using an operand register because it was proven to be a
1642         constant, compileMathIC and emitICFast were allocating a register for
1643         it. This was broken because mathIC->isLeftOperandValidConstant and
1644         mathIC->isLeftOperandValidConstant were being called before its Generator was
1645         properly initialized. We changed this mechanism to enable Generators to write
1646         their validConstant rules using the static methods isLeftOperandValidConstant(SnippetOperand)
1647         and isRightOperandValidConstant(SnippetOperand).
1648
1649         * dfg/DFGSpeculativeJIT.cpp:
1650         (JSC::DFG::SpeculativeJIT::compileMathIC):
1651         * jit/JITAddGenerator.h:
1652         (JSC::JITAddGenerator::JITAddGenerator):
1653         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1654         (JSC::JITAddGenerator::isRightOperandValidConstant):
1655         * jit/JITArithmetic.cpp:
1656         (JSC::JIT::emitMathICFast):
1657         * jit/JITMathIC.h:
1658         * jit/JITMulGenerator.h:
1659         (JSC::JITMulGenerator::JITMulGenerator):
1660         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1661         (JSC::JITMulGenerator::isRightOperandValidConstant):
1662         * jit/JITSubGenerator.h:
1663         (JSC::JITSubGenerator::isLeftOperandValidConstant):
1664         (JSC::JITSubGenerator::isRightOperandValidConstant):
1665
1666 2016-09-02  JF Bastien  <jfbastien@apple.com>
1667
1668         GetByValWithThis: fix opInfo in DFG creation
1669         https://bugs.webkit.org/show_bug.cgi?id=161541
1670
1671         Reviewed by Saam Barati.
1672
1673         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
1674
1675         * dfg/DFGByteCodeParser.cpp:
1676         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
1677
1678 2016-09-02  Chris Dumez  <cdumez@apple.com>
1679
1680         Object.preventExtensions() should throw cross-origin
1681         https://bugs.webkit.org/show_bug.cgi?id=161486
1682
1683         Reviewed by Geoffrey Garen.
1684
1685         Update JSProxy to forward preventExtensions() calls to its target.
1686
1687         * runtime/JSProxy.cpp:
1688         (JSC::JSProxy::preventExtensions):
1689         * runtime/JSProxy.h:
1690
1691 2016-09-02  Chris Dumez  <cdumez@apple.com>
1692
1693         Align proto getter / setter behavior with other browsers
1694         https://bugs.webkit.org/show_bug.cgi?id=161455
1695
1696         Reviewed by Mark Lam.
1697
1698         Drop allowsAccessFrom from the methodTable and delegate cross-origin
1699         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
1700         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
1701
1702         * jsc.cpp:
1703         * runtime/JSGlobalObject.cpp:
1704         * runtime/JSGlobalObject.h:
1705         * runtime/JSGlobalObjectFunctions.cpp:
1706         (JSC::globalFuncProtoGetter):
1707         (JSC::globalFuncProtoSetter):
1708         (JSC::globalFuncBuiltinLog): Deleted.
1709         * runtime/JSGlobalObjectFunctions.h:
1710         * runtime/JSObject.h:
1711         (JSC::JSObject::getArrayLength): Deleted.
1712         * runtime/JSProxy.cpp:
1713         (JSC::JSProxy::setPrototype):
1714         (JSC::JSProxy::getPrototype):
1715         * runtime/JSProxy.h:
1716         * runtime/ObjectConstructor.cpp:
1717         (JSC::objectConstructorGetPrototypeOf):
1718         (JSC::objectConstructorSetPrototypeOf):
1719         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
1720         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
1721         * runtime/ObjectConstructor.h:
1722         * runtime/ReflectObject.cpp:
1723         (JSC::reflectObjectGetPrototypeOf):
1724         (JSC::reflectObjectSetPrototypeOf):
1725
1726         * runtime/JSObject.cpp:
1727         (JSC::JSObject::setPrototypeWithCycleCheck):
1728         Comment out the check added in r197648. This check was added to match
1729         the latest ECMAScript spec:
1730         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
1731         This check allowed for [[Prototype]] chain cycles if the prototype
1732         chain includes objects that do not use the ordinary object definitions
1733         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
1734         The issue is that the rest of our code base does not properly handle
1735         such cycles and we can end up in infinite loops. This became obvious
1736         because this patch updates Window / Location so that they no longer
1737         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
1738         comment out this check, I get an infinite loop in
1739         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
1740         called from JSObject::setPrototypeDirect(), when running the following
1741         layout test:
1742         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
1743         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
1744         issue.
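
        The cycle rule this entry refers to, as an added example in JavaScript that is
        not WebKit code: a model of the spec's OrdinarySetPrototypeOf
        (https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof) over plain records.
        It shows that step 8 rejects a cycle built only from ordinary objects but accepts
        one routed through an object whose [[GetPrototypeOf]] is not ordinary, and that a
        chain walk which assumes chains are acyclic then needs an explicit bound to avoid
        hanging. The record fields (proto, extensible, ordinaryGetPrototypeOf), the helper
        names and the exotic record standing in for Location are this example's own
        constructed assumptions.

```javascript
// Added example, not WebKit code: a model of OrdinarySetPrototypeOf from
// https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof using plain
// records in place of engine objects. Field and helper names are assumptions
// made for this example only.

// Constructed object model: `proto` stands for [[Prototype]], `extensible`
// for [[Extensible]], and `ordinaryGetPrototypeOf` is false for objects that
// override [[GetPrototypeOf]] (the spec's exotic case, e.g. a Proxy, or the
// DOM's WindowProxy / Location once they stop using the ordinary method).
function makeObject(name, { extensible = true, ordinaryGetPrototypeOf = true } = {}) {
  return { name, proto: null, extensible, ordinaryGetPrototypeOf };
}

// OrdinarySetPrototypeOf(O, V): returns true on success, false when rejected.
function ordinarySetPrototypeOf(O, V) {
  const current = O.proto;
  if (V === current) return true;          // same prototype: nothing to do
  if (!O.extensible) return false;         // non-extensible objects refuse a change
  let p = V;
  let done = false;
  while (!done) {                          // step 8: walk V's chain looking for O
    if (p === null) {
      done = true;                         // reached the end: no cycle
    } else if (p === O) {
      return false;                        // O is already on V's chain: cycle, reject
    } else if (!p.ordinaryGetPrototypeOf) {
      done = true;                         // exotic [[GetPrototypeOf]]: stop checking here
    } else {
      p = p.proto;
    }
  }
  O.proto = V;
  return true;
}

// A chain walk written as if chains were always acyclic, but with a hard bound
// so it cannot hang. Returns whether the bound was hit and the names visited.
function walkPrototypeChain(O, maxSteps = 1000) {
  const visited = [];
  let p = O;
  let steps = 0;
  while (p !== null) {
    if (steps++ >= maxSteps) return { cycle: true, visited };
    visited.push(p.name);
    p = p.proto;
  }
  return { cycle: false, visited };
}

function demo() {
  // Scenario 1: a cycle made only of ordinary objects is rejected.
  const a = makeObject('a');
  const b = makeObject('b');
  ordinarySetPrototypeOf(b, a);                             // b -> a
  const ordinaryCycleRejected = ordinarySetPrototypeOf(a, b) === false;

  // Scenario 2: the same shape routed through an exotic object passes the
  // check, because the walk stops at the first non-ordinary [[GetPrototypeOf]].
  const c = makeObject('c');
  const loc = makeObject('Location', { ordinaryGetPrototypeOf: false });
  loc.proto = c;                                            // constructed state: loc -> c
  const exoticCycleAccepted = ordinarySetPrototypeOf(c, loc); // now c -> loc -> c

  // An unguarded walk over that chain never reaches null; only the bound stops it.
  const walk = walkPrototypeChain(c, 8);
  return { ordinaryCycleRejected, exoticCycleAccepted, walk };
}

const result = demo();
console.log(result.ordinaryCycleRejected, result.exoticCycleAccepted, result.walk.cycle);
```

        The bounded walker is the defensive point: once an engine admits cycles of
        the second kind, every piece of code that iterates a prototype chain has to
        bound the walk or track visited objects. The hang in
        Structure::anyObjectInChainMayInterceptIndexedAccesses() described above is
        an unguarded walk over exactly such a chain.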
1745
1746 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1747
1748         Add toJS for JSC::PrivateName
1749         https://bugs.webkit.org/show_bug.cgi?id=161522
1750
1751         Reviewed by Ryosuke Niwa.
1752
1753         Add the export annotation.
1754         We also refactor RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
1755         since PrivateName never holds a null SymbolImpl pointer. Along with this change,
1756         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
1757
1758         * runtime/Completion.cpp:
1759         (JSC::createSymbolForEntryPointModule):
1760         * runtime/IdentifierInlines.h:
1761         (JSC::Identifier::fromUid):
1762         * runtime/JSFunction.cpp:
1763         (JSC::JSFunction::setFunctionName):
1764         * runtime/PrivateName.h:
1765         (JSC::PrivateName::PrivateName):
1766         (JSC::PrivateName::uid): Ugly const_cast. But the const annotation is meaningless for SymbolImpl.
1767         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
1768         But most users (one of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
1769         (JSC::PrivateName::operator==):
1770         (JSC::PrivateName::operator!=):
1771         * runtime/PropertyName.h:
1772         (JSC::PropertyName::PropertyName):
1773         * runtime/Symbol.cpp:
1774         (JSC::Symbol::finishCreation):
1775         * runtime/Symbol.h:
1776         * runtime/SymbolConstructor.cpp:
1777         (JSC::symbolConstructorKeyFor):
1778
1779 2016-09-01  Dan Bernstein  <mitz@apple.com>
1780
1781         Build fix.
1782
1783         * Configurations/FeatureDefines.xcconfig:
1784
1785 2016-09-01  JF Bastien  <jfbastien@apple.com>
1786
1787         jsc: fix cmake build missing symbol getPropertySlot
1788         https://bugs.webkit.org/show_bug.cgi?id=161521
1789
1790         Reviewed by Saam Barati.
1791
1792         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
1793         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
1794
1795 2016-09-01  JF Bastien  <jfbastien@apple.com>
1796
1797         jsc: provide printErr()
1798         https://bugs.webkit.org/show_bug.cgi?id=161513
1799
1800         Reviewed by Mark Lam.
1801
1802         * jsc.cpp:
1803         (GlobalObject::finishCreation):
1804         (printInternal): renamed from functionPrint, add error checking
1805         (functionPrintStdOut): punt to printInternal
1806         (functionPrintStdErr): punt to printInternal
1807         (functionPrint): Deleted.
1808
1809 2016-09-01  Mark Lam  <mark.lam@apple.com>
1810
1811         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
1812         https://bugs.webkit.org/show_bug.cgi?id=161499
1813
1814         Reviewed by Saam Barati.
1815
1816         This is just a refactoring patch to move some inline functions to their Inlines.h
1817         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
1818         later.
1819
1820         * bindings/ScriptValue.cpp:
1821         * interpreter/Interpreter.cpp:
1822         * runtime/IntlDateTimeFormatPrototype.cpp:
1823         * runtime/IntlNumberFormatPrototype.cpp:
1824         * runtime/JSArray.cpp:
1825         * runtime/JSArray.h:
1826         (JSC::getLength): Deleted.
1827         (JSC::toLength): Deleted.
1828         * runtime/JSArrayInlines.h:
1829         (JSC::JSArray::mergeIndexingTypeForCopying):
1830         (JSC::JSArray::canFastCopy):
1831         (JSC::getLength):
1832         (JSC::toLength):
1833         * runtime/JSInternalPromise.cpp:
1834         * runtime/JSInternalPromiseDeferred.cpp:
1835         * runtime/JSJob.cpp:
1836         * runtime/JSModuleRecord.cpp:
1837         * runtime/JSObject.h:
1838         (JSC::JSObject::getPropertySlot): Deleted.
1839         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
1840         * runtime/JSObjectInlines.h:
1841         (JSC::JSObject::getPropertySlot):
1842         (JSC::JSObject::getNonIndexPropertySlot):
1843         * runtime/JSPromiseDeferred.cpp:
1844         * runtime/JSTypedArrayViewPrototype.cpp:
1845         * runtime/MapConstructor.cpp:
1846         * runtime/SamplingProfiler.cpp:
1847         * runtime/SetConstructor.cpp:
1848         * runtime/WeakMapConstructor.cpp:
1849         * runtime/WeakSetConstructor.cpp:
1850
1851 2016-09-01  JF Bastien  <jfbastien@apple.com>
1852
1853         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
1854         https://bugs.webkit.org/show_bug.cgi?id=160922
1855
1856         Reviewed by Keith Miller.
1857
1858         Add value profiling to GetBy{Id,Val}WithThis.
1859
1860         * bytecode/BytecodeList.json:
1861         * bytecode/CodeBlock.cpp:
1862         (JSC::CodeBlock::dumpBytecode):
1863         (JSC::CodeBlock::finishCreation):
1864         * bytecompiler/BytecodeGenerator.cpp:
1865         (JSC::BytecodeGenerator::emitGetById):
1866         (JSC::BytecodeGenerator::emitGetByVal):
1867         * dfg/DFGByteCodeParser.cpp:
1868         (JSC::DFG::ByteCodeParser::parseBlock):
1869         * dfg/DFGNode.h:
1870         (JSC::DFG::Node::hasHeapPrediction):
1871         * dfg/DFGPredictionPropagationPhase.cpp:
1872         * llint/LowLevelInterpreter.asm:
1873         * runtime/CommonSlowPaths.cpp:
1874         (JSC::SLOW_PATH_DECL):
1875
1876 2016-09-01  Keith Miller  <keith_miller@apple.com>
1877
1878         WASM functions should be able to use arguments
1879         https://bugs.webkit.org/show_bug.cgi?id=161471
1880
1881         Reviewed by Benjamin Poulain.
1882
1883         This patch does a couple of changes:
1884
1885         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additionally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
1886
1887         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0, since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
1888
1889         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
1890
1891         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
1892         (JSC::B3::jscCallingConvention):
1893         * B3CallingConventions.h: Added.
1894         (JSC::B3::CallingConvention::CallingConvention):
1895         (JSC::B3::CallingConvention::iterate):
1896         (JSC::B3::nextJSCOffset):
1897         * JavaScriptCore.xcodeproj/project.pbxproj:
1898         * interpreter/ProtoCallFrame.h:
1899         * llint/LLIntThunks.cpp:
1900         (JSC::vmEntryToWASM):
1901         * llint/LLIntThunks.h:
1902         * testWASM.cpp:
1903         (invoke):
1904         (box):
1905         (runWASMTests):
1906         * wasm/WASMB3IRGenerator.cpp:
1907         (JSC::WASM::B3IRGenerator::addLocal):
1908         (JSC::WASM::B3IRGenerator::addArguments):
1909         (JSC::WASM::B3IRGenerator::getLocal):
1910         * wasm/WASMFormat.h:
1911         * wasm/WASMFunctionParser.h:
1912         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1913         (JSC::WASM::FunctionParser<Context>::parseExpression):
1914         * wasm/WASMModuleParser.cpp:
1915         (JSC::WASM::ModuleParser::parseFunctionTypes):
1916         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1917         * wasm/WASMModuleParser.h:
1918         * wasm/WASMOps.h:
1919
1920 2016-09-01  Keith Miller  <keith_miller@apple.com>
1921
1922         Rename WASM classes dropping the WASM prefix
1923         https://bugs.webkit.org/show_bug.cgi?id=161500
1924
1925         Reviewed by Mark Lam.
1926
1927         Having to write WASM::WASMModule seems silly. Also, this patch
1928         merges WASMFunctionReturnType and WASMValueType into one type
1929         that is a typedef of B3::Type. Using B3::Type as the WASM
1930         primitive type makes it trivial to convert a Vector of WASM
1931         types into a Vector of B3 types.
1932
1933         * b3/B3Type.h:
1934         * wasm/JSWASMModule.h:
1935         (JSC::JSWASMModule::signatures):
1936         (JSC::JSWASMModule::functionImports):
1937         (JSC::JSWASMModule::functionImportSignatures):
1938         (JSC::JSWASMModule::globalVariableTypes):
1939         (JSC::JSWASMModule::functionDeclarations):
1940         (JSC::JSWASMModule::functionPointerTables):
1941         * wasm/WASMB3IRGenerator.cpp:
1942         (JSC::WASM::toB3Op):
1943         (JSC::WASM::B3IRGenerator::addLocal):
1944         (JSC::WASM::B3IRGenerator::unaryOp):
1945         (JSC::WASM::B3IRGenerator::binaryOp):
1946         (JSC::WASM::B3IRGenerator::addConstant):
1947         (JSC::WASM::parseAndCompile):
1948         * wasm/WASMB3IRGenerator.h:
1949         * wasm/WASMFormat.h:
1950         * wasm/WASMFunctionParser.h:
1951         (JSC::WASM::FunctionParser<Context>::FunctionParser):
1952         (JSC::WASM::FunctionParser<Context>::parse):
1953         (JSC::WASM::FunctionParser<Context>::parseBlock):
1954         (JSC::WASM::FunctionParser<Context>::parseExpression):
1955         (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser): Deleted.
1956         (JSC::WASM::WASMFunctionParser<Context>::parse): Deleted.
1957         (JSC::WASM::WASMFunctionParser<Context>::parseBlock): Deleted.
1958         (JSC::WASM::WASMFunctionParser<Context>::parseExpression): Deleted.
1959         * wasm/WASMModuleParser.cpp:
1960         (JSC::WASM::ModuleParser::parse):
1961         (JSC::WASM::ModuleParser::parseFunctionTypes):
1962         (JSC::WASM::ModuleParser::parseFunctionSignatures):
1963         (JSC::WASM::ModuleParser::parseFunctionDefinitions):
1964         (JSC::WASM::WASMModuleParser::parse): Deleted.
1965         (JSC::WASM::WASMModuleParser::parseFunctionTypes): Deleted.
1966         (JSC::WASM::WASMModuleParser::parseFunctionSignatures): Deleted.
1967         (JSC::WASM::WASMModuleParser::parseFunctionDefinitions): Deleted.
1968         * wasm/WASMModuleParser.h:
1969         (JSC::WASM::ModuleParser::ModuleParser):
1970         (JSC::WASM::ModuleParser::functionInformation):
1971         (JSC::WASM::WASMModuleParser::WASMModuleParser): Deleted.
1972         (JSC::WASM::WASMModuleParser::functionInformation): Deleted.
1973         * wasm/WASMOps.h:
1974         * wasm/WASMParser.h:
1975         (JSC::WASM::Parser::Parser):
1976         (JSC::WASM::Parser::consumeCharacter):
1977         (JSC::WASM::Parser::consumeString):
1978         (JSC::WASM::Parser::parseUInt32):
1979         (JSC::WASM::Parser::parseUInt7):
1980         (JSC::WASM::Parser::parseVarUInt1):
1981         (JSC::WASM::Parser::parseValueType):
1982         (JSC::WASM::WASMParser::WASMParser): Deleted.
1983         (JSC::WASM::WASMParser::consumeCharacter): Deleted.
1984         (JSC::WASM::WASMParser::consumeString): Deleted.
1985         (JSC::WASM::WASMParser::parseUInt32): Deleted.
1986         (JSC::WASM::WASMParser::parseUInt7): Deleted.
1987         (JSC::WASM::WASMParser::parseVarUInt1): Deleted.
1988         (JSC::WASM::WASMParser::parseValueType): Deleted.
1989         * wasm/WASMPlan.cpp:
1990         (JSC::WASM::Plan::Plan):
1991         * wasm/WASMSections.cpp:
1992         (JSC::WASM::Sections::lookup):
1993         (JSC::WASM::WASMSections::lookup): Deleted.
1994         * wasm/WASMSections.h:
1995         (JSC::WASM::Sections::validateOrder):
1996         (JSC::WASM::WASMSections::validateOrder): Deleted.
1997
1998 2016-09-01  Filip Pizlo  <fpizlo@apple.com>
1999
2000         ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
2001         https://bugs.webkit.org/show_bug.cgi?id=161492
2002
2003         Reviewed by Mark Lam.
2004         
2005         If you materialize a sunken object that is referenced from another sunken object, then you
2006         have to emit a PutHint to tell OSR that the latter object now refers to a materialized
2007         object rather than to the old sunken one.
2008         
2009         The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
2010         did it when the PromotedLocationDescriptor for the field used for referring to the other
2011         object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
2012         I can sort of imagine why we thought that would be right - neededForMaterialization() means
2013         it's a special meta-data field initialized on construction. But just because it's immutable
2014         and special doesn't mean that materialization can't change its physical representation.
2015         Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
2016         regress anything.
2017
2018         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2019
2020 2016-09-01  Chris Dumez  <cdumez@apple.com>
2021
2022         Unreviewed, rolling out r205297.
2023
2024         Caused some JSC test failures
2025
2026         Reverted changeset:
2027
2028         "Align cross-origin proto getter / setter behavior with the
2029         specification"
2030         https://bugs.webkit.org/show_bug.cgi?id=161455
2031         http://trac.webkit.org/changeset/205297
2032
2033 2016-09-01  Chris Dumez  <cdumez@apple.com>
2034
2035         Align cross-origin proto getter / setter behavior with the specification
2036         https://bugs.webkit.org/show_bug.cgi?id=161455
2037
2038         Reviewed by Mark Lam.
2039
2040         Align cross-origin proto getter / setter behavior with the specification:
2041
2042         The setter should throw a TypeError:
2043         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
2044         - https://html.spec.whatwg.org/#location-setprototypeof
2045         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
2046
2047         The getter should return null:
2048         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
2049         - https://html.spec.whatwg.org/#location-getprototypeof
2050
2051         I have verified that this aligns our behavior with Firefox and Chrome.
2052
2053         * runtime/JSGlobalObjectFunctions.cpp:
2054         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2055         (JSC::globalFuncProtoSetter):
2056
2057 2016-09-01  Csaba Osztrogonác  <ossy@webkit.org>
2058
2059         Unreviewed ARM buildfix after r205283.
2060
2061         * assembler/ARMAssembler.h:
2062         (JSC::ARMAssembler::patchableJumpSize):
2063         * assembler/MacroAssemblerARM.h:
2064         (JSC::MacroAssemblerARM::patchableJumpSize):
2065
2066 2016-09-01  Saam Barati  <sbarati@apple.com>
2067
2068         JITMathIC was misusing maxJumpReplacementSize
2069         https://bugs.webkit.org/show_bug.cgi?id=161356
2070         <rdar://problem/28065560>
2071
2072         Reviewed by Benjamin Poulain.
2073
2074         JITMathIC was assuming that maxJumpReplacementSize is the size
2075         you'd get if you emitted a patchableJump() using the macro assembler.
2076         This is not true, however. It happens to be true on arm64, x86 and x86-64;
2077         however, it is not true on armv7. This patch introduces an alternative to
2078         maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
2079         to use that number instead.
2080
2081         * assembler/ARM64Assembler.h:
2082         (JSC::ARM64Assembler::patchableJumpSize):
2083         (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
2084         * assembler/ARMv7Assembler.h:
2085         (JSC::ARMv7Assembler::patchableJumpSize):
2086         (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
2087         * assembler/MacroAssemblerARM64.h:
2088         (JSC::MacroAssemblerARM64::patchableJumpSize):
2089         * assembler/MacroAssemblerARMv7.h:
2090         (JSC::MacroAssemblerARMv7::patchableJumpSize):
2091         * assembler/MacroAssemblerX86Common.h:
2092         (JSC::MacroAssemblerX86Common::patchableJumpSize):
2093         * assembler/X86Assembler.h:
2094         (JSC::X86Assembler::patchableJumpSize):
2095         (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
2096         * jit/JITMathIC.h:
2097         (JSC::JITMathIC::generateInline):
2098
2099 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2100
2101         [JSC] Add initiator parameter to module pipeline
2102         https://bugs.webkit.org/show_bug.cgi?id=161470
2103
2104         Reviewed by Saam Barati.
2105
2106         The fetching semantics of the <script type="module"> tag have a per-module-tag context.
2107         For example, the "nonce", "crossorigin", etc. attributes are shared by the fetch requests
2108         issued from the module tag. To transfer this information, we add a new parameter, "initiator",
2109         to the module loader pipeline. We are planning to transfer the information through this parameter.
2110
2111         At the same time, we also perform some clean up.
2112
2113         - Use arrow function in ModuleLoaderPrototype.js.
2114         - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.
2115
2116         * builtins/ModuleLoaderPrototype.js:
2117         (newRegistryEntry):
2118         (commitInstantiated):
2119         (requestFetch):
2120         (requestTranslate):
2121         (requestInstantiate):
2122         (requestSatisfy):
2123         (requestInstantiateAll):
2124         (requestLink):
2125         (moduleEvaluation):
2126         (provide):
2127         (loadAndEvaluateModule):
2128         (requestResolveDependencies.): Deleted.
2129         (requestResolveDependencies): Deleted.
2130         (requestReady): Deleted.
2131         (link): Deleted.
2132         (loadModule): Deleted.
2133         (linkAndEvaluateModule): Deleted.
2134         * bytecode/BytecodeIntrinsicRegistry.cpp:
2135         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2136         * bytecode/BytecodeIntrinsicRegistry.h:
2137         * jsc.cpp:
2138         (GlobalObject::moduleLoaderResolve):
2139         (GlobalObject::moduleLoaderFetch):
2140         * runtime/Completion.cpp:
2141         (JSC::loadAndEvaluateModule):
2142         (JSC::loadModule):
2143         (JSC::linkAndEvaluateModule):
2144         * runtime/Completion.h:
2145         * runtime/JSGlobalObject.h:
2146         * runtime/JSModuleLoader.cpp:
2147         (JSC::JSModuleLoader::loadAndEvaluateModule):
2148         (JSC::JSModuleLoader::loadModule):
2149         (JSC::JSModuleLoader::linkAndEvaluateModule):
2150         (JSC::JSModuleLoader::resolve):
2151         (JSC::JSModuleLoader::fetch):
2152         (JSC::JSModuleLoader::translate):
2153         (JSC::JSModuleLoader::instantiate):
2154         (JSC::JSModuleLoader::evaluate):
2155         * runtime/JSModuleLoader.h:
2156         * runtime/ModuleLoaderPrototype.cpp:
2157         (JSC::moduleLoaderPrototypeResolve):
2158         (JSC::moduleLoaderPrototypeFetch):
2159         (JSC::moduleLoaderPrototypeTranslate):
2160         (JSC::moduleLoaderPrototypeInstantiate):
2161         (JSC::moduleLoaderPrototypeEvaluate):
2162
2163 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2164
2165         [JSC] linking and evaluating the modules are done in a sync manner
2166         https://bugs.webkit.org/show_bug.cgi?id=161467
2167
2168         Reviewed by Saam Barati.
2169
2170         While the fetching and the other stages are done in an asynchronous manner,
2171         linking and evaluating are done in a sync manner.
2172         Just return the result value and do not wrap it in the internal promise.
2173
2174         * builtins/ModuleLoaderPrototype.js:
2175         (linkAndEvaluateModule):
2176         * runtime/Completion.cpp:
2177         (JSC::linkAndEvaluateModule):
2178         * runtime/Completion.h:
2179         * runtime/JSModuleLoader.cpp:
2180         (JSC::JSModuleLoader::linkAndEvaluateModule):
2181         * runtime/JSModuleLoader.h:
2182
2183 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2184
2185         stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
2186         https://bugs.webkit.org/show_bug.cgi?id=161436
2187
2188         Reviewed by Filip Pizlo.
2189
2190         * jsc.cpp:
2191         (GlobalObject::finishCreation):
2192         (functionGetRandomSeed):
2193         (functionSetRandomSeed):
2194         * runtime/JSGlobalObject.h:
2195         (JSC::JSGlobalObject::weakRandom):
2196         (JSC::JSGlobalObject::weakRandomInteger): Deleted.
2197
2198 2016-08-31  Chris Dumez  <cdumez@apple.com>
2199
2200         Object.getPrototypeOf() should return null cross-origin
2201         https://bugs.webkit.org/show_bug.cgi?id=161393
2202
2203         Reviewed by Geoffrey Garen.
2204
2205         Object.getPrototypeOf() should return null cross-origin:
2206         - https://html.spec.whatwg.org/#windowproxy-getprototypeof
2207         - https://html.spec.whatwg.org/#location-getprototypeof
2208
2209         Firefox and Chrome return null. However, WebKit was returning undefined.
2210
2211         * runtime/ObjectConstructor.cpp:
2212         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2213
2214 2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2215
2216         [JSC] AbstractValue can contain padding which is not zero-filled
2217         https://bugs.webkit.org/show_bug.cgi?id=161427
2218
2219         Reviewed by Saam Barati.
2220
2221         We checked that AbstractValue is zero-filled when initializing it to ensure
2222         that zero-filled memory can be used as the initialized AbstractValue.
2223         However, since the size of SpeculatedType became 64 bits, AbstractValue can now
2224         have padding, and this padding is not guaranteed to be initialized with zeros.
2225         So a debug assertion fails when building with GCC.
2226
2227         This patch changes the strategy. Instead of checking that the initialized
2228         AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
2229         considered to be equal to the initialized AbstractValue.
2230
2231         * dfg/DFGAbstractValue.cpp:
2232         (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
2233         * dfg/DFGAbstractValue.h:
2234         (JSC::DFG::AbstractValue::AbstractValue):
2235
2236 2016-08-31  Brady Eidson  <beidson@apple.com>
2237
2238         WK2 Gamepad provider on iOS.
2239         https://bugs.webkit.org/show_bug.cgi?id=161412
2240
2241         Reviewed by Tim Horton.
2242
2243         * Configurations/FeatureDefines.xcconfig:
2244
2245 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
2246
2247         [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
2248         https://bugs.webkit.org/show_bug.cgi?id=161410
2249
2250         Reviewed by Geoffrey Garen.
2251
2252         * dfg/DFGFixupPhase.cpp:
2253         (JSC::DFG::FixupPhase::fixupNode):
2254         DoubleRep is able to convert numbers, undefined, booleans and null.
2255         I was too pessimistic when I gated the double implementations
2256         on number-or-boolean speculation. We can just let DoubleRep convert
2257         the other cases as long as it is not a Cell.
2258
2259 2016-08-30  Chris Dumez  <cdumez@apple.com>
2260
2261         Unreviewed, fix build after r205205.
2262
2263         * runtime/ObjectConstructor.cpp:
2264         (JSC::objectConstructorSetPrototypeOf):
2265
2266 2016-08-30  Chris Dumez  <cdumez@apple.com>
2267
2268         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
2269         https://bugs.webkit.org/show_bug.cgi?id=161396
2270
2271         Reviewed by Ryosuke Niwa.
2272
2273         Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
2274         - https://html.spec.whatwg.org/#windowproxy-setprototypeof
2275         - https://html.spec.whatwg.org/#location-setprototypeof
2276         - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
2277
2278         Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
2279
2280         Note that technically, we should also throw in the same origin case.
2281         However, not all browsers agree on this yet, so I have not changed
2282         the behavior for the same origin case.
2283
2284         * runtime/ObjectConstructor.cpp:
2285         (JSC::objectConstructorSetPrototypeOf):
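
The spec behavior that the three cross-origin entries above (bugs 161396, 161393 and 161455) align WebKit with can be checked outside a browser by modeling the cross-origin WindowProxy / Location object as a Proxy whose [[GetPrototypeOf]] returns null and whose [[SetPrototypeOf]] returns false. The following is an added example, not WebKit code: `makeCrossOriginStandIn` and `probeProtoAccess` are names chosen here, and the Proxy is a constructed stand-in for the real cross-origin object, which is only reachable in a browser. It shows that with those two internal-method results, Object.getPrototypeOf and the __proto__ getter report null, Reflect.setPrototypeOf returns false, and both Object.setPrototypeOf (step 5 of the spec'd algorithm) and the __proto__ setter throw a TypeError, while an ordinary same-origin object is unaffected.

```javascript
"use strict";

// Constructed stand-in for a cross-origin WindowProxy / Location object.
// A real one only exists in a browser; here a Proxy implements the two
// internal methods the HTML spec defines for the cross-origin case:
//   [[GetPrototypeOf]] -> null
//   [[SetPrototypeOf]] -> false  (callers that must report failure throw)
// The target is an ordinary extensible object, so no Proxy invariant is
// violated by these trap results.
function makeCrossOriginStandIn(target = {}) {
  return new Proxy(target, {
    getPrototypeOf() {
      return null;
    },
    setPrototypeOf() {
      return false;
    },
  });
}

// Probe every observable entry point that reads or writes the prototype
// and record what each one reports, so the results can be compared
// between a cross-origin stand-in and an ordinary object.
function probeProtoAccess(obj) {
  const result = {};

  // Object.getPrototypeOf -> O.[[GetPrototypeOf]]()
  result.getPrototypeOf = Object.getPrototypeOf(obj);

  // Object.prototype.__proto__ getter is invoked with `this` = obj
  // (the Proxy has no `get` trap, so the lookup reaches the inherited
  // accessor on the target's prototype chain and calls it with the
  // Proxy as receiver), which again ends in obj.[[GetPrototypeOf]]().
  result.protoGetter = obj.__proto__;

  // Reflect.setPrototypeOf simply returns the [[SetPrototypeOf]] status.
  result.reflectSet = Reflect.setPrototypeOf(obj, Array.prototype);

  // Object.setPrototypeOf throws a TypeError when that status is false.
  try {
    Object.setPrototypeOf(obj, Array.prototype);
    result.setPrototypeOf = "no throw";
  } catch (e) {
    result.setPrototypeOf = e.constructor.name;
  }

  // The __proto__ setter also throws a TypeError on a false status.
  try {
    obj.__proto__ = Array.prototype;
    result.protoSetter = "no throw";
  } catch (e) {
    result.protoSetter = e.constructor.name;
  }

  return result;
}

// Stand-alone demonstration: cross-origin stand-in vs. ordinary object.
console.log("cross-origin:", probeProtoAccess(makeCrossOriginStandIn()));
console.log("same-origin: ", probeProtoAccess({}));
```

The same-origin probe is included because the entry for bug 161396 notes that the same-origin case was deliberately left unchanged; the model reproduces that by leaving ordinary objects with their default internal methods.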
2286
2287 2016-08-30  Benjamin Poulain  <bpoulain@apple.com>
2288
2289         [JSC] Clean up the remaining compare nodes in FTLCapabilities
2290         https://bugs.webkit.org/show_bug.cgi?id=161400
2291
2292         Reviewed by Geoffrey Garen.
2293
2294         It looks like we implemented all the cases without realizing it.
2295
2296         * ftl/FTLCapabilities.cpp:
2297         (JSC::FTL::canCompile):
2298         * ftl/FTLLowerDFGToB3.cpp:
2299         (JSC::FTL::DFG::LowerDFGToB3::compare):
2300
2301 2016-08-30  Mark Lam  <mark.lam@apple.com>
2302
2303         Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
2304         https://bugs.webkit.org/show_bug.cgi?id=161171
2305
2306         Reviewed by Filip Pizlo and Geoffrey Garen.
2307
2308         This is the first step towards having a mechanism (using the ThrowScope) to
2309         verify that we're properly checking for exceptions in all the needed places.
2310         See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.
2311
2312         This patch only introduces the ThrowScope, and changes all throw sites to throw
2313         using a ThrowScope instance.  VM::throwException() functions are now private, and
2314         cannot be accessed directly.  All throws must now go through a ThrowScope.
2315
2316         Verification is disabled for the moment until we can fix all the verification
2317         failures that will show up.
2318
2319         I also did a smoke test of the ThrowScope mechanisms by running verification on
2320         the JSTests/stress/op-add-exceptions.js test with a local build with verification
2321         turned on.
2322
2323         Performance is neutral on aggregate with this patch.
2324
2325         Misc other changes:
2326         - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
2327         - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.
2328
2329         * API/APICallbackFunction.h:
2330         (JSC::APICallbackFunction::call):
2331         (JSC::APICallbackFunction::construct):
2332         * API/JSCallbackObjectFunctions.h:
2333         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
2334         (JSC::JSCallbackObject<Parent>::defaultValue):
2335         (JSC::JSCallbackObject<Parent>::put):
2336         (JSC::JSCallbackObject<Parent>::putByIndex):
2337         (JSC::JSCallbackObject<Parent>::deleteProperty):
2338         (JSC::JSCallbackObject<Parent>::construct):
2339         (JSC::JSCallbackObject<Parent>::customHasInstance):
2340         (JSC::JSCallbackObject<Parent>::call):
2341         (JSC::JSCallbackObject<Parent>::getStaticValue):
2342         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2343         (JSC::JSCallbackObject<Parent>::callbackGetter):
2344         * API/JSTypedArray.cpp:
2345         (createTypedArray):
2346         * CMakeLists.txt:
2347         * JavaScriptCore.xcodeproj/project.pbxproj:
2348         * dfg/DFGOperations.cpp:
2349         (JSC::DFG::newTypedArrayWithSize):
2350         * inspector/JSInjectedScriptHost.cpp:
2351         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2352         * inspector/JSInjectedScriptHostPrototype.cpp:
2353         (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
2354         (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
2355         (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
2356         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
2357         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
2358         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
2359         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
2360         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
2361         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
2362         (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
2363         (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
2364         (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
2365         * inspector/JSJavaScriptCallFrame.cpp:
2366         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2367         * inspector/JSJavaScriptCallFramePrototype.cpp:
2368         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
2369         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2370         (Inspector::jsJavaScriptCallFrameAttributeCaller):
2371         (Inspector::jsJavaScriptCallFrameAttributeSourceID):
2372         (Inspector::jsJavaScriptCallFrameAttributeLine):
2373         (Inspector::jsJavaScriptCallFrameAttributeColumn):
2374         (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
2375         (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
2376         (Inspector::jsJavaScriptCallFrameAttributeThisObject):
2377         (Inspector::jsJavaScriptCallFrameAttributeType):
2378         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
2379         * interpreter/CachedCall.h:
2380         (JSC::CachedCall::CachedCall):
2381         * interpreter/Interpreter.cpp:
2382         (JSC::eval):
2383         (JSC::sizeOfVarargs):
2384         (JSC::sizeFrameForForwardArguments):
2385         (JSC::sizeFrameForVarargs):
2386         (JSC::Interpreter::execute):
2387         (JSC::Interpreter::executeCall):
2388         (JSC::Interpreter::executeConstruct):
2389         (JSC::Interpreter::prepareForRepeatCall):
2390         * jit/JITOperations.cpp:
2391         * jsc.cpp:
2392         (WTF::CustomGetter::customGetter):
2393         (WTF::RuntimeArray::lengthGetter):
2394         (functionCreateElement):
2395         (functionRun):
2396         (functionRunString):
2397         (functionLoad):
2398         (functionLoadString):
2399         (functionReadFile):
2400         (functionCheckSyntax):
2401         (functionTransferArrayBuffer):
2402         (functionLoadModule):
2403         (functionCheckModuleSyntax):
2404         (functionSamplingProfilerStackTraces):
2405         * llint/LLIntSlowPaths.cpp:
2406         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2407         (JSC::LLInt::getByVal):
2408         (JSC::LLInt::handleHostCall):
2409         (JSC::LLInt::setUpCall):
2410         (JSC::LLInt::llint_throw_stack_overflow_error):
2411         * runtime/ArrayConstructor.cpp:
2412         (JSC::constructArrayWithSizeQuirk):
2413         * runtime/ArrayConstructor.h:
2414         (JSC::isArray):
2415         * runtime/ArrayPrototype.cpp:
2416         (JSC::shift):
2417         (JSC::unshift):
2418         (JSC::arrayProtoFuncToString):
2419         (JSC::arrayProtoFuncPop):
2420         (JSC::arrayProtoFuncReverse):
2421         (JSC::arrayProtoFuncSplice):
2422         (JSC::concatAppendOne):
2423         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2424         * runtime/BooleanPrototype.cpp:
2425         (JSC::booleanProtoFuncToString):
2426         (JSC::booleanProtoFuncValueOf):
2427         * runtime/CommonSlowPaths.cpp:
2428         * runtime/CommonSlowPaths.h:
2429         (JSC::CommonSlowPaths::opIn):
2430         * runtime/CommonSlowPathsExceptions.cpp:
2431         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2432         * runtime/ConstructData.cpp:
2433         (JSC::construct):
2434         * runtime/DatePrototype.cpp:
2435         (JSC::formateDateInstance):
2436         (JSC::dateProtoFuncToISOString):
2437         (JSC::dateProtoFuncToLocaleString):
2438         (JSC::dateProtoFuncToLocaleDateString):
2439         (JSC::dateProtoFuncToLocaleTimeString):
2440         (JSC::dateProtoFuncToPrimitiveSymbol):
2441         (JSC::dateProtoFuncGetTime):
2442         (JSC::dateProtoFuncGetFullYear):
2443         (JSC::dateProtoFuncGetUTCFullYear):
2444         (JSC::dateProtoFuncGetMonth):
2445         (JSC::dateProtoFuncGetUTCMonth):
2446         (JSC::dateProtoFuncGetDate):
2447         (JSC::dateProtoFuncGetUTCDate):
2448         (JSC::dateProtoFuncGetDay):
2449         (JSC::dateProtoFuncGetUTCDay):
2450         (JSC::dateProtoFuncGetHours):
2451         (JSC::dateProtoFuncGetUTCHours):
2452         (JSC::dateProtoFuncGetMinutes):
2453         (JSC::dateProtoFuncGetUTCMinutes):
2454         (JSC::dateProtoFuncGetSeconds):
2455         (JSC::dateProtoFuncGetUTCSeconds):
2456         (JSC::dateProtoFuncGetMilliSeconds):
2457         (JSC::dateProtoFuncGetUTCMilliseconds):
2458         (JSC::dateProtoFuncGetTimezoneOffset):
2459         (JSC::dateProtoFuncSetTime):
2460         (JSC::setNewValueFromTimeArgs):
2461         (JSC::setNewValueFromDateArgs):
2462         (JSC::dateProtoFuncSetYear):
2463         (JSC::dateProtoFuncGetYear):
2464         (JSC::dateProtoFuncToJSON):
2465         * runtime/Error.cpp:
2466         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2467         (JSC::throwTypeError):
2468         (JSC::throwSyntaxError):
2469         * runtime/Error.h:
2470         (JSC::throwRangeError):
2471         (JSC::throwVMError):
2472         (JSC::throwVMTypeError):
2473         (JSC::throwVMRangeError):
2474         (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
2475         (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
2476         * runtime/ErrorPrototype.cpp:
2477         (JSC::errorProtoFuncToString):
2478         * runtime/ExceptionFuzz.cpp:
2479         (JSC::doExceptionFuzzing):
2480         * runtime/ExceptionHelpers.cpp:
2481         (JSC::throwOutOfMemoryError):
2482         (JSC::throwStackOverflowError):
2483         (JSC::throwTerminatedExecutionException):
2484         * runtime/ExceptionHelpers.h:
2485         * runtime/Executable.cpp:
2486         (JSC::ScriptExecutable::newCodeBlockFor):
2487         (JSC::EvalExecutable::create):
2488         * runtime/FunctionConstructor.cpp:
2489         (JSC::constructFunction):
2490         (JSC::constructFunctionSkippingEvalEnabledCheck):
2491         * runtime/FunctionPrototype.cpp:
2492         (JSC::functionProtoFuncToString):
2493         (JSC::functionProtoFuncBind):
2494         * runtime/GetterSetter.cpp:
2495         (JSC::callSetter):
2496         * runtime/IntlCollator.cpp:
2497         (JSC::IntlCollator::compareStrings):
2498         * runtime/IntlCollatorPrototype.cpp:
2499         (JSC::IntlCollatorPrototypeGetterCompare):
2500         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2501         * runtime/IntlDateTimeFormat.cpp:
2502         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2503         (JSC::IntlDateTimeFormat::format):
2504         * runtime/IntlDateTimeFormatPrototype.cpp:
2505         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2506         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2507         * runtime/IntlNumberFormat.cpp:
2508         (JSC::IntlNumberFormat::initializeNumberFormat):
2509         (JSC::IntlNumberFormat::formatNumber):
2510         * runtime/IntlNumberFormatPrototype.cpp:
2511         (JSC::IntlNumberFormatPrototypeGetterFormat):
2512         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2513         * runtime/IntlObject.cpp:
2514         (JSC::intlStringOption):
2515         (JSC::intlNumberOption):
2516         (JSC::canonicalizeLocaleList):
2517         (JSC::lookupSupportedLocales):
2518         * runtime/IteratorOperations.cpp:
2519         (JSC::iteratorNext):
2520         (JSC::iteratorClose):
2521         (JSC::createIteratorResultObject):
2522         (JSC::iteratorForIterable):
2523         * runtime/JSArray.cpp:
2524         (JSC::JSArray::defineOwnProperty):
2525         (JSC::JSArray::put):
2526         (JSC::JSArray::appendMemcpy):
2527         (JSC::JSArray::setLength):
2528         (JSC::JSArray::pop):
2529         (JSC::JSArray::push):
2530         (JSC::JSArray::unshiftCountWithArrayStorage):
2531         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2532         * runtime/JSArrayBufferConstructor.cpp:
2533         (JSC::constructArrayBuffer):
2534         (JSC::callArrayBuffer):
2535         * runtime/JSArrayBufferPrototype.cpp:
2536         (JSC::arrayBufferProtoFuncSlice):
2537         * runtime/JSCInlines.h:
2538         * runtime/JSCJSValue.cpp:
2539         (JSC::JSValue::toObjectSlowCase):
2540         (JSC::JSValue::synthesizePrototype):
2541         (JSC::JSValue::putToPrimitive):
2542         (JSC::JSValue::putToPrimitiveByIndex):
2543         (JSC::JSValue::toStringSlowCase):
2544         * runtime/JSCJSValueInlines.h:
2545         (JSC::toPreferredPrimitiveType):
2546         (JSC::JSValue::requireObjectCoercible):
2547         * runtime/JSDataView.cpp:
2548         (JSC::JSDataView::create):
2549         * runtime/JSDataViewPrototype.cpp:
2550         (JSC::getData):
2551         (JSC::setData):
2552         (JSC::dataViewProtoGetterBuffer):
2553         (JSC::dataViewProtoGetterByteLength):
2554         (JSC::dataViewProtoGetterByteOffset):
2555         * runtime/JSFunction.cpp:
2556         (JSC::callHostFunctionAsConstructor):
2557         (JSC::JSFunction::callerGetter):
2558         (JSC::JSFunction::put):
2559         (JSC::JSFunction::defineOwnProperty):
2560         * runtime/JSGenericTypedArrayView.h:
2561         (JSC::JSGenericTypedArrayView::setIndex):
2562         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2563         (JSC::constructGenericTypedArrayViewFromIterator):
2564         (JSC::constructGenericTypedArrayViewWithArguments):
2565         (JSC::constructGenericTypedArrayView):
2566         (JSC::callGenericTypedArrayView):
2567         * runtime/JSGenericTypedArrayViewInlines.h:
2568         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2569         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2570         (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
2571         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
2572         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2573         (JSC::speciesConstruct):
2574         (JSC::genericTypedArrayViewProtoFuncSet):
2575         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2576         (JSC::genericTypedArrayViewProtoFuncIncludes):
2577         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2578         (JSC::genericTypedArrayViewProtoFuncJoin):
2579         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2580         (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
2581         (JSC::genericTypedArrayViewProtoGetterFuncLength):
2582         (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
2583         (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
2584         (JSC::genericTypedArrayViewProtoFuncReverse):
2585         (JSC::genericTypedArrayViewPrivateFuncSort):
2586         (JSC::genericTypedArrayViewProtoFuncSlice):
2587         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2588         * runtime/JSGlobalObject.cpp:
2589         (JSC::JSGlobalObject::createEvalCodeBlock):
2590         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2591         * runtime/JSGlobalObjectFunctions.cpp:
2592         (JSC::encode):
2593         (JSC::decode):
2594         (JSC::globalFuncEval):
2595         (JSC::globalFuncThrowTypeError):
2596         (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
2597         (JSC::globalFuncProtoGetter):
2598         (JSC::globalFuncProtoSetter):
2599         * runtime/JSModuleEnvironment.cpp:
2600         (JSC::JSModuleEnvironment::put):
2601         * runtime/JSModuleNamespaceObject.cpp:
2602         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2603         (JSC::JSModuleNamespaceObject::put):
2604         (JSC::JSModuleNamespaceObject::putByIndex):
2605         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2606         (JSC::moduleNamespaceObjectSymbolIterator):
2607         * runtime/JSModuleRecord.cpp:
2608         (JSC::JSModuleRecord::getModuleNamespace):
2609         (JSC::JSModuleRecord::link):
2610         (JSC::JSModuleRecord::instantiateDeclarations):
2611         * runtime/JSONObject.cpp:
2612         (JSC::Stringifier::appendStringifiedValue):
2613         (JSC::Walker::walk):
2614         (JSC::JSONProtoFuncParse):
2615         (JSC::JSONProtoFuncStringify):
2616         * runtime/JSObject.cpp:
2617         (JSC::JSObject::setPrototypeWithCycleCheck):
2618         (JSC::callToPrimitiveFunction):
2619         (JSC::JSObject::ordinaryToPrimitive):
2620         (JSC::JSObject::hasInstance):
2621         (JSC::JSObject::defaultHasInstance):
2622         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2623         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2624         (JSC::validateAndApplyPropertyDescriptor):
2625         (JSC::JSObject::getMethod):
2626         * runtime/JSObject.h:
2627         (JSC::createListFromArrayLike): Deleted.
2628         * runtime/JSObjectInlines.h:
2629         (JSC::createListFromArrayLike):
2630         (JSC::JSObject::putInline):
2631         * runtime/JSPromiseConstructor.cpp:
2632         (JSC::constructPromise):
2633         (JSC::callPromise):
2634         * runtime/JSPropertyNameIterator.cpp:
2635         (JSC::propertyNameIteratorFuncNext):
2636         * runtime/JSString.cpp:
2637         (JSC::JSRopeString::outOfMemory):
2638         * runtime/JSStringBuilder.h:
2639         (JSC::JSStringBuilder::build):
2640         (JSC::jsMakeNontrivialString):
2641         * runtime/JSStringJoiner.cpp:
2642         (JSC::JSStringJoiner::joinedLength):
2643         (JSC::JSStringJoiner::join):
2644         * runtime/JSStringJoiner.h:
2645         (JSC::JSStringJoiner::JSStringJoiner):
2646         * runtime/JSSymbolTableObject.h:
2647         (JSC::symbolTablePut):
2648         * runtime/JSTypedArrayViewConstructor.cpp:
2649         (JSC::constructTypedArrayView):
2650         * runtime/JSTypedArrayViewPrototype.cpp:
2651         (JSC::typedArrayViewPrivateFuncLength):
2652         (JSC::typedArrayViewPrivateFuncSort):
2653         (JSC::typedArrayViewProtoFuncSet):
2654         (JSC::typedArrayViewProtoFuncCopyWithin):
2655         (JSC::typedArrayViewProtoFuncIncludes):
2656         (JSC::typedArrayViewProtoFuncLastIndexOf):
2657         (JSC::typedArrayViewProtoFuncIndexOf):
2658         (JSC::typedArrayViewProtoFuncJoin):
2659         (JSC::typedArrayViewProtoGetterFuncBuffer):
2660         (JSC::typedArrayViewProtoGetterFuncLength):
2661         (JSC::typedArrayViewProtoGetterFuncByteLength):
2662         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2663         (JSC::typedArrayViewProtoFuncReverse):
2664         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2665         (JSC::typedArrayViewProtoFuncSlice):
2666         * runtime/MapConstructor.cpp:
2667         (JSC::callMap):
2668         (JSC::constructMap):
2669         * runtime/MapDataInlines.h:
2670         (JSC::JSIterator>::ensureSpaceForAppend):
2671         * runtime/MapIteratorPrototype.cpp:
2672         (JSC::MapIteratorPrototypeFuncNext):
2673         * runtime/MapPrototype.cpp:
2674         (JSC::getMap):
2675         (JSC::mapProtoFuncValues):
2676         (JSC::mapProtoFuncEntries):
2677         (JSC::mapProtoFuncKeys):
2678         * runtime/ModuleLoaderPrototype.cpp:
2679         (JSC::moduleLoaderPrototypeParseModule):
2680         * runtime/NullSetterFunction.cpp:
2681         (JSC::callReturnUndefined):
2682         * runtime/NumberPrototype.cpp:
2683         (JSC::numberProtoFuncToExponential):
2684         (JSC::numberProtoFuncToFixed):
2685         (JSC::numberProtoFuncToPrecision):
2686         (JSC::numberProtoFuncToString):
2687         (JSC::numberProtoFuncToLocaleString):
2688         (JSC::numberProtoFuncValueOf):
2689         * runtime/ObjectConstructor.cpp:
2690         (JSC::objectConstructorSetPrototypeOf):
2691         (JSC::toPropertyDescriptor):
2692         (JSC::objectConstructorDefineProperty):
2693         (JSC::objectConstructorDefineProperties):
2694         (JSC::objectConstructorCreate):
2695         * runtime/ObjectPrototype.cpp:
2696         (JSC::objectProtoFuncDefineGetter):
2697         (JSC::objectProtoFuncDefineSetter):
2698         (JSC::objectProtoFuncToString):
2699         * runtime/Operations.h:
2700         (JSC::jsString):
2701         (JSC::jsStringFromRegisterArray):
2702         (JSC::jsStringFromArguments):
2703         * runtime/ProxyConstructor.cpp:
2704         (JSC::makeRevocableProxy):
2705         (JSC::proxyRevocableConstructorThrowError):
2706         (JSC::constructProxyObject):
2707         (JSC::callProxy):
2708         * runtime/ProxyObject.cpp:
2709         (JSC::ProxyObject::finishCreation):
2710         (JSC::performProxyGet):
2711         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2712         (JSC::ProxyObject::performHasProperty):
2713         (JSC::ProxyObject::getOwnPropertySlotCommon):
2714         (JSC::ProxyObject::performPut):
2715         (JSC::performProxyCall):
2716         (JSC::performProxyConstruct):
2717         (JSC::ProxyObject::performDelete):
2718         (JSC::ProxyObject::performPreventExtensions):
2719         (JSC::ProxyObject::performIsExtensible):
2720         (JSC::ProxyObject::performDefineOwnProperty):
2721         (JSC::ProxyObject::performGetOwnPropertyNames):
2722         (JSC::ProxyObject::performSetPrototype):
2723         (JSC::ProxyObject::performGetPrototype):
2724         * runtime/ReflectObject.cpp:
2725         (JSC::reflectObjectConstruct):
2726         (JSC::reflectObjectDefineProperty):
2727         (JSC::reflectObjectEnumerate):
2728         (JSC::reflectObjectGet):
2729         (JSC::reflectObjectGetOwnPropertyDescriptor):
2730         (JSC::reflectObjectGetPrototypeOf):
2731         (JSC::reflectObjectIsExtensible):
2732         (JSC::reflectObjectOwnKeys):
2733         (JSC::reflectObjectPreventExtensions):
2734         (JSC::reflectObjectSet):
2735         (JSC::reflectObjectSetPrototypeOf):
2736         * runtime/RegExpConstructor.cpp:
2737         (JSC::toFlags):
2738         (JSC::regExpCreate):
2739         * runtime/RegExpObject.cpp:
2740         (JSC::collectMatches):
2741         * runtime/RegExpObject.h:
2742         (JSC::RegExpObject::setLastIndex):
2743         * runtime/RegExpPrototype.cpp:
2744         (JSC::regExpProtoFuncTestFast):
2745         (JSC::regExpProtoFuncExec):
2746         (JSC::regExpProtoFuncMatchFast):
2747         (JSC::regExpProtoFuncCompile):
2748         (JSC::regExpProtoFuncToString):
2749         (JSC::regExpProtoGetterGlobal):
2750         (JSC::regExpProtoGetterIgnoreCase):
2751         (JSC::regExpProtoGetterMultiline):
2752         (JSC::regExpProtoGetterSticky):
2753         (JSC::regExpProtoGetterUnicode):
2754         (JSC::regExpProtoGetterFlags):
2755         (JSC::regExpProtoGetterSource):
2756         (JSC::regExpProtoFuncSplitFast):
2757         * runtime/Reject.h:
2758         (JSC::reject):
2759         * runtime/SetConstructor.cpp:
2760         (JSC::callSet):
2761         (JSC::constructSet):
2762         * runtime/SetIteratorPrototype.cpp:
2763         (JSC::SetIteratorPrototypeFuncNext):
2764         * runtime/SetPrototype.cpp:
2765         (JSC::getSet):
2766         (JSC::setProtoFuncValues):
2767         (JSC::setProtoFuncEntries):
2768         * runtime/SparseArrayValueMap.cpp:
2769         (JSC::SparseArrayValueMap::putEntry):
2770         (JSC::SparseArrayEntry::put):
2771         * runtime/StringConstructor.cpp:
2772         (JSC::stringFromCodePoint):
2773         * runtime/StringObject.cpp:
2774         (JSC::StringObject::put):
2775         (JSC::StringObject::putByIndex):
2776         * runtime/StringPrototype.cpp:
2777         (JSC::jsSpliceSubstrings):
2778         (JSC::jsSpliceSubstringsWithSeparators):
2779         (JSC::repeatCharacter):
2780         (JSC::replace):
2781         (JSC::stringProtoFuncToString):
2782         (JSC::stringProtoFuncCharAt):
2783         (JSC::stringProtoFuncCharCodeAt):
2784         (JSC::stringProtoFuncCodePointAt):
2785         (JSC::stringProtoFuncConcat):
2786         (JSC::stringProtoFuncIndexOf):
2787         (JSC::stringProtoFuncLastIndexOf):
2788         (JSC::stringProtoFuncSlice):
2789         (JSC::stringProtoFuncSubstr):
2790         (JSC::stringProtoFuncSubstring):
2791         (JSC::stringProtoFuncToLowerCase):
2792         (JSC::stringProtoFuncToUpperCase):
2793         (JSC::stringProtoFuncLocaleCompare):
2794         (JSC::toLocaleCase):
2795         (JSC::stringProtoFuncBig):
2796         (JSC::stringProtoFuncSmall):
2797         (JSC::stringProtoFuncBlink):
2798         (JSC::stringProtoFuncBold):
2799         (JSC::stringProtoFuncFixed):
2800         (JSC::stringProtoFuncItalics):
2801         (JSC::stringProtoFuncStrike):
2802         (JSC::stringProtoFuncSub):
2803         (JSC::stringProtoFuncSup):
2804         (JSC::stringProtoFuncFontcolor):
2805         (JSC::stringProtoFuncFontsize):
2806         (JSC::stringProtoFuncAnchor):
2807         (JSC::stringProtoFuncLink):
2808         (JSC::trimString):
2809         (JSC::stringProtoFuncStartsWith):
2810         (JSC::stringProtoFuncEndsWith):
2811         (JSC::stringProtoFuncIncludes):
2812         (JSC::stringProtoFuncIterator):
2813         (JSC::normalize):
2814         (JSC::stringProtoFuncNormalize):
2815         * runtime/StringRecursionChecker.cpp:
2816         (JSC::StringRecursionChecker::throwStackOverflowError):
2817         * runtime/Symbol.cpp:
2818         (JSC::Symbol::toNumber):
2819         * runtime/SymbolConstructor.cpp:
2820         (JSC::symbolConstructorKeyFor):
2821         * runtime/SymbolPrototype.cpp:
2822         (JSC::symbolProtoFuncToString):
2823         (JSC::symbolProtoFuncValueOf):
2824         * runtime/ThrowScope.cpp: Added.
2825         (JSC::ThrowScope::ThrowScope):
2826         (JSC::ThrowScope::~ThrowScope):
2827         (JSC::ThrowScope::throwException):
2828         (JSC::ThrowScope::printIfNeedCheck):
2829         (JSC::ThrowScope::simulateThrow):
2830         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
2831         * runtime/ThrowScope.h: Added.
2832         (JSC::ThrowScope::vm):
2833         (JSC::ThrowScope::exception):
2834         (JSC::ThrowScope::release):
2835         (JSC::ThrowScope::ThrowScope):
2836         (JSC::ThrowScope::throwException):
2837         (JSC::throwException):
2838         * runtime/ThrowScopeLocation.h: Added.
2839         (JSC::ThrowScopeLocation::ThrowScopeLocation):
2840         * runtime/VM.h:
2841         * runtime/VMEntryScope.h:
2842         (JSC::VMEntryScope::vm):
2843         * runtime/WeakMapConstructor.cpp:
2844         (JSC::callWeakMap):
2845         (JSC::constructWeakMap):
2846         * runtime/WeakMapPrototype.cpp:
2847         (JSC::getWeakMapData):
2848         (JSC::protoFuncWeakMapSet):
2849         * runtime/WeakSetConstructor.cpp:
2850         (JSC::callWeakSet):
2851         (JSC::constructWeakSet):
2852         * runtime/WeakSetPrototype.cpp:
2853         (JSC::getWeakMapData):
2854         (JSC::protoFuncWeakSetAdd):
2855
2856 2016-08-30  Alex Christensen  <achristensen@webkit.org>
2857
2858         Fix WebInspectorUI in internal Windows build
2859         https://bugs.webkit.org/show_bug.cgi?id=161221
2860         rdar://problem/28019023
2861
2862         Reviewed by Brent Fulgham and Joseph Pecoraro.
2863
2864         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2865
2866 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
2867
2868         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
2869         https://bugs.webkit.org/show_bug.cgi?id=161263
2870         <rdar://problem/28035849>
2871
2872         Reviewed by Matt Baker.
2873
2874         * inspector/InjectedScriptSource.js:
2875         (InjectedScript.prototype._propertyDescriptors):
2876         Previously we only took the "numeric index fast path" if an object was
2877         array like with length > 100. When we dropped the length check we
2878         ended up breaking our display of Array prototype, because [].__proto__
2879         is an array instance. Get it back by just doing a check of length > 0.
2880         We may want to address this differently in the future by knowing if
2881         we are getting properties for a prototype or not.
2882
2883 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2884
2885         [JSC] Clean up FTL Capabilities for CompareEq
2886         https://bugs.webkit.org/show_bug.cgi?id=161353
2887
2888         Reviewed by Geoffrey Garen.
2889
2890         It looks like we already have code for every case.
2891         This patch removes the tests from FTLCapabilities
2892         and moves the generic case last as usual.
2893
2894         * ftl/FTLCapabilities.cpp:
2895         (JSC::FTL::canCompile):
2896         * ftl/FTLLowerDFGToB3.cpp:
2897         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
2898
2899 2016-08-29  Keith Miller  <keith_miller@apple.com>
2900
2901         Fix toStringName for Proxies and add support for normal instances
2902         https://bugs.webkit.org/show_bug.cgi?id=161275
2903
2904         Reviewed by Saam Barati.
2905
2906         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
2907         Additionally, there are a couple of other classes that need to return "Object" for their
2908         toStringName. Since this isn't tested by test262 I will propose a new test there.
2909
2910         * runtime/ClassInfo.h:
2911         * runtime/JSArrayBufferView.cpp:
2912         (JSC::JSArrayBufferView::toStringName):
2913         * runtime/JSArrayBufferView.h:
2914         * runtime/JSCell.cpp:
2915         (JSC::JSCell::toStringName):
2916         * runtime/JSCell.h:
2917         * runtime/JSMap.cpp:
2918         (JSC::JSMap::toStringName):
2919         * runtime/JSMap.h:
2920         * runtime/JSObject.cpp:
2921         (JSC::JSObject::toStringName):
2922         * runtime/JSObject.h:
2923         * runtime/JSSet.cpp:
2924         (JSC::JSSet::destroy):
2925         (JSC::JSSet::toStringName):
2926         * runtime/JSSet.h:
2927         * runtime/JSWeakMap.cpp:
2928         (JSC::JSWeakMap::toStringName):
2929         * runtime/JSWeakMap.h:
2930         * runtime/JSWeakSet.cpp:
2931         (JSC::JSWeakSet::toStringName):
2932         * runtime/JSWeakSet.h:
2933         * runtime/ObjectPrototype.cpp:
2934         (JSC::objectProtoFuncToString):
2935         * runtime/ProxyObject.cpp:
2936         (JSC::ProxyObject::toStringName):
2937         * runtime/ProxyObject.h:
2938         * runtime/SymbolObject.cpp:
2939         (JSC::SymbolObject::toStringName):
2940         * runtime/SymbolObject.h:
2941         (JSC::SymbolObject::internalValue):
2942
2943 2016-08-29  Youenn Fablet  <youenn@apple.com>
2944
2945         [Fetch API] Response cloning should structureClone when teeing Response stream
2946         https://bugs.webkit.org/show_bug.cgi?id=161147
2947
2948         Reviewed by Darin Adler.
2949
2950         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
2951         * runtime/JSArrayBufferConstructor.cpp:
2952         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
2953         * runtime/JSDataView.h: Exporting create method.
2954
2955 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
2956
2957         [JSC] Improve ArithAbs with polymorphic input
2958         https://bugs.webkit.org/show_bug.cgi?id=161286
2959
2960         Reviewed by Saam Barati.
2961
2962         This is similar to the previous patches: if we have polymorphic
2963         input, do a function call.
2964
2965         I also discovered a few problems with the tests and fixed them:
2966         -I forgot to add NodeMustGenerate to the previous nodes I changed.
2967          They could have been eliminated by DCE.
2968         -ArithAbs was always exiting if the input types did not include numbers.
2969          The cause was that the node was using isInt32OrBooleanSpeculationForArithmetic()
2970          instead of isInt32OrBooleanSpeculation(). The test of
2971          isInt32OrBooleanSpeculationForArithmetic() only verifies the input does not
2972          contain double or int52. If we were in that case, we were always speculating
2973          Int32. That always failed and we were recompiling the same code over and over.
2974
2975         * dfg/DFGAbstractInterpreterInlines.h:
2976         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2977         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
2978
2979         * dfg/DFGClobberize.h:
2980         (JSC::DFG::clobberize):
2981         * dfg/DFGFixupPhase.cpp:
2982         (JSC::DFG::FixupPhase::fixupNode):
2983         * dfg/DFGNode.h:
2984         (JSC::DFG::Node::hasResult):
2985         (JSC::DFG::Node::hasHeapPrediction):
2986         (JSC::DFG::Node::hasInt32Result): Deleted.
2987         The accessor hasInt32Result() was unused.
2988
2989         * dfg/DFGNodeType.h:
2990         * dfg/DFGOperations.cpp:
2991         * dfg/DFGOperations.h:
2992         * dfg/DFGPredictionPropagationPhase.cpp:
2993         * dfg/DFGSpeculativeJIT.cpp:
2994         (JSC::DFG::SpeculativeJIT::compileArithAbs):
2995         * dfg/DFGSpeculativeJIT.h:
2996         * dfg/DFGSpeculativeJIT32_64.cpp:
2997         (JSC::DFG::SpeculativeJIT::compile):
2998         * dfg/DFGSpeculativeJIT64.cpp:
2999         (JSC::DFG::SpeculativeJIT::compile):
3000         * ftl/FTLLowerDFGToB3.cpp:
3001         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
3002
3003 2016-08-28  Saam Barati  <sbarati@apple.com>
3004
3005         Make SpeculatedType a 64-bit integer
3006         https://bugs.webkit.org/show_bug.cgi?id=161268
3007
3008         Reviewed by Filip Pizlo and Benjamin Poulain.
3009
3010         I'm going to introduce two new types into this and we only
3011         have room for one in 32-bits. So, this patch widens SpeculatedType
3012         to 64 bits. This also pulls this information through the DFG where
3013         we needed to change DFGNode to support this.
3014
3015         * bytecode/SpeculatedType.h:
3016         * dfg/DFGNode.cpp:
3017         (JSC::DFG::Node::convertToPutHint):
3018         (JSC::DFG::Node::promotedLocationDescriptor):
3019         * dfg/DFGNode.h:
3020         (JSC::DFG::Node::Node):
3021         (JSC::DFG::Node::convertToCheckStructure):
3022         (JSC::DFG::Node::constant):
3023         (JSC::DFG::Node::convertToConstant):
3024         (JSC::DFG::Node::convertToConstantStoragePointer):
3025         (JSC::DFG::Node::convertToPutStack):
3026         (JSC::DFG::Node::convertToGetStack):
3027         (JSC::DFG::Node::convertToGetByOffset):
3028         (JSC::DFG::Node::convertToMultiGetByOffset):
3029         (JSC::DFG::Node::convertToPutByOffset):
3030         (JSC::DFG::Node::convertToMultiPutByOffset):
3031         (JSC::DFG::Node::convertToPhantomNewObject):
3032         (JSC::DFG::Node::convertToPhantomNewFunction):
3033         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
3034         (JSC::DFG::Node::convertToPhantomCreateActivation):
3035         (JSC::DFG::Node::convertToGetLocal):
3036         (JSC::DFG::Node::lazyJSValue):
3037         (JSC::DFG::Node::initializationValueForActivation):
3038         (JSC::DFG::Node::tryGetVariableAccessData):
3039         (JSC::DFG::Node::variableAccessData):
3040         (JSC::DFG::Node::unlinkedLocal):
3041         (JSC::DFG::Node::unlinkedMachineLocal):
3042         (JSC::DFG::Node::stackAccessData):
3043         (JSC::DFG::Node::phi):
3044         (JSC::DFG::Node::identifierNumber):
3045         (JSC::DFG::Node::getPutInfo):
3046         (JSC::DFG::Node::accessorAttributes):
3047         (JSC::DFG::Node::newArrayBufferData):
3048         (JSC::DFG::Node::indexingType):
3049         (JSC::DFG::Node::typedArrayType):
3050         (JSC::DFG::Node::inlineCapacity):
3051         (JSC::DFG::Node::scopeOffset):
3052         (JSC::DFG::Node::capturedArgumentsOffset):
3053         (JSC::DFG::Node::variablePointer):
3054         (JSC::DFG::Node::callVarargsData):
3055         (JSC::DFG::Node::loadVarargsData):
3056         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
3057         (JSC::DFG::Node::targetBlock):
3058         (JSC::DFG::Node::branchData):
3059         (JSC::DFG::Node::switchData):
3060         (JSC::DFG::Node::getHeapPrediction):
3061         (JSC::DFG::Node::cellOperand):
3062         (JSC::DFG::Node::watchpointSet):
3063         (JSC::DFG::Node::storagePointer):
3064         (JSC::DFG::Node::uidOperand):
3065         (JSC::DFG::Node::typeInfoOperand):
3066         (JSC::DFG::Node::transition):
3067         (JSC::DFG::Node::structureSet):
3068         (JSC::DFG::Node::structure):
3069         (JSC::DFG::Node::storageAccessData):
3070         (JSC::DFG::Node::multiGetByOffsetData):
3071         (JSC::DFG::Node::multiPutByOffsetData):
3072         (JSC::DFG::Node::objectMaterializationData):
3073         (JSC::DFG::Node::arrayMode):
3074         (JSC::DFG::Node::arithMode):
3075         (JSC::DFG::Node::arithRoundingMode):
3076         (JSC::DFG::Node::setArithRoundingMode):
3077         (JSC::DFG::Node::executionCounter):
3078         (JSC::DFG::Node::typeLocation):
3079         (JSC::DFG::Node::basicBlockLocation):
3080         (JSC::DFG::Node::numberOfArgumentsToSkip):
3081         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
3082         (JSC::DFG::Node::OpInfoWrapper::operator=):
3083         * dfg/DFGOpInfo.h:
3084         (JSC::DFG::OpInfo::OpInfo):
3085         * dfg/DFGPromotedHeapLocation.h:
3086         (JSC::DFG::PromotedLocationDescriptor::imm1):
3087         (JSC::DFG::PromotedLocationDescriptor::imm2):
3088
3089 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
3090
3091         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
3092         https://bugs.webkit.org/show_bug.cgi?id=161120
3093
3094         Reviewed by Darin Adler.
3095
3096         * inspector/JSGlobalObjectInspectorController.cpp:
3097
3098 2016-08-26  Sam Weinig  <sam@webkit.org>
3099
3100         Remove support for ENABLE_LEGACY_WEB_AUDIO
3101         https://bugs.webkit.org/show_bug.cgi?id=161262
3102
3103         Reviewed by Anders Carlsson.
3104
3105         * Configurations/FeatureDefines.xcconfig:
3106         Remove ENABLE_LEGACY_WEB_AUDIO
3107
3108 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
3109
3110         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
3111         https://bugs.webkit.org/show_bug.cgi?id=161229
3112
3113         Reviewed by Geoffrey Garen.
3114
3115         Add (String, Untyped) uses to FTL CompareStrictEq.
3116         This was the last use type not implemented; the node is fully
3117         supported by FTL after this patch.
3118
3119         * ftl/FTLCapabilities.cpp:
3120         (JSC::FTL::canCompile):
3121         * ftl/FTLLowerDFGToB3.cpp:
3122         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
3123         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
3124
3125         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
3126         Remove the type checks when possible.
3127
3128 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
3129
3130         Web Inspector: Frontend should have access to Resource Timing information
3131         https://bugs.webkit.org/show_bug.cgi?id=160095
3132
3133         Reviewed by Alex Christensen.
3134
3135         Rename ResourceTiming property.
3136
3137         * inspector/protocol/Network.json:
3138         Rename navigationStart to startTime so it's applicable
3139         for all resources and not just the main resource.
3140
3141 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
3142
3143         Web Inspector: Provide a way to clear an IndexedDB object store
3144         https://bugs.webkit.org/show_bug.cgi?id=161167
3145         <rdar://problem/27996932>
3146
3147         Reviewed by Brian Burg.
3148
3149         * inspector/protocol/IndexedDB.json:
3150         Clean up the protocol file.
3151
3152 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
3153
3154         Web Inspector: Some CSS selectors in the UI aren't escaped
3155         https://bugs.webkit.org/show_bug.cgi?id=151378
3156
3157         Reviewed by Joseph Pecoraro.
3158
3159         Change ElementData from sending a className string to using an array of
3160         classes, allowing for proper escaping of each class value.
3161
3162         * inspector/protocol/OverlayTypes.json:
3163
3164 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
3165
3166         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
3167         https://bugs.webkit.org/show_bug.cgi?id=161213
3168         <rdar://problem/28017986>
3169
3170         Reviewed by Brian Burg.
3171
3172         * inspector/agents/InspectorHeapAgent.cpp:
3173         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
3174         Don't take a final snapshot when disconnecting.
3175
3176         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3177         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
3178         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
3179         * inspector/agents/InspectorScriptProfilerAgent.h:
3180         * runtime/SamplingProfiler.h:
3181         Don't process samples when disconnecting.
3182
3183 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
3184
3185         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
3186         https://bugs.webkit.org/show_bug.cgi?id=161027
3187         <rdar://problem/27871349>
3188
3189         Reviewed by Mark Lam.
3190
3191         For JSContext inspection, when a frontend connects keep the target alive.
3192         This means ref'ing the JSGlobalObject / VM when the first frontend
3193         connects and deref'ing when the last frontend disconnects.
3194
3195         * inspector/JSGlobalObjectInspectorController.h:
3196         * inspector/JSGlobalObjectInspectorController.cpp:
3197         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
3198         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
3199         Now that frontends keep the global object alive, when the global object
3200         is destroyed that must mean that no frontends exist. Remove the now
3201         stale code path.
3202
3203         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
3204         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
3205         Ref the target when the first frontend connects, deref when the last disconnects.
3206
3207 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3208
3209         [ES6] newPromiseCapabilities should check the given argument is constructor
3210         https://bugs.webkit.org/show_bug.cgi?id=161226
3211
3212         Reviewed by Mark Lam.
3213
3214         Use @isConstructor.
3215
3216         * builtins/PromiseOperations.js:
3217
3218 2016-08-25  Keith Miller  <keith_miller@apple.com>
3219
3220         toString called on proxies returns incorrect tag
3221         https://bugs.webkit.org/show_bug.cgi?id=161111
3222
3223         Reviewed by Benjamin Poulain.
3224
3225         This patch adds a new Method table function toStringName. This function
3226         is used by Object.prototype.toString to create the string tag that it
3227         inserts. Right now it only changes the stringification of proxy objects.
3228         In future patches I plan to make it work for other classes of objects as
3229         well.
3230
3231         * runtime/ClassInfo.h:
3232         * runtime/JSCell.cpp:
3233         (JSC::JSCell::toStringName):
3234         * runtime/JSCell.h:
3235         * runtime/JSObject.cpp:
3236         (JSC::JSObject::toStringName):
3237         * runtime/JSObject.h:
3238         * runtime/ObjectPrototype.cpp:
3239         (JSC::objectProtoFuncToString):
3240         * runtime/ProxyObject.cpp:
3241         (JSC::ProxyObject::toStringName):
3242         * runtime/ProxyObject.h:
3243
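The tags that Object.prototype.toString is required to produce for Proxy objects (the behaviour the entry above is about), as an added JavaScript example that is not code from the WebKit change; the sample proxies are constructed here:

```javascript
// Added example (not from the WebKit patch). Per the ES2016 spec, the builtin
// tag used by Object.prototype.toString for a Proxy depends on its target:
// IsArray(proxy) looks through to the target, so an array target gives "Array";
// a callable target gives "Function"; anything else gives "Object". A
// Symbol.toStringTag read through the proxy overrides the builtin tag.
function stringTagOf(value) {
  return Object.prototype.toString.call(value);
}

// Constructed sample proxies with empty handlers.
const arrayProxy = new Proxy([], {});
const functionProxy = new Proxy(function () {}, {});
const plainProxy = new Proxy({}, {});
const taggedProxy = new Proxy({ [Symbol.toStringTag]: "Tagged" }, {});

// A revoked proxy has no handler, so IsArray (and therefore toString) must
// throw a TypeError rather than report a stale tag.
const { proxy: revokedProxy, revoke } = Proxy.revocable([], {});
revoke();

function revokedProxyThrows() {
  try {
    stringTagOf(revokedProxy);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Expected: "[object Array]", "[object Function]", "[object Object]",
// "[object Tagged]", and revokedProxyThrows() === true.
```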
3244 2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>
3245
3246         Fix the ENABLE(WEBASSEMBLY) build on Linux
3247         https://bugs.webkit.org/show_bug.cgi?id=161197
3248
3249         Reviewed by Mark Lam.
3250
3251         * CMakeLists.txt:
3252         * b3/B3Common.cpp:
3253         (JSC::B3::shouldDumpIR):
3254         * shell/CMakeLists.txt:
3255         * wasm/JSWASMModule.h:
3256         * wasm/WASMB3IRGenerator.cpp:
3257         (JSC::WASM::toB3Op):
3258         * wasm/WASMB3IRGenerator.h:
3259         * wasm/WASMFormat.h:
3260         * wasm/WASMFunctionParser.h:
3261         * wasm/WASMModuleParser.cpp:
3262         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
3263         * wasm/WASMModuleParser.h:
3264         * wasm/WASMParser.h:
3265         * wasm/WASMPlan.cpp:
3266         * wasm/WASMPlan.h:
3267         * wasm/WASMSections.cpp:
3268
3269 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
3270
3271         [Win] Compile fix.
3272         https://bugs.webkit.org/show_bug.cgi?id=161235
3273
3274         Reviewed by Brent Fulgham.
3275
3276         YarrPattern::errorMessage has inconsistent dll linkage.
3277
3278         * yarr/YarrPattern.h:
3279
3280 2016-08-25  Alex Christensen  <achristensen@webkit.org>
3281
3282         CMake build fix.
3283
3284         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
3285         This is needed for the internal Windows build.
3286
3287 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
3288
3289         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
3290         https://bugs.webkit.org/show_bug.cgi?id=161181
3291
3292         Reviewed by Geoffrey Garen.
3293
3294         All the nodes are doing the exact same thing with a single
3295         difference: how to process constants. I made that into a separate
3296         function called from each node.
3297
3298         I also generalized the constant-to-number code of DoubleRep
3299         to make it available for all those nodes.
3300
3301         * dfg/DFGAbstractInterpreter.h:
3302         * dfg/DFGAbstractInterpreterInlines.h:
3303         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3304         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
3305         * runtime/JSCJSValue.cpp:
3306         (JSC::JSValue::toNumberFromPrimitive):
3307         * runtime/JSCJSValue.h:
3308
3309 2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3310
3311         [DFG][FTL] Implement ES6 Generators in DFG / FTL
3312         https://bugs.webkit.org/show_bug.cgi?id=152723
3313
3314         Reviewed by Filip Pizlo.
3315
3316         This patch introduces DFG and FTL support for ES6 generators.
3317         An ES6 generator is compiled by the BytecodeGenerator. But at the last phase, BytecodeGenerator performs "generatorification" onto the unlinked code.
3318         In the BytecodeGenerator phase, we just emit op_yield for each yield point. And we don't emit any generator-related switch, save, and resume sequences
3319         here. Those are emitted by the generatorification phase.
3320
3321         So the graph is super simple! Before the generatorification, the graph looks like this.
3322
3323              op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...
3324
3325         Roughly speaking, in the generatorification phase, we work out which variables should be saved and resumed at each op_yield.
3326         This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
3327         The op_put_to_scope and op_get_from_scope sequences correspond to the save and resume sequences. We set up the scope for the generator frame and
3328         perform op_put_to_scope and op_get_from_scope onto it. The live registers are saved and resumed over the generator's next() calls by using this
3329         special generator frame scope. And we also set up the global switch for the generator.
3330